Remarks
Claims 1, 2, 4, 5, 7, and 10-34 are pending.  
Claims 10-34 remain withdrawn from consideration.  
Claims 1, 2, 4, 5, and 7 are rejected below.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 5/3/2021 have been fully considered but they are not persuasive.
Applicant argues the first 2 limitations of claim 1, appears to quote the office action, copies in claim 22 of Shukla, and alleges “Applicants respectfully disagree because Shukla does not specifically teach disassembling an executable binary code application but rather merely scanning a module binary.  Applicants respectfully submit that disassembling the executable binary code application but rather merely scanning a module binary.”  Applicant then alleges “Accordingly, Applicants respectfully submit that one of ordinary skill in the art would find that Shukla’s scanning of a module binary does not teach disassembling the executable binary code application.”  Claim 22 of Shukla was not cited for this subject matter.  Therefore, Applicant’s reliance thereon is of no significance to the actual rejection.  Shukla clearly discloses disassembling an executable binary code application, for example, in determining where various calls are, .  

Claim Objections
Claim 1 is objected to because of the following informalities:  Claim 1 attempts to reference “an API cell”, but it is unclear just what an API cell is.  The previous office action interpreted this as “API call” as can be seen in the prior art rejection, which is how it should be amended.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-9 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.  
The claims are replete with antecedent basis issues and other 112(b) issues for indefiniteness.  In some cases, it is unclear if certain subject matter is the same as the 
Claim 1, “loading” limitation: “the memory of the validation code”, “an API call type”, “an API call target”, “an API call location”, “an API call return location”, “a privileged instruction type”, and “a privileged instruction location”.  
Claim 1, “transmitting” limitation: “the event stating a type, a location address, a target address, and a return address”.  
Claim 1, “implementing” limitation: “an event”.  
Claim 3: “the API call he privileged instruction”.  
Claim 4: “an API call location”.  
Claim 5: “the API call location”, “the argument”, “the disassembled structure”, and “the binary executable”.  
Claim 6: “the rule list” and “the rule server”.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 5, and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla (U.S. Patent Application Publication 2008/0016339) in view of Yun (U.S. Patent 9,619,649).
Regarding Claim 1,
Shukla discloses a method for monitoring and validating an execution of an executable binary code, comprising the steps of:
With at least one computer processor, disassembling an executable binary code application (Exemplary Citations: for example, Paragraphs 32, 37-39, 41-43, 45, 46, 56, 58, 60-64, 68-70, 73, 74, 77, 79, 80, and associated figures; making any analysis on a portion of code and/or determining what any portion of code is doing, calling, or the like, for example);

Listing a type of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; API function type (e.g., file manipulation, process creation, network access, etc.), for example);
Listing a location of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; any address or other location associated with the API call, for example);
Listing a target of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; target address or next API call in a sequence of calls, for example);
Listing a location of return from the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; return address, for example);
Detecting a privileged instruction that is executed by the executable binary code (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; any instruction is privileged somehow, for example);

Listing a type of the privileged instruction (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; types similar to the above, for example);
Listing a location of the privileged instruction (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; location, module, or the like, for example);
Creating a rule set for validating the API call and the privileged instruction execution by the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-82, and associated figures; generating rules and/or the entirety of the system of Shukla, for example);
Transmitting the rule set to a validation code at an enforcement point (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; ruleset being given to the system to be protected, for example);
Loading the rule set in a memory of the validation code, wherein the rule set pertains to an API call type, an API call target, an API call location, an API call return location, a privileged instruction type and a privileged instruction location (Exemplary Citations: for example, 
During an execution of the executable binary code application, monitoring the executable binary code to determine a conformity of the API call and the privileged instruction made by the executable binary code application with the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; monitoring API calls, for example);
Inserting a monitoring and validation code that, during execution of the executable binary code application, generates an event based on the API call or the privileged instruction (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; injecting module into application or kernel-level component that validates API calls and creates events, for example);
Transmitting an event stating a type, location address, target address, and return address for an observed API call or the location of the privileged instruction (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; recorded events with addresses similar to those discussed above sent to memory or other entity, for example);
Transmitting the event based on the API call or the privileged instruction to a validator application, wherein the validator application 
With the validator application (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures):
Checking a conformity of the event based on an API call or the privileged instruction with the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; validating API call, for example);
Implementing a default action when a rule violation is detected for an event associated with an API call or a privileged instruction during an execution of the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; any action, such as finding and deleting the malware.  Further subject matter related to this found in paragraphs 94-109, for example);
Applying an additional validation for the API call and the privileged instruction in the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures); and
Wherein a rule list is used to validate the API call and the privileged instruction executed by the application (Exemplary Citations: for example, 
But does not explicitly disclose that the API call and the privileged instruction is reported to a rule server and a corresponding rule is received, that the rule list is downloaded from a rule server, and that an additional information about a system state is reported to the rule server.  
Yun, however, disclose that the API call and the privileged instruction is reported to a rule server and a corresponding rule is received (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; parameter, API call, system call, etc. being sent/reported to server, for example);
Wherein a rule list is downloaded from a rule server and used to validate the API call and the privileged instruction executed by the application (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; list of parameters, information, black list, or the like, as examples);
Wherein an additional information about a system state is reported to the rule server (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; any additional information, for example).  It would have been 
Regarding Claim 2,
Shukla as modified by Yun discloses the method of claim 1, in addition, Shukla discloses that the executable binary code comprises an application, a dynamic loaded library, a kernel module, a hypervisor, a set of firmware, or a memory page (Exemplary Citations: for example, Paragraphs 32, 37-39, 41-43, 45, 46, 56, 58, 60-64, 68-70, 73, 74, 77, 79, 80, and associated figures).  
Regarding Claim 4,
Shukla as modified by Yun discloses the method of claim 1, in addition, Shukla discloses that an API call location or the privileged instruction location is validated with a specified disassembled structure of the binary executable code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures).  
Regarding Claim 5,

Regarding Claim 7,
Shukla as modified by Yun discloses the method of claim 1, in addition, Shukla discloses that a dynamic analysis is performed to determine the API call and the privileged instruction executed by the application and to create the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures).  

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432