Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
	This action is in response to the communication filed on 3/9/2021.
Claims 1-27 are examined 
Claims 1-5, 7-13, 15-21, 23-24 and 25-27 are rejected. 
Claims 6, 14, 22 are cancelled. 

Response to Arguments
Applicant arguments, dated 3/9/2021 have been fully considered. 
Regarding USC 103 rejection, applicant argues on page 13-15 that, combination of references does not teach – 
For Claim 25 - 
A - Page 13-14 – In OA Ref Park does not teach, ‘processor node detecting whether programming code of a first program has been modified by a second computer program including relocated by hooking to another memory address, .. relocated away from the first memory address ..’. 
In summary applicant argues that Park fail to teach above claimed limitation of claim 25. 



In summary applicant argues that Park fail to teach above claimed limitation of claim 25. 
Examiner does not find argument persuasive. 
Examiner notes that Park teaches – 
Para 54 – ‘The permanent DEP setting unit 31, configured to enable permanent Data Execution Prevention (DEP) on a process, includes a check unit 311, an execution unit 312 .. ‘ 
Para 56 – ‘a normal memory area means a memory area excluding a code area, and the normal memory area includes a data area, a stack, a heap, and the like. In a normal case, because a code is executed in a code area of memory, a normal memory area is represented as a non-executable memory area .. ‘ 
Para 57 – ‘ The reason why permanent DEP is enabled on the process is that a malicious behavior as illustrated in FIG. 4 operates as follows. When input data (for example, input data may be a document file in case of a document reader program, or may be chatting messages in case of a chatting program) is input, the process processes the input data. In this case, the input data attacks a vulnerable code, and thus code execution flow is moved from the code area to a location of the input data in the normal memory area .. ‘. 
 In summary – Park teaches DEP setting unit whose core function is to check – ‘malware in system based on vulnerability of code which further includes checking location of code in memory area (Para 56).  Further Park teaches in para 57 – detects vulnerable code, and thus code execution flow is moved from the code area to a location of the input data in the normal memory area’ – where code is check for 
Further Park para 58 teaches – ROP – return oriented programming where code is checked for operation at it designated location – example code A only operating at location A which further covers the claimed function as code A operating at location B can be detected via ROP as malicious code. 
Additionally Park Fig 11 step s3 – s44 and para 78-85 teaches all steps as of checking and execution of code to detect malware as described in action below. As attorney describes ‘hooking unit’ and ‘DEP unit’ these are units which carry out the steps of detection of code at its designated location. More importantly it is the overall functionality of Park which covers the claimed limitation versus the two units, thus examiner request to focus on overall teaching of Park.  
Examiner further elaborates on claim language of ‘code is expected to be located’, from the view point of malware – if the code resides in alternate memory area that can be ‘expected area’ and from the view point of anti-malware, the expected memory area can be same – therefore the term ‘expected memory area’ is broadly interpreted as ‘memory area’ which makes the claim broad and where the limitation is covered by Park which teaches memory address authentication and code verification. 

Checking of code variation in memory address 
Checking of code’s memory address 
Checking of code’s variance and designated memory address which in summary covers the claimed limitation and overcome’ s attorney’s interpretation and argument of claimed limitation. 
Therefore examiner summarizes that Park distinctly teach claim limitation as described above of – ‘determining whether a particular section of code has been relocated away from the first memory address’. 
Any objections or rejections not set forth below have been withdrawn.  
Examiner is open for phone call interview to discuss further with applicant’s representative for the purpose of compact prosecution. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s) as explained below. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Double Patent Analysis of 16,735,444 and US Patent 10,565,369.
Claims 1-5, 7-13, 15-21, 23-24, 25-27 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent 10,565,369. Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is covered by the U.S. Patent 10,565,369.
This is a non-provisional double patenting rejection. The assignee of the application and the patent is the same.
Exemplary claim 1 with the substantive differences between the conflicting claim 1 identified in bold is outlined below in the following comparison table.
Claim Comparison Table   
Instant Application
16,722,464
US Patent 
10,565,369
25. A method, comprising: a processor node 
detecting whether programming code of a first computer program has been modified by a second computer program including being relocated by hooking to another memory address, 
wherein the modification detecting includes validating a first section of programming code, 
said validating including comparing a section of programming code actually located at a first memory address at to the first section of programming code expected to be located at the first memory address to determine whether the first section of programming code has been relocated away from the first memory address. 


 



detecting whether programming code of a first computer program has been modified by a second computer program including being relocated to another memory address, 
wherein the modification detecting includes: 
registering a first section of programming code of the first computer program in a first registry data structure, the registering including: 

an identification of a first section of programming code of the first computer program; and entering into the first code section entry, 
a first memory address at which the first section of programming code is expected to be located; 
and validating the registered first section of programming code, said validating including comparing the section of programming code actually located at the first memory address to the first section of programming code identified by the first code section entry of the first registry data structure to determine whether the first section of programming code has been relocated away from the first memory address entered in the first code section entry of the first registry data structure. 





Claim 25 and independent claim(s) of the instant application is broader in all respects than conflicting claim 1 and independent claim(s) of Patent No. U.S. Patent 10,565,369.  It is clear that all the elements of claims 25, 26, 27  of the instant application are to be found in the patent of claims 1, 9 and 17. The difference between 
For example, in the instant application claim 1 recites “validation of software code at first and second memory location(s) with checking of hook function from first and second software location with expected location address and along with other steps” similarly in the patent claim 1 the ‘all steps of instant application claim 25 along with ‘registering and identifying of sections of software code in registry data structure and other steps’. Thus, claim 25 and independent claim(s) of instant application is broader.
The pending claims of the instant application are generic to the species of patent
‘369. Thus, the generic invention is ‘anticipated’ by the species of the patented invention and the instant application claims are generic to the species of invention covered by the patent claim. Therefore, they are not patentably distinct from each other.

Double Patent Analysis of 16,735,444 and US Patent 9,940,455.
Claims 1-5, 7-13, 15-21, 23-24, 25-27 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent 9,940,455. Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is covered by the U.S. Patent 9,940,455.
This is a non-provisional double patenting rejection. The assignee of the application and the patent is the same.
Exemplary claim 25 with the substantive differences between the conflicting claim 1 identified in bold is outlined below in the following comparison table.

Claim Comparison Table   
Instant Application
16,722,464
US Patent 
9,940,455
25. A method, comprising: a processor node 
detecting whether programming code of a first computer program has been modified by a second computer program including being relocated by hooking to another memory address, 
wherein the modification detecting includes validating a first section of programming code, 
said validating including comparing a section of programming code actually located at a first memory address at which the first section of programming code is expected to be located, to the first section of programming code expected to be located at the first memory address to determine whether the first section of programming code has been relocated away from the first memory address. 


 


1. A method, comprising: detecting whether programming code of a first computer program has been modified by a second computer program, wherein the modification detecting includes: registering a first section of programming code of the first computer program in a first registry data structure, the registering including: 
entering into a first code section entry of the first registry data structure associated with the first computer program, an identification of a first section of programming code of the first computer program; and 
entering into the first code section entry, a first memory address at which the first section of programming code is expected to be located wherein the first code section entry of the first registry data structure is populated with the memory address at which the first section of programming code is located when the first computer program is executed a first time prior to opportunities for other software to modify the first computer program; and 






Claim 25 and independent claim(s) of the instant application is broader in all respects than conflicting claim 1 and independent claim(s) of Patent No. U.S. Patent 9,940,455.  It is clear that all the elements of claims 25, 26, 27  of the instant application are to be found in the patent of claims 1, 8 and 15. The difference between the instant application claims 25, 26, 27 and claims 1, 8 and 15 of patent claims lies in the fact that the patented claim includes more elements and is thus more specific. 
For example, in the instant application claim 1 recites “validation of software code at first memory location with expected location address and checking of hook function from first and second software along with other steps” similarly in the patent claim 1 the ‘all steps of instant application claim 25 along with ‘entering, registering and identifying 
The pending claims of the instant application are generic to the species of patent
‘455. Thus, the generic invention is ‘anticipated’ by the species of the patented invention and the instant application claims are generic to the species of invention covered by the patent claim. Therefore, they are not patentably distinct from each other.
A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
This is non-provisional double patenting rejection since the conflicting claims have been patented.  





Examiner Notes 
Claims 1-5, 7-13, 15-21, 23-24 overcome prior art rejection however they are rejected in view of DP rejection as described above. 

Claim Rejections - 35 USC § 102
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 25, 26 and 27  are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by U.S. Publication 2015/0213260 to Park et al. (hereinafter “Park”)
As per claim 25 Park teaches, a method, comprising: 
a processor node detecting whether programming code of a first computer program has been modified by a second computer program (Park para 60-61 teaches hooking function with execution of call with specific function, where execution of the process is suspended by hooking the function to detect malicious behavior by checking code modification in memory area. Examiner interprets the following – Function code or program of Park (interpreted as claimed limitation of program 1) to be process or function code / for specific function as commonly known in art) and hooking code (interpreted as second program). Further detection of malicious behavior code by interaction of two programs is distinctly covered by Park as explained above where program 1 (function code) when interacting with program 2 (hooking code) detects malicious behavior (modification of code) covers the claimed limitation); 
(Park para 56-58 teaches where DEP (data execution prevention) program (interpreted as first program) interacts with input data (second program) and DEP checks after Input data program if the code execution model has moved from code area to a location in normal memory area. Examiner interprets that moving of code in another memory area (address) covers the claimed limitation. Further para 63-65 teaches hook function analyzing return address of code. Examiner interprets that checking of return address of code by hook function can be summarized as following – where hook function validates the memory address of residing code, by checking the reply of function code and its memory address if the expected memory address then the function code is normal otherwise it is malicious. Further checking of return memory address covers claimed function of relocation to another memory address), wherein the modification detecting includes validating a first section of programming code, actually located at a first memory address at which the first section of programming code is expected to be located, to the first section of programming code expected to be located at the first memory address to determine whether the first section of programming code has been relocated away from the first memory address (Park Fig 11 step s3 – s44 and para 78-85 teaches the following – Detection of vulnerability attack in the program by - Para 77 - Step S2 – hooking step where process calls the specific function, with specific task by hooking the function with the purpose of detecting attack code. Step S4 including steps s41, s42 and s44 where diagnosis step of analyzing hook / stack program check return address information and determines whether return address is in code area then it is determined that it is a malicious behavior (para 80). Examiner interprets the Fig 11 steps to cover claimed limitation as Fig 11 can be interpreted as following – hooking step over program function then checking the return memory address which is interpreted as checking the valid memory address is it the same as expected or different, then if the return memory address is same the hook function for program code – both are valid if the return address reply is different, then it means that software code has been relocated at different memory area which is concludes that code is malicious. In summary hook function of program code with return memory address validation step as described in Fig 11 covers the claimed function). 
Claim 26, 
Claim 26 is rejected in accordance with method of claim 25.
Claim 27,  
Claim 27 is rejected in accordance with method of claim 25.

Conclusion 

Claims 1-5, 7-13, 15-21, 23-24 and 25-27 have been rejected. 
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431