DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	This action is in response to the following communication: Amendment to application No. 15/716,517 filed on 02/08/2021.
3.	Claims 8, 9 and 11-14 were previously cancelled.
Claims 1 and 7 have been amended.
Claims 1-7 and 10 now remain pending.
Claims 1 and 7 are independent claims.
Specification Objection
4.	Prior rejection is overcome by corrections.
 Claim Objections
5.	Prior objection is overcome by corrections.
6.	Claim 7 is objected to because of the following informalities:
Claim 7 has a grammatical error on line 10, “the et of collected events are used”; Examiner suggests using “the [[et]] set of collected events are used”.
Appropriate correction is required.
Response to Arguments
7.	Applicant’s arguments with respect to newly amended independent claims 1 and 7 and claims 2-6 and 10 on pages 6-12 of the response have been fully considered, but they are not persuasive and are moot in view of the new ground(s) of rejection; see Ramchandra (art newly made of record) as applied below, which further teaches such use.
Claim Rejections - 35 USC § 103

8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Subhraveti U.S. Patent No. 8,468,501, in view of Sahita et al., U.S. Patent No. 9,886,577 (hereinafter Sahita) in view of Saunders et al., U.S. Patent No. 8,533,836 (hereinafter Saunders) in view of Li et al., US 9,917,855 (hereinafter Li) in view of Ramchandra et al., EP 3449375 (hereinafter Ramchandra). 
In regards to claim 7, the rejections above are incorporated, respectively.
    In regards to claim 1, Subhraveti teaches:
A method useful for disassembling an executable binary comprising the steps of: (column 5, lines 28-32, see the record and replay tool 213 comprises two key components for recording and replaying: a common signal handler 216 and an agent 217. The common signal handler 216 monitors and intercepts all incoming signals to the program 214, such as those from external processes and program inputs).
runtime monitoring of an application executing on a computer system (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, 
capturing an API/system call performed by the application (Abstract, see system calls are recorded for each program thread, tracked by an extension to the operating system kernel and include returned call parameter data) and (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made).  
generating a list of collected events, wherein the list of collected events comprises at least one of the API/system call or the control transfer (Abstract, see a method, system and program product for recording a program execution comprising recording processor context for each thread of the program, results of system calls by the program, and memory pages accessed by the program during an execution interval in a checkpoint file).
Subhraveti doesn’t explicitly teach:
capturing a control transfer in the application.
However, Sahita teaches such use: (column 2, lines 57-61, see monitoring module 14 can be configured to mark code pages that contain sensitive API code pages as non-executable, thus being able to validate entries into the code sections using virtualization 
Subhraveti and Sahita are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti and Sahita before him or her, to modify the system of Subhraveti to include the teachings of Sahita, as a system for the detection of malicious invocation of sensitive code, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to capture calls that invoke a branch, as suggested by Sahita (column 2, lines 57-61, column 11, lines 43-58).
Subhraveti and Sahita, in particular Subhraveti doesn’t explicitly teach:
transferring the list of collected events to a disassembler; with the disassembler: wherein the disassembler comprises a program that translates machine language into assembly language.
However, Saunders teaches such use (column 2, lines 35-41, see the present invention extends to methods, systems, and computer program products for identifying software execution behavior. A portion of assembly code is accessed. The portion of assembly code includes assembly language instructions from an assembly language instruction 
Subhraveti, Sahita and Saunders are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti and Saunders before him or her, to modify the system of Subhraveti to include the teachings of Saunders, as a system for identifying software execution behavior, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to translate machine language to assembly language, as suggested by Saunders (column 2, lines 35-41, column 9, lines 6-13).      
Subhraveti, Sahita and Saunders, in particular Subhraveti doesn’t explicitly teach:
generating a set of disassembly traces for an application executable binary by starting a disassembly operation at one or more potential start locations.
However, Li teaches such use: (column 8, lines 31-43, see after the checkpoints are configured, the sample process is executed (step 602) and monitored by the execution inspector 311 for checkpoint hits. When a checkpoint is hit (step 603), the code coverage profiler 312 identifies a hidden code segment of the sample process (step 604). The static behavior analyzer 313 scans the hidden code segment to identify APIs (or other functions) that are typically called by malware to perform a malicious behavior. More particularly, the static behavior analyzer 313 may disassemble the hidden code segment (step 630), identify APIs and related parameters from the 
validating the set of disassembly traces by checking a consistency with a set of observed events that are in a memory region covered by the set of disassembly traces; and combining a set of validated disassembly traces to complete the disassembly operation on the application executable binary.
However, Li teaches such use: (column 8, lines 54-60, see the identified behavior nodes are correlated to form a behavior net (step 608), which is scored (step 609) to determine if the sample process is malware. For example, behavior nodes may be weighted and the total of the weights of behavior nodes of a behavior net may be compared to a threshold to determine if the sample process is malware).
Subhraveti, Sahita, Saunders and Li are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti, Sahita, Saunders and Li before him or her, to modify the system of Subhraveti, Sahita and Saunders, in particular Subhraveti, to include the teachings of Li, as a system for analysis of processes, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to utilize a disassembler, as suggested by Li (column 8, lines 31-43, column 9, lines 24-29).
Subhraveti, Sahita, Saunders and Li, in particular Subhraveti doesn’t explicitly teach:
the set of observed events are checked against a list of known events produced by the application.
However, Ramchandra teaches such use: (p. 3, [0010], see the following description provides methods, systems, and computer program products for monitoring API integrations for building contexts around service integrations. Further, as described below, the contexts allow for establishing a baseline state of a system, and for identifying irregularities that may adversely affect the performance of the system) and (p. 15, [0057], see the context analyzer (147) may compare the newly created contexts previously built around the baseline state of the system (100). For example, the newly created contexts may be compared to a baseline state of the system (100) from a prior week, a prior month, a prior year. As an option, based on such comparison, the context analyzer (147) may detect that operation of the system (100) has departed from the previously determined baseline).
Subhraveti, Sahita, Saunders, Li and Ramchandra are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti, Sahita, Saunders, Li and Ramchandra before him or her, to modify the system of Subhraveti, Sahita, Saunders and Li in particular Subhraveti to include the teachings of Ramchandra, as a system for analysis of processes, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to compare traces, as suggested by Ramchandra (p. 15, [0057], p. 23, [0100]).       
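As an added illustration of the claim 1 validation step (example code written for this page, not taken from the application or from any reference cited above), the following toy models a disassembly started at several candidate start locations, validates each resulting trace against the API/system-call and control-transfer events observed at runtime in the memory region that trace covers, and combines the validated traces. The instruction set, the byte image, the addresses and the event list are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed fixed-format ISA: opcode -> (mnemonic, length in bytes).
ISA = {0x01: ("NOP", 1), 0x02: ("MOV", 3), 0x03: ("CALL", 2),
       0x04: ("SYSCALL", 1), 0x05: ("JMP", 2), 0x06: ("RET", 1)}
TRANSFERS = {"CALL", "JMP"}    # one signed rel8 operand, relative to the next instruction
TRACE_ENDERS = {"JMP", "RET"}  # a linear sweep stops after an unconditional transfer

@dataclass
class Insn:
    addr: int
    mnemonic: str
    size: int
    target: Optional[int] = None  # decoded branch destination for CALL/JMP

@dataclass
class Trace:
    start: int
    insns: list = field(default_factory=list)
    status: str = "unconfirmed"  # becomes "valid" or "invalid" after validate()

    @property
    def end(self) -> int:  # exclusive end of the memory region this trace covers
        return self.insns[-1].addr + self.insns[-1].size if self.insns else self.start

    def insn_at(self, addr: int):  # None when addr is not an instruction boundary
        return next((i for i in self.insns if i.addr == addr), None)

def disassemble(code: bytes, base: int, start: int) -> Trace:
    """Sweep from `start` until RET, an unconditional JMP, or an undecodable byte."""
    trace, pc = Trace(start), start
    while base <= pc < base + len(code):
        off, op = pc - base, code[pc - base]
        if op not in ISA or off + ISA[op][1] > len(code):
            break                                  # data/padding byte: stop the trace
        mnem, size = ISA[op]
        target = None
        if mnem in TRANSFERS:
            target = pc + size + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        trace.insns.append(Insn(pc, mnem, size, target))
        pc += size
        if mnem in TRACE_ENDERS:
            break
    return trace

def validate(trace: Trace, events: list) -> Trace:
    """Invalid if any observed event in the region lands mid-instruction, on the wrong
    mnemonic or with a different branch target; valid once at least one event confirms it."""
    confirmed = 0
    for ev in events:
        if ev["kind"] == "syscall":
            checks = [(ev["addr"], "SYSCALL", None)]
        else:  # source must decode to the observed transfer; destination must be a boundary
            checks = [(ev["src"], ev["kind"].upper(), ev["dst"]), (ev["dst"], None, None)]
        for addr, mnem, target in checks:
            if trace.start <= addr < trace.end:
                insn = trace.insn_at(addr)
                if insn is None or (mnem and (insn.mnemonic != mnem or insn.target != target)):
                    trace.status = "invalid"
                    return trace
                confirmed += 1
    trace.status = "invalid" if not trace.insns else ("valid" if confirmed else "unconfirmed")
    return trace

def combine(traces: list) -> list:
    """Merge the validated traces into one listing, keeping each address once."""
    seen = {}
    for t in traces:
        if t.status == "valid":
            for i in t.insns:
                seen.setdefault(i.addr, i)
    return [seen[a] for a in sorted(seen)]

# Constructed sample image loaded at 0x1000; comments give the intended decoding.
BASE = 0x1000
CODE = bytes([0x02, 0x01, 0x02,  # 1000: MOV r,0x0201
              0x04,              # 1003: SYSCALL
              0x03, 0x02,        # 1004: CALL +2 -> 1008
              0x05, 0x03,        # 1006: JMP  +3 -> 100b
              0x04, 0x06,        # 1008: SYSCALL ; 1009: RET
              0xFF,              # 100a: padding, not code
              0x01, 0x06])       # 100b: NOP ; 100c: RET
# Constructed runtime observations: the "collected events" of the claim.
EVENTS = [{"kind": "syscall", "addr": 0x1003}, {"kind": "call", "src": 0x1004, "dst": 0x1008},
          {"kind": "jmp", "src": 0x1006, "dst": 0x100B}, {"kind": "syscall", "addr": 0x1008}]

def run(starts=(0x1000, 0x1001, 0x1008, 0x100A, 0x100B)):
    """Disassemble from each candidate start, validate, and combine the survivors."""
    traces = [validate(disassemble(CODE, BASE, s), EVENTS) for s in starts]
    return {t.start: t.status for t in traces}, combine(traces)
```

The misaligned start at 0x1001 is rejected because the observed system call at 0x1003 falls inside the instruction it decodes at 0x1002, while 0x100B survives only because an observed control transfer lands on its first instruction.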

    In regards to claim 2, Subhraveti teaches:
an event information includes a processor register value, an application attribute, an application symbol table, an application's stack, and a processor's last branch records (column 6, lines 3-6, see the partial program execution state recorded in the checkpoint 418 includes an image of the system processor context. The processor context includes register contents and operating system descriptor entries 419).

     In regards to claim 3, Subhraveti, Sahita and Saunders, in particular Subhraveti doesn’t explicitly teach:
collected events are reported to a remote server for use in disassembly of the application executable binary.
However, Li teaches such use: (column 8, lines 54-60, see the identified behavior nodes are correlated to form a behavior net (step 608), which is scored (step 609) to determine if the sample process is malware. For example, behavior nodes may be weighted and the total of the weights of behavior nodes of a behavior net may be compared to a threshold to determine if the sample process is malware) and (column 8, lines 31-43, see after the checkpoints are configured, the sample process is executed (step 602) and monitored by the execution inspector 311 for checkpoint hits. When a checkpoint is hit (step 603), the code coverage profiler 312 identifies a hidden code segment of the sample process (step 604). The static behavior analyzer 313 scans the hidden code segment to identify APIs (or other functions) that are typically called by malware to perform a malicious behavior. More particularly, the static behavior 
Subhraveti, Sahita, Saunders and Li are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti, Sahita, Saunders and Li before him or her, to modify the system of Subhraveti, Sahita and Saunders, in particular Subhraveti, to include the teachings of Li, as a system for analysis of processes, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to utilize a disassembler, as suggested by Li (column 8, lines 31-43, column 9, lines 24-29).

     In regards to claim 4, Subhraveti teaches:
the step of monitoring and reporting of a control flow in the application for generating disassembly of the application executable binary by: (column 5, lines 28-32, see the record and replay tool 213 comprises two key components for recording and replaying: a common signal handler 216 and an agent 217. The common signal handler 216 monitors and intercepts all incoming signals to the program 214, such as those from external processes and program inputs).
scanning the computer system for a running process associated with the application executable binary; instrumenting an application code of the 
inserting event-logging code into the executable application to monitor the control flow (column 6, lines 61-67, see a system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made. Ptrace is a system call utility available in many versions of the Unix operating system which allows one process to control another, enabling the controlling process to inspect and manipulate the internal state of its target process).
inserting a software interrupt into the executable application to monitor the control flow (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made) and (column 6, lines 64-67, see Ptrace is a system call utility available in many versions of the Unix operating system which allows one 
logging a collected event reflecting a characteristic of the control flow; and reporting the collected event to a server (column 3, line 67 - column 4, line 9, see the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider)).

     In regards to claim 5, Subhraveti teaches:
a potential size of the memory region is bounded by a code section boundary (column 5, lines 51-53, see the record and replay tool 413 decouples the program 414 from installed code binaries by recording specific code pages 420 within executable files of the libraries accessed by the program 414 during the recording interval).

10.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Subhraveti in view of Sahita in view of Saunders in view of Li in view of Ramchandra in view of Barton et al., U.S. 2014/0298420 (hereinafter Barton).

    In regards to claim 6, Subhraveti, Sahita, Saunders, Li and Ramchandra, in particular Subhraveti doesn’t explicitly teach:
the validation code is part of an operating system.
However, Barton teaches such use: (p. 1, [0128], see those skilled in the art will recognize that the Android operating system may include built-in mechanisms for requesting the signing certificate of an application, which the access manager 724 may utilize to validate the identity of a managed mobile application requesting access to the computing resources such as enterprise resources 712). 
Subhraveti, Sahita, Saunders, Li, Ramchandra and Barton are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Subhraveti, Sahita, Saunders, Li, Ramchandra and Barton before him or her, to modify the system of Subhraveti, Sahita, Li, Saunders and Ramchandra, in particular Subhraveti, to include the teachings of Barton, as a validation system for managing access to enterprise resources, and accordingly it would enhance the system of Subhraveti, which is focused on recording program execution, because that would provide Subhraveti with the ability to perform validation at the operating system level, as suggested by Barton (p. 1, [0128], p. 19, [0173]).

11.	Claims 7 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Subhraveti in view of Xiaocheng et al., U.S. Patent No. 8,397,241 (hereinafter Xiaocheng) in view of Jorgensen, US 9,300,759 in view of Ramchandra.
     In regards to claim 7, Li teaches:
A method useful for monitoring of an API/system call implemented by an application for generating disassembly of an application executable binary of the application, comprising the steps of: (column 8, lines 31-43, see after the checkpoints are configured, the sample process is executed (step 602) and monitored by the execution inspector 311 for checkpoint hits. When a checkpoint is hit (step 603), the code coverage profiler 312 identifies a hidden code segment of the sample process (step 604). The static behavior analyzer 313 scans the hidden code segment to identify APIs (or other functions) that are typically called by malware to perform a malicious behavior. More particularly, the static behavior analyzer 313 may disassemble the hidden code segment (step 630), identify APIs and related parameters from the disassembled hidden code segment (step 631), and trace references of parameters between the APIs (step 632)).
the observed API/system call is used to validate the disassembly of an application executable binary (column 8, lines 54-60, see the identified behavior nodes are correlated to form a behavior net (step 608), which is scored (step 609) to determine if the sample process is malware. For example, behavior nodes may be weighted and the total of the weights of behavior nodes of a behavior net may be compared to a threshold to determine if the sample process is malware).

scanning a computer system for an executable application; scanning the computer system for a running process associated with the application executable binary.
However, Subhraveti teaches such use: (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made) and (column 6, lines 64-67, see Ptrace is a system call utility available in many versions of the Unix operating system which allows one process to control another, enabling the controlling process to inspect and manipulate the internal state of its target process).   
initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the application executable binary.
However, Subhraveti teaches such use: (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made) and (column 6, lines 64-67, see Ptrace is a system call utility available in many versions of the Unix operating system which allows one process to control another, enabling the controlling process to inspect and manipulate the internal state of its target process).
the API/system call is monitored from the application, a kernel of an operating system, an emulator, or a hypervisor.
However, Subhraveti teaches such use: (Abstract, see system calls are recorded for each program thread, tracked by an extension to the operating system kernel and include returned call parameter data) and (column 6, lines 59-63, see the agent 517 tracks the program 514's system calls by providing an operating system kernel extension 523 to a system call tracing component of the operating system 515. A system call component, like “ptrace”, allows an originating program thread to be signaled when a system call is made). 
Li and Subhraveti are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Li and Subhraveti before him or her, to modify the system of Li to include the teachings of Subhraveti, as a system for recording program execution, and accordingly it would enhance the system of Li, which is focused on a system for analysis of processes, because that would provide Li with the ability to monitor system calls, as suggested by Subhraveti (column 6, lines 59-63, column 10, lines 38-53).      
Li and Subhraveti, in particular Li doesn’t explicitly teach:
the observed API/system call is validated by matching a pointer type with the API/system call.
However, Xiaocheng teaches such use: (column 4, lines 30-34, see when a non-annotated function calls a GPU annotated function, it implies a call from the CPU to 
Li, Subhraveti and Xiaocheng are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Li, Subhraveti and Xiaocheng before him or her, to modify the system of Li and Subhraveti, in particular Li, to include the teachings of Xiaocheng, as a system for shared language support, and accordingly it would enhance the system of Li, which is focused on a system for analysis of processes, because that would provide Li with the ability to validate API calls, as suggested by Xiaocheng (column 4, lines 30-34, column 10, lines 38-43).
Li, Subhraveti and Xiaocheng, in particular Li doesn’t explicitly teach:
reporting a set of collected events to a local server; the observed API/system call is reported to a remote server.
However, Jorgensen teaches such use: (Abstract, techniques are disclosed for a client-and-server architecture where the client makes asynchronous API calls to the client.  Where the client makes multiple asynchronous API calls, and where these API calls have dependencies (i.e., a result of one call is used as a parameter in a second call), the client may send the server these multiple asynchronous API calls before execution of a call has completed), (column 6, lines 37-43, see client 202 must wait until server 204 has finished processing 304 the first API call 302 before client 202 may send server 204 the dependent API call 316, in FIG. 4, client 202 need not wait to send 
Li, Subhraveti, Xiaocheng and Jorgensen are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Li, Subhraveti, Xiaocheng and Jorgensen before him or her, to modify the system of Li, Subhraveti, and Xiaocheng, in particular Li, to include the teachings of Jorgensen, as a system for sending system calls to a server, and accordingly it would enhance the system of Li which is focused on a system for analysis of processes, because that would provide Li with the ability to report events to a server, as suggested by Jorgensen (Abstract, column 16, lines 29-58).      
Li, Subhraveti, Xiaocheng and Jorgensen, in particular Li doesn’t explicitly teach:
the set of collected events are used to validate a disassembly trace and to identify and initiate a new disassembly trace.
However, Ramchandra teaches such use: (p. 14, [0053], see one or more points of information in the transaction may be used to calculate a new point of information in a context), (p. 15, [0057], see in one or more embodiments, the context analyzer (147) may monitor the creation of new contexts during the operation of the system (100). Moreover, the context analyzer (147) may compare the newly created contexts previously built around the baseline state of the system (100). For example, the newly created contexts may be compared to a baseline state of the system (100) from a prior 
Li, Subhraveti, Xiaocheng, Jorgensen and Ramchandra are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Li, Subhraveti, Xiaocheng, Jorgensen and Ramchandra before him or her, to modify the system of Li, Subhraveti, Xiaocheng and Jorgensen, in particular Li, to include the teachings of Ramchandra, as a system for sending system calls to a server, and accordingly it would enhance the system of Li which is focused on a system for analysis of processes, because that would provide Li with the ability to detect new traces, as suggested by Ramchandra (p. 15, [0057],  p. 23, [0100]).      

     In regards to claim 10, Li doesn’t explicitly teach:
the API/system call is validated by checking the consistency of a disassembled code with an argument used by the API/system call.
However, Subhraveti teaches such use: (column 12, lines 18-20, see results of the system calls include returned call value and parameter data, and are recorded as a continuous log in the partial checkpoint) and (column 8, lines 58-61, see the recorded 
Li and Subhraveti are analogous art because they are from the same field of endeavor, system call monitoring.
Therefore, at the time of the invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teaching of Li and Subhraveti before him or her, to modify the system of Li to include the teachings of Subhraveti, as a system for recording program execution, and accordingly it would enhance the system of Li, which is focused on a system for analysis of processes, because that would provide Li with the ability to monitor system calls, as suggested by Subhraveti (column 6, lines 59-63, column 10, lines 38-53).      

Conclusion
12.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US Patent Application Publications

Mehta et al., 10909236, Matching trace security policy

Cui et al., 9569288, Application pattern discovery

13.	Examiner, in light of the above submission maintains the previous rejections, and any new ground(s) of rejection is necessitated by Applicant’s amendment.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Correspondence Information
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Evral Bodden whose telephone number is 571-272-3455.  The examiner can normally be reached on Monday to Friday, 8:30 to 5:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 

/EVRAL E BODDEN/Primary Examiner, Art Unit 2193