Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 10/1/2021.
Claims 1, 2, 4-12, 14-22 are allowed.
Claims 3 and 13 are cancelled.
 
Allowable Subject Matter
Claims 1, 2, 4-12, 14-22 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative, Mr. Sean Crandall on 12/14/2021. 

CLAIM LISTING

This listing of claims will replace all prior versions, and listings, of claims in the application:

1. (Currently Amended) A computing apparatus, comprising: 
a hardware platform comprising a processor and a memory; 
a user application; and 
instructions encoded within the memory to instruct the processor to: 
provide telemetry probes to collect telemetry about use of the user application; 
provide a detection proxy to collect a usage profile from the telemetry probes, wherein the detection proxy comprises a unidirectional forwarder function for the telemetry data; 
forward the usage profile to a detection cloud service; 
receive from the detection cloud service a detection message that the usage profile deviates from a heuristic usage baseline for the user application; 
take remedial action responsive to the detection message; and 
provide an anti-malware engine, wherein the detection proxy cooperates with anti-malware engine to detect malicious modification of the user application through changes to behavior patterns. 

2. (Original) The computing apparatus of claim 1, wherein the user application includes an internal anti-tampering mechanism. 

3. (Canceled) 



5. (Original) The computing apparatus of claim 1, wherein the detection proxy includes logic to block telemetry from known bad telemetry sources. 

6. (Original) The computing apparatus of claim 1, wherein the telemetry data comprise network traffic request data. 

7. (Original) The computing apparatus of claim 6, wherein the traffic request data comprise request type, request order, and request timing. 

8. (Original) The computing apparatus of claim 6, wherein the traffic request data comprise source internet protocol (IP) address or destination IP address. 

9. (Original) The computing apparatus of claim 1, wherein the telemetry data include execution environment data. 

10. (Original) The computing apparatus of claim 9, wherein the execution environment data include CPU load, memory footprint, battery charge value, battery charging state, free local storage, network latency, bandwidth, time of day, date, or geographic location. 



12. (Original) The computing apparatus of claim 1, wherein the detection proxy is to provide continuous monitoring of the user application. 

13. (Canceled) 

14. (Currently Amended) One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to instruct a processor to: 
install telemetry probes for a local application’s access to a remote application programming interface (API), the telemetry probes including probes for application sequence and time between actions; 
install an application backend for the local application, the application backend comprising a detection engine, the detection engine comprising instructions to record and forward a usage profile, based at least in part on the telemetry about the remote API calls, to a detection cloud service, wherein the application backend comprises a unidirectional forwarder function for the telemetry data; 
receive from the detection cloud service a tampering notification, the tampering notification including information that the usage profile deviates from a heuristic model for the application; 
provide an anti-malware engine, wherein the application backend cooperates with anti-malware engine to detect malicious modification of the user application through changes to behavior patterns; and act on the tampering notification. 

15. (Original) The one or more tangible, non-transitory computer-readable media of claim 14, wherein the local application is a game, financial application, or medical application. 

16. (Original) The one or more tangible, non-transitory computer-readable media of claim 14, wherein the local application includes at least one paid feature, and wherein the tampering notification indicates that the application reached the paid feature without appropriate remuneration. 

17. (Original) The one or more tangible, non-transitory computer-readable media of claim 14, wherein the telemetry probes comprise application programming interface (API) hooks. 

18. (Currently Amended) A server apparatus, comprising: hardware platform comprising a processor and a memory; 
a network interface; and 
instructions encoded within the memory to instruct the processor to: 
receive, from a detection proxy of an endpoint comprising a unidirectional forwarder for telemetry data, telemetry data related to a user application of the 
compare the telemetry data to a heuristic model of expected behavior for the user application; 
determine, based at least in part on the comparison, that the user application exhibits behavior deviant from the heuristic model; and 
send a notification to the endpoint that the user application may be compromised, the notification for use by an anti-malware engine of the endpoint that is to detect malicious modification of the user application through changes to behavior patterns. 

19. (Original) The server apparatus of claim 18, wherein sending the notification comprises sending the notification to a third-party cloud service that provides the one or more remote APIs. 

20. (Original) The server apparatus of claim 18, wherein sending the notification comprises notifying a security agent on the endpoint. 

21. (New) The one or more tangible, non-transitory computer readable media of claim 14, wherein the application backend includes logic to block telemetry from known bad telemetry sources. 


Prior Art of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Barton et al US Patent 11,201,877 discloses analysis of telemetry data for plurality of encrypted traffic flows observed in network with flow-level features of the obtained telemetry data including malware-related traffic telemetry data with sequence of packet lengths and time. 

Zawadowskiy et al US Patent 11,093,605 discloses analysis of network stream with first instruction pointer and string of characters with second instruction pointer and other stream analysis for secure / insecure patches. 

Grill et al US Patent 11,019,095 discloses analysis of log data regarding replication of files stored on an endpoint client to file replication service with device tracks based on obtained logs and encrypted changes to files. 

Patel et al US Patent 10,547,560 discloses controller and hardware forwarding component with network packets and assigning network microcode engine for network queues, depth and memory of hardware. 

Kurtz et al US Publication 2021/0117544 discloses detection of malware by security as a service module based on random data samples and other steps as described in Fig 1-3.
Le Strat et al US Publication 2020/0374324 discloses malware detection based on collaboration channel between multiple devices and shared location on memory as described in Fig 5, 8 and 10.
Komarek et al US Publication 2020/0204569 discloses network security service to detect different malware classes with vector descriptor as described in Fig 4A-D.
Luthra et al US Publication 2020/0089887 discloses crowdsourcing and machine learning to improve computer system security process to generate risk profile of users as described in Fig 1, 5-6.

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
Examiner finds amended claims dated 12/14/2021 are persuasive for reason of allowance.
The prior art of record does not explicitly disclose, in light of other features recited in independent claims 1, 14 and 18 as follows:
Claims ‘ .. telemetry probes to collect telemetry about use of the user application; 
wherein the detection proxy comprises a unidirectional forwarder function for the telemetry data; 
forward the usage profile to a detection cloud service; 
receive from the detection cloud service a detection message that the usage profile deviates from a heuristic usage baseline for the user application; 
take remedial action responsive to the detection message; and 
provide an anti-malware engine, wherein the detection proxy cooperates with anti-malware engine to detect malicious modification of the user application through changes to behavior patterns.’ with additional detailed steps in claim(s) as described in independent claim(s) on 12/14/2021. 

However, each of the cited references or reference from the updated search, at least, fails to teach or suggest in combination with the rest of the limitations recited in the independent claim(s).

None of the previously cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previously cited reference, result in a reasonable and proper rejection for each of the cited feature limitations of the independent claim(s) under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431