DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 08/18/2021.
In the instant Amendment, no claims have been added; claims 1, 9, and 14 are currently amended; and claims 1, 9, and 14 are independent claims.  Claims 1-15 have been examined and are pending.  This Action is made Final.
Response to Arguments
The rejection of claims 9 and 11-13 under 35 U.S.C. § 102(a)(1) and 102(a)(2) are withdrawn as the claims have been amended.
Applicants’ arguments with respect to claims 1, 9, and 14 have been considered but are moot in view of the new ground(s) of rejection, which were necessitated by amendment.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

Claims 14-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding claim 14, claim 14 recites the limitation “the behavior change”.  The claim does not have a previous recitation of “a behavior change”. The claim only previously introduces the elements of “a predetermined expected behavior change” and as a result, lacks proper antecedent basis. For example, a lack of clarity could arise where a claim refers to "said lever" or “the lever”, where the claim contains no earlier recitation or limitation of a lever and as a result, it would be unclear as to what element the limitation was making reference to (MPEP 2173.05(e) [R-07.2015]). A claim which refers to "said aluminum lever," but recites only "a lever" earlier in the claim, is indefinite because it is uncertain as to the lever to which reference is made. (MPEP 2173.05(e) [R-07.2015])  Appropriate correction to “the behavior change” is required to ensure proper claim interpretation.
Regarding claim 15, claim 15 is dependent upon independent claim 14 and inherits the 35 U.S.C. 112 (b) rejections of the independent claim 14.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over Ismael (US 9,225,740; Hereinafter “Ismael”) in view of Poornachandran et al. (US 2012/0167218; Hereinafter “Poornachandran”) in view of Vashisht et al. (US 10,902,119; Hereinafter “Vashisht”).
Regarding claim 1, Ismael teaches a system (Ismael: abstract, Fig. 1), comprising: a process operating in a general operating environment of the system (Ismael: Fig. 1, col. 2 lines 3-12, [application (108) = process]); and 
Ismael does not explicitly teach a protection module to modify the behavior of the process by modifying data associated with the process while the process is in operation to trigger a predetermined expected change of behavior in the process; to determine whether the predetermined expected change of behavior occurs during operation of the process.
In an analogous art, Poornachandran teaches a process operating in a general operating environment of the system; and an isolated environment comprising a protection module (Poornachandran: Fig. 1, Para. [0014]-[0017], Para. [0016], In one embodiment, a behavior analysis module 140 running in security engine 130 is used by host application 112 to provide signature-independent system behavior-based malware detection. Host application 112 requests services of security engine 130, including signature-independent system behavior-based malware detection, via security engine interface (SEI) 114. Behavior analysis module 140 may be implemented as firmware executed by security engine 130. Para. [0028], For example, a snapshot of the system may be sent to a remote server for analysis. The remote server may perform validation of the snapshot and/or analyze the snapshot for virus signatures.  Para. [0030], Communication/logging agent 244 logs snapshots of the state of the system periodically and may transmit this information to a remote server such as enterprise server 170 of FIG. 1 for verification and/or analysis purposes. Para. [0047])
a protection module to modify the behavior of the process by modifying data associated with the process while the process is in operation to trigger a predetermined expected change of behavior in the process (Poornachandran: Fig. 1, Para. [0014]-[0017], Para. [0016], In one embodiment, a behavior analysis module 140 running in security engine 130 is used by host application 112 to provide signature-independent system behavior-based malware detection. Host application 112 requests services of security engine 130, including signature-independent system behavior-based malware detection, via security engine interface (SEI) 114. Para. [0028]-[0029],  Para. [0030], Para. [0047], Para. [0009], In one embodiment, the method includes identifying a change in the current mode of operation of the processing system to a new mode of operation; identifying a second at least one process expected to be active; and adjusting the expected activity level based upon the new mode of operation and the second at least one process expected to be active.); 
to determine whether the predetermined expected change of behavior occurs during operation of the process (Poornachandran: Para. [0025], Behavior analysis module 240 monitors activity levels of resources in platform 200 and compares the actual activity levels to expected activity levels. Expected activity levels are determined based upon the mode of operation of the system and the processes expected to be active in that mode of operation. Para. [0009], Para. [0026], The source of unexpected activity is identified by behavior analysis module 240 by working with the kernel scheduler (not shown) to identify the currently active processes in the system. These currently active processes are mapped to applications that are currently expected to be running in the platform's current mode of operation. Para. [0027], Once the source of unexpected activity is identified, behavior analysis module 240 uses policy guidelines to determine whether the unexpected activity is legitimate.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Poornachandran with the system and method of Ismael to include a protection module to modify the behavior of the process by modifying data associated with the process while the process is in operation to trigger a predetermined expected change of behavior in the process; to determine whether the predetermined expected change of behavior occurs during operation of the process because this functionality provides isolated environments for characterizing whether unexpected activity is legitimate and classify the source of the unexpected activity as malware if the unexpected activity is indeed not legitimate (Poornachandran: Para. [0008]).
 Ismael, in combination with Poornachandran, does not explicitly teach to take a remedial action upon determining that the predetermined expected change of behavior of the process has not occurred. 
(Vashisht: Col. 10, Lines 53-67, The data procurement logic 530 is communicatively coupled to the event log 330.sub.1 to obtain data associated with the monitored behaviors, namely data produced by certain activities (e.g., actions such as issuance of function, system or Application Programming Interface "API" calls, modifying/closing/opening files, creating/deleting files, changing registry values, etc.) and/or inactivities (e.g., inactions such as withholding display of a window, non-entry of keystrokes, etc.). The behavior analysis logic 540 analyzes the data associated with the monitored behaviors. [inactivities, withholding, non-entry, and inactions meet the limitation of fails to exhibit the expected behavior change] Col. 11, Lines 1-12, Col. 11, Lines 34-67, This priority may be considered when determining what data (e.g., the modified object and meta information associated with that object such as its source object, time of creation, etc.) should be part of the stored post-analysis data. Overwriting (substitution) of certain post-analysis data may be performed during run-time, especially when the prescribed area is reaching capacity and higher priority data needs to be made available to the host system. [remedial activity may include restoring may include overwriting of portions of virtual image file that includes post analysis data ] Col. 2, Lines 57-67, According to one embodiment of the disclosure, during runtime, the data availability logic determines the post-analysis data and stores the post-analysis data within a prescribed area of a virtual image file. The virtual image file corresponds to a guest system snapshot (image of software running on the guest system). The prescribed area is managed by a virtual file system that may be part of the virtual image file, and the location of the prescribed area is known and accessible by the host system. Col. 3, Lines 4-18, Col. 4, Lines 1-15).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Vashisht with the system and method of Poornachandran and Ismael to include in response to failing to detect the predetermined expected behavior change, perform a remedial action with the security process because this functionality provides for restoring of a security process (Vashisht: Col. 11, Lines 1-12).
Regarding claim 2, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the isolated environment is one of a TrustZone system on chip, a hypervisor, a system management mode module, and an embedded controller (Poornachandran: Fig. 1, Para. [0017], Communication between security engine 130 and enterprise server 170 occurs via out-of-band communication channel 152. In one embodiment, out-of-band communication channel 152 is a secure communication channel between security engine 130 on the host system and enterprise server 170. Out-of-band communication channel 152 enables security engine 130 to communicate with external servers independently of the host operating system 105 of platform 100. Para. [0014], Para. [0015]).
Regarding claim 3, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the process is at least one of an antivirus process, a firewall process, an authentication process, a cryptography process, an intrusion prevention process, a digital rights management process, and an intrusion detection process (Poornachandran: Para. [0008], Embodiments of the present invention may provide a method, system, and computer program product for performing signature-independent system behavior-based malware detection.).
Regarding claim 4, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the remedial action is one of, alerting an entity that the process has been compromised, disabling a function of the system, restoring the process to a known valid state, and turning off the system (Ismael: Col. 12, Lines 11-20, Col. 13, Lines 44-50, Col. 16, Lines 49-57).
Regarding claim 5, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the protection module modifies the behavior of the process by at least one of: altering executable instructions of the process, altering a Boolean in memory to trigger whether a function of the process executes, overwriting null operation instructions in the executable instructions associated with the process with (Ismael: Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
Regarding claim 6, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the protection module verifies the behavior of the process based on one of: verifying a value received from the process, where the value is generated based on the behavior modified by the protection module, verifying that security reports provided by the process to the protection module include data collected as a result of the behavior modification, and verifying a state of in memory value modified by the process during the operation of the process, where the state depends on the modified behavior (Ismael: Col. 5, Lines 37-54, Col. 5, lines 10-58, col. 6, lines 23-43).
Regarding claim 7, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 1, where the protection module is to receive instructions for modifying the behavior of the process from a remote device (Poornachandran: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).
Regarding claim 8, Ismael, in combination with Poornachandran, and Vashisht, teaches the system of claim 7, where the protection module reports a result of the verification to the remote device (Poornachandran: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).

Claim 9-10 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Poornachandran et al. (US 2012/0167218; Hereinafter “Poornachandran”) in view of Vashisht et al. (US 10,902,119; Hereinafter “Vashisht”).
Regarding claim 9, Poornachandran teaches a non-transitory computer-readable medium storing executable instructions that, when executed, control a device to: 
(Poornachandran: Fig. 1, Para. [0014]-[0017], Para. [0016], In one embodiment, a behavior analysis module 140 running in security engine 130 is used by host application 112 to provide signature-independent system behavior-based malware detection. Host application 112 requests services of security engine 130, including signature-independent system behavior-based malware detection, via security engine interface (SEI) 114. Para. [0028]-[0029],  Para. [0030], Para. [0047], Para. [0009], In one embodiment, the method includes identifying a change in the current mode of operation of the processing system to a new mode of operation; identifying a second at least one process expected to be active; and adjusting the expected activity level based upon the new mode of operation and the second at least one process expected to be active.); 
monitoring execution of the security process to detect the predetermined expected behavior change (Poornachandran: Para. [0025], Behavior analysis module 240 monitors activity levels of resources in platform 200 and compares the actual activity levels to expected activity levels. Expected activity levels are determined based upon the mode of operation of the system and the processes expected to be active in that mode of operation. Para. [0009], Para. [0026], The source of unexpected activity is identified by behavior analysis module 240 by working with the kernel scheduler (not shown) to identify the currently active processes in the system. These currently active processes are mapped to applications that are currently expected to be running in the platform's current mode of operation. Para. [0027], Once the source of unexpected activity is identified, behavior analysis module 240 uses policy guidelines to determine whether the unexpected activity is legitimate.). 
Poornachandran does not explicitly teach in response to failing to detect the predetermined expected behavior change, perform a remedial action with the security process.
In an analogous art, Vashisht teaches in response to failing to detect the predetermined expected behavior change, perform a remedial action with the security  (Vashisht: Col. 10, Lines 53-67, The data procurement logic 530 is communicatively coupled to the event log 330.sub.1 to obtain data associated with the monitored behaviors, namely data produced by certain activities (e.g., actions such as issuance of function, system or Application Programming Interface "API" calls, modifying/closing/opening files, creating/deleting files, changing registry values, etc.) and/or inactivities (e.g., inactions such as withholding display of a window, non-entry of keystrokes, etc.). The behavior analysis logic 540 analyzes the data associated with the monitored behaviors. [inactivities, withholding, non-entry, and inactions meet the limitation of fails to exhibit the expected behavior change] Col. 11, Lines 1-12, Col. 11, Lines 34-67, This priority may be considered when determining what data (e.g., the modified object and meta information associated with that object such as its source object, time of creation, etc.) should be part of the stored post-analysis data. Overwriting (substitution) of certain post-analysis data may be performed during run-time, especially when the prescribed area is reaching capacity and higher priority data needs to be made available to the host system. [remedial activity may include restoring may include overwriting of portions of virtual image file that includes post analysis data ] Col. 2, Lines 57-67, According to one embodiment of the disclosure, during runtime, the data availability logic determines the post-analysis data and stores the post-analysis data within a prescribed area of a virtual image file. The virtual image file corresponds to a guest system snapshot (image of software running on the guest system). The prescribed area is managed by a virtual file system that may be part of the virtual image file, and the location of the prescribed area is known and accessible by the host system. Col. 3, Lines 4-18, Col. 4, Lines 1-15).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Vashisht with the system and method of Poornachandran to include in response to failing to detect the predetermined expected behavior change, perform a remedial action with the security process because this functionality provides for restoring of a security process after detection of inactivity by overwriting a virtual image file with post-analysis data thereby restoring to a prior state  (Vashisht: Col. 11, Lines 1-12).
Regarding claim 10, Poornachandran, in combination with Vashisht, teaches the non-transitory computer-readable medium of claim 9, where the first environment is an isolated environment, where the isolated environment is one of a Trustzone system on chip, a hypervisor, a system management mode module, and an embedded controller, and where the second environment is a primary processing environment of the device (Poornachandran: Fig. 1, Para. [0014]-[0015]).   
Regarding claim 14, Poornachandran teaches a method (Ismael: Abstract, Col. 2, Lines 3-67), comprising: 
alter, from a protected environment of a device, executable instructions associated with a security process in execution by a general operating environment of the device (Poornachandran: Fig. 1, Para. [0014]-[0017], Para. [0016], In one embodiment, a behavior analysis module 140 running in security engine 130 is used by host application 112 to provide signature-independent system behavior-based malware detection. Host application 112 requests services of security engine 130, including signature-independent system behavior-based malware detection, via security engine interface (SEI) 114. Para. [0028]-[0029],  Para. [0030], Para. [0047], Para. [0009], In one embodiment, the method includes identifying a change in the current mode of operation of the processing system to a new mode of operation; identifying a second at least one process expected to be active; and adjusting the expected activity level based upon the new mode of operation and the second at least one process expected to be active.), 
where altering the executable instructions triggers a predetermined expected behavior change in the security process (Poornachandran: Para. [0025], Behavior analysis module 240 monitors activity levels of resources in platform 200 and compares the actual activity levels to expected activity levels. Expected activity levels are determined based upon the mode of operation of the system and the processes expected to be active in that mode of operation. Para. [0009],);
monitor execution of the security process to detect whether the security process exhibits the predetermined expected behavior change (Poornachandran: Para. [0025], Para. [0026], The source of unexpected activity is identified by behavior analysis module 240 by working with the kernel scheduler (not shown) to identify the currently active processes in the system. These currently active processes are mapped to applications that are currently expected to be running in the platform's current mode of operation. Para. [0027], Once the source of unexpected activity is identified, behavior analysis module 240 uses policy guidelines to determine whether the unexpected activity is legitimate.). 
Poornachandran does not explicitly teach restore the security process to a known valid state when the security process fails to exhibit the behavior change.
In an analogous art, Vashisht teaches restore the security process to a known valid state when the security process fails to exhibit the behavior change (Vashisht: Col. 10, Lines 53-67, The data procurement logic 530 is communicatively coupled to the event log 330.sub.1 to obtain data associated with the monitored behaviors, namely data produced by certain activities (e.g., actions such as issuance of function, system or Application Programming Interface "API" calls, modifying/closing/opening files, creating/deleting files, changing registry values, etc.) and/or inactivities (e.g., inactions such as withholding display of a window, non-entry of keystrokes, etc.). The behavior analysis logic 540 analyzes the data associated with the monitored behaviors. [inactivities, withholding, non-entry, and inactions meet the limitation of fails to exhibit the behavior change] Col. 11, Lines 1-12, Col. 11, Lines 34-67, This priority may be considered when determining what data (e.g., the modified object and meta information associated with that object such as its source object, time of creation, etc.) should be part of the stored post-analysis data. Overwriting (substitution) of certain post-analysis data may be performed during run-time, especially when the prescribed area is reaching capacity and higher priority data needs to be made available to the host system. [restoring may include overwriting of portions of virtual image file that includes post analysis data ] Col. 2, Lines 57-67, According to one embodiment of the disclosure, during runtime, the data availability logic determines the post-analysis data and stores the post-analysis data within a prescribed area of a virtual image file. The virtual image file corresponds to a guest system snapshot (image of software running on the guest system). The prescribed area is managed by a virtual file system that may be part of the virtual image file, and the location of the prescribed area is known and accessible by the host system. Col. 3, Lines 4-18, Col. 4, Lines 1-15).
(Vashisht: Col. 11, Lines 1-12).
Regarding claim 15, Poornachandran, in combination with Vashisht, teaches the method of claim 14, comprising: receiving directions from a remote device regarding how to modify the behavior of the security process; reporting results of the verification to the remote device; and receiving a signal directing the restoration of the security process from the remote device (Poornachandran: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).

Claim 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Poornachandran et al. (US 2012/0167218; Hereinafter “Poornachandran”) in view of Vashisht et al. (US 10,902,119; Hereinafter “Vashisht”) and further in view of Ismael (US 9,225,740; Hereinafter “Ismael”).
Regarding claim 11, Poornachandran, in combination with Vashisht, teaches the non-transitory computer-readable medium of claim 9. Poornachandran, in combination with Vashisht, does not explicitly teach where the data associated with the security module are modified by: altering in memory executable instructions of the security process. 
In an analogous art, Ismael teaches where the data associated with the security module are modified by: altering in memory executable instructions of the security process (Ismael: Col. 7, Lines 22-35, For example, the data value stimuli function 314_1 may be used to set an instruction pointer to a specific value to begin or jump application execution to a specific point in the application's code. Likewise, the data value stimuli function 314_1 may be used to create/change/delete any data value within the register or system memory space that is processed by the application 308. This capability may be used, for instance, to change the state of the application 308 to any particular state so the application's behavior in response to the artificially set state can be observed. Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Ismael with the method and system of Poornachandran and Vashisht, to include where the data associated with the security module are modified by: altering in memory executable instructions of the security process because this functionality provides an improved framework for testing the safety and security of applications (Ismael: Col. 1, Lines 53-63).
Regarding claim 12, Poornachandran, in combination with Vashisht and Ismael teaches the non-transitory computer-readable medium of claim 11, where the executable instructions are modified by altering a Boolean in memory to trigger whether a function of the security process executes, overwriting null operation instructions in the executable instructions associated with the security process with instructions that call specific functions, where the null operation instructions were inserted in the security process at compile time by a specially configured compiler, overwriting a function call in the executable instructions to trigger an alternative function call, and altering a function pointer in memory (Ismael: Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
Regarding claim 13, Poornachandran, in combination with Vashisht, teaches the non-transitory computer-readable medium of claim 9.  Poornachandran, in combination with Vashisht, does not explicitly teach where verifying proper operation of the security module by one of: verifying a value received from the security process, where the value is generated based on the changed behavior, verifying that security reports provided by the security process include data collected as a result of the changed behavior, and verifying a state of in memory value modified by the security process during the operation of the security process, where the state depends on the changed behavior. 
In an analogous art, Ismael teaches a system and method where verifying proper operation of the security module by one of: verifying a value received from the security (Ismael: Col. 5 lines 10-58, Col. 6, Lines 23-43).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Ismael with the method and system of Poornachandran and Vashisht, to include where verifying proper operation of the security module by one of: verifying a value received from the security process, where the value is generated based on the changed behavior, verifying that security reports provided by the security process include data collected as a result of the changed behavior, and verifying a state of in memory value modified by the security process during the operation of the security process, where the state depends on the changed behavior because this functionality provides an improved framework for testing the safety and security of applications (Ismael: Col. 1, Lines 53-63).
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NELSON S. GIDDINS/             Primary Examiner, Art Unit 2437