DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/08/2021 has been entered.
Claims 1, 12 and 20 have been amended and new claim 21 has been added. 
Claims 1 and 3-21 are pending and herein considered.

Response to Arguments
Applicant’s arguments with respect to pending claims 1 and 3-21 have been carefully examined but they are not persuasive.
	Regarding independent claims 1, 12 and 20, Applicant essentially argues (pp 8-9) that the feature “the first source identifier is determined based on monitoring network activity associated with a network transmission that downloads the first application to the first computing device, the monitoring comprising detecting information transmitted to the first computing device" is not disclosed by the references of record because “the off-device monitoring comprises detecting information transmitted to (e.g., incoming) to the requesting device (e.g., first computing device)” (emphasis added).
Examiner respectfully disagrees and points out that the limitation does not require the monitoring to be “off-device”, in fact the claims do not specify where the monitoring is performed. Moreover, the Specification (par. 598-604) discloses that monitoring may be performed by the mobile device or by a server. Thus, performing network monitoring “on-device” reads on the claimed limitation.
In addition, Applicant does not assign a particular meaning to the word determining, so the system/server may determine the source identifier simply by receiving metadata (monitored on-device in view of Morrissey) that comprises said identifier, and extracting the identifier from received metadata, as is done in view of Das’77: the server uses the received application identifier (that includes the source identifier) “to determine the status of the application (par. 38), i.e. the server extracts (and determines) the application identifier from the received network packets (par. 45). See office action for additional details.  

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).


Claims 1, 3, 7, 9, 10, 12-13, 18 and 20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,540,494 in view of Morrissey et al. US 2014/0096246 (Morrissey). Claims 1-20 of US Patent No. 10,540,494 disclose most of the features of claims 1, 3, 7, 9, 10, 12-13, 18 and 20 of the instant application, except for the feature “wherein the first source identifier is determined based on monitoring network activity associated with a network transmission that downloads the first application”, similarly recited by claims 1, 12 and 20. However, such a feature is disclosed by US 2014/0096246 (Morrissey), which is one of the references used in the Office Action.  It would have been obvious to one of ordinary skill in the art to have used the featured taught by Morrissey, in order to detect untrusted applications.
"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896,225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). "ELI LILLY AND COMPANY v BARR LABORATORIES, INC. United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).

Claim Rejections - 35 USC § 112
Claims 1, 3-11 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and 
Claim 1 recites, “determine a first source identifier of the first application by the system”. Hence it is not clear what component of the system performs the determining, it could be the claimed at least one processor, or other not recited component of the system. Therefore, the claim is indefinite. Claims 3-11 and 21 are rejected as depending on claim 1. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

	Claims 1, 3, 6-7, and 9-21 are rejected under 35 U.S.C. 103 as being unpatentable over Das et al. US 2013/0097660 A1 (hereinafter Das) in view of Das et al. US 2013/0283377 A1 (hereinafter Das’77) in view of Morrissey et al. US 2014/0096246 A1 (hereinafter Morrissey) and further in view of  Dalcher et al. US 2013/0276120 A1 (hereinafter Dalcher).
Regarding claim 1, Das substantially discloses:
A system, comprising: at least one processor; and memory storing instructions configured to instruct the at least one processor to (Das: par. 13-14, 20, 30, Fig. 1, 2; the whitelist server 17 that maintains/updates a plurality of application whitelists :
receive, from a first computing device, a first application identifier for a first application (Das: e.g. par. 17, 20, 22, 33, 51-52; sending with a query, by a (mobile) client device, a first application manifest, including an application identifier, to the whitelist server; where the application is not yet installed, or is already installed).
Das teaches that the application manifest includes inter alia, application developer identity, but he does not appear to specifically extract/isolate (“determine”) a source identifier (from the application manifest). However, in a related application (by the same inventor and applicant), Das'77 discloses that the metadata associated with an application is parsed to extract at least a source identifier and a digital signature of the application, both identifying the source of the application; the aforementioned is in addition to generating an application (key) identifier (e.g. par. 22-23, 33-34, 45). The application (identifier) key and the parsed metadata (collectively referred to as application identifier) are then packaged and transmitted over one or more networks (Internet) to a server for evaluation (assessment) of the application status (state) (par. 12, 24, 34-35). The server uses the received application identifier (that includes the source identifier, see above) “to determine the status of the application (par. 38), i.e. the server extracts (and determines) the application identifier from the received network source identifier (or source identification based on the digital signature) effectively groups applications by origin (same developer/publisher) and is used to search (a list/records in) a database to “imply”/predict a status (state) for applications, based on the reputation of a particular source (publisher) of the application (par. 45). Hence, said list/records in the database, effectively represent white and black lists (of reputations) of application sources. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das and Das’77 to at least determine application sources and to create whitelists/blacklists of application source reputations. One would have done so, at least to allow application classification (as trusted/untrusted) even when the application was not yet assessed (application not yet included in the whitelists/blacklists for individual applications, per Das’77: par. 45). In the context of Das, the whitelists/blacklists are stored in a database at or associated with the whitelists server and are cached in part, on the (mobile) devices; the application and source identifiers are used to search corresponding states/reputations stored in locally cached whitelists/blacklists for individual applications and for application sources. Said locally cached whitelists/blacklists are updated at least with responses to queries (which are also cache update requests) sent to the whitelists server (Das: e.g. par. 40). Accordingly, Das in view of Das’77 discloses:
determine a first source identifier of the first application, wherein the first source identifier is determined based on metadata received at the server (per above).
Das as modified above does not appear to expressly disclose that the metadata is obtained by monitoring network activity. However, in a related application, Morrissey  monitoring network activity associated with a network transmission that downloads the first application to the first computing device, the monitoring comprising detecting information transmitted to the first computing device; (“metadata and related information may be received, collected and/or captured by various routines, modules and/or applications that run on the mobile device 202. For example…the download manager 216 may be adapted to capture, download and/or collect metadata about the application package when the application package is downloaded, for example, the URL from where the application was downloaded and the name of the application and/or application package”; where the metadata may be captured from the protocol used to download the application (Morrissey: par. 33); and where the metadata includes, inter alia, “information related to the source of the application package (e.g., the download URL, the download IP address, etc.)” (Morrissey: par. 26)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das modified and Morrissey to at least capture application source identifiers and other metadata during the download of respective applications. One would have done so, to build the metadata (Morrissey: par. 33) necessary for evaluation of the application status (reputation) (per Das modified by Das’77 above). Accordingly, Das in view of Das’77 and Morrissey discloses the aforementioned limitation. 
Das as modified above does not appear to expressly disclose a second computing device as claimed. However, in a related application, Dalcher discloses a hierarchical architecture comprising an administrative super (root) server that communicates with other (lower level parent) servers (corresponding to the whitelists 
send the first application identifier and the first source identifier over a network to a second computing device (When the first application is not found on the whitelists cached at the whitelist server, the application status query is propagated up to the administrative super server, as outlined above in view of Dalcher);
receive, from the second computing device, a first state designation for the first application (The administrative super server returns a response to the status query to the whitelist server, the response is additionally used to update the caches on the whitelists server and on the computing device (Dalcher: Fig. 5; and as outlined above), the first state designation representing a trusted state or an untrusted state (The response indicates a trusted or untrusted state (Das: e.g. par. 30));
in response to receiving the first state designation, set a second state designation; and send the second state designation to the first computing device (The response to the query from the administrative super server is sent to the whitelists server, which builds a message including the answer and sends it to the (endpoint) computing device (Dalcher: Fig. 5; and as outlined above). In addition and in one scenario (in view of Das: e.g. par. 20, 33-35), the whitelists server modifies the response (answer) sent to the endpoint computing device to be in compliance with particular entity's policies).
The aforementioned covers all the limitations of claim 1.

claims 3, 6-7, 9-11 and 21, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. In addition, Das in view of Das’77, Morrissey and Dalcher discloses:
 (3) The first source identifier is determined by detecting the first source identifier on the first computing device (Das’77: e.g. par. 22-23, 33-34, 45; and as outlined for the rejection of claim 1).
(6) The first source identifier is an IP address, a domain, or a uniform resource locator (Das’77: par. 45; where a website is identified by a URL or a domain).
(7) The second computing device is configured to store a list of trusted source identifiers, and to store first data regarding at least one trusted application for each respective trusted source identifier of the list; and the first state designation is determined based on the first data (Das’77: par. 45; and as outlined for the rejection of claim 1). 
(9) Sending the second state designation to the first computing device causes the first computing device to set an application state to untrusted (Das: e.g. par. 30, 44, 48, 54. Das’77: e.g. par. 45; malicious state for the application).
(10) The first computing device is configured to, in response to receiving the second state designation, perform at least one of blocking installation of the first application, blocking execution of the first application, disabling execution of one or more components of the first application, denying the first application access to a network, or uninstalling the first application (Das: e.g. par. 14, 33, 37, 48. Das’77: e.g. par. 45).
(11) Determine that applications from the first source identifier are untrusted; determine that the first application is identical to a second application, wherein the second application is determined to be from a trusted source; and in response to determining that the first application is identical to the second application, set the second state designation to represent a trusted state (In a scenario, a trusted application, registered in the white lists of application identifiers and of application sources, is distributed from a new source; where the new source is not trusted or not yet registered in the white lists of application sources (and thus not trusted, per Das: par. 30, 33). However, if the new source distributes an identical copy of the trusted application, the application is found in the white lists of application identifiers (Das: e.g. par. 48. Das’77: e.g. par. 44) and is classified as trusted).
(20) The information transmitted to the first computing device pertains to at least one of: a content type header, an MINE type, or a file format signature (Morrissey: par. 26, 33; the metadata transmitted to the server includes “e.g., the download URL [HTTP protocol], the download IP address, etc.”)

Regarding claims 12 and 20, they correspond to claim 1, and claims 12 and 20 do not disclose beyond the features of claim1. Therefore, claims 12 and 20 are rejected under 35 U.S.C 103, as being unpatentable over Das in view of Das’77 in view of Morrissey and further in view of Dalcher for the same reasons outlined for the rejection of claim 1.

claims 13-19, the rejection of claim 12 under 35 U.S.C 103 is incorporated herein. In addition, Das in view of Das’77, Morrissey and Dalcher discloses:
(13) The first computing device stores the first source identifier (Das: e.g. par. 51-52; application manifest (with source identifier) is stored on the first (mobile) device).
(14) Determining the first source identifier comprises monitoring activity for a second application that is associated with the first application identifier (Das: e.g. par. 21-22, 28, 52, 55, 81; Application information is obtained from various sources and application behavior analysis performed on copies of the application (with results included in the manifest)).
(15) Monitoring activity for the second application comprises monitoring network activity on a third computing device (Das: e.g. par. 55; “knowledge gained from monitoring application activity on anyone mobile device may be aggregated and analyzed against information about similar activity obtained from other mobile devices”).
(16) Monitoring activity for the second application comprises monitoring, in a virtual machine, behavior of the second application (Das: e.g. par. 28-29, 81; monitoring application behavior in a cloud environment).
(17) Prior to receiving the first application identifier, the first source identifier is determined to be trusted, and wherein the method further comprises: after receiving the first application identifier, determining that the first source identifier is untrusted based on behavior associated with the first source identifier; and in response to determining that the first source identifier is untrusted, setting the second state designation to represent an untrusted state (Das: e.g. par. 81; “any threat or vulnerability may be trusted” to “untrusted”).
(18) Denying, based on the determined first source identifier, access by the first computing device to a network location associated with the first source identifier (Das: e.g. par. 13, 31-34; “The [application] whitelist can be one of a plurality of whitelists, each whitelist associated with a corresponding set of policies, and each set of policies associated with a corresponding entity”. A “reputation system can protect against end users downloading and/or installing applications…that do not conform to policies of the controlling entity, such as applications that are not included in an approved list of applications (i.e., a whitelist)”. When an application is not included in the application whitelist, the “mobile device 14 (e.g., through whitelist enforcement module 22) can terminate and/or block downloading of the application”. Das modified by Das’77, extends the aforementioned reputation system to the whitelists of application source identifiers, and thus, can block the application download even when the application was not yet assessed (application not yet included in the whitelists/blacklists for individual applications, per Das’77: par. 45)).
(19) The access by the first computing device to the network location is denied further based on a policy for the first computing device set by the second computing device (Das: e.g. par. 20, 29, 35, Fig. 1; “Policies in policies database 28 [at the second computing device] may be defined, associated with, assigned or applied by a service provider, device manufacturer, an enterprise manager, or any other appropriate entity”. “The management console [at the second computing device] may provide appropriate policies, whitelists (e.g., whitelists 30), inventory exchange, corporate application reputation scores, etc. to suitable whitelist enforcement modules 22 on mobile devices (e.g., mobile device 14)”; A “reputation system can perform a database lookup and return a reputation score, or a qualitative assessment (e.g., derived based on policies in policies database 28)”).

	Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Das’77 in view of Morrissey in view of Dalcher and further in view of Baldi US 8,843,627 B1 (hereinafter Baldi).
	Regarding claims 4 and 5, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. Das modified does not expressly disclose that the first source identifier is determined by detecting code operating in the network path, as recited claims 4-5. However, Baldi discloses “a method, system, and computer readable medium for network traffic classification that can be applied to application/traffic profiling. Specifically, for each incoming flow observed on a network, a classifier attempts to map the flow to the application from which the flow is generated”; “a signature/fingerprint for an application is dynamically (i.e., while monitoring the traffic flows) extracted for the flows”; the identity of an (not yet known) application is “discovered from further analysis of the flows classified using the newly generated signatures/fingerprints (Baldi: col. 2 line 55-col. 3 line 10; col. 21 lines 47-64). A flow in 
	(4 and 5) The first source identifier is determined by detecting code that operates in the network path from a network source to the first computing device, wherein the code is detected operating in a network device (Baldi: Fig. 1A; see Data collectors 114, server node 112, client node 113; and as outlined above).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Das’77 in view of Morrissey in view of Dalcher and further in view of Kuo et al. US 2009/0083852 A1 (hereinafter Kuo).
Regarding claim 8, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. Das modified does not expressly disclose a plurality of install locations… Kuo discloses (e.g. par. 28, 30, 33) a whitelist server that “includes information about files that are designated as good. This information may include the name of the file, a hash of the file, the directory in which the file is installed, the package or software product to which the file belongs, the vendor producing the file, the date the file was identified as being on the whitelist, the version of the file, other information about the file, and the like. In one embodiment, a file identified in the whitelist may only be considered a "good" file on a particular node if the file is found in the proper directory [of a plurality of directories of a directory structure]. For example, if the whitelist indicates that the file FILE1 is located in the directory DIR1 and a node finds the file FILE1 in a directory DIR2, the FILE1 in DIR2 is not designated as a good file based on the whitelist”. I would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das modified with Kuo to at least include “proper” (expected) install directories in the application/source whitelists. One would have done so at least because additionally verifying the install directory, increases the security of the (first) computing device (Kuo: e.g. par. 33) by detecting malware even for files that are included in the whitelists. Accordingly, Das in view of Das’77, Morrissey, Dalcher and Kuo discloses:
the first computing device is configured to use a plurality of install locations to install applications; the first application is to be installed in a first install location of the plurality of install locations; and the first state designation is determined based on the first install location (as outlined above). 

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.









/SHANTO ABEDIN/Primary Examiner, Art Unit 2494