DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 7 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 7, the phrase "or malware like behaviours" renders the claim indefinite because the claim includes elements not actually disclosed (those encompassed by "or the like"), thereby rendering the scope of the claim unascertainable.  See MPEP § 2173.05(d).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –



Claims 1-3, 5, 7, 9-12, 14, and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Eytan et al, U.S. Patent 9,582,665.

As per claim 1, it is taught of a method comprising:
receiving, at a server device, a record of an event (data files) transmitted from a client device, wherein the event occurred on a client device; generating, at the server device, by a processor, a record of the event (col. 15, lines 10-13 & 38-43);
comparing the received record with the record generated at the server device (col. 15, lines 31-48); and,
when at least a portion of the record generated at the server device is not found in the received record (teachings disclose of detecting anticipated behavior in a sandbox, and any unexpected behavior is deemed malicious, which can include hidden code (col. 15, lines 38-43), the Examiner is interpreting the claimed “portion of the record generated is not found in the record” as being equivalent to the teachings Eytan et al), issuing an alert (anti-malware engine notifies the data integrity server) (col. 15, lines 45-48 and col. 16, lines 33-45).
As per claim 2, it is disclosed wherein triggering the event at the client device, wherein the event is associated with a malicious action (col. 15, lines 1-7 & 10-13).
As per claim 3, it is taught wherein generating, at the server device, the record of the event comprises generating an event, wherein generating the event results in the generation of the record of the event (col. 15, lines 45-48 and col. 16, lines 33-45).
As per claim 5, it is taught wherein comparing the received record with the record generated at the server device comprises, when at least a portion of the record generated at the server device is
As per claim 7, it is taught wherein the event comprises at least one of: downloading a file, creating a file, running malware (or malware like behaviours), running blacklisted code or non-whitelisted code, updating a signature list, updating a root certificate list, installing a new piece of software, disabling or changing at least one security checking function; disabling or change at least one security setting (the type of data file and its characteristics are checked, col. 11, lines 25-34 and col. 16, lines 10-17).
As per claim 9, it is taught of a processing apparatus comprising:
a server device comprising:
a data receiving module to receive a record of an event (data file) which occurred on, and was transmitted from, a client device (col. 15, lines 10-13 & 38-43); and
an event analytics module to generate data corresponding to the event which occurred on the client device, and to compare the generated data with the record received by the data receiving module (col. 15, lines 31-48), and to issue an alert if at least a portion of the generated data is not found in the record (teachings disclose of detecting anticipated behavior in a sandbox, and any unexpected behavior is deemed malicious, which can include hidden code (col. 15, lines 38-43), the Examiner is interpreting the claimed “portion of the record generated is not found in the record” as being equivalent to the teachings Eytan et al) received by the data receiving module (col. 15, lines 45-48 and col. 16, lines 33-45).
As per claim 10, it is disclosed wherein the event is associated with a malicious action (col. 15, lines 1-7 & 10-13).
As per claim 11, it is taught wherein the event comprises at least one of:

As per claim 12, it is disclosed wherein the event analytics module comprises:
an event generating module to generate an event, wherein generating data corresponding to the event which occurred on the client device comprises generating an event at the event generating module (col. 15, lines 45-48 and col. 16, lines 33-45).
As per claim 14, it is disclosed of a non-transitory machine-readable storage medium, encoded with instructions executable by a processor, the machine-readable storage medium comprising instructions to cause the processor to:
receive a record of an event (data file) associated with a malicious action (col. 15, lines 10-13 & 38-43);
generate data corresponding to the event (col. 15, lines 31-48); and
compare the generated data with the received record and issue an alert if at least a portion of the generated data is not found in the received record (teachings disclose of detecting anticipated behavior in a sandbox, and any unexpected behavior is deemed malicious, which can include hidden code (col. 15, lines 38-43), the Examiner is interpreting the claimed “portion of the record generated is not found in the record” as being equivalent to the teachings Eytan et al, see col. 15, lines 45-48 and col. 16, lines 33-45).
As per claim 15, it is disclosed wherein the event comprises at least one of:
downloading a file, creating a file, running malware, running blacklisted code or non-whitelisted code, updating a signature list, updating a root certificate list, installing a new piece of software, .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Eytan et al, U.S. Patent 9,582,665 in view of Wagner et al, US 2016/0110208.

As per claim 4, it is disclosed by Eytan et al of generating an event, however the teachings fail to disclose of the event comprising inputting a seed into a pseudo-random number generator, and wherein the output of the pseudo-random number generator corresponds to a generated event.  The teachings of Wagner et al disclose of an event comprising inputting a seed into a pseudo-random number generator, and wherein the output of the pseudo-random number generator corresponds to the event to be generated (see paragraph 0080).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to ensure that a generated output was free from tampering and that ensured that its integrity is intact.  The teachings of Wagner et al disclose of using a given seed that is applied to a pseudo-random number generator that generates a specific outcome for a session identifier that can be compared with an expected session .

Claims 6, 8, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Eytan et al, U.S. Patent 9,582,665 in view of Touboul, U.S. Patent 7,418,731.

As per claims 6, 8, and 13, it is disclosed by Eytan et al wherein issuing a generic alert in response to detected malware (col. 17, lines 27-30), however the teachings fail to disclose of the alert comprises collecting statistics and tagging the received record with additional information associated with the received record.  The teachings of Touboul disclose of an alert (security profile to summarize) comprises collecting statistics and tagging the received record with additional information (summarizing potentially malicious computer operations) associated with the received record (file) (col. 6, lines 17-21).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to provide detailed listing of malicious operations in order to inform a recipient for protection purposes.  The teachings of Touboul disclose that the security profile indicates whether the transmission of the requested file to a recipient should be restricted (col. 4, lines 63-67).  Although the teachings of Eytan et al disclose of issuing alerts based upon the detection of malware in a file, the teachings of Touboul disclose of providing additional information as to the nature of the malicious operations, and add a dynamic approach that can update the security profile that lists new malicious operations if the file has changed (col. 7, lines 22-27) to further protect the client device of Eytan et al.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Jiang et al, US 2018/0082061 is relied upon for disclosing of notifying a client of a scanned feature data pertaining to unknown program files, see paragraph 0008.
Goldschmidt, U.S. Patent 8,745,001 is relied upon for disclosing of a backup server comparing client file characteristics (col. 5, lines 13-22) to determine if they’ve been tampered with (col. 5, lines 27-30).
As per claim 15, it is taught wherein the event comprises at least one of:
downloading a file, creating a file, running malware, running blacklisted code or non-whitelisted code, updating a signature list, updating a root certificate list, installing a new piece of software, disabling or changing at least one security checking function; disabling or change at least one security setting ().
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional 

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431