Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.  This action is in response to the amendment filed 7/27/2021.
2.  Claims 1-20 have been examined and are pending in the application.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


3.  Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Steinberg, U.S. Patent No. 10,846,117.
As to claim 1, Steinberg teaches an intrusion detection system (…facilitate run-time security analysis, including exploit and malware detection and threat intelligence…, lines 57-58 column 6), comprising: 
a monitor to receive messages from a target over a communication link comprising a controlled access memory structure logically positioned between the target and the monitor using a point-to-point interconnect, the controlled access memory structure to store the messages including a message from the target indicating that the target has entered a controlled mode of operation (…a guest-to-host (G2H) buffer 610 is used as a first message box configured to provide unidirectional communication from the guest (agent 360) to the host (threat protection component 354) and a host-to-guest (H2G) buffer 620 is used as a second message box configured to provide unidirectional communication from the threat protection component 354 (virtualization layer 310) to the agent 360. The buffers cooperate to transform the virtual device into a low-latency, high-bandwidth communication interface 600 configured for bi-directional transfer of information between the agent process 360 and the threat protection component (hyper-process) of the virtualization layer 310, wherein the communication interface 600 also includes a signaling (doorbell) mechanism 650 configured to notify any of the processes (i.e., the agent or hyper-process) that information is available for transfer over the interface…, line 8 column 15 to line 6 column 16),
the monitor to compare the messages retrieved from the controlled access memory structure to information of an expected behavior of the target, for detecting a deviation from the expected behavior that is indicative of an intrusion (…The threat protection component 354 may include instrumentation logic implemented as heuristics configured to determine the presence of an exploit or malware in any suspicious guest operating system process (kernel or user mode). To that end, the threat protection component 354 may include software program code (e.g., executable machine code) in the form of instrumentation logic (including decision logic) configured to analyze one or more interception points originated by one or more guest processes … computer executable instructions executed by the CPU 210 to perform operations that initialize and implement the instrumentation logic. As used herein, an interception point is a point in an instruction stream where control passes to (e.g., is intercepted by) the virtualization layer 310, e.g., the micro-hypervisor 320. Illustratively, the micro-hypervisor can intercept execution inside the guest operating system at arbitrary points such as (i) inside any guest process, (ii) inside the guest operating system kernel, and/or (iii) on transitions between guest processes and the guest operating system kernel. Malicious behavior may then be analyzed by the virtualization layer (e.g., the threat protection component 354), wherein the behavior may occur anywhere in the guest operating system, including in any guest process or in the guest operating system kernel. The virtualization layer 310 may, thus, place interception points at appropriate instruction stream points, whether in a process or in the kernel…, lines 36-65 column 8).
As to claim 2, Steinberg further teaches the controlled access memory structure comprises a linear or circular array in which messages are processed in an order in which the messages are received (…the virtual communication device may be implemented as a bi-directional memory buffer, as well as one or more (i) queues, (ii) first-in first-out (FIFO) buffers…, lines 49-51 column 15). 
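The message box and comparison step recited in claims 1 and 2 can be pictured with a small model. The Python below is an added illustration for this record only; it is neither the applicant's claimed implementation nor Steinberg's code. The message kinds, the handler names and the expected-behavior table are constructed for the example. A target pushes messages into a fixed-size circular array and raises a doorbell flag; the monitor drains the array in first-in, first-out order, checks sequence continuity, checks each message against the transitions allowed in the target's current mode (including the message announcing entry into a controlled mode), and records every deviation as a finding.

```python
"""Constructed model of a target-to-monitor message box with an expected-
behavior check.  Added illustration; not the applicant's or Steinberg's code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Message:
    seq: int        # monotonically increasing; lets the monitor detect gaps
    kind: str       # constructed vocabulary: WRITE, ENTER_SMM, SMI_HANDLER, EXIT_SMM
    detail: str = ""


class MessageBox:
    """Circular array, one writer (target) and one reader (monitor), FIFO order.
    A full box refuses the write and counts the overflow instead of silently
    overwriting unread messages, so lost evidence is itself observable."""

    def __init__(self, capacity: int) -> None:
        self._slots: List[Optional[Message]] = [None] * capacity
        self._head = 0          # next slot the monitor reads
        self._tail = 0          # next slot the target writes
        self._count = 0
        self.doorbell = False   # "information is available" signal
        self.overflows = 0

    def push(self, msg: Message) -> bool:
        if self._count == len(self._slots):
            self.overflows += 1
            return False
        self._slots[self._tail] = msg
        self._tail = (self._tail + 1) % len(self._slots)
        self._count += 1
        self.doorbell = True
        return True

    def drain(self) -> List[Message]:
        out: List[Message] = []
        while self._count:
            out.append(self._slots[self._head])  # type: ignore[arg-type]
            self._slots[self._head] = None
            self._head = (self._head + 1) % len(self._slots)
            self._count -= 1
        self.doorbell = False
        return out


# Expected behavior of the target (constructed): message kinds permitted in
# each mode, and the set of SMI handlers the monitor regards as known-good.
EXPECTED_NEXT = {"NORMAL": {"WRITE", "ENTER_SMM"}, "SMM": {"SMI_HANDLER", "EXIT_SMM"}}
KNOWN_HANDLERS = {"handler_pm", "handler_tco"}


class Monitor:
    def __init__(self, box: MessageBox) -> None:
        self.box, self.mode, self.next_seq = box, "NORMAL", 0
        self.findings: List[str] = []

    def poll(self) -> List[str]:
        if self.box.overflows:
            self.findings.append(f"message box overflowed {self.box.overflows} time(s)")
            self.box.overflows = 0
        if self.box.doorbell:
            for msg in self.box.drain():
                self._check(msg)
        return self.findings

    def _check(self, msg: Message) -> None:
        if msg.seq != self.next_seq:
            self.findings.append(f"sequence gap: expected {self.next_seq}, got {msg.seq}")
        self.next_seq = msg.seq + 1
        if msg.kind not in EXPECTED_NEXT[self.mode]:
            self.findings.append(f"unexpected {msg.kind} while target in {self.mode}")
        elif msg.kind == "SMI_HANDLER" and msg.detail not in KNOWN_HANDLERS:
            self.findings.append(f"unknown SMI handler {msg.detail!r}")
        if msg.kind == "ENTER_SMM":
            self.mode = "SMM"       # target announced entry into controlled mode
        elif msg.kind == "EXIT_SMM":
            self.mode = "NORMAL"


def run_scenario(messages: List[Message], capacity: int = 8) -> List[str]:
    """Push a constructed message stream through the box; return the findings."""
    box = MessageBox(capacity)
    monitor = Monitor(box)
    for msg in messages:
        box.push(msg)
    return monitor.poll()


# Constructed sample streams.  ANOMALOUS shares the benign prefix, then reports
# an unknown handler, skips a sequence number and writes memory while in SMM.
BENIGN = [Message(0, "WRITE", "log"), Message(1, "ENTER_SMM"),
          Message(2, "SMI_HANDLER", "handler_pm"), Message(3, "EXIT_SMM")]
ANOMALOUS = [Message(0, "WRITE", "log"), Message(1, "ENTER_SMM"),
             Message(2, "SMI_HANDLER", "handler_rogue"), Message(4, "WRITE", "ram")]
```

Running `run_scenario(BENIGN)` yields no findings; `run_scenario(ANOMALOUS)` yields three (unknown handler, sequence gap, write while in the controlled mode), and a box too small for the stream reports the overflow before any message is compared.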
As to claim 3, Steinberg further teaches a physical address of the target is mapped to the monitor (…The nested page tables 430 may be utilized to perform a second translation from the guest-physical address 425 to a host-physical address 435…, lines 11-25 column 12). 
As to claim 4, Steinberg further teaches the monitor has exclusive access to the communication link while the target is executing (…a low-latency, high-bandwidth communication interface 600 configured for bi-directional transfer of information between the agent process 360 and the threat protection component (hyper-process) of the virtualization layer 310…, line 65 column 15 to line 2 column 16).
As to claim 5, Steinberg further teaches the monitor comprises a virtual machine instantiated over physical hardware allocated in a virtualized system using a hypervisor (Fig. 3 and associated specification; …secure communication between any process of the virtualization layer 310 (including the micro-hypervisor 320) and any kernel or user mode process of the guest operating system…, lines 41-44 column 15). 
As to claim 6, Steinberg further teaches the controlled access memory structure is provided as part of the target or the monitor or as a standalone component (…a backing store for the shared memory buffers is allocated (provided) by the virtualization layer, e.g., in host-physical memory, such that the agent is the only in-…, lines 8-18 column 18).
As to claim 7, note the discussion of claim 1 above.  Steinberg further teaches indicating that the target has entered a System Management Mode (…The guest mode may employ a first set of four protection rings, e.g., guest mode rings 0-3, wherein one or more guest applications (guest processes 240) run in guest mode ring 3 at a lowest guest mode privilege level, and the guest operating system (guest operating system kernel 230) runs in guest mode ring 0 at a highest guest mode privilege level. The virtualization layer 310 operates in host mode of the virtualization architecture, which includes a second set of four protection rings, e.g., host mode rings 0-3. Illustratively, various user mode components embodied as hyper-processes 350 of the virtualization layer 310 run in host mode ring 3 at a lowest host mode privilege level, and a kernel portion (i.e., micro-hypervisor 320) of the virtualization layer runs in host mode ring 0 at a highest host mode privilege level…, lines 38-53 column 6).
As to claims 8-9, note the discussions of claims 3-4 above, respectively. 
As to claims 10-13, note the discussions of claims 1-3 and 5 above, respectively. 
As to claim 14, Steinberg further teaches the virtual machine comprises a secure execution environment inaccessible to other components of the virtualized system (…guest processes 240 to invoke the services, e.g., accesses to the hardware resources, of the guest operating system kernel 230…, lines 44-47 column 8). 
As to claim 15, note the discussion of claim 7 above. 
As to claim 16, Steinberg further teaches the controlled mode of operation is a System Management Mode (…The guest mode may employ a first set of four protection rings, e.g., guest mode rings 0-3, wherein one or more guest applications (guest processes 240) run in guest mode ring 3 at a lowest guest mode privilege level, and the guest operating system (guest operating system kernel 230) runs in guest mode ring 0 at a highest guest mode privilege level. The virtualization layer 310 operates in host mode of the virtualization architecture, which includes a second set of four protection rings, e.g., host mode rings 0-3. Illustratively, various user mode components embodied as hyper-processes 350 of the virtualization layer 310 run in host mode ring 3 at a lowest host mode privilege level, and a kernel portion (i.e., micro-hypervisor 320) of the virtualization layer runs in host mode ring 0 at a highest host mode privilege level…, lines 38-53 column 6).
As to claim 17, note the discussion of claim 7 above. 
As to claim 18, Steinberg further teaches the monitor comprises the hypervisor (Fig. 3 and associated specification; …secure communication between any process of the virtualization layer 310 (including the micro-hypervisor 320) and any kernel or user mode process of the guest operating system…, lines 41-44 column 15).
As to claim 19, note the discussion of claim 16 above. 
As to claim 20, note the discussion of claim 1 above. 

Response to Arguments
4.  Applicant’s arguments have been fully considered but they are not persuasive.
Applicant argues the cited reference does not teach: “the monitor to compare the messages retrieved from the controlled access memory structure to information of an expected behavior of the target, for detecting a deviation from the expected behavior that is indicative of an intrusion” and “a System Management Mode” (Remarks, pages 7-8).  In response, the applicant argues new limitations that were not claimed before.  However, these new limitations are still met by the cited reference as disclosed in the claim rejections above.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andy Ho whose telephone number is (571) 272-3762.  A voice mail service is also available for this number.  The examiner can normally be reached on Monday – Friday, 8:30 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Dennis Chow can be reached on (571) 272-7767. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2100.
Any response to this action should be mailed to:
Commissioner for Patents 
P.O. Box 1450
Alexandria, VA 22313-1450
Or fax to:
AFTER-FINAL faxes must be signed and sent to (571) 273-8300.
OFFICIAL faxes must be signed and sent to (571) 273-8300.
NON-OFFICIAL faxes should not be signed; please send to (571) 273-3762.

/Andy Ho/
Primary Examiner
Art Unit 2194