Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 08/17/2021. Claims 1-22 are pending in the application. Claim 21 is objected to. Claims 1-20 and 22 have been rejected.

Response to Arguments
Applicant’s arguments, see remarks, filed on 08/17/2021, with respect to the 35 USC 103 type rejections of claims 1-20 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of the Fischer et al reference (please see the office action below for detailed explanations).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).


Claims 1-20 of the instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-22 of the commonly owned patent US 10,437,998 B2.
In particular, claims 1, 7 and 13 of the instant application are obvious over claims 1-3, 7-10 and 14-15 of the commonly owned patent US 10,437,998 B2; claims 2-5, 8-10, 12 and 14-17 of the instant application are obvious over claims 2-4, 8-10 and 15-22 of the commonly owned patent US 10,437,998 B2; and claims 6, 11 and 18-20 of the instant application are obvious over claims 5-6, 10-13 and 17-18 of the commonly owned patent US 10,437,998 B2.
The conflicting claim sets of both the instant application and the commonly owned patent are directed to a system of detecting malware exploits utilizing operating condition/branch mispredict information. The differences between the conflicting claims of the instant application and the commonly owned patent are that the independent claims of the instant application are presented in an alternate/broader fashion.
However, at the time of invention, it would have been obvious to one of ordinary skill in the art to modify or re-arrange the claimed features of the commonly owned patent to present them alternatively, since a claim with alternative/broader scope would inherently encompass more features.
This is an obviousness type double patenting rejection. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-12 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over US 2014/0372701 A1 (hereinafter Komaromy et al) in view of US 2015/0067763 A1 (hereinafter Dalcher et al), further in view of US 2014/0123281 A1 (hereinafter Fischer et al).
Regarding claim 1, Komaromy et al teaches a programmable device to detect malware exploits in an application, the programmable device comprising:
hardware circuitry (note Figure 1.102: processing unit; and Figure 4.414: cache monitor) to:
determine a first number of return related instructions (note para 050, 068, 071, 076: detecting ROP exploits/return instructions by determining hit/miss activities);

determine a difference between the second number and the first number (note para 038, 050, 071, 075, 077);
in response to the difference satisfying a threshold, detect a valid code sequence (note Figure 7.706 and 7.710; para 050-051, 069, 071, 075-076: threshold number for misses; detecting anomalous miss activity in executable code sequence);
Komaromy et al fails to teach expressly in response to the difference satisfying a threshold, detect a mispredicted branch; in response to a detection of the mispredicted branch, record a mispredict indicator in an entry of a last branch record stack; and a device driver to identify a translated version of original binary in the application based on binary translation of the application in response to the interrupt.
However, Dalcher et al teaches a device driver to identify a translated version of original binary in the application based on binary translation of the application in response to the interrupt (note para. 020-021, 061, 075: execution profiling module may be further configured to check the code segment for use of return-oriented programming techniques, and monitor the event for the branch instruction using binary translation-based techniques).
Dalcher et al and Komaromy et al are analogous art because they are from the same field of detecting and preventing anomalies/exploitations in executable code using various types of techniques. Therefore, at the time of effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the Komaromy et al device to substitute the technique of detecting a return-oriented programming exploit responsive to determining anomalous miss activity with the technique of detecting a return-oriented programming exploit responsive to the binary translation (e.g. identifying a translated version of original binary in the application based on binary translation of the application in response to the interrupt) taught by Dalcher et al in order to provide users with an alternative and/or optimized mechanism for detecting return-oriented programming exploits using binary translation-based techniques (note Dalcher et al, para 019-020).
The modified Dalcher et al-Komaromy et al device fails to teach expressly in response to the difference satisfying a threshold, detect a mispredicted branch; in response to a detection of the mispredicted branch, record a mispredict indicator in an entry of a last branch record stack.
However, Fischer et al teaches in response to the difference satisfying a threshold, detect a mispredicted branch (note para. 023-025, 029, 031: detecting/determining number of mispredicted branch instructions; determining instructions exceeding predetermined number/threshold); in response to a detection of the mispredicted branch, record a mispredict indicator in an entry of a last branch record stack (note para. 036: In still another example, the accumulator 142 may increment
Fischer et al and Komaromy et al are analogous art because they are from the same field of detecting and preventing anomalies/exploitations in executable code using various types of techniques. Therefore, at the time of effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the Komaromy et al device to further include the features of, in response to the difference satisfying a threshold, detecting a mispredicted branch; and, in response to a detection of the mispredicted branch, recording a mispredict indicator in an entry of a last branch record stack, taught by Fischer et al, in order to provide users with an alternative and/or efficient mechanism for detecting return-oriented programming exploits utilizing branch return misprediction information (note Fischer et al, para. 036, 093).
Regarding claim 2, Komaromy et al teaches the programmable device of claim 1, wherein the interrupt is to indicate a possible return-oriented programming exploit (note para 050-051, 072: receiving an interrupt that ascertains whether an anomalous cache miss or instruction fetch condition is detected).
Regarding claim 3, it is rejected applying the same motivation and rationale applied above in rejecting claim 1. Furthermore, Dalcher et al teaches the
Regarding claim 4, it is rejected applying the same motivation and rationale applied above in rejecting claim 1. Furthermore, Dalcher et al teaches the programmable device wherein the device driver is to suspend the application in response to a detection of the return-oriented programming exploit (note para 027, 068, 077: remedial actions; termination of execution upon detecting ROP exploit).
Regarding claim 5, Komaromy et al teaches the programmable device of claim 1, further including anti-malware software to take corrective action in response to a detection of a return-oriented programming exploit based on the translated version of the original binary (note Figure 7.716; para 068, 076-077: remedial actions upon detecting ROP exploit).
Regarding claim 6, it is rejected applying the same motivation and rationale applied above in rejecting claim 1. Furthermore, Dalcher et al teaches the programmable device wherein the device driver is to provide collected information to enable a binary translator to perform the binary translation (note para. 020, 021, 075), the collected information including at least one of (1) a context of the application including register states of the application (note para 021, 026, 075) or (2) last branch record history corresponding to the application (note para 017,
Regarding claim 7, Komaromy et al teaches at least one storage device or storage disk (note para 095: storage medium) comprising instructions that, when executed, cause one or more processors to at least:

in response to the mismatch, generate an interrupt (note para 050-051, 071-072: receiving interrupt that ascertain whether an anomalous cache miss or instruction fetch condition is detected), 
in response to the interrupt
initiate anti-malware software to combat a return-oriented programming exploit detected 
Komaromy et al fails to teach expressly recording a mispredict indicator in a register of a plurality of registers of the one or more processors; causing a binary translator to binary translate at least a portion of an application corresponding to the one or more code flow anomalies; and initiating anti-malware software to combat a return-oriented programming exploit detected in the binary translation.
However, Dalcher et al teaches causing a binary translator to binary translate at least a portion of an application corresponding to code flow anomalies (note para 020, 061, 065, 075) and detecting a return-oriented programming exploit in the binary translation (note para 020-021, 061, 075: execution profiling module may be further configured to check the code segment for use of return-oriented programming techniques, and monitor the event for the branch instruction using binary translation-based techniques).
Dalcher et al and Komaromy et al are analogous art because they are from the same field of detecting and preventing anomalies/exploitations in executable code using various types of techniques. Therefore, at the time of effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the Komaromy et al device to substitute the technique of detecting a return-oriented programming exploit responsive to determining anomalous miss activity with the technique of detecting a return-oriented programming exploit responsive to the binary translation (e.g. causing a binary translator to binary translate at least a portion of an application corresponding to code flow anomalies; and detecting a return-oriented programming exploit in the binary translation) taught by Dalcher et al in order to provide users with an alternative and/or optimized mechanism for detecting return-oriented programming exploits using binary translation-based techniques (note Dalcher et al, para 019-020).
The Dalcher et al-Komaromy et al device fails to teach expressly recording a mispredict indicator in a register of a plurality of registers of the one or more processors.
However, Fischer et al teaches recording a mispredict indicator in a register of a plurality of registers of the one or more processors (note para. 036: In still another example, the accumulator 142 may increment and/or decrement the counter in response to a return misprediction (e.g., determined by interacting with the return stack buffer 136); also note para. 093: The processor may also include a return stack buffer to detect a return misprediction, wherein the one or more control transfer events comprise the return misprediction. The one or more control transfer events may include a branch misprediction, where the branch misprediction is detected by the branch prediction unit).
Fischer et al and Komaromy et al are analogous art because they are from the same field of detecting and preventing anomalies/exploitations in executable code using various types of techniques. Therefore, at the time of effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the Komaromy et al device to further include the features of recording a mispredict indicator in a register of a plurality of registers of the one or more processors taught by Fischer et al in order to provide users with an alternative and/or efficient mechanism for detecting return-oriented programming exploits utilizing branch return misprediction information (note Fischer et al, para. 036, 093).
Regarding claim 8, it is rejected applying the same motivation and rationale applied above in rejecting claim 7. Furthermore, Dalcher et al teaches the storage device or storage disk wherein the instructions, when executed, cause the one or
Regarding claim 9, it is rejected applying the same motivation and rationale applied above in rejecting claim 7. Furthermore, Dalcher et al teaches the storage device or storage disk wherein the instructions, when executed, cause the one or more processors to configure a hardware performance monitor circuit to detect mispredicted branches (note para 017, 038, 075: monitoring branch instruction; detecting anomalies through instruction profile/behavior).
Regarding claim 10, it is rejected applying the same motivation and rationale applied above in rejecting claim 7. Furthermore, Dalcher et al teaches the storage device or storage disk wherein the instructions, when executed, cause the one or more processors to configure a hardware return-oriented program heuristic circuit to detect the code flow anomalies (note para 019-021, 065: profiling control module 110 may also be configured to handle new execution profiling events in order to create and/or optimize anti-malware heuristic (e.g., return-oriented programming detection)).
Regarding claim 11, it is rejected applying the same motivation and rationale applied above in rejecting claim 7. Furthermore, Dalcher et al teaches the storage device or storage disk wherein the instructions, when executed, cause the one or more processors to:

perform forward instruction analysis (note para 020-021, 026); and
ignore code flow anomalies that do not indicate the return-oriented programming exploit based on an output of the forward instruction analysis  (note para 020-021, 026)
Regarding claim 12, Komaromy et al teaches the storage device or storage disk of claim 7, wherein the instructions, when executed, cause the one or more processors to inspect the return-oriented programming exploit to determine an action to combat the return-orientated programming exploit (note para 050-051, 072, 076: receiving an interrupt that ascertains whether an anomalous cache miss or instruction fetch condition is detected; taking remedial actions).
Regarding claim 22, it is rejected applying the same motivation and rationale applied above in rejecting claim 7. Furthermore, Komaromy et al teaches the storage device or storage disk wherein the instructions, when executed, cause the one or more processors to:
identify frequently executed execution paths (note para 042, 071: valid code sequence);
identify ones of the identified execution paths as trusted execution paths (note para 042, 071);

Komaromy et al fails to teach expressly removing security checks for ones of the trusted execution paths.
However, Dalcher et al teaches removing security checks for ones of the trusted execution paths (note para. 045: If the unauthorized code is detected, a security violation may be generated. Further, LBR filtering may be enabled to only include RET instructions from the process and/or thread that invoked the API; and see also para. 050: invoking a callback only when particular CR3 and ESP values are present and the instruction pointer value is outside a specified range; if CR3 contains a specific value).

Allowable Subject Matter
Claims 13-20 would be allowable if rewritten or amended (or if a terminal disclaimer is filed) to overcome the obviousness type double patenting rejection(s), set forth in this Office action. Claim 21 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHANTO ABEDIN whose telephone number is 571-272-3551. The examiner can normally be reached on M-F from 10:00 AM to 6:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung (Jay) Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see
/SHANTO ABEDIN/ Primary Examiner, Art Unit 2494