Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
Response to Amendment
This is a reply to the application filed on 09/14/2021, in which, claim(s) 1, 3-12 and 14-24 is/are pending. 
Claim(s) 2 and 13 is/are cancelled.

Claim Rejections - 35 U.S.C. § 112:
Applicants’ arguments with respect to the 112 2nd paragraph rejection of claim(s) 12-22 have been fully considered and are persuasive. The rejection has been withdrawn in view of the amendment to the claim.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Attorney James Barta at 314.302.1451 on 09/24/2021.
The application has been amended as follows:

monitoring behaviors of one or more applications executing on one or more user devices to determine behavioral fingerprints of the one or more applications, wherein the behaviors of an application represent actions performed by the application;
determining behavioral fingerprints of known malware based on observed behaviors of the known malware, wherein the observed behaviors of the known malware represent actions performed by the known malware;
comparing the behavioral fingerprints of the one or more applications to the behavioral fingerprints of the known malware;
determining if any behavioral fingerprints of at least one of the one or more applications are similar to the behavioral fingerprints of the known malware; [[and]]
applying security policies to the at least one of the one or more applications based on a similarity of the behavioral fingerprints of the at least one of the one or more applications with the behavioral fingerprints of the known malware; and 
wherein at least one of the one or more applications executing on the one or more user devices is an unknown application, wherein the security policies are applied to the unknown application based on an age of the unknown application and calculating a trust score of the unknown application based on the age of the unknown application.
2. (Canceled)

4. (Previously Presented) The method of claim 1, further comprising identifying polymorphic viruses based on whether the one or more applications with different file hashes than the known malware exhibit similar observed behaviors as the known malware.
5. (Previously Presented) The method of claim 1, further comprising identifying a unique application that only occurs on a single device as a malware based on whether the unique application exhibits similar observed behaviors as the malware.
6. (Previously Presented) The method of claim 1, wherein the polymorphic malware is a malware that mutates to change contents of files containing the malware and behavior of the malware with respect to previous versions of the malware.
7. (Cancelled)
8. (Previously Presented) The method of claim 1, further comprising receiving, by a security policy system, behavioral information from the one or more user devices, the behavioral information indicating behaviors of the one or more applications executing on the one or more user devices.
9. (Previously Presented) The method of claim 8, wherein the security policy system stores the behavioral information from the one or more user devices in a behavioral history database.
at least one of the one or more applications 
11. (Previously Presented) The method of claim 1, wherein the monitored behaviors include one or more of forming network connections, making system application programming interface (API) calls, accessing, creating and loading files, changing system configurations including modifying system registry values, and monitoring user inputs including turning on microphones or monitoring keystrokes of the user devices.
12. (Currently Amended) A system for identifying polymorphic malware on user devices, the system comprising:
at least one processor and memory, wherein the processor is programmed to:

monitor behaviors of [[the]] one or more applications executing on [[the]] one or more user devices to determine behavioral fingerprints of the one or more applications, wherein the behaviors of an application represent actions performed by the application;
determine behavioral fingerprints of [[the]] known malware based on observed behaviors of the known malware, wherein the observed behaviors of the known malware represent actions performed by the known malware;
compare the behavioral fingerprints of the one or more applications to the behavioral fingerprints of the known malware;
determine if any behavioral fingerprints of at least one of the one or more applications are similar to the behavioral fingerprints of the known malware;
apply security policies to the at least one of the one or more applications based on a similarity of the behavioral fingerprints of the at least one of the one or more applications with the behavioral fingerprints of the known malware; and 
wherein at least one of the one or more applications executing on the one or more user devices is an unknown application, wherein the security policies are applied to the unknown application based on an age of the unknown application and calculating a trust score of the unknown application based on the age of the unknown application.
13. (Canceled) 
14. (Previously Presented) The system of claim 12, further comprising identifying the one or more applications as polymorphic variations of specific instances of the known malware based on behaviors exhibited by the specific instances of the known malware and the monitored behaviors of the one or more applications.
15. (Previously Presented) The system of claim 12, further comprising identifying polymorphic viruses based on whether the one or more applications with different file hashes than the known malware exhibit similar observed behaviors as the known malware.

17. (Previously Presented) The system of claim 12, wherein the polymorphic malware is a malware that mutates to change contents of files containing the malware and behavior of the malware with respect to previous versions of the malware.
18. (Cancelled)
19. (Currently Amended) The system of claim 12, further comprising receiving, by a security policy system, 
20. (Previously Presented) The system of claim 19, wherein the security policy system comprises a behavioral history database storing the behavioral information from the one or more user devices.
21. (Currently Amended) The system of claim 19, wherein applying the security policies to the at least one of the one or more applications comprises the security policy system updating the security policies based on the behavioral information, sending the updated security policies to the one or more user devices, and a security agent software executing on the one or more user devices enforcing the updated security policies.

23. (Currently Amended) One or more non-transitory computer readable media storing instructions that upon execution by a computing device perform a method comprising:
monitoring behaviors of one or more applications executing on one or more user devices to determine behavioral fingerprints of the one or more applications, wherein the behaviors of an application represent actions performed by the application;
determining behavioral fingerprints of known malware based on observed behaviors of the known malware, wherein the observed behaviors of the known malware represent actions performed by the known malware;
comparing the behavioral fingerprints of the one or more applications to the behavioral fingerprints of the known malware;
determining if any behavioral fingerprints of at least one of the one or more applications are similar to the behavioral fingerprints of the known malware; [[and]]
applying security policies to the at least one of the one or more applications based on a similarity of the behavioral fingerprints of the at least one of the one or more applications with the behavioral fingerprints of the known malware; and 
wherein at least one of the one or more applications executing on the one or more user devices is an unknown application, wherein the security policies are applied to the unknown application based on an age of the unknown application and calculating a trust score of the unknown application based on the age of the unknown application.
24. (Currently Amended) The one or more non-transitory computer readable media of claim 23, wherein the at least one of the one or more applications executing on the one or more user devices is an unknown application, wherein the security policies are applied to the unknown application based on determining whether the unknown application displayed a visible window.
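
The steps recited in claims 1, 4 and 11 can be illustrated in code; the following is an added example and is not part of the Office action or the application. It assumes that a behavioral fingerprint is a set of action labels compared by Jaccard similarity and that the trust score grows linearly with age; the threshold, the 30-day window, the policy names and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

SIMILARITY_THRESHOLD = 0.6  # assumed; the claims do not fix a value
MATURITY_DAYS = 30          # assumed age at which trust saturates

@dataclass(frozen=True)
class Sample:
    name: str
    file_hash: str
    behaviors: frozenset    # fingerprint: set of observed action labels
    age_days: int = 0       # time since the application was first seen

def similarity(a, b):
    """Jaccard similarity of two behavioral fingerprints."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def trust_score(age_days):
    """Age-based trust in [0, 1]; newer applications score lower."""
    return min(max(age_days, 0) / MATURITY_DAYS, 1.0)

def evaluate(app, known_malware):
    """Return (policy, matched_malware_name, polymorphic_candidate)."""
    best = max(known_malware, default=None,
               key=lambda m: similarity(app.behaviors, m.behaviors))
    if best and similarity(app.behaviors, best.behaviors) >= SIMILARITY_THRESHOLD:
        # Similar behavior under a different file hash suggests a mutated variant.
        return "quarantine", best.name, app.file_hash != best.file_hash
    # No behavioral match: policy for the unknown application follows its age.
    policy = "allow" if trust_score(app.age_days) >= 0.5 else "restrict"
    return policy, None, False

# Constructed sample data (labels, hashes and names are placeholders).
MALWARE = [Sample("known-keylogger", "hash-A", frozenset(
    {"input:keystrokes", "net:connect", "registry:modify", "file:create"}))]
VARIANT = Sample("updater.exe", "hash-B", frozenset(
    {"input:keystrokes", "net:connect", "registry:modify", "file:create",
     "file:load"}), age_days=2)
NEW_TOOL = Sample("notes.exe", "hash-C",
                  frozenset({"file:create", "file:load"}), age_days=3)
OLD_TOOL = Sample("editor.exe", "hash-D",
                  frozenset({"file:create", "file:load"}), age_days=90)

if __name__ == "__main__":
    for s in (VARIANT, NEW_TOOL, OLD_TOOL):
        print(s.name, evaluate(s, MALWARE))
```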

Allowable Subject Matter
Claims 1, 3-6, 8-12, 14-17 and 19-24 are allowed.

The following is an examiner’s statement of reasons for allowance: 
This communication warrants No Examiner's Reason for Allowance as it was previously stated in the Final Rejection filed on 07/01/2021; as such, the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998.  The examiner can normally be reached on 7:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAO Q HO/Primary Examiner, Art Unit 2432