DETAILED ACTION
1.	Claims 1-20 are pending in this examination.
Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Allowable Subject Matter
4.	Claims 7, 14 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, as well as overcoming the nonstatutory obviousness-type double patenting rejection.

Double Patenting
5.1.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s). See In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

5.2.	Claims 1, 7-8, 14-15, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4, 8, 11 of U.S. Patent No. 10387642, US Patent Application No. 20090119681 to Bhogal et al (“Bhogal”) in view of China Application Patent No. CN1694411 to Jinpeng et al (“Jinpeng”).

Instant application No. 
Claims: 8, 14,
Patent No. 12/603,229
Claims: 8
8. A storage disk or storage device comprising instructions that, when executed, cause at least one processor to at least: 

deploy respective ones of a plurality of standard detection algorithms and content (SDACs) to respective ones of a first endpoint and a second endpoint; 

deploy a first set of enhanced detection algorithms and content (EDACs) to the first endpoint;

deploy a second set of the EDACs to the second endpoint, the second set of EDACs different from the first set of EDACs; and

in response to obtaining a notification indicative of an exploit attack from the first endpoint, distribute the first set of EDACs to the second endpoint to facilitate detection of the exploit attack at the second endpoint.

14. The storage disk or storage device of claim 8, wherein the first set of EDACs is to cause the first endpoint to:
generate behavioral data associated with the first endpoint; extract a first profile corresponding to the behavioral data;

access standard detection algorithms and content (SDACs);

access a first set of enhanced detection algorithms and content (EDACs) of a plurality of sets of EDACs, the SDACs and different ones of the sets of EDACs to be initially deployed to respective ones of the endpoints from a server;

generate a first set of behavioral data associated with the processor of the first endpoint based on the SDACs; generate a
transmit an alert indicative of the exploit attack to an endpoint security product associated with the server to cause the server to distribute the first set of EDACs to a second one of the endpoints to facilitate detection of the exploit attack at the second endpoint.

Claim 1. ……generate a first set of behavioral data associated with the processor of the first endpoint based on the SDACs; generate a second set of behavioral data associated

As to claim 8, although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature to that of US patent application no 10387642, as seen in the table above. Furthermore, US patent application no 10387642 does not explicitly disclose a first and second endpoint. However, Bhogal discloses a first and second endpoint (Bhogal, [0015], virus protection software installed on each other computing device in the plurality of computing devices associated with the social group).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of US patent application no 10387642 with the teaching of Bhogal by including the feature of different endpoints, in order for US patent application no 10387642’s system to provide antivirus software to all endpoints for complete protection, so that all endpoints are secured and protected from attack.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of US patent application no 10387642 with the teaching of Jinpeng/Bhogal by including the feature of different analysis algorithms, in order for US patent application no 10387642’s system to provide a novel network intrusion detection system, which has a secondary decision-making kernel, wherein each level of decision-making kernel adopts different analysis algorithms, thereby effectively avoiding the defects of an existing single analysis algorithm, reducing false positives and reporting phenomena, and improving the detection effect (Jinpeng, page 3).

Claims 1, 7, 15, and 20 of the instant application are rejected for similar reasons as stated above.
This is a nonstatutory obviousness-type double patenting rejection. 



Claim Rejections - 35 USC § 103
6.1.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


6.2.	Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20090119681 to Bhogal et al (“Bhogal”) in view of China Application Patent No. CN1694411 to Jinpeng et al (“Jinpeng”).
 	As per claim 1, Bhogal discloses a server to improve detection of computer security exploit attacks, the server comprising: at least one processor; and memory including instructions that, when executed, cause the at least one processor to: deploy respective ones of a plurality of standard detection algorithms and content (SDACs) to respective ones of a first endpoint and a second endpoint ([0015], virus protection software installed on each other computing device in the plurality of computing devices associated with the social group.);
deploy a first set of enhanced detection algorithms and content (EDACs) to the first endpoint ([0016], potential exposure to the computer virus and that the update or patch has already been installed on an associated computing device; also see [0053], [0055]);

in response to obtaining a notification indicative of an exploit attack from the first endpoint, distribute the first set of EDACs to the second endpoint to facilitate detection of the exploit attack at the second endpoint ([0017] installing the update or patch in virus protection software of the at least one of the one or more second computing devices, and running the virus protection software of the at least one of the one or more second computing devices… The notification message may include an indication of a timeframe in which the computer virus was spread to other computing devices in the plurality of computing devices., also see [0057], [0052], [0055]).
Additionally, Bhogal discloses the determination of the particular update/patch required to block or eradicate the virus [0053] … tailored/customized to the specific client computing devices 112-114 based on their current update/patch status as identified in the social group update/patch status data structure [0055]. However, Bhogal does not explicitly disclose, but in the same field of endeavor Jinpeng discloses, the second set of EDACs different from the first set of EDACs (Page 3, The network intrusion detection system has a two-stage decision kernel, each level of decision-making kernel adopts different analysis algorithms... The first-stage decision-making kernel, The second-stage decision-making kernel, first stage and the second stage are respectively distributed on different hosts; also see pages 6-7, decision analysis logic in the decision core B should be performed at different angles from the kernel A).


Claims 8 and 15 are rejected for similar reasons as stated above.

6.3.	Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bhogal and Jinpeng as applied to claim above, and in view of US Patent Application No. 20040210653 to Kanoor et al (“Kanoor”).

As per claim 2, the combination of Bhogal and Jinpeng discloses the invention as described above. Bhogal and Jinpeng do not explicitly disclose, however, in the same field of endeavor, Kanoor discloses the server of claim 1, wherein the at least one processor is to transmit a security policy to the first and the second endpoints, the security policy to cause the first endpoint to request the first set of EDACs and to cause the second endpoint to request the second set of EDACs (Kanoor, [0012], based on policy data … forwarding the patch from the second device to the target device and applying the patch to the target device).

Claims 9 and 16 are rejected for similar reasons as stated above.

6.4.	Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bhogal and Jinpeng as applied to claim above, and in view of US Patent Application No. 20190317465 to Wei et al (“Wei”).

As per claim 3, the combination of Bhogal and Jinpeng discloses the invention as described above. Bhogal and Jinpeng do not explicitly disclose, however, in the same field of endeavor, Wei discloses the server of claim 1, wherein the at least one processor is to: determine a type of the exploit attack based on data included in the notification; and distribute a third set of EDACs to the first and the second endpoints based on the type of the exploit attack ([0036], a new vulnerability is disclosed, either by a device within the automation environment or by an external source. At step 345, the SOC verifies and reproduces the vulnerability. Next, at step 350, the SOC creates a new vulnerability exploitation detection signature which will enable a particular device to identify the vulnerability and attempts to exploit it. Then, at step 325, a virtual patch is created and distributed to each customer that the signature is applicable to (based e.g., on matching firmware version, hardware, and other parameters)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bhogal with the teaching of Jinpeng/Wei by including the feature of a virtual patch that is created and distributed to each customer to which the signature is applicable, in order for Bhogal’s system to improve the resiliency of control systems, with respect to cyberattacks, with virtual patching and automated distribution of security context information. The virtual patch described herein may be deployed as PLC kernel module application with in-depth low level access to the operating system and memory to detect and, if configured, intercept suspicious activities or configuration commands. Virtual patching for PLCs may be applied to greatly mitigate the problems associated with patching of live production

Claims 10 and 17 are rejected for similar reasons as stated above.

6.5.	Claims 4-5, 11-12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Bhogal and Jinpeng as applied to claim above, and in view of US Patent Application No. 105631332 to Weishu et al (“Weishu”).

As per claim 4, the combination of Bhogal and Jinpeng discloses the invention as described above. Bhogal and Jinpeng do not explicitly disclose, however, in the same field of endeavor, Weishu discloses the server of claim 1, wherein the at least one processor is to transmit a command to the first endpoint to kill or suspend execution of affected code associated with the exploit attack (page 2, Scanning files in the mobile terminal to find at least one malicious program; Clearing the malicious program; If the clearing fails, a process list is obtained based on the process view command; Finding a process of the malicious program based on the process list, and ending the process of the malicious program; Isolate the malicious program).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bhogal with the teaching of Jinpeng/ Wei by including the feature of kill or suspend execution of attack/code, in order for Bhogal’s system by scanning the files in the mobile terminal, after the 

As per claim 5, the combination of Bhogal, Jinpeng and Weishu discloses the server of claim 1, wherein the at least one processor is to transmit a command to the first endpoint to move execution of affected code associated with the exploit attack to a protected sandbox of the first endpoint (Weishu, page 2, Scanning files in the mobile terminal to find at least one malicious program; Clearing the malicious program; If the clearing fails, a process list is obtained based on the process view command; Finding a process of the malicious program based on the process list, and ending the process of the malicious program; Isolate the malicious program). The motivation regarding the obviousness of claim 4 is also applied to claim 5.
Claims 11-12 and 18 are rejected for similar reasons as stated above.


6.6.	Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bhogal and Jinpeng as applied to claim above, and in view of “Creating A Patch And Vulnerability Management Program” by  Mell et al (“Mell”).


Additionally, Bhogal discloses in paragraph ([0017] installing the update or patch in virus protection software of the at least one of the one or more second computing devices, and running the virus protection software of the at least one of the one or more second computing devices… The notification message may include an indication of a timeframe in which the computer virus was spread to other computing devices in the plurality of computing devices., also see [0057], [0052], [0055]).
Bhogal and Jinpeng do not explicitly disclose, however, in the same field of endeavor, Mell discloses in response to not obtaining the notification by a second time, deploy a third set of EDACs to the first endpoint, the second time after the first time (Page 15, If the host does not respond to the request or the response indicates that the host is not fully patched, the network device causes the host to be placed onto a separate VLAN. This allows the organizations to update the unpatched hosts… Once a host on the VLAN has been fully updated, it is moved automatically from the VLAN to the organization’s regular network. The VLAN strategy can be particularly helpful for ensuring that mobile hosts are fully patched.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bhogal with the teaching .

7.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892).
a). US Patent Application No. 20060098585 to Singh et al. discloses a method and apparatus for detecting malicious attacks. The method may comprise obtaining routing information from a packet communicated via a network and maintaining a count of packets associated with a device associated with the routing information. For example, the routing information may be a source or destination IP address, a port number, or any other routing information. The device may be classified as a potentially malicious device when the count exceeds a threshold. The count may be incremented when the TCP SYN flag is set and the TCP ACK flag is not set. An embodiment comprises obtaining a source hash of the source IP address and a destination hash of the destination IP address. Thereafter, the source hash and the destination hash may be mapped to multi stage filters. The device associated with the packet may then be selectively categorized as a suspicious device.

Conclusion
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

HARUNUR RASHID
Primary Examiner

/HARUNUR RASHID/Primary Examiner, Art Unit 2497