DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see remarks filed 11/8/2021, with respect to the rejections of the claims over the prior art and for indefiniteness have been fully considered and are persuasive; see for example page 8, paragraph 1 and page 6, paragraph 4. The 35 U.S.C. 103 and 112(b) rejections of claims 1-20 have been withdrawn. In the interview dated 12/14/2021 the examiner and applicant agreed upon language to further amend the claims to overcome the 35 U.S.C. 101 rejection of claims 14-19; see the attached interview summary.
Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The prior art, Lavi et al
The prior art, Sandoval et al (US 2019/0268152), discloses monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
However, the prior art, either alone or in combination does not expressly disclose a “kernel driver in a kernel mode supported by an operating system of the computer device, wherein the kernel driver, when executed by the hardware processor of the computer device, is configured to perform operations including: recording, in a token cache accessible to the kernel driver, an access token of a user process executed on the computer device; obtaining a current access token as presented by the user process subsequent to recording the access token via a request for an operation through the operating system of the computer device; and
detecting that the user process has been subject to an escalation of privilege attack by evaluating the current access token of the user process with reference to the access token as recorded in the token cache, wherein evaluating the current access token of the user process with reference to the access token as recorded in the token cache comprises determining that the current access token for the user process differs from a particular access token of a parent process of the user process; and in response to detecting that the user process has been subject to the escalation of privilege attack, causing a mitigation action with respect to the user process.”
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Adam Thompson on 12/14/2021.
PLEASE AMEND CLAIM 14 AS FOLLOWS:
14.	(Currently Amended) A computer device, comprising:
a hardware processor; and
a kernel driver in a kernel mode supported by an operating system of the computer device, wherein the kernel driver, when executed by the hardware processor of the computer device, is configured to perform operations including: 
recording, in a token cache accessible to the kernel driver, an access token of a user process executed on the computer device;

detecting that the user process has been subject to an escalation of privilege attack by evaluating the current access token of the user process with reference to the access token as recorded in the token cache, wherein evaluating the current access token of the user process with reference to the access token as recorded in the token cache comprises determining that the current access token for the user process differs from a particular access token of a parent process of the user process; and 
in response to detecting that the user process has been subject to the escalation of privilege attack, causing a mitigation action with respect to the user process.
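To make the claimed flow (quoted in the reasons for allowance above and set out in amended claim 14) concrete, here is an added Python model of the token-cache check. It is not the applicant's or examiner's code and not a real kernel driver: tokens are modelled as opaque strings, and the reading that a changed token equal to the parent's recorded token is legitimate inheritance while any other replacement is the escalation-of-privilege indicator is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Process:
    pid: int
    ppid: Optional[int]
    token: str  # access token the process currently presents (opaque here)


@dataclass
class TokenCacheDriver:
    """Models the kernel driver: records each process's token at creation
    and re-evaluates it when the process later requests an operation."""
    cache: Dict[int, str] = field(default_factory=dict)

    def on_process_create(self, proc: Process) -> None:
        # Claim step: record the access token in the token cache.
        self.cache[proc.pid] = proc.token

    def on_request(self, proc: Process) -> str:
        """Claim steps: obtain the token now presented, compare it with the
        cached token and with the parent's recorded token.
        Returns 'ok', 'inherited', 'unknown' or 'mitigate'."""
        recorded = self.cache.get(proc.pid)
        if recorded is None:
            return "unknown"  # created before the driver loaded; not evaluated
        if proc.token == recorded:
            return "ok"
        # Token differs from the recorded one. Assumption: a token equal to the
        # parent's recorded token is treated as legitimate inheritance; any
        # other replacement is the escalation-of-privilege indicator.
        parent_token = None if proc.ppid is None else self.cache.get(proc.ppid)
        if proc.token == parent_token:
            return "inherited"
        return "mitigate"  # caller terminates or suspends the process


def demo() -> Dict[str, str]:
    """Constructed scenario: a child process's token is swapped for another."""
    drv = TokenCacheDriver()
    drv.on_process_create(Process(pid=100, ppid=None, token="tok-user-A"))
    child = Process(pid=200, ppid=100, token="tok-user-A")
    drv.on_process_create(child)
    results = {"unchanged": drv.on_request(child)}
    child.token = "tok-SYSTEM"  # constructed: presented token no longer matches
    results["replaced"] = drv.on_request(child)
    return results
```

The check fires only on the second request, once the token presented differs from both the cached token and the parent's; an unchanged token or one matching the parent's does not trigger mitigation.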
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Binotto et al (US 8,127,316): discloses a system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENDALL DOLLY whose telephone number is (571)270-1948. The examiner can normally be reached Monday-Thursday 7am-4pm (EST) and Friday 7am-11am (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic 



/KENDALL DOLLY/Primary Examiner, Art Unit 2436