Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The amendment dated 11/18/2021 was received and considered.
Claims 1-20 and 29-43 are pending.

Claim Interpretation
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 1 recites “a fingerprint generator”, “a fingerprint comparator” and “a security action enforcer”.  Claim 15 recites “means for” as part of an apparatus.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “generator”, “comparator”, etc. as described above in claims 1-7.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Applicant’s specification recites:
“When reading any of the apparatus or system claims of this patent to cover a purely software and/or firmware implementation, at least one of the example event monitor 210, the example DLL path determiner 220, the example fingerprint generator 230, the example fingerprint comparator 240, the example telemetry interface 250, the example security action enforcer 260, the example database 270, and/or the example reference fingerprint(s) 275 is/are hereby expressly defined to include a non-transitory computer readable storage device or storage disk Specification, ¶72)

Therefore, the claim elements listed above are not interpreted as purely software, per se (with regard to 35 U.S.C. §101) and are have sufficient structure recited in the specification to support the functional language recited in the claims (at least one non-transitory computer readable storage device or storage disk for execution by a device or processor with regard to 35 U.S.C. §112).  
Claims 8-14 are directed to “At least one non-transitory computer readable storage medium comprising instructions that, when executed, cause at least one processor to at least…”  Applicant’s specification recites “As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media” (Specification, ¶120).

Allowable Subject Matter
Claims 1-20 and 29-43 are allowed.
The following is an examiner’s statement of reasons for allowance: 
GB 2572637 B to Suominen is considered the closest prior art.  Suominen discloses an apparatus to detect an attack at a computing device, the apparatus comprising: a fingerprint generator to: determine a first dynamic-link library (DLL) fingerprint of a first DLL (hash of clean version of DLL, p. 9, lines 12-19) referenced by an operating system (OS) event, the OS event generated by the computing device (execution of application suspected of hijacking, p. 9, lines 8-10), the first DLL stored at a first OS path (clean version of DLL stored in system directories, p. 9, lines 12-19); and in response to determining that a second DLL is stored at a second OS path (determining the non-standard directory of potentially malicious DLL, p. 9, lines 12-16), determine a second DLL fingerprint of the second DLL (potentially malicious DLL, p. 9, lines 12-
US 20170032121 A1 to Kim et al. teaches detecting duplicate DLLs in multiple system paths (¶¶100-105), determines a potential malicious DLL via white and/or black lists of paths and potentially deletes a duplicate DLL.  
US 2021/0160265 A1 to Chittaro teaches a security action enforcer to execute a security action to protect the computing device from the attack in response to the deviation threshold being satisfied (determining a malicious DLL and preventing the process from being loaded again, Fig. 7).
US 20090133126 A1 to Jang et al. teaches comparing DLL information from an image file of an executable and comparing it to second information loaded in memory to detect DLL hijacking.  
The references to Kwon et al., FireEye and Min et al. are cited for teaching DLL side-loading attacks and signature-based prevention techniques.  
While Suominen discloses a fingerprint comparator to determine whether at least one of the first DLL fingerprint or the second DLL fingerprint satisfies a deviation threshold (Suominen discloses that a fingerprint of the DLL located in the non-standard directory can be compared to a fingerprint of the “clean” DLL), the prior art lacks “based on a comparison of the first DLL fingerprint and the second DLL fingerprint to a reference DLL fingerprint”, in combination with the claims as a whole.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841.  The examiner can normally be reached on Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Simitoski/               Primary Examiner, Art Unit 2493                                                                                                                                                                                         
November 30, 2021