Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is responding to the request for continued examination (RCE) dated November 03, 2021.
In the RCE dated on November 03, 2021, claims 1, 8 and 15-20 have been amended.
Claims 1-4, 7-13 and 15-20 are allowed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on November 03, 2021 has been entered.
 
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Ms. Jio Chen of registration number 69,479, on December 07, 2021.  During the telephone conference, Ms. Chen has agreed and authorized the examiner to further amend Claims 1-4, 7-13 and 15-20 on the request for continued examination dated on October 15, 2015.

Claims
Replacing Claims 1-4, 7-13 and 15-20 of the request for continued examination dated on November 03, 2021 with the following:

Claim 1: 	
A system comprising: 
a data repository storing known behaviors associated with known software components;
at least one processor; and 
memory storing instructions configured to instruct the at least one processor to: 
monitor a first application to be installed on a first user device;  
determine a usage history of a signing identifier used to sign the first application, the usage history comprising signing of a third application by the signing identifier, wherein the third application is installed on a second user device, and wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key; 
determine a plurality of software components of the first application, the plurality of software components including a first component having an associated behavior representing actions the first application is configured to perform on the first user device;
compare the associated behavior of the first component to a known behavior stored in the data repository, wherein the known behavior is observed on user devices other than the first user device, the known behavior is associated with execution of a second application identified as being similar to the first application, and the first application and the second application are different; and
in response to the comparison between the associated behavior of the first component to the known behavior stored in the data repository, generate a recommendation to configure or disable the first component of the first application.

Claim 2:	
The system of claim 1, wherein the instructions are further configured to instruct the at least one processor to assess security of a network used by an interactive service launched by the first user device to access a server.

Claim 3: 
the signing identifier used to sign the first application is observed.

Claim 4: 
The system of claim 1, wherein the instructions are further configured to instruct the at least one processor to assess a context of the first user device based on trust factors, wherein the trust factors comprise at least one of: 
a factor directed to whether the first user device is protected by an anti-malware software application;
a factor directed to identifying an application being accessed by a web browser running on the first user device, and determining whether the application being accessed by the web browser is a security threat; or
a factor related to a security feature of the first application.

Claims 5.-6: 		(Canceled) 

Claim 7: 
The system of claim [[5]]1, wherein the instructions are further configured to instruct the at least one processor to compare, by accessing the data repository, at least one behavior of the first application and a stored known behavior of the third application.

Claim 8: 

monitoring a first application to be installed on a first user device;
determining a usage history of a signing identifier used to sign the first application, the usage history comprising signing of a third application by the signing identifier, wherein the third application is installed on a second user device, and wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key; 
determining a plurality of software components of the first application, the plurality of software components including a first component having an associated behavior representing actions the first application is configured to perform on the first user device;
comparing the associated behavior of the first component to a known behavior stored in a data repository, wherein the known behavior is observed on user devices other than the first user device, the known behavior is associated with execution of a second application identified as being similar to the first application, and the first application and the second application are different; and
in response to the comparison between the associated behavior of the first component to the known behavior stored in the data repository, generating a recommendation to configure or disable the first component of the first application.

Claim 9: 


Claim 10: 
The method of claim 8, further comprising causing the first component to execute in conformance with a result from a query of an identity server.

Claim 11: 
The method of claim 10, further comprising confirming compliance of the first application with a user policy stored on the identity server.

Claim 12: 
The method of claim 8, further comprising disabling, based on the comparison between the associated behavior of the first component to the behavior in the data repository, execution of one or more components of the first application.

Claim 13: 
The method of claim 8, further comprising determining at least one of whether an application being accessed by a web browser running on the first user device is a security threat, or whether the first user device is protected by an anti-malware software application.
Claim 14: 	(Canceled) 

Claim 15: 
A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a computing apparatus to: 
monitor a first application to be installed on a first user device;
determine a usage history of a signing identifier used to sign the first application, the usage history comprising signing of a third application by the signing identifier, wherein the third application is installed on a second user device, and wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key; 
determine a plurality of software components of the first application, the plurality of software components including a first component having an associated behavior representing actions the first application is configured to perform on the first user device;
compare the associated behavior of the first component to a known behavior stored in a data repository, wherein the known behavior is observed on user devices other than the first user device, the known behavior is associated with execution of a second application identified as being similar to the first application, and the first application and the second application are different; and


Claim 16: 
The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the computing apparatus to receive, from the first user device, a user selection of at least one behavioral preference.

Claim 17: 
The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the computing apparatus to, based on the comparison between the associated behavior of the first component to the known behavior stored in the data repository, disable execution of at least one component of the first application.

Claim 18: 
The non-transitory computer-readable storage medium of claim 15, wherein a context of the first user device is assessed when [[a]]the signing identifier used to sign the first application is observed.

Claim 19: 


Claim 20: 
The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the computing apparatus to cause the first component to execute in conformance with a result from a query of an identity server.

Allowable Subject Matter
Claims 1-4, 7-13 and 15-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Independent claim 1 is allowable based on the amendment presented in the request for continued examination dated on November 03, 2021 and the examiner’s amendment dated on December 09, 2021.
Specifically, the independent claim 1 now recites limitations as follows:

“A system comprising: 

at least one processor; and 
memory storing instructions configured to instruct the at least one processor to: 
monitor a first application to be installed on a first user device;  
determine a usage history of a signing identifier used to sign the first application, the usage history comprising signing of a third application by the signing identifier, wherein the third application is installed on a second user device, and wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key; 
determine a plurality of software components of the first application, the plurality of software components including a first component having an associated behavior representing actions the first application is configured to perform on the first user device;
compare the associated behavior of the first component to a known behavior stored in the data repository, wherein the known behavior is observed on user devices other than the first user device, the known behavior is associated with execution of a second application identified as being similar to the first application, and the first application and the second application are different; and


The cited reference by Nalluri et al. (US PGPUB. # US 2015/0220734) discloses, application binaries 405 can be accessed or received by a disassembler data/control flow analyzer 410 which, in combination with ambient application knowledge 415 (e.g., collected from outside information sources as well as users, reviewers, etc.) such as application descriptions, reviews, comments, and other structured and unstructured data, can develop a model of the application logic 420 for each application binary 405. The disassembler and control flow analyzer 410 can identify behaviors 425 of the given application based on, for example, comparing code or application logic model with known functionality defined in or identifiable from a software development kit and/or common APIs utilized by the corresponding client device operating system as well as most or all applications compatible with the client device. Some examples include the Google Android software development kit, Apple iOS software development kit, Windows software development kit, among other examples. (Fig. 4(430), ¶37). Generally, a platform software development kit (or "SDK") can provide documentation, header files, libraries, (¶38).  For example, a behavior monitor 228 can assess applications to identify whether one or more functions and/or content of an application are good, bad, suspect, or of unknown quality, among other examples. The assessment can be based on information acquired from a variety of sources (e.g., 145), such as information servers, user feedback, and other sources. In instances where "bad" application functionality (Fig. 3, ¶36). Other information can be used by a behavior heuristics/rule engine 435 (e.g., of an example analysis engine (e.g., 228)) to determine behaviors of an application under assessment, such as global threat intelligence (GTI) 440 aggregating intelligence from a community of sources 445, rules 450, and other information. (¶40). Outside sources, such as intelligence databases, such as a global threat intelligence (GTI) feed, can be used for identifying malicious behaviors that have been detected across one or more networks that may be employed by applications assessed by behavioral analysis engines. For instance, (¶53). A rule engine of an application behavior analysis engine can access rules, for instance, from a rule database, including rules that have been custom defined for and/or by a particular user or set of users according, for example, to preferences of the users as well as policies applicable to the users (e.g., policies of an Internet service provider, enterprise network, broadband data provider, etc.). The rule engine can take as a further input an application logic model (e.g., developed based on a semantic representation of a platform SDK corresponding to the application) to assess the various operations and functionality of an application as identified in application logic model. The rule engine can assess the various operations and functionality of an application according to rules identified as applicable to the particular instance of an application, such as an instance of an application that has been attempted to be downloaded or installed on a particular user computing device of a user associated with the identified rules. Application behaviors can be identified by the rule engine including application behaviors identified as violating one or more rules (e.g., rules forbidding (Fig. 7, ¶44). An example code fragment allowing an application to send latitude and longitude information to an outside server is shown as having been processed to populate an API template, for instance, utilizing a behavior analysis engine. As shown in FIG. 12B, portions of the application code can be identified that correspond to the behavior of collecting geo-positional data and sending the geo-positional data to the outside server. In accordance with one example, the offending lines of code can be replaced, for example with code that masks or redirects the sending of the geo-positional data to prevent the application from tracking user location, among other examples. In another example, illustrated in FIG. 12C, a control flow can be identified within an application along with corresponding application code. As shown in the examples of FIGS. 12D-12E, remediation of a particular undesirable behavior can include deletion of an offending line of code, among other examples. The connection with the dynamic personalization of an application's behavior for particular user, the composite behaviors of the application and corresponding code segments can be identified. A user interface can be presented in connection with the healing or customization of the application allowing the user to select particular identified behaviors for (Fig. 11, Fig. 12A-12E, Fig. 13, ¶59-¶61). 
The reference by Jarno Niemela (US PGPUB. # US 2010/0011029) discloses, a database that maintains legitimate applications that are installed on a device. (¶11). Niemela further discloses, a method of detecting malware in a mobile telecommunication device such as a mobile phone. The method involves maintaining a database identifying legitimate (¶27). The malware detection unit 108 is responsible for maintaining the database 109 of legitimate applications and their expected behaviours. (Fig. 1(109), ¶32). The malware detection unit 108 compares the monitored data traffic with the behaviour expected according to the database 109, for those legitimate applications 107 identified as running on the mobile phone 101. (¶37). 
The reference by Jeong et al. (USPGPUB. # US 2014/0090077) discloses, a signature information storage 300 can separately store a vendor-provided whitelist 311, a vendor-provided blacklist 331, a user-specified whitelist 313 and a user-specified blacklist 333. The vendor-provided whitelist 311 and vendor-provided blacklist 331 can be updated by a vendor such as a manufacturer or operator, and the user-specified whitelist 313 and user-specified blacklist 333 can be updated by the user. (Fig. 3(311), ¶69). When the signature information of the application is not present in the blacklist 330, the control unit 170 checks whether the signature information of the application is present in the whitelist 310 (911). To this end, the control unit 170 can compare the signature information of the application with the whitelist 310 stored in the signature information storage 300. (Fig. 9(911), ¶108)
Zhaao et al. (US PGPUB. # US 2013/0055405) discloses, a method comprises extracting, by a first processor, identification information corresponding to a plurality of applications installed on a mobile device, sending the extracted identification information to a server, matching, by a second processor, the identification information to information stored in a database storage, receiving matched information from the database storage as a result of matching the identification information, sending the matched information to the mobile device, and presenting the matched information to a user of the mobile device. (Abstract).
Li et al. (US PGPUB. # US 2013/0212684) discloses, a method determines a permission list from an application and generates a set of potential behaviors. The potential behaviors are associated with actions that the application allows when executing on a mobile device where the potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the required behaviors to the potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the (Abstract).
Bhatia et al. (US PGPUB. # US 2014/0041037) discloses, a method includes receiving a plurality of trusted assets, generating a first signature set for a known software application, and generating a second signature set for a subject software application. Each trusted asset is associated with at least a threshold number of trusted authors. Each signature in the first signature set corresponds to a known asset that is associated with the known software application. Each signature in the second signature set corresponds to a subject asset that is associated with the subject software application. The method further includes generating first and second filtered signature set based on the first and second signature sets, respectively, by excluding signatures corresponding to the trusted assets. The method also includes generating a similarity rating for the subject application based on a comparison of the first filtered signature set and the second filtered signature set. (Abstract).
Tenenboym et al. (US PAT. # US 8,683,605) discloses, Long-Term Validation (LTV) of a digital signature status indicator is disclosed. In some embodiments, the Long-Term Validation of a digital signature status indicator includes automatically determining whether a digital signature of a digitally signed document is LTV enabled based at least in part on LTV information; and generating an LTV status indicator that displays whether (Abstract).
Selim Aissi (US PGPUB. # US 2014/0066015) discloses, a secure device enrollment process to enroll a mobile device for access to a service can include receiving an application package including an application used for accessing the service via the mobile device. The application authenticity and the application integrity of the downloaded application are determined. The device integrity of the mobile device is also determined. An automatic enrollment message digest is generated to facilitate enrollment of the mobile device. The enrolment message digest provides an association between the downloaded application, the mobile device, and user identifying information of a user of the mobile device; and is sent to a server associated with a service provider to enroll the mobile device for the service provided by the service provider. (Abstract).
However, each of the cited references or reference from the updated search, at least, fails to teach or suggest the limitations regarding “…determine a usage history of a signing identifier used to sign the first application, the usage history comprising signing of a third application by the signing identifier, wherein the third application is installed on a second user device, and wherein the signing identifier is a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key..”, in combination with the rest of the limitations recited in the independent claim(s).
None of the previous cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previous cited reference, result a reasonable and proper rejection for each of the cited feature limitations of the independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claims 8 is a method claim of above system claim 1 and Claim 15 is a non-transitory computer readable storage medium claim of above system claim 1, and therefore, they are also allowed.
Claims 2-4 and 7 depend on the allowed claim 1, and therefore, they are also allowed.
Claims 9-13 depend on the allowed claim 8, and therefore, they are also allowed.
Claims 16-20 depend on the allowed claim 15, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARSHAN I DHRUV/Primary Examiner, Art Unit 2498