Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with John Pemberton on 8/12/21.

The application has been amended as follows: 

1.	(Currently Amended) A computing apparatus, comprising:
a hardware platform; and
a storage medium having stored thereon executable instructions to provide a threat detection engine configured to:
identify two or more suspicious fragment objects, wherein at least two of the two or more identified suspicious fragment objects are each located in a different location of a device, wherein the different locations include two or more of a 
store the two or more identified suspicious fragment objects; 
add the two or more stored identified suspicious fragment objects to a rolling map to provide a temporal snapshot of suspicious fragment objects over a time span; 
determine a connection between the two or more stored identified suspicious fragment objects within the rolling map by analyzing data in each of the two or more stored identified suspicious fragment objects and metadata associated with each of the two or more stored identified suspicious fragment objects to determine previous and possible future connections; 
determine if the two or more stored identified suspicious fragment objects represent a probable computer security threat;
predict a fragment object to occur on the device at an additional location different than the locations of the two or more identified suspicious fragment objects; and
provide a message to the device to search for the predicted fragment object at the additional location. 

2.	(Original) The computing apparatus of claim 1, wherein the time span is one hour.

3.	(Cancelled)

4.	(Previously Presented) The computing apparatus of claim 1, wherein determining that the two or more stored identified suspicious fragment objects represent the probable computer security threat comprises linking the two or more stored identified suspicious fragment objects based on data in each of the two or more stored identified suspicious fragment objects and metadata associated with each of the two or more stored identified suspicious fragment objects.



6.	(Cancelled) 

7.	(Cancelled)

8.	(Cancelled) 


9.	(Currently Amended) One or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to provide an inference engine configured to:
receive, over a network connection, a new suspicious fragment object from a client device;
add the new suspicious fragment object to a rolling map to provide a snapshot of suspicious fragment objects over a time span; 
identify a probable connection between the new suspicious fragment object and an existing suspicious fragment object within the rolling map by analyzing data in each of the new suspicious fragment object and the existing suspicious fragment object and metadata associated with each of the new suspicious fragment object and the existing suspicious fragment object to determine previous and possible future connections; 
determine that the identified probable connection between the new suspicious fragment object and the existing suspicious fragment object represents a probable computer security threat, wherein the new suspicious fragment object and the existing suspicious fragment object are each located in a different location of the client device, wherein the different locations include two or more of a windows management instrumentation (WMI) entry, a registry hive, an environment variable, a link, a shortcut, a macro, a scheduled task, and a cookie;
predict a fragment object to occur on the device at an additional location different than the locations of the new suspicious fragment object and existing suspicious fragment object; and
provide a message to the client device to search for the predicted fragment object at the additional location. 

10.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 9, wherein the time span is one hour.

11.	(Cancelled)

12.	(Previously Presented) The one or more tangible, non-transitory computer-readable mediums of claim 9, wherein determining that the identified probable connection between the new suspicious fragment object and the existing suspicious fragment object represents the probable computer security threat comprises linking the new suspicious fragment object and the existing suspicious fragment object based on data in each of the new suspicious fragment object and the existing suspicious fragment object and metadata associated with each of the new suspicious fragment object and the existing suspicious fragment object.

13.	(Previously Presented) The one or more tangible, non-transitory computer-readable mediums of claim 9, wherein determining that the identified probable connection between the new suspicious fragment object and the existing suspicious fragment object represents the probable computer security threat comprises identifying a verified connection between the new suspicious fragment object and the existing suspicious fragment object. 

14.	(Cancelled)

15.	(Cancelled)



17.	(Canceled) 

18.	(Canceled) 

19.	(Canceled) 

20.	(Canceled)

21.	(Currently Amended) A computer-implemented method of securing a device against a living-off-the-land attack, comprising:
receiving a new suspicious fragment object from a client device;
adding the new suspicious fragment object to a rolling map to provide a snapshot of suspicious fragment objects over a time span;
identifying a probable connection between the new suspicious fragment object and an existing suspicious fragment object within the rolling map by analyzing data in each of the new suspicious fragment object and the existing suspicious fragment object and metadata associated with each of the new suspicious fragment object and the existing suspicious fragment object to determine previous and possible future connections; 
determining that the probable connection between the new suspicious fragment object and the existing suspicious fragment object represents a probable computer security threat, wherein the new suspicious fragment object and the existing suspicious fragment object are each located in a different location of the client device, wherein the different locations include two or more of a windows management instrumentation (WMI) entry, a registry hive, an environment variable, a link, a shortcut, a macro, a scheduled task, and a cookie; 
predicting a fragment object to occur on the client device at an additional location different than the locations of the new suspicious fragment object and the existing suspicious fragment object; and
providing a message to the client device to instruct the client device to search for the predicted fragment object at the additional location.

22.	(Previously Presented) The method of claim 21, wherein the time span is one hour.

23.	(Cancelled)

24.	(Previously Presented) The method of claim 21, wherein determining that the identified probable connection between the new suspicious fragment object and the existing suspicious fragment object represents the probable computer security threat comprises linking the new suspicious fragment object and the existing suspicious fragment object based on data in each of the new suspicious fragment object and the existing suspicious fragment object and metadata associated with each of the new suspicious fragment object and the existing suspicious fragment object.

25.	(Currently Amended) The computing apparatus of claim 1, further comprising:
based on the two or more identified suspicious fragment objects, determine one or more fragment objects that are part of the probable computer security threat but have not been identified as being located on the device; and
search the device for the determined two or more identified suspicious fragment objects.

26.	(Previously Presented) The computing apparatus of claim 1, further comprising:
communicating the two or more stored identified suspicious fragment objects to a network element, wherein the network element receives a plurality of suspicious fragment objects from a plurality of devices and aggregates the plurality of suspicious fragment objects to determine if the two or more stored identified suspicious fragment objects represent the probable computer security threat.


27.	(Previously Presented) The computing apparatus of claim 26, wherein the two or more stored identified suspicious fragment objects do not represent the probable computer security threat by themselves but do represent the probable computer security threat when aggregated with the plurality of suspicious fragment objects from the plurality of devices.

28.	(Cancelled) 

29.	(New)  The one or more tangible, non-transitory computer-readable mediums of claim 9, comprising executable instructions to further provide an inference engine configured to:
receive a plurality of suspicious fragment objects from a plurality of devices; and
aggregate the plurality of suspicious fragment objects to determine if the new suspicious fragment object and the existing suspicious fragment object represent the probable computer security threat.

30.	(New)  The one or more tangible, non-transitory computer-readable mediums of claim 29, wherein the new suspicious fragment object and the existing suspicious fragment object do not represent the probable computer security threat by themselves but do represent the probable computer security threat when aggregated with the plurality of suspicious fragment objects from the plurality of devices.

31.	(New)  The method of claim 21, further comprising:
receiving a plurality of suspicious fragment objects from a plurality of devices; and
aggregating the plurality of suspicious fragment objects to determine if the new suspicious fragment object and the existing suspicious fragment object represent the probable computer security threat.


32.	(New)  The method of claim 31, wherein the new suspicious fragment object and the existing suspicious fragment object do not represent the probable computer security threat by 
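The rolling-map logic recited in independent claims 1, 9 and 21 (time-bounded snapshot, linking fragments found in different locations of one device by their data and metadata, then predicting a further location to search), as an added illustration in Python written for this page and not the applicant's implementation; the Fragment layout, the token/metadata linking rule and the CHAIN ordering used for prediction are assumptions made here.

```python
from dataclasses import dataclass

# Assumed order in which a living-off-the-land chain lays down fragments;
# used only to predict the next location to search (assumption, not from the claims).
CHAIN = ["macro", "scheduled_task", "registry_hive", "wmi_entry"]

@dataclass
class Fragment:
    device: str
    location: str   # e.g. "macro", "scheduled_task", "registry_hive", "cookie"
    data: str       # fragment content, e.g. a command line
    metadata: dict  # e.g. {"writer": "winword.exe"}; values assumed to be strings
    ts: float       # seconds since epoch

class RollingMap:
    """Temporal snapshot of suspicious fragments over a sliding time span."""
    def __init__(self, time_span=3600.0):  # claims 2/10/22: one hour
        self.time_span, self.fragments = time_span, []

    def add(self, frag):
        # Evict fragments that fell out of the window before adding the new one.
        self.fragments = [f for f in self.fragments
                          if frag.ts - f.ts <= self.time_span]
        self.fragments.append(frag)

    def connections(self, new):
        """Existing fragments on the same device, in a different location,
        sharing a data token or a metadata value with `new`."""
        tokens = set(new.data.lower().split())
        links = []
        for f in self.fragments:
            if f is new or f.device != new.device or f.location == new.location:
                continue
            shared = tokens & set(f.data.lower().split())
            shared |= set(new.metadata.values()) & set(f.metadata.values())
            if shared:
                links.append((f, shared))
        return links

    def assess(self, new):
        """Return (probable_threat, predicted_location, message_to_device)."""
        links = self.connections(new)
        if not links:
            return False, None, None
        seen = {new.location} | {f.location for f, _ in links}
        nxt = next((loc for loc in CHAIN if loc not in seen), None)
        msg = None if nxt is None else f"search {new.device} at {nxt}"
        return True, nxt, msg
```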

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 

/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495