PNG
    media_image1.png
    172
    172
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/211,092
Filing Date:   December 5, 2018
Appellant(s): Sisimon SOMAN



__________________
Ankur Garg (Reg. No. 62,463)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed on 23 August 2021 appealing from the Office action mailed on 12 March 2021.

(1) Grounds of Rejection to be Reviewed on Appeal 
Every ground of rejection set forth in the Office action dated 12 March 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.” New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
The following ground(s) of rejection are applicable to the appealed claims.
1.1.	Claims 1-7, 9-15, and 17-20  are rejected under 35 U.S.C. 103 as being unpatentable over Ristovski et al. (U.S. 2013/0333056 A1), hereinafter “Ristovski”, in view of Brezinski (U.S. 9,348,742 B1), further in view of Russello (U.S. 2015/0332043 A1).
1.2.	Claims 8 and 16  are rejected under 35 U.S.C. 103 as being unpatentable over Ristovski et al. (U.S. 2013/0333056 A1), in view of Brezinski (U.S. 9,348,742 B1), in view of Russello (U.S. 2015/0332043 A1), further in view of Rebelo (U.S. 10,445,505 B2), hereinafter “Rebelo”.

(2) Response to Argument
1. The Office Action fails to demonstrate that references Ristovski, Brezinski, and Russello, alone or in combination, describe both of “the login session having a default security context” and “creating a de-elevated security context for the login session” of independent claim 1
 (a) Appellants submit:
“1. The Office Action fails to demonstrate that references Ristovski, Brezinski, and Russello, alone or in combination, describe both of “the login session having a default security context” and “creating a de-elevated security context for the login session” of independent claim 1”  (see appeal brief, page 15, 3rd par)
 “Yet, nothing in the cited portions of Ristovski describe both of: (1) a “login session having a default security context,” and (ii) “a de-elevated security context for the login session, wherein the de-elevated security context has fewer privileges than the default security context,” as recited in claim 1.” (see appeal brief, page 16, 2nd par)
Examiner maintains:
th entry, procmgr_aid_getid get the groups ID or session ID of a process; page 5, claim 5, line 10  ‘session ID’).
Therefore, Ristovski discloses or suggests the login session, as session IDs are often used to identity a user that has logged into a system, such as a website. 
Ristovski further discloses “Accordingly a process may be created with a default set of privileges [i.e., where a default set of privileges corresponding to ‘the default security context’] and subsequently the privileges may be modified to include only a sub-set of the default privileges [i.e., where a sub-set of the default privileges corresponding to ‘the de-elevated security context’] thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
Therefore, Ristovski discloses the default security context, creating a de-elevated security context.
Additionally, Russello further discloses or suggests a login session (see Russello, [0238] ‘establish a new connection or monitor a communication session that is already in progress.’) 
Therefore, the combination of references at least suggests both of “the login session having a default security context” and “creating a de-elevated security context for the login session” of independent claim 1. 
           (b) Appellants submit:
	“That is, Ristovski fails to describe both of a default security context and a de-elevated security context that are associated with a login session, and both of the default security context and the de-elevated security context exist prior to creation of a process.” (see appeal brief, page 16, 2nd par) 
 “Yet, nothing in the cited portions of Ristovski describe both of: (1) a “login session having a default security context,” and (ii) “a de-elevated security context for the login session, wherein the de-elevated security context has fewer privileges than the default security context,” as recited in claim 1.” (see appeal brief, page 16, 2nd par) 
	Examiner maintains:
Examiner notes that claim 1 does not specify the timing of creating a de-elevated security context for the login session.

Ristovski discloses “session ID” (see Ristovski, page 2, table 1, left col., 8th entry, procmgr_aid_getid get the groups ID or session ID of a process; page 5, claim 5, line 10  ‘session ID’).
Therefore, Ristovski discloses or suggests the login session, as session IDs are often used to identity a user that has logged into a system, such as a website. 
Ristovski further discloses “Accordingly a process may be created with a default set of privileges [i.e., the default security context] and subsequently the privileges may be modified to include only a sub-set of the default privileges [i.e., the de-elevated security context] thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
Therefore, Ristovski discloses both of a default security context and a de-elevated security context that are associated with a login session.
Ristovski further discloses “A default set of privileges [i.e., the default security context] is associated with each of one or more user-ids 302.” (see Ristovski, [0016])
Therefore, Ristovski discloses the default security context exists prior to creation of a process.
Ristovski further discloses “When the request to modify is received, the kernel may modify the set of privileges [i.e., the de-elevated security context ]  assigned to the process.  The process creator may further create one or more child processes on behalf of the process.  Each child process may be assigned the set of privileges assigned to it's parent process at the time of the child process' creation.” (see Ristovski, [0023]).
Therefore, Ristovski discloses the de-elevated security context exists prior to creation of a process, such as a child process.
Therefore, Ristovski discloses both of the default security context and the de-elevated security context exist prior to creation of a process.
Additionally, Russello further discloses or suggests a login session (see Russello, [0238] ‘establish a new connection or monitor a communication session that is already in progress.’)  


2. The Office Action fails to demonstrate that Brezinski, alone or in combination with Russello and Ristovski, describes determining whether a process is malicious “prior to creating the process,” as recited in independent claim 1
	(c)	Appellants submit:
	“2. The Office Action fails to demonstrate that Brezinski, alone or in combination with Russello and Ristovski, describes determining whether a process is malicious “prior
to creating the process,” as recited in independent claim 1” (see appeal brief, page 17, 3rd par)
	“Here, although the Examiner correctly summarizes the cited portions of Brezinski, it is unclear how the Examiner has determined that a process could exhibit an anomalous memory allocation prior to that process being created.” (see appeal brief, page 20, 2nd par) 
	Examiner maintains:
           Ristovski discloses “Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
When a process is maliciously exploited, e.g. by a hacker, to perform an attack, such as changing system configuration files, the process is considered malicious. The process itself may be benign.  However, the behavior of the process is malicious.  When a supposed to be benign process performs an act that is considered malicious, the process is called ‘a potentially compromised process’, the term used in Brezinski. 
So, determining whether a process potentially malicious can be based on:
(i)  the process itself, e.g., its code is malicious; or
(ii)  the behaviors, acts performed by the process, e.g., its behavior is malicious. 

	Therefore, Ristovski discloses taking a mitigation action for the process, where the mitigation action comprises modifying the default set of privileges of the process to only a sub-set of the default privileges, where the process has been identified as being maliciously exploited, e.g. by a hacker, to perform an attack. 
	Therefore Ristovski’s mitigation action for the process is being necessitated by identifying the process being maliciously exploited, e.g. by a hacker, to perform an attack, and consequently, Ristovski suggests determining the process is potentially malicious.
	In addition, Brezinski discloses “In some cases, the alert module 124 may also 
perform one or more automatic interdiction actions to mitigate the risk due to the potentially compromised process 104.” (see Brezinski, col. 6, line 32)
	Therefore, Brezinski discloses that the mitigation action (“performing one or more automatic interdiction actions”) is necessitated by determining the process potentially malicious (“the potentially compromised process 104”).
Brezinski discloses at col. 2, line 51 “Once a baseline memory allocation is established, the performance data collected for executing processes may be compared to the baseline.  A process that exhibits an anomalous memory allocation [i.e., where a process exhibiting an anomalous memory allocation corresponding to ‘the digital profile of the computing device’] compared to the baseline [i.e., where the baseline corresponding to ‘an intended state’] may be designated as a potential security risk and flagged for further analysis to determine whether malicious code has been injected into the process.”
Therefore, Brezinski suggests determining whether the process is potentially malicious by comparing an intended state and a digital profile of the computing device.
Ristovski further discloses “The process may create a child process 402.  The child process may be created using any mechanism provided by the operating system including, for example, the fork( ) and spawn( ) mechanisms available in UNIX.RTM.-like operating systems. …The set of privileges assigned to the process may change 
Therefore, Ristovski discloses the parent process may be determined potentially malicious prior to forking a child process, and the security privileges associated with the parent process will be modified according to the determination. If the parent process is determined potentially malicious [i.e., prior to creation of the child process], the child process is thereby determined potentially malicious also [i.e., prior to creation of the child process] , the child process will be created via fork system call, and will inherit a sub-set of the default privileges from the parent process; if the parent process is determined non-malicious [i.e., prior to creation of the child process], the child process is thereby determined non-malicious also [i.e., prior to creation of the child process], the child process will be created via fork system call, and will inherit a default set of privileges from the parent process.
Russello explicitly discloses detecting a process to be created prior to creation of the process, determining a security policy for the process based on the process launch instruction, and early linking the determined security policy to the process prior to creation of the process (see Russello, fig. 12 discloses a timeline for creating a process, 402 ‘(early) link security policy to new process’, 400 ‘new application launch instruction’ [i.e., detecting a process to be created prior to the process actually being created], 404 ‘mother process forks new child process’ [i.e., where ‘mother process forks a new child process’ corresponding to ‘the process actually being created’]).
Thus, the combination of references at least suggest prior to creation of the process, determining whether a process is potentially malicious by comparing an intended state and a digital profile of the computing device [i.e., determining whether a process, such as a child process, is potentially malicious based on whether its parent process is determined potentially malicious, wherein the determining step is performed prior to creation of the process, such as a child process].
(d)   Appellants submit:
st par)
Examiner maintains:
Ristovski discloses “The process may create a child process 402.  The child process may be created using any mechanism provided by the operating system including, for example, the fork( ) and spawn( ) mechanisms available in UNIX.RTM.-like operating systems. …The set of privileges assigned to the process may change (e.g. when a request to modify 114 is received as described with reference to FIG. 3) between instances of creating a child process.  Each child process may be assigned the set of privileges assigned to it's parent process at the time of child process creation.” (see Ristovski, [0017]).
Therefore, Ristovski discloses the parent process may be determined potentially malicious prior to forking a child process, and the security privileges associated with the parent process will be modified according to the determination. If the parent process is determined potentially malicious [i.e., prior to creation of the child process], the child process is thereby determined potentially malicious also [i.e., prior to creation of the child process] , the child process will be created via fork system call, and will inherit a sub-set of the default privileges from the parent process; if the parent process is determined non-malicious [i.e., prior to the creation of the child process], the child process is thereby determined non-malicious also [i.e., prior to creation of the child process], the child process will be created via fork system call, and will inherit a default set of privileges from the parent process.
Therefore, Ristovski discloses determining whether a process, such as a child process, is potentially malicious prior to creation of the process. 
Therefore, Ristovski’s ‘lifespan of a process’ includes the time prior to creation of the process, where the time prior to creation of the process refers to the stage to determine whether the process, such as a child process, is potentially malicious.

Thus, the combination of Ristovski and Russello at least suggests determining whether a process is potentially malicious prior to creation of the process. 

3. The Office Action fails to demonstrate that Ristovski, alone or in combination with Russello and Brezinski, teaches or suggests “determining whether the process is potentially malicious,” as recited in independent claim 1   
	(e)	Appellants submit:
	“3. The Office Action fails to demonstrate that Ristovski, alone or in combination with Russello and Brezinski, teaches or suggests “determining whether the process is
potentially malicious,” as recited in independent claim 1” (see appeal brief, page 21, 3rd par)
	Examiner maintains:
Ristovski discloses “Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
When a process is maliciously exploited, e.g. by a hacker, to perform an attack, such as changing system configuration files, the process is considered malicious. The process itself may be benign.  However, the behavior of the process is malicious.  When a supposed to be benign process performs an act that is considered malicious, the process is called ‘a potentially compromised process’, the term used in Brezinski. 
So, determining whether a process potentially malicious can be based on:
(i)  the process itself, e.g., its code is malicious; of
(ii)  the behaviors, acts performed by the process, e.g., its behavior is malicious. 
	Ristovski discloses “mitigating the risk of malicious exploitation of the process through attack”. Therefore, Ristovski discloses that the process has been identified as 
	Therefore, Ristovski discloses taking a mitigation action for the process, where the mitigation action comprises modifying the default set of privileges of the process to only a sub-set of the default privileges, where the process has been identified as being maliciously exploited, e.g. by a hacker, to perform an attack. 
	Therefore Ristovski’s mitigation action for the process is being necessitated by identifying the process being maliciously exploited, e.g. by a hacker, to perform an attack, and consequently, Ristovski suggests determining the process is potentially malicious.
	In addition, Brezinski discloses “In some cases, the alert module 124 may also 
perform one or more automatic interdiction actions to mitigate the risk due to the potentially compromised process 104.” (see Brezinski, col. 6, line 32)
	Therefore, Brezinski discloses that the mitigation action (“performing one or more automatic interdiction actions”) is necessitated by determining the process potentially malicious (“the potentially compromised process 104”).
Brezinski discloses at col. 2, line 51 “Once a baseline memory allocation is established, the performance data collected for executing processes may be compared to the baseline.  A process that exhibits an anomalous memory allocation [i.e., the digital profile of the computing device] compared to the baseline [i.e., where the baseline corresponding to ‘an intended state’] may be designated as a potential security risk and flagged for further analysis to determine whether malicious code has been injected into the process.”
Therefore, Brezinski discloses determining whether the process is potentially malicious by comparing an intended state and a digital profile of the computing device.
	Thus, the combination of references at least suggests “determining whether the process is potentially malicious,” as recited in independent claim 1.

4. The Office Action fails to demonstrate that Ristovski teaches or suggests “launching the process using the default security context when determining that the process is not potentially malicious,” and “launching the process using the de-elevated security context when determining that the process is potentially malicious,” as recited in independent claim 1
	(f)	Appellants submit:
	“4. The Office Action fails to demonstrate that Ristovski teaches or suggests “launching the process using the default security context when determining that the process is not potentially malicious,” and “launching the process using the de-elevated security context when determining that the process is potentially malicious,” as recited in
independent claim 1” (see appeal brief, page 22, 4th par)
	Examiner maintains:
Ristovski discloses “Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
When a process is maliciously exploited, e.g. by a hacker, to perform an attack, such as changing system configuration files, the process is considered malicious. The process itself may be benign.  However, the behavior of the process is malicious.  When a supposed to be benign process performs an act that is considered malicious, the process is called ‘a potentially compromised process’, the term used in Brezinski. 
So, determining whether a process potentially malicious can be based on:
(i)  the process itself, e.g., its code is malicious; or
(ii)  the behaviors, acts performed by the process, e.g., its behavior is malicious. 
	Ristovski discloses “mitigating the risk of malicious exploitation of the process through attack”. Therefore, Ristovski discloses that the process has been identified as being maliciously exploited, e.g. by a hacker, to perform an attack, and a mitigation action is necessary for “mitigating the risk”.
	Therefore, Ristovski discloses taking a mitigation action for the process, where the mitigation action comprises modifying the default set of privileges of the process to only a sub-set of the default privileges, where the process has been identified as being maliciously exploited, e.g. by a hacker, to perform an attack. 

	In addition, Brezinski discloses “In some cases, the alert module 124 may also 
perform one or more automatic interdiction actions to mitigate the risk due to the potentially compromised process 104.” (see Brezinski, col. 6, line 32)
	Therefore, Brezinski discloses that the mitigation action (“performing one or more automatic interdiction actions”) is necessitated by determining the process potentially malicious (“the potentially compromised process 104”).
Brezinski discloses at col. 2, line 51 “Once a baseline memory allocation is established, the performance data collected for executing processes may be compared to the baseline.  A process that exhibits an anomalous memory allocation [i.e., the digital profile of the computing device] compared to the baseline [i.e., where the baseline corresponding to ‘an intended state’] may be designated as a potential security risk and flagged for further analysis to determine whether malicious code has been injected into the process.”
Therefore, Brezinski discloses determining whether the process is potentially malicious by comparing an intended state and a digital profile of the computing device.
Ristovski further discloses “The process may create a child process 402.  The child process may be created using any mechanism provided by the operating system including, for example, the fork( ) and spawn( ) mechanisms available in UNIX.RTM.-like operating systems. …The set of privileges assigned to the process may change (e.g. when a request to modify 114 is received as described with reference to FIG. 3) between instances of creating a child process.  Each child process may be assigned the set of privileges assigned to it's parent process at the time of child process creation.” (see Ristovski, [0017]).
Therefore, Ristovski discloses the parent process may be determined potentially malicious prior to forking a child process, and the security privileges associated with the parent process will be modified according to the determination. If the parent process is determined potentially malicious [i.e., prior to creation of the child process], the child process is thereby determined potentially malicious also [i.e., prior to creation of the 
Thus, the combination of references at least suggests “launching the process using the default security context when determining that the process is not potentially malicious,” and “launching the process using the de-elevated security context when determining that the process is potentially malicious,” as recited in independent claim 1.

 5. The alleged motivation to combine Ristovski with Russello fails to establish a prima facie case of obviousness
	(g)	Appellants submit:
	“5. The alleged motivation to combine Ristovski with Russello fails to establish a prima facie case of obviousness” (see appeal brief, page 23, 3rd par)  
	“As such, “linking a security policy to an application” can't properly serve as a motivation to combine.” (see appeal brief, page 25, 2nd par)  
	“Appellant submits that the proposed combination would not “provide an improved security system” to Ristovski because the Examiner’s proposal is simply a redundant combination of processes.” (see appeal brief, page 26, 1st par)
	Examiner maintains:
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). 
Ristovski teaches "a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
Ristovski further discloses “Each child process may be assigned the set of privileges assigned to it's parent process at the time of child process creation.” (see Ristovski, [0017]).
Therefore, Ristovski teaches detecting a process, such as a child, to be created prior to creation of the process; and assigning the set of privileges assigned to its parent process to the child process at the time of child process creation. 
Russello discloses detecting a process to be created prior to the process actually being created, determining an appropriate security policy for the detected process based on the process launch instruction, and early linking a security policy to the detected process prior to creation of the process (see Russello, fig. 12 discloses a timeline for creating a process, 402 ‘(early) link security policy to new process’, 400 ‘new application launch instruction’ [i.e., detecting a process to be created prior to the process actually being created], 404 ‘mother process forks new child process’ [i.e., where ‘mother process forks a new child process’ corresponding to ‘the process actually being created’]).
Therefore, Russello’s teaching could enhance the system of Ristovski, because Russello’s teaching of determining an appropriate security policy based on the process launch instruction for the detected process, and early linking a security policy to the detected process prior to creation of the process, would be more dynamic, and therefore more robust than Ristovski’s teaching of a process, such as a child process, merely inheriting the set of privileges from its parent process.

 6. Remaining independent claims 9 and 17
(h)  Appellants submit:
“Therefore, without repeating the above argumentation in support of claim 1, Appellant respectfully submits that the rejections of claims 9 and 17 should be reversed for the same reasons as claim 1.” (see appeal brief, page 26, 3rd par)
Examiner maintains:


7. The Office Action fails to demonstrate that reference Ristovski, alone or in
combination with Brezinski and Russello, describes the features of dependent claims 2, 10, and 18 
(i)	Appellants submit:
	“For example, what aspect of Ristovski is alleged to describe the “helper process,” “special security context,” or the “copy of the default security context”?” (see appeal brief, page 27, 2nd par)
	Examiner maintains: 
	Ristovski discloses “The process manager 102 [i.e., where ‘the process manager 102’ corresponding to the helper process] may be responsible for creating processes such as illustrated example processes 108 and 110 and for assigning a set of privileges to the processes at process creation time.” (see Ristovski, [0015]).
	Therefore, Ristovski discloses the process manager, which corresponds to the helper process.
	Ristovski further discloses “Some systems may include one or more user-ids that are designated as system administrator users (a.k.a.  root user, root, or sys admin) that may be given all possible privileges [i.e., where ‘be given all possible privileges’ corresponding to ‘a special security context’].” (see Ristovski, [0011]).
	Therefore, Ristovski discloses a root user, root, or sys admin may be given all possible privileges, where ‘be given all possible privileges’ corresponds to the special security context.
Ristovski further discloses “Accordingly a process may be created with a default set of privileges [i.e., where a default set of privileges corresponding to ‘the default security context’] and subsequently the privileges may be modified to include only a sub-set of the default privileges [i.e., where a sub-set of the default privileges corresponding to ‘the de-elevated security context’] thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]). 

Ristovski further discloses “Each process executing on the computing platform may be assigned a set of privileges.  The set of privileges assigned to a process may be based on the set of privileges [i.e., where ‘assigned… based on the set of privileges’ corresponding to ‘a copy’] associated with the user-id of the owner of the process.” (see Ristovski, [0012]).
Therefore, Ristovski discloses assigning a set of privileges to a process, such as a default set of privileges, where assigning a set of privileges corresponds to a copy of the set of privileges.
Thus, the reference discloses or suggests “a helper process,” “a special security context,” and the “a copy of the default security context”. 

8. The Office Action fails to demonstrate that reference Ristovski, alone or in
combination with Brezinski and Russello, describes the features of dependent claims 3, 11, and 19 
(j)	Appellants submit:
	“For example, claims 3, 11, and 19 describe the special security context as “a process enabled to create or cause other processes, including the helper process, to create security contexts.”” (see appeal brief, page 28, 1st par)
	Examiner maintains:
	Ristovski discloses “The process manager 102 [i.e., the helper process ] may be responsible for creating processes such as illustrated example processes 108 and 110 and for assigning a set of privileges to the processes at process creation time.” (see Ristovski, [0015]).
	Therefore, Ristovski discloses the process manager, which corresponds to the helper process.
	Ristovski further discloses “Some systems may include one or more user-ids that are designated as system administrator users (a.k.a.  root user, root, or sys admin) that may be given all possible privileges [i.e., where ‘be given all possible privileges’ corresponding to ‘a special security context’ ].” (see Ristovski, [0011]).

Ristovski further discloses “Accordingly a process may be created with a default set of privileges [i.e., where a default set of privileges corresponding to ‘the default security context’ ] and subsequently the privileges may be modified [i.e., where modifying the privileges corresponding to create a security context, such as a de-elevated security context ] to include only a sub-set of the default privileges [i.e., where a sub-set of the default privileges corresponding to ‘the de-elevated security context’ ] thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]). 
Therefore, Ristovski discloses modifying a default set of privileges to include only a sub-set of the default privileges, which corresponds to creating a security context.
Therefore, the reference discloses or suggests the special security context as “a process enabled to create or cause other processes, including the helper process, to create security contexts”.

9. The Office Action fails to demonstrate that reference Ristovski, alone or in
combination with Brezinski and Russello, describes the features of dependent claims 4, 12, and 20 
(k)	Appellants submit:
“… no indication of how paragraph 11 relates to “removing an association of the copy of the default security context with an administrative security group,” or to any feature of the dependent claims.” (see appeal brief, page 28, last par)
Examiner maintains: 
Ristovski discloses “Some systems may include one or more user-ids that are designated as system administrator users (a.k.a.  root user, root, or sys admin) that may be given all possible privileges.” (see Ristovski, [0011])
Therefore, Ristovski discloses the copy [i.e. where ‘may be given all possible privileges’ corresponding to ‘copy’] of the default security context with an administrative security group, wherein the copy of the default security context for the administrative security group contains all possible privileges, wherein ‘all possible privileges’ 
Ristovski further discloses “Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).
Therefore, Ristovski discloses creating a sub-set of privileges by removing certain privileges from the copy of the default privileges assigned for the administrative security group [e.g., removing (1) privileges for administrative security group, but keep (2) privileges for ordinary users in the sub-set of privileges].  Therefore, the created sub-set of privileges includes only (2) privileges for ordinary users, but without (1) privileges for the administrative security group, thereby the created sub-set of privileges ‘creating the de-elevated security context by removing an association of the copy of the default security context with an administrative security group, causing a removal of privileges associated with the administrative security group from the copy of the default security context.’.
Therefore, the reference discloses or suggests ‘creating the de-elevated security context by removing an association of the copy of the default security context with an administrative security group, causing a removal of privileges associated with the administrative security group from the copy of the default security context.’, as claimed in claim 4, 12, and 20.

10. The Office Action fails to demonstrate that reference Ristovski, alone or in combination with Brezinski and Russello, describes the features of dependent claims 5 and 13 
(l)	Appellants submit:
“…no indication of how paragraph 12 relates to “a security agent,” let alone “duplicating the de-elevated security context to a security agent.”” (see appeal brief, page 29, 3rd par)
Examiner maintains: 
The specification discloses:

Therefore, the specification discloses that the helper process is a special instance of the security agent in certain aspects.
Ristovski discloses “The process manager 102 [i.e., the helper process ] may be responsible for creating processes such as illustrated example processes 108 and 110 and for assigning a set of privileges to the processes at process creation time.” (see Ristovski, [0015]).
Therefore Ristovski discloses the process manager which corresponds to the helper process. 
Since the helper process is a special instance of the security agent in certain aspects according to the specification,  Ristovski discloses or suggests the security agent. 
Ristoviski discloses “Herein are described systems and methods wherein the set of privileges assigned to a process may be modified responsive to a request… sub-set of the default privileges…” (see Ristovski, [0014]).
Therefore, Ristovski discloses the sub-set of the default privileges, which corresponds to the de-elevated security context.
Ristovski further discloses “The child process [i.e., a security agent] may be assigned the set of privileges assigned to it's parent process 404 and thereby inherits it's parent process' set of privileges [i.e., where ‘inherits it’s parent process’s set of privileges’ corresponding to duplicating the security context ].” (see Ristovski, [0017]).
Therefore, Ristovski discloses a child process inherits its parent process’s set of privileges, where ‘inherit’ corresponds to duplicating a security context, such as a de-elevated security context.
In addition, Rusello explicitly discloses a security agent (see Rusello, fig. 17, item 918 ‘analysis agent’).
Therefore, the references disclose or suggest “a security agent,” and “duplicating the de-elevated security context to a security agent.”, as claimed.

11. Remaining dependent claims
(m)	Appellants submit:

Examiner maintains:
Please see examiner’s responses in sections 1-5 with respect to claim 1.


For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/PEILIANG PAN/
Examiner, Art Unit 2492

Conferees:
Saleh Najjar 
/SALEH NAJJAR/           Supervisory Patent Examiner, Art Unit 2492                                                                                                                                                                                             
Zachary A. Davis 
/Zachary A. Davis/           Primary Examiner, Art Unit 2492                                                                                                                                                                                             

Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in
effect on March 18, 2013.