DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 2, 9, 14, 17, and 18 were amended. Claims 7, 8, 15, and 16 were cancelled. Claims 1-6, 9-14, and 17-20 are pending.
The DP rejections were withdrawn because the terminal disclaimer filed by applicant was approved.
Priority
This application discloses and claims only subject matter disclosed in prior Application No. 15/701128, filed 09/11/2017, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation or division. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.
Response to Arguments
Applicant's arguments filed 10/27/21 with regards to claim 18 have been fully considered but they are not persuasive. The claim requires “executing a privilege operation to determine the request is one of permanently allowed and not-permanently allowed”.
Russello [0020] teaches executing a privilege operation to determine the request is not-permanently allowed, and the claim requires satisfying one of: permanently allowed and not-permanently allowed.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps. See MPEP § 2172.01. The omitted steps are: the claim recites “determines a match exists for one of an action object and a group action” and “determines a match does not exist for neither of the action object and the group object”, but there are no steps after determining the match (Note: the absence of any use of “the action object” and “the group action” suggests these are for intended use; although claim 3 further explains when “a match exist”, the examiner is not sure whether applicant is referring to a new match or to “the match exist” in claim 2). Again, there is no statement of what follows when a match does not exist. Appropriate correction is required.

Dependent claims 2-6 do not cure the deficiencies and are also rejected accordingly.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Russello (US 20150332043 A1) in view of Ramabhatta et al. (US 20130145472 A1).

With regards to claim 18, Russello teaches a method for detecting, identifying, and mitigating advanced persistent threats in a computer network comprising one or more computers, the method, comprising:
a processor in the computer network receiving a request to access a resource in the computer network ([0057] a security system service running at the application layer that is operable to access stored configurable security policies for the applications of the application layer, and which communicates with each process monitor in the Linux layer the security policies corresponding to its attached process, and wherein each process monitor is configured to retrieve and enforce the security policy configured for its attached process based on the parameters of the detected system calls.); 
identifying the request as originating from an application executing on the computer network (FIG 18 and associated text; [0059] Each process monitor may be configured to enforce security policies based on parameters extracted from the detected system calls. For explicit system calls, the security policies may be evaluated and enforced based directly on extracted system call parameters. For implicit system calls, the process monitors may be configured to retrieve further information about the system call from the security system service in the application layer before evaluating and enforcing the security policies.); 
executing an anomaly operation to determine a behavior of the application is one of anomalous and not anomalous ([0168] The analysis system may be used in as a profiler tool for a security expert or administrator to analyse the execution of applications 
executing a privilege operation to determine the request is one of permanently allowed and not-permanently allowed ([0020] In an embodiment, the monitoring entities are configured to stall or pause execution of the application on detection of a system call invocation, and awaits a security decision for enforcement, the security decision being an instruction on how to handle the execution of the detected system call invocation. By way of example, in one embodiment, the security decision may be any one of the following: allow the system call to execute, deny the system call from executing, modifying the system call, or killing the application execution altogether.); 
granting access to the resource for a non-anomalous-behaving application ([0020] In an embodiment, the monitoring entities are configured to stall or pause execution of the application on detection of a system call invocation, and awaits a security decision for enforcement, the security decision being an instruction on how to handle the execution of the detected system call invocation. By way of example, in one embodiment, the security decision may be any one of the following: allow the system call to execute, deny the system call from executing, modifying the system call, or killing the application execution altogether); and 
Russello does not exclusively teach, but Ramabhatta teaches,
granting access to the resource for a permanently allowed request ([0077] Consequently, because def.com 508 is known to be safe, anti-malware module 114 may allow the attempted access of task scheduler 116);
generating and displaying, on a graphical user interface of the computer network, and a prompt for either an anomalous-behaving application or a not-permanently allowed request ([0017] In one embodiment, anti-malware module 114 may display results to user 111 and accept selected corrective action.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Russello’s system with the teaching of Ramabhatta in order to prevent malware attacks (Ramabhatta [003]).

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Russello (US 20150332043 A1) in view of Ramabhatta et al. (US 20130145472 A1) and Saidi et al. (US 20130232540 A1).

With regards to claim 19, Russello in view of Ramabhatta does not teach, but Saidi teaches, determining, by a processor, a request as one of permanently allowed and not permanently allowed comprises consulting a privilege profile for the application (FIG 5 514 and associated text); for a not permanently allowed request: generating, by the processor, a volatile access control list for the not-permanently-allowed request, providing the prompt comprising a plurality of actions, receiving, by the processor, an action selection by way of the graphical user interface, and storing the action selection for the request in the privilege profile for the application; for a permanently allowed request: invoking a persistent access control list privilege operation (Saidi FIG 5 526 and associated text), and storing the access control list privilege operation in the privilege profile for the application (FIG 2 220 and associated text; [0068] At block 220, the method 200 creates the new application package 148 including the MEC 160, 162, 164 and the updated application priority information.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Russello in view of Ramabhatta’s system with the teaching of Saidi in order to secure privacy and prevent attack (Saidi [0003]).


With regards to claim 20, Russello in view of Ramabhatta and Saidi teaches, comprising: the processor generates the volatile access control list for the request when the request status is one of temporarily allowed, denied, and not in the privilege profile (Saidi FIG 1 118 and associated text; Note: when a call is suspicious/unknown, the process of creating a new ACL is processed in RAM/volatile memory).


Allowable Subject Matter

Claims 1, 9-14, and 17 are allowed.

The following is an examiner’s statement of reasons for allowance:
The prior art of record does not teach or fairly suggest, in the combination of steps as recited in the Applicant’s independent claims as amended, performing an application analysis to generate expected runtime properties, wherein the expected runtime properties are likely application properties, each expected runtime property comprising a mathematical description of observed relationships among the expected runtime properties, and wherein the expected runtime properties form an operational abstraction that is syntactically identical to a formal specification, including preconditions, postconditions, and objects.

The dependent claims, being definite, further limiting, and fully enabled by the specification, are also allowed.

	
Claims 2-6 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached on 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498