Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
	This action is in response to the communication filed on 12/30/2019.
Claims 1-20 are examined and rejected. 

Examiner Notes 
Claim 4 recites .. ‘ little or no processing .. by detection proxy .. ‘ which covers broad range of processing, as terms ‘little’ covers broad range, as interpreted by examiner. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2019/0342315 to Smelov et al. (hereinafter known as “Smelov”) and in view of U.S. Publication 20160285914 to Singh et al. (hereinafter known as “Singh”).

As per claim 1 Smelov teaches, a computing apparatus, comprising: 
a hardware platform comprising a processor and a memory (Smelov Fig 8 device 402A, para 40 teaches computer with processor, memory); 
a user application (Smelov para 156, Fig 11 element 404 web based application / and application module 1115);
telemetry probes to collect telemetry about use of the user application (Smelov para 156, Fig 11 element 1135 teaches analytics tracking engine); 
a detection proxy to collect telemetry data from the telemetry probes and forward the telemetry data to a detection cloud service (Smelov para 156 and 171, Fig 11 element 1140 to element 1120 telemetry tracker engine is interpreted as detection proxy). 

Although Smelov teaches module to detect malware (interpreted as tampering of application) it does not teach however Singh teaches, 
logic to receive from the detection cloud service a detection message that the user application has exhibited behavior consistent with tampering (Singh para 79-83  Fig 5A element 504 and 505 teaches analyzing data / traffic for malicious behavior based on triggering event), and to take remedial action responsive to the detection message (Singh para 79-83 teaches actions to handle malicious traffic – A – notify user, B – preventing the object, C – block traffic, D – upload network analysis information to cloud service which covers claimed limitation). 


Smelov – Singh are analogous art because they both are from data traffic inspection for malware or intrusion data. At the time of invention it would have been obvious to one of ordinary skill in the art, having the teachings of Smelov – Singh before him or her, to analyze data / traffic with proxy / module for malware detection of Smelov with Singh’s teaching of analysis of tampering behavior. 
The suggestion/motivation for doing so would have been to detect anomalous or malicious behavior through successive inter communications between devices (Singh para 1). 

As per claim 2 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the user application includes an internal anti-tampering mechanism (Smelov para 144 Fig 8 element 402A includes secure container which is similar to anti-tampering mechanism). 

As per claim 3 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the detection proxy comprises a unidirectional forwarder function for the telemetry data (Smelov para 156 teaches where 1120 forwards telemetry data to application (telemetry analysis data)). 

As per claim 4 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the detection proxy performs little or no processing on the telemetry data before forwarding  (Smelov para 156 teaches where 1120 includes sanctioned or non-sanctioned application).

As per claim 5 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the detection proxy includes logic to block telemetry from known bad telemetry sources (Smelov para 156-157 where application inspection module blocks malware and 158 teaches SSTP secure socket tunneling protocol which includes restraining malware (bad telemetry sources)). 

As per claim 6 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the telemetry data comprise network traffic request data (Smelov para 44-45 teaches network traffic with received and transmitted based on application request).

As per claim 7 combination of Smelov-Singh teaches, the computing apparatus of claim 6, wherein the traffic request data comprise request type, request order, and request timing (Smelov para 7 where telemetry data includes address, time, status code). 

As per claim 8 combination of Smelov-Singh teaches, the computing apparatus of claim 6, wherein the traffic request data comprise source internet protocol (IP) address or destination IP address (Smelov para 7 and 128 teaches URL / address).

As per claim 9 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the telemetry data include execution environment data (Smelov para 40 teaches data from environment sensors).

As per claim 10 combination of Smelov-Singh teaches, the computing apparatus of claim 9, wherein the execution environment data include CPU load, memory footprint, battery charge value, battery charging state, free local storage, network latency, bandwidth, time of day, date, or geographic location (Smelov para 177-178 and 184 includes computing resources data). 

As per claim 11 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the detection proxy is to provide passive monitoring of the user application's network usage (Smelov para 184 teaches network related telemetry data – statement about passive monitoring).

As per claim 12 combination of Smelov-Singh teaches, the computing apparatus of claim 1, wherein the detection proxy is to provide continuous monitoring of the user application (Smelov para 44 and 57 teaches monitoring of data).

As per claim 13 combination of Smelov-Singh teaches, the computing apparatus of claim 1, further comprising an anti- malware engine, wherein the detection proxy cooperates with anti-malware engine to detect malicious modification of the user application through changes to behavior patterns (Smelov para 73 teaches tampering of application / security module and para 181 teaches rogues application detection).

As per claim 14 Smelov teaches, one or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to instruct a processor (Smelov Fig 8 device 402A, para 40 teaches computer with processor, memory) to: 
install telemetry probes for a local application's access to a remote application programming interface (API) (Smelov para 155 - 156, Fig 11 element 1135 teaches analytics tracking engine); 
install an application backend for the local application (Smelov para 73), the application backend comprising a detection engine, the detection engine comprising 68Attorney Docket No.:Patent Application 04796-1351 (P300042)Cloud-Based Tamper Detectioninstructions to record and forward telemetry about the remote API calls to a detection cloud service (Smelov para 47, 88 and 98 and 120 teaches forwarding analysis data to cloud module); 
receive from the detection cloud service a tampering notification (Smelov para 155 – 156 - Fig 14 element 1410 to 1420). 
Although Smelov teaches module to detect malware (interpreted as tampering of application) it does not teach however Singh teaches, 
(Singh para 79-83 teaches actions to handle malicious traffic – A – notify user, B – preventing the object, C – block traffic, D – upload network analysis information to cloud service which covers claimed limitation). 

Smelov teaches analysis of telemetry data in cloud service by analysis module interpreted as detection proxy for malware (Fig 11). Smelov does not teach however Singh teaches, analysis of tampering behavior (Fig 5A). 
Smelov – Singh are analogous art because they both are from data traffic inspection for malware or intrusion data. At the time of invention it would have been obvious to one of ordinary skill in the art, having the teachings of Smelov – Singh before him or her, to analyze data / traffic with proxy / module for malware detection of Smelov with Singh’s teaching of analysis of tampering behavior. 
The suggestion/motivation for doing so would have been to detect anomalous or malicious behavior through successive inter communications between devices (Singh para 1). 

As per claim 15 combination of Smelov-Singh teaches, the one or more tangible, non-transitory computer-readable media of claim 14, wherein the local application is a game, financial application, or medical application (Smelov para 173 teaches financial and health applications).

As per claim 17 combination of Smelov-Singh teaches, the one or more tangible, non-transitory computer-readable media of claim 14, wherein the telemetry probes comprise application programming interface (API) hooks (Smelov para 47 and 88).

As per claim 18 Smelov teaches, a server apparatus, comprising: 
a hardware platform comprising a processor and a memory (Smelov Fig 8 device 402A, para 40 teaches computer with processor, memory); 
a network interface (Smelov para 40); and instructions encoded within the memory to instruct the processor to: 
receive from a detection proxy of an endpoint telemetry data related to a user application of the endpoint's use of one or more remote application programming interfaces (APIs) (Smelov para 156 and 171, Fig 11 element 1140 to element 1120 telemetry tracker engine is interpreted as detection proxy and para 88 teaches secure API’s); 
analyze the telemetry data (Smelov para 156, Fig 11 element 1135 teaches analytics tracking engine). 
Although Smelov teaches module to detect malware (interpreted as tampering of application) it does not teach however Singh teaches, 69Attorney Docket No.:Patent Application
04796-1351 (P300042)Cloud-Based Tamper Detectiondetermine from the analysis that the user application exhibits behavior out of bounds of expected behavior for the user application (Singh para 79-83  Fig 5A element 504 and 505 teaches analyzing data / traffic for malicious behavior based on triggering event); and 
(Singh para 79-83 teaches actions to handle malicious traffic – A – notify user, B – preventing the object, C – block traffic, D – upload network analysis information to cloud service which covers claimed limitation). 
Smelov teaches analysis of telemetry data in cloud service by analysis module interpreted as detection proxy for malware (Fig 11). Smelov does not teach however Singh teaches, analysis of tampering behavior (Fig 5A). 
Smelov – Singh are analogous art because they both are from data traffic inspection for malware or intrusion data. At the time of invention it would have been obvious to one of ordinary skill in the art, having the teachings of Smelov – Singh before him or her, to analyze data / traffic with proxy / module for malware detection of Smelov with Singh’s teaching of analysis of tampering behavior. 
The suggestion/motivation for doing so would have been to detect anomalous or malicious behavior through successive inter communications between devices (Singh para 1).   

As per claim 19 combination of Smelov-Singh teaches, the server apparatus of claim 18, wherein sending the notification comprises sending the notification to a third-party cloud service that provides the one or more remote APIs (Smelov para 88 teaches secure API’s).  

As per claim 20 combination of Smelov-Singh teaches, the server apparatus of claim 18, wherein sending the notification comprises notifying a security agent on the endpoint (Smelov para 172).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2019/0342315 to Smelov et al. (hereinafter known as “Smelov”) and in view of U.S. Publication 20160285914 to Singh et al. (hereinafter known as “Singh”) and further in view of U.S. Publication 2017/0093904 to Ng et al. (hereinafter known as “Ng”).

As per claim 16 combination of Smelov-Singh teaches, the one or more tangible, non-transitory computer-readable media of claim 14. 

Smelov-Singh does not teach however Ng teaches, wherein the local application includes at least one paid feature, and wherein the tampering notification indicates that the application reached the paid feature without appropriate remuneration (Ng para 28, 51, 128 – teaches detection in revenue error as a variable for user / system / company, which covers the claimed limitation of calculation of paid feature (revenue) or remuneration of system / user).  

Smelov-Singh teaches analysis of telemetry data in cloud service by analysis module interpreted as detection proxy for malware with tampering behavior. Smelov-
Smelov – Singh – Ng are analogous art because they both are from data traffic inspection for malware or intrusion data. At the time of invention it would have been obvious to one of ordinary skill in the art, having the teachings of Smelov – Singh – Ng before him or her, to analyze data / traffic with proxy / module for malware detection of Smelov - Singh’s with Ng’s teaching of detecting of tampering of financial remuneration. 
The suggestion/motivation for doing so would have been to enhance security within multiple functions, entities, applications with metrics to reduce cyber security threat(s) (Ng para 2).   

Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kurtz et al US Publication 2021/0117544 discloses detection of malware by security as a service module based on random data samples and other steps as described in Fig 1-3.
Le Strat et al US Publication 2020/0374324 discloses malware detection based on collaboration channel between multiple devices and shared location on memory as described in Fig 5, 8 and 10.
Komarek et al US Publication 2020/0204569 discloses network security service to detection different malware classes with vector descriptor as described in Fig 4A-D.
Luthra et al US Publication 2020/0089887 discloses crowdsourcing and machine learning to improve computer system security process to generate risk profile of users as described in Fig 1, 5-6.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/VIRAL S LAKHIA/Examiner, Art Unit 2431