DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to amendments filed 08/20/2021. This application claims benefit of a Continuation Application No. 15/448,476 now Patent No.10534909, filed 03/02/2019, wherein claims 1 – 8 are pending and ready for examination claims 9-16 were cancelled.  

Response to Arguments
Applicant's arguments filed 08/20/2021 have been fully considered but they are not persuasive. 

Applicant Asserts: Claims 1-16 were rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-5, 8, and 10-12 of Patent No.10534909. In response, the subject matter of the claims has been amended and is now directed towards non-transitory
computer-readable media. This subject matter was not part of the ‘909 patent. Therefore, Applicant respectfully submits that double patenting rejection is obviated..

Examiner Response:  Respectfully, the Examiner does not deem the amendments to claims 1-8 direct the claims to different subject matter from US Patent No. 10534909.  Applicant has amended the claims from a method to a non-transitory computer-readable that carries out the instructions of the method claims of the patent ‘909. Therefore, the Examiner maintains the double patent rejection of instant claim 1-8 over the claims 1-8 of the US Patent No. 10534909. Although the amendments cite a non-transitory computer readable medium the medium stores .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 



Claims 1-8 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-5, 8, and 10-12 of Patent No.10534909. Although the claims at issue are not identical, they are not patentably distinct from each other because.

Instant 16730892
15448476 (Patent No.10534909)
1. A non-transitory computer-readable
media storing source code that, when executed by a
processor, performs a method comprising:
receiving, by a virtual sandbox appliance, a file that has been tagged by a network security device based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device, wherein the virtual multi-tiered sandbox appliance includes a plurality of virtualization layers each having different resource requirements and wherein the plurality of virtualization layers include:

a virtualization application based environment, representing a least resource intensive virtualization layer of the plurality of virtualization layers and acting as an intermediary between executable code, an operating system (OS) application programming interface (API), and an 

a full hypervisor based environment, representing a most resource intensive virtualization layer of the plurality of virtualization layers; and

a container-based environment, representing an intermediate resource intensive virtualization layer of the plurality of virtualization layers; causing, by the virtual sandbox appliance, the file to exhibit a first set of behaviors by running the file within the virtualization application based environment;

causing, by the virtual sandbox appliance, the file to exhibit a second set of behaviors by running the file within the container based environment;

determining, by the virtual sandbox appliance, differences, if any, between the first set of behaviors and the second set of behaviors; and classifying, by the virtual sandbox appliance, the file as malicious when the differences are greater than a predefined or configurable threshold.

method of claim 1, further comprising prior to said receiving, the file is tagged using a pre-filter based on a threat-level associated with the file as determined by the pre-filter.

1. A method comprising:
receiving, by a computer system, a file;
causing the file to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system, wherein the virtualization application based environment is created based on an application to which the file pertains;

causing the file to exhibit a second set of behaviors by processing the file within a container of a plurality of containers of a container based environment of the computer system, wherein the plurality of containers share a common kernel of a particular operating system;



classifying, by the computer system, the file as malicious when the differences are greater than a predefined or configurable threshold.




2. The non-transitory computer-readable
media of claim 1, wherein in the method, when the differences are less than or equal to the predefined or configurable threshold, the method further comprises: causing, by virtual sandbox appliance, the file to exhibit a third set of behaviors by running the file within the full hypervisor based environment; and 
classifying, by the virtual sandbox appliance, the file as malicious when differences, if any, between any of the first set of behaviors, the second set of behaviors and the third set of behaviors are greater than the predefined or configurable threshold.
2. (Original) The method of claim 1, wherein when the differences are less than or equal to the predefined or configurable threshold, the method further comprises

causing the file to exhibit a third set of behaviors by processing the file within a full hypervisor based environment of the computer system; and classifying, by the computer system, the file as malicious when differences, if any, between any of the first set of behaviors, the second set of behaviors and the third set of behaviors are greater than a predefined or configurable threshold.
3. The non-transitory computer-readable
media of claim 2, wherein in the method, said running the file within the virtualized application based environment and said running the file within the container based environment are performed in parallel.
3. (Currently Amended) The method of claim 2, wherein said processing the file within a virtualized application based environment and said processing the file within a container based environment are performed in parallel[[;]].

media of claim 3, wherein in the method, the first set of behaviors and the second set of behaviors are provided as an input to the full hypervisor based environment prior to said running the file within the full hypervisor based environment.
4. (Previously Presented) The method of claim 3, wherein the first set of behaviors and the second set of behaviors are provided as an input to the full hypervisor based environment prior to said processing the file within the full hypervisor based environment.
5. The non-transitory computer-readable
media of claim 1, wherein in the method, the hypervisor based environment employs a first level of entropy generation for creation of the hypervisor based environment that is greater than a second level of entropy generation employed in connection with creation of the container based environment, and wherein the second level of entropy generation is greater than a third level of entropy generation employed in connection with creation of the virtualization application based environment.
5. (Previously Presented) The method of claim 2, wherein the full hypervisor based environment employs a first level of entropy generation for creation of the full hypervisor based environment that is greater than a second level of entropy generation employed in connection with creation of the container based environment, and wherein the second level of entropy generation is greater than a third level of entropy generation employed in connection with creation of the virtualization application based environment.
6. The non-transitory computer-readable
media of claim 1, wherein the method further comprising queuing the file prior to said running the file within the virtualized application based environment and prior to said running the file within the container based environment.
10. (Original) The method of claim 1, further comprising queuing the file prior to said processing the file within a virtualized application based environment and prior to said processing the file within a container based environment.
7. The non-transitory computer-readable
media of claim 6, wherein in the method, said queuing enables separation of the file from corresponding network security threat data.
11. (Original) The method of claim 10, wherein said queuing enables separation of the file from corresponding network security threat data.
8. The non-transitory computer-readable
media of claim 1, wherein in the method, the virtualization application based environment and the container based environment use a pointer system through a change root environment rather than using a full operating system
12. (Original) The method of claim 1, wherein the virtualization application based environment and the container based environment use a pointer system through a change root environment rather than using a full operating system.



THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 249111/14/2021
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491