DETAILED ACTION
This communication is responsive to the application # 16/694,714 filed on November 25, 2019. By preliminary amendment Claims 1-20 are pending and are directed toward METHODS AND APPARATUS FOR DEFENDING AGAINST EXPLOITATION OF VULNERABLE SOFTWARE.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


 Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Peinado et al. (US 2009/0144827, Pub. Date: Jun. 4, 2009), hereinafter referred to as Peinado.
As per claim 1, Peinado teaches an apparatus comprising:
an inventory controller to identify a vulnerable application corresponding to one or more files including a security defect (A further methodology that can be adopted utilizes static program analysis to extract the program logic that processes the attack data and triggers the vulnerability. Peinado, [0007]);
an origination identifying generator to identify an origination source of incoming data, the origination source tagged as suspicious (For example, one modality employs dynamic data flow analysis over the execution on attack input and generates a signature in the form of symbolic predicates. Such attack signatures generated by such dynamic data flow analysis can be inherently specific to the attack input used in the data flow analysis. Peinado, [0007]);
a workload analyzing controller to query, in response to the suspicious origination source, an inventory datastore to determine if the incoming data is to be accessed by the vulnerable application (The extracted logic can be expressed in the form of Turing Machines, symbolic predicates, or regular expressions as vulnerability signatures. Peinado, [0007]); and
a policy application executor to, in response to determining the incoming data is to be accessed by the vulnerable application, apply a policy action to the vulnerable application to protect the vulnerable application from exposing the security defect to malicious data in the incoming data (In particular, the claimed subject matter provides fast, patch-level protection in the form of data patches rather than the more traditional software patch. A data patch typically can serve as a policy for a data filter, and is generally based on vulnerabilities and/or software flaws that require protection. The data filter can utilize the data patch to identify parts of input data to cleanse as input data is being consumed. Peinado, [0028]).
As per claim 2, Peinado teaches the apparatus of claim 1, wherein the inventory controller is to perform a vulnerability assessment on the vulnerable application to determine one or more files with the security defect (Similarly, files can be crafted maliciously to exploit vulnerabilities in applications that consume file input. With the rise of such exploits, anti-virus software vendors have started using vulnerability signatures for data files to defend against new attack variants. It should be noted that the terms "data patch" and "vulnerability signature" can be, and have with out limitation been employed interchangeably herein. The term "data patch" when emphasizing its purpose as a patch and the term "vulnerability signature" when emphasizing its form as a signature. Peinado, [0028]).
As per claim 3, Peinado teaches the apparatus of claim 1, further including a comparator to compare the origination source to one or more violation definitions to determine if the origination source is suspicious (For example, attack detector 102 can utilize dynamic data flow analysis where the detector instruments software that is to be monitored and tracks how its input data ( e.g., network packets or files) propagates in an address space as the program executes. Attack detector 102 can thereafter utilize this information to test for a wider range of vulnerability conditions. For example, a simple condition would be to test before executing a ret instruction whether input data has propagated into the return address on the stack. A small set of simple conditions of this type can be sufficient to give this type of detector a very broad coverage for low-level control and data flow vulnerabilities. This can include buffer overflows, arbitrary vulnerabilities that result in code injection or overwriting function pointers or return-to-libc style attacks. Peinado, [0039]).
As per claim 4, Peinado teaches the apparatus of claim 1, wherein the workload analyzing controller is to wait for an attempted access of the incoming data before determining if the incoming data is to be accessed by the vulnerable application (Attack detector 102 in accordance with one illustrative aspect can be based on dynamic data flow analysis and can implement three vulnerability conditions. Attack detector 102 can test for arbitrary execution control (AEC); whether input data is about to be moved into the instruction pointer. Such a test detects attempts to overwrite return addresses on the stack, or function pointers on the stack or heap. Attack detector 102 can also assay for arbitrary code execution (ACE) ( e.g., before executing instructions, the detector tests whether instructions depend on a program's input) which detects attempts to execute injected code. Peinado, [0040]).
As per claim 5, Peinado teaches the apparatus of claim 1, wherein the policy application executor is to retrieve the policy action from a policy datastore, the policy action corresponding to the origination source and the vulnerable application (Further, network security device 106 can also employ application layer filters wherein all packets traveling to or from applications (e.g., File Transfer Protocol (FTP), Web Browsers, Domain Name Service (DNS), telnet, and the like) can be intercepted and certain of these intercepted packets blocked (e.g., dropping them without acknowledgement to the originator). Peinado, [0037]).
As per claim 6, Peinado teaches the apparatus of claim 1, wherein the policy application executor is to apply the policy action to the one or more files including the security defect (Additionally and/or alternatively, network security device 106 can be effectuated as a proxy device responding to input packets ( e.g., correction requests, and the like) in the manner of an application, whilst blocking other packets. Peinado, [0037]).
As per claim 7, Peinado teaches the apparatus of claim 6, wherein the policy application executor is to remove access to the one or more files including the security defect and allow access to one or more non-vulnerable files of the vulnerable application (Further, attack detector 102 can also test for arbitrary function arguments (AFA) wherein prior to performing certain critical system calls, for instance, creating a process, the detector can check whether certain critical arguments depend on a programs input. Peinado, [0040]).
Claims 8-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492