Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that 
Claims 1,3-8, 10-15, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kapoor et al. US 20160378979 (“Kapoor”) and further in view of Gupta et al. US 20180324195 (“Gupta”) and MacLeod et al. US 20180351968 (“MacLeod”).
Regarding claim 1, Kapoor teaches a computer-implemented method for detecting a malicious application, comprising: detecting a first process has been launched on a computing device (detecting a first process, abstract[0122-0129], processor 310 is mentioned in [0058]); receiving from the first process an execution stack associated with the one or more control points of the first process (A “ready” or “waiting” process has been loaded into main memory and is awaiting execution on a processor…. only one process may execute at any one time, and all other “concurrently executing” processes will be waiting for execution, [0066]); and responsive to detecting activity on the one or more control points of the first process (A process is “running” when the dispatcher has dispatched it to a processing core for execution. The process's instructions are executed by a processor or processing core, [0067]), (When the process is malicious, candidate malicious object 510 creates legitimate process 520 with its initial thread suspended. Candidate malicious object 510 then modifies suspended thread 530 to insert its own malware objects. This creates subverted process 182, which may be considered a malware object. Security agent 224 may detect the suspicious behavior and trace subverted process 182 back to candidate malicious object 510. Thus, candidate malicious object 510 may itself be treated as a malware object, and appropriate remedial action may be taken, [0068-0086]).
Kapoor does not explicitly teach monitoring at least one thread associated with the first process using one or more control points of the first process.
Gupta teaches the monitoring (In the monitor mode, as runtime information arrives and is analyzed by the Analysis Engine, it generates notifications, [0116]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Kapoor and Gupta do not explicitly teach generating an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.
Macleod teaches applying machine learning algorithms to identify a malicious attack (see [0046]).
Kapoor, Gupta and Macleod are analogous to malware detection. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor and Gupta with Macleod for the purpose of quickly identifying and preventing propagation of a malware attacks that evade detection (see Macleod, [0006]).
Regarding claim 3, Kapoor teaches wherein the detecting the first process has launched and the monitoring the at least one thread associated with the first process is performed by a file protector driver module (To intercept such malicious behavior, examples of malicious or suspicious behavior that security agent 224 may detect include the following: a. creating another thread. This may be done from a user mode hook in candidate malicious object 510 or a kernel mode callback. b. Modifying code. This may be done from a user mode hook in candidate malicious object 510 or in a hypervisor memory monitor. c. Modifying thread state, such as the start address. This may be done from a user mode hook in candidate malicious object 510. d. Modifying data, such as the process environment block (PEB) or 
Regarding claim 4, Kapoor or Gupta do not explicitly teach wherein the one or more control points are associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
Macleod teaches minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., open, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320, see Macleod [0083-0085, 0090]).
Kapoor, Gupta and Macleod are analogous to malware detection. Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor, Gupta and Macleod for the purpose of logging and isolating suspicious files so the user can restore the files if they were a false positive, see Macleod [0097].
Regarding claim 5, Kapoor teaches wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process (It should also be noted that candidate malicious object 510 may comprise more than one discrete malware process cooperating to exploit legitimate process 520. For example, if candidate malicious object 510 (A) intends to compromise legitimate process 520 (B), the following may occur, by way of illustrative and nonlimiting example: a. A creates B suspended. b. A creates C, D, and E. c. C injects code into B (legitimate object 520).  d. D creates a thread into B. e. E resumes the main thread in B (see Kapoor [0099-0104]).
Regarding claim 6, Kapoor does not explicitly teach 
Gupta teaches the second process comprises a shared-service process configured to import third-party processes to be embedded in the second process as separate threads (The application may also leverage its own or third party libraries, [0119]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Regarding claim 7, Kapoor teaches further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process (Remedial action may then be taken as appropriate or necessary, see Kapoor abstract, [0010, 0041, 0080, 0105-0106].
Regarding claim 8, Kapoor teaches a computer-implemented method for detecting a malicious application, comprising: detecting a first process has been launched on a computing device (detecting a first process, abstract[0122-0129], processor 310 is mentioned in [0058]); receiving from the first process an execution stack associated with the one or more control points of the first process (A “ready” or “waiting” process has been loaded into main memory and is awaiting execution on a processor…. only one process may execute at any one time, and all other “concurrently executing” processes will be waiting for execution, [0066]); and responsive to detecting activity on the one or more control points of the first process (A process is “running” when the dispatcher has dispatched it to a processing core for execution. The process's instructions are executed by a processor or processing core, [0067]), generating an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process (When the process is malicious, candidate malicious object 510 creates legitimate process 520 with its 
Kapoor does not explicitly teach monitoring at least one thread associated with the first process using one or more control points of the first process.
Gupta teaches the monitoring (In the monitor mode, as runtime information arrives and is analyzed by the Analysis Engine, it generates notifications, [0116]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Regarding claim 10, 
Regarding claim 11, Kapoor or Gupta do not explicitly teach wherein the one or more control points are associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
Macleod teaches minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., open, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320, see Macleod [0083-0085, 0090]).
Kapoor, Gupta and Macleod are analogous to malware detection. Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor, Gupta and Macleod for the purpose of logging and isolating suspicious files so the user can restore the files if they were a false positive, see Macleod [0097].
Regarding claim 12, Kapoor teaches wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process (It should also be noted that candidate malicious object 510 may comprise more than one discrete malware process cooperating to exploit legitimate process 520. For example, if candidate malicious object 510 (A) intends to compromise legitimate process 520 (B), the following may occur, by way of illustrative and nonlimiting example: a. A creates B suspended. b. A creates C, D, and E. c. C injects code into B (legitimate object 520).  d. D creates a thread into B. e. E resumes the main thread in B (see Kapoor [0099-0104]).
Regarding claim 13, Kapoor does not explicitly teach 
Gupta teaches the second process comprises a shared-service process configured to import third-party processes to be embedded in the second process as separate threads (The application may also leverage its own or third party libraries, [0119]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Regarding claim 14, Kapoor teaches further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process (Remedial action may then be taken as appropriate or necessary, see Kapoor abstract, [0010, 0041, 0080, 0105-0106].
Regarding claim 15, Kapoor teaches a non-transitory computer readable medium comprising computer executable instructions for detecting a malicious application, including instructions for: detecting a first process has been launched on a computing device (detecting a first process, abstract[0122-0129], processor 310 is mentioned in [0058]); receiving from the first process an execution stack associated with the one or more control points of the first process (A “ready” or “waiting” process has been loaded into main memory and is awaiting execution on a processor…. only one process may execute at any one time, and all other “concurrently executing” processes will be waiting for execution, [0066]); and responsive to detecting activity on the one or more control points of the first process (A process is “running” when the dispatcher has dispatched it to a processing core for execution. The process's instructions are executed by a processor or processing core, [0067]), generating an indication that the execution of the first process is malicious by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process 
Kapoor does not explicitly teach monitoring at least one thread associated with the first process using one or more control points of the first process.
Gupta teaches the monitoring (In the monitor mode, as runtime information arrives and is analyzed by the Analysis Engine, it generates notifications, [0116]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Regarding claim 17, Kapoor teaches wherein the detecting the first process has launched and the monitoring the at least one thread associated with the first process is performed by a file protector driver module (To intercept such malicious behavior, examples of malicious or suspicious behavior that security agent 224 may detect include the following: a. creating another thread. This may be done from a user mode hook in candidate malicious object 510 or a kernel mode callback. b. Modifying code. This may be done from a user mode hook in candidate malicious object 510 or in a hypervisor memory monitor. c. Modifying thread state, such as the start address. This may be done from a user mode hook in candidate malicious object 510. d. Modifying data, such as the process environment block (PEB) or 
Regarding claim 18, Kapoor or Gupta do not explicitly teach wherein the one or more control points are associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread.
Macleod teaches minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., open, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320, see Macleod [0083-0085, 0090]).
Kapoor, Gupta and Macleod are analogous to malware detection. Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor, Gupta and Macleod for the purpose of logging and isolating suspicious files so the user can restore the files if they were a false positive, see Macleod [0097].
Regarding claim 19, Kapoor teaches wherein the one or more control points are associated with a system call to create a remote thread that runs in a virtual address space of a second process (It should also be noted that candidate malicious object 510 may comprise more than one discrete malware process cooperating to exploit legitimate process 520. For example, if candidate malicious object 510 (A) intends to compromise legitimate process 520 (B), the following may occur, by way of illustrative and nonlimiting example: a. A creates B suspended. b. A creates C, D, and E. c. C injects code into B (legitimate object 520).  d. D creates a thread into B. e. E resumes the main thread in B (see Kapoor [0099-0104]).
Regarding claim 20, Kapoor does not explicitly teach 
Gupta teaches the second process comprises a shared-service process configured to import third-party processes to be embedded in the second process as separate threads (The application may also leverage its own or third party libraries, [0119]).
Kapoor and Gupta are analogous to automated runtime detection of malware. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor with Gupta for the purpose of detecting one or more security events and tracking the security events using a state machine, to prevent malware attacks (see Gupta abstract and [0002-0003]).
Regarding claim 21, Kapoor teaches further comprising: responsive to receiving the indication that the execution of the first process is malicious, performing a remedial action comprising restoration of a file modified by the first process and termination of the first process (Remedial action may then be taken as appropriate or necessary, see Kapoor abstract, [0010, 0041, 0080, 0105-0106].
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kapoor et al. US 20160378979 (“Kapoor”) in view of Gupta et al. US 20180324195 (“Gupta”), in view of MacLeod et al. US 20180351968 (“MacLeod”) and further in view of Modani et al. US 20080010526 (“Modani”).
Regarding claim 2, Kapoor as modified above does not explicitly recite wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring.
Modani recites wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring (a method for identifying names of uninformative functions in call-stack traces. The method comprises the steps of obtaining a set of call-stacks and information indicative of which call-stack traces in the set match a particular call-stack trace; for each matching call-stack trace pair, incrementing a false negative counter for each function name above a first matching function name in a respective call-stack trace pair; for each non-matching call-stack trace 
Kapoor, Gupta and Modani are analogous to identifying uninformative function names in a call stack trace. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor and Gupta with Modani for the purpose of diagnosing software problems based on known software problems that are useful in helpdesk and autonomic computing applications (see Modani abstract).
Regarding claim 9, Kapoor or Gupta do not explicitly recite wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring.
Modani recites wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring (a method for identifying names of uninformative functions in call-stack traces. The method comprises the steps of obtaining a set of call-stacks and information indicative of which call-stack traces in the set match a particular call-stack trace; for each matching call-stack trace pair, incrementing a false negative counter for each function name above a first matching function name in a respective call-stack trace pair; for each non-matching call-stack trace pair, incrementing a false positive counter for each function name above a first non-matching function name in a respective call-stack pair, [0015-0021]).
Kapoor, Gupta and Modani are analogous to identifying uninformative function names in a call stack trace. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor and Gupta with Modani for the purpose of diagnosing software problems based on known software problems that are useful in helpdesk and autonomic computing applications (see Modani abstract).
Regarding claim 16, Kapoor or Gupta do not explicitly recite 
Modani recites wherein the monitoring the at least one thread associated with the first process is performed using call stack trace monitoring (a method for identifying names of uninformative functions in call-stack traces. The method comprises the steps of obtaining a set of call-stacks and information indicative of which call-stack traces in the set match a particular call-stack trace; for each matching call-stack trace pair, incrementing a false negative counter for each function name above a first matching function name in a respective call-stack trace pair; for each non-matching call-stack trace pair, incrementing a false positive counter for each function name above a first non-matching function name in a respective call-stack pair, [0015-0021]).
Kapoor, Gupta and Modani are analogous to identifying uninformative function names in a call stack trace. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Kapoor and Gupta with Modani for the purpose of diagnosing software problems based on known software problems that are useful in helpdesk and autonomic computing applications (see Modani abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mirza Israr Javed whose telephone number is (571)270-0332.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Lynn Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/Mirza Israr Javed/Examiner, Art Unit 2437                                                                                                                                                                                                        

/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437