Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
Applicant's arguments have been fully considered and were found persuasive, particularly in view of Paragraphs [0044]-[0046] (appended below) and Figure 5 of the filed specification.
(Present Application Paragraphs [0044]-[0046], “FIG. 5 is a flowchart representative of machine readable instructions which may be executed to implement the example monitoring agent 202 of FIGS. 2-4 to monitor communications from processes at the data link layer (Layer 2) and manage detected threats in one or more of the monitored communications. The example process of FIG. 5 begins at block 502 at which the example connection detector 404 (FIG. 4) receives a communication at a data link layer (Layer 2) of the OSI model. The example connection detector 404 analyzes the data link layer (Layer 2) communication (block 504) to determine whether it is a request for a connection to the endpoint device 204 (FIGS. 2 and 3) at the data link layer (Layer 2). For example, the connection detector 404 monitors communications at the data link layer (Layer 2) from applications (e.g., the Application-5 208 of FIG. 2 and/or applications on the external computer 302 and/or the local endpoint device 304 of FIG. 3) to detect requests to establish data link layer (Layer 2) connections in the endpoint device 204. To detect such connection requests, the example connection detector 404 may employ the dynamic tracer 410 and/or the raw socket interface monitor 412 using techniques described above. For example, the connection detector 404 may employ the dynamic tracer 410 by using one or more operating system APIs to monitor communications from ones of the processes 402 (FIG. 4) that issue file open requests to a particular file (e.g., file open requests to a /dev/bpf0 character file using bpf, etc.) which allows connection via the data link layer (Layer 2). Additionally or alternatively, the connection detector 404 employs the example raw socket interface monitor 412 to detect communications from ones of the processes 402 that call raw socket APIs to connect to the data link layer (Layer 2). 
At block 506, the example connection detector 404 detects the communication as including a request to connect to the endpoint device 204 at the data link layer (Layer 2) of the OSI model. The example threat monitor 406 determines whether the communication is a threat (block 508). For example, the threat monitor 406 checks privilege levels and/or trust levels of an application corresponding to the communication, and/or checks whether the application is known to be suspicious or malicious, as described above in connection with FIG. 2. In some examples, the threat monitor 406 additionally or alternatively checks whether the application is identified as a whitelisted application and/or is identified in an administrator policy as being allowed to connect at the data link layer (Layer 2). If the threat monitor 406 does not find the application is whitelisted or allowed based on an administrator policy, and/or the threat monitor 406 determines that the application does not have a sufficient privilege level and/or trust level, and/or the threat monitor 406 determines that the application is identified as a suspicious or malicious application, the threat monitor 406 confirms that the communication is a threat. In such instances, the threat may be a potential threat that the monitoring agent 202 treats as a threat to prevent malicious activity on the endpoint device 204. 
If the threat monitor 406 determines at block 508 that the communication is a threat, the example threat manager 408 manages the threat (block 510) by generating a notification to prompt a user (e.g., a network administrator) about the threat and/or blocking the communication. The threat manager 408 may perform one or more responsive actions in response to the detected threat in an automatic manner and/or a user-driven manner as described above. Otherwise, if the threat monitor determines at block 508 that the communication is not a threat, the example threat manager 408 allows the communication (block 512). A corresponding one of the processes 402 that issued the communication is allowed by the threat manager 408 to continue (block 514) because it did not present a threat. After managing the threat at block 510 or after the process 402 continues at block 514, the example process of FIG. 5 ends.”)
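The FIG. 5 flow quoted above (blocks 502-514), modeled as an added example over constructed events; it is not code from the application or from the examiner. The event tuple format, the trust score and threshold, the use of `AF_PACKET`/`SOCK_RAW` as the raw socket call, and the reading that any one failed check makes the request a threat are assumptions.

```python
import re
from dataclasses import dataclass

BPF_DEVICE = re.compile(r"^/dev/bpf\d*$")  # e.g. /dev/bpf0, as in the quoted text
RAW_L2_FAMILIES = {"AF_PACKET"}  # assumption: Linux family for Layer 2 raw sockets

@dataclass(frozen=True)
class App:
    exe: str
    trust: int  # hypothetical 0-100 trust score
    privileged: bool
    known_malicious: bool = False

def is_l2_connection_request(syscall: str, arg: str) -> bool:
    """Blocks 504/506: flag only the request to attach at Layer 2, not traffic."""
    if syscall == "open":
        return bool(BPF_DEVICE.match(arg))
    if syscall == "socket":
        family, _, sock_type = arg.partition(",")
        return family in RAW_L2_FAMILIES and sock_type == "SOCK_RAW"
    return False

def is_threat(app: App, allowlist: set, min_trust: int) -> bool:
    """Block 508 (assumed reading): any single failed check confirms a threat."""
    if app.known_malicious or app.exe not in allowlist:
        return True
    return not app.privileged or app.trust < min_trust

def handle(event, apps, allowlist, min_trust=70) -> str:
    """Return 'ignore', 'allow' (blocks 512/514) or 'block+notify' (block 510)."""
    _pid, exe, syscall, arg = event
    if not is_l2_connection_request(syscall, arg):
        return "ignore"
    app = apps.get(exe, App(exe, trust=0, privileged=False))  # unknown: no trust
    return "block+notify" if is_threat(app, allowlist, min_trust) else "allow"

APPS = {  # constructed application inventory
    "/usr/sbin/tcpdump": App("/usr/sbin/tcpdump", trust=90, privileged=True),
    "/tmp/updater": App("/tmp/updater", trust=10, privileged=False),
}
ALLOWLIST = {"/usr/sbin/tcpdump"}  # stands in for whitelist / administrator policy
EVENTS = [  # constructed sample events: (pid, exe, syscall, argument)
    (101, "/usr/sbin/tcpdump", "open", "/dev/bpf0"),
    (202, "/tmp/updater", "socket", "AF_PACKET,SOCK_RAW"),
    (303, "/usr/bin/curl", "socket", "AF_INET,SOCK_STREAM"),
    (404, "/usr/bin/editor", "open", "/etc/hosts"),
]

def run():
    return [handle(e, APPS, ALLOWLIST) for e in EVENTS]
```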
The claimed invention demonstrates a particular method directed to monitoring of connection requests at layer 2, as opposed to ongoing monitoring at layer 2, that was not found in the prior art. Preventing Layer 2 security threats (Bartlomiejczyk et al.) details some of the nature of security threats at Layer 2 and ongoing style monitoring interventions, but does not show the present application’s layer 2 connection request specific monitoring.
Claims 1-20 allowed.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached on 9:00 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through






/BENJAMIN A KAPLAN/Examiner, Art Unit 2434