DETAILED ACTION
This is the first office action regarding application number 16/286,962, filed February 27, 2019.


Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Abstract
Applicant is reminded of the proper content of an abstract of the disclosure.
A patent abstract is a concise statement of the technical disclosure of the patent and should include that which is new in the art to which the invention pertains. The abstract should not refer to purported merits or speculative applications of the invention and should not compare the invention with the prior art.
If the patent is of a basic nature, the entire technical disclosure may be new in the art, and the abstract should be directed to the entire disclosure. If the patent is in the nature of an improvement in an old apparatus, process, product, or composition, the abstract should include the technical disclosure of the improvement. The abstract should also mention by way of example any preferred modifications or alternatives. 
Where applicable, the abstract should include the following: (1) if a machine or apparatus, its organization and operation; (2) if an article, its method of making; (3) if a chemical compound, its identity and use; (4) if a mixture, its ingredients; (5) if a process, the steps.
Extensive mechanical and design details of an apparatus should not be included in the abstract. The abstract should be in narrative form and generally limited to a single paragraph within the range of 50 to 150 words in length.

The abstract of the disclosure is objected to because the abstract contains more than 150 words. Correction is required. See MPEP § 608.01(b).

Drawings
The drawings are objected to because of the following informalities:
Figure 2: Reference character 235 is used twice on two different elements in the figure: one instance to reference a single network aggregator, and another instance to reference a plurality of network aggregators that are distinct and shown separate from the single network aggregator. Appropriate correction is required.
Figure 2: Reference character 240 does not contain an associated label. Appropriate correction is required.
Figure 2: The element labeled as “Cloud” does not have an associated reference character. Appropriate correction is required.
Figure 2: There is a bi-directional dotted line from OS SDK instances 230 to both intelligent controller 220 and sensor for tools/monitors 250, but the applicant’s specification p.16 line 25 and p.22 lines 4-8 only describe one direction (from OS SDK instances/sensors to either intelligent controller or sensor for tools/monitors), and hence it is not clear the purpose and significance of the second direction (from the sensor for tools/monitors and intelligent controller to the OS SDK instances/sensors). Appropriate correction is required.
Figure 2: It is unclear the significance of the dotted arrows versus the solid arrows shown in the figure, as there is no figure legend describing the representation shown by a dotted arrow versus a solid arrow. For example, it is unclear whether these two sets of arrows are used to distinguish different types of flow paths (control vs. data path) or other types of flow paths (installation/configuration flow, or other logical flows). Applicant is asked to provide clarification, and if necessary make appropriate corrections to the figure such that it does not introduce new matter.
Figure 3: This figure contains two “HIERARCHY” labels with no associated reference characters (one instance with a bi-directional arrow between a first “HIERARCHY” label and a plurality of network aggregators, and another instance with another bi-directional arrow between a second “HIERARCHY” label and a plurality of predictive user-level response models). It is unclear whether these two “HIERARCHY” labels represent the same or different hierarchy, and correspondingly, whether they lead to the same termination point for both the plurality of network aggregators and the plurality of predictive user-level response models. Applicant is asked to provide clarification, and if necessary make appropriate corrections to the figure such that it does not introduce new matter.
Figure 3: It is unclear the significance of the dotted arrows versus the solid arrows shown in the figure, as there is no figure legend describing the representation shown by a dotted arrow versus a solid arrow. For example, it is unclear whether these two sets of arrows are used to distinguish different types of flow paths (control vs. data path) or other types of flow paths (installation/configuration flow, or other logical flows). Applicant is asked to provide clarification, and if necessary make appropriate corrections to the figure such that it does not introduce new matter.
Figure 3: Certain dotted arrows shown in this figure are not described in applicant’s specification p.15 line 4-p.16 line 3 where Figure 3 is being described, for example, bi-directional dotted arrow between the SYSTEM OS 135 and SENSOR 210, and the directed dotted arrow from a plurality of Predictive User-Level Response Model 305 to intelligent controller 220. Applicant is asked to provide clarification, and if necessary make appropriate corrections to the figure such that it does not introduce new matter. 
Figure 4: It is unclear the significance of the dotted arrows versus the solid arrows shown in the figure, as there is no figure legend the representation shown by a dotted arrow versus a solid arrow. For example, it is unclear whether these two sets of arrows are used to distinguish different types of flow paths (control vs. data path) or other types of flow paths (installation/configuration flow, or other logical flows). Furthermore, the bi-directional dotted arrow between Application Code 412 and System Resources 430 is not described in the applicant’s 
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Specification
The disclosure is objected to because of the following informalities:
p.8 lines 28-29: “Insome embodiments, …” should be corrected as “In some embodiments, …”. Appropriate correction is required.
p.11 line 28: Use registered trademark symbols for the following: MICROSOFT® WINDOWS™, LINUX®, ANDROID™. Appropriate correction is required.
p.16 lines 1-3 and line 15: The terms “system-level configuration 200” and “endpoint device 200” point to the same reference character 200, where the meaning of these terms are not functionally equivalent. Furthermore, these terms do not appear to be consistent with what is shown in the corresponding Figure 2 and its associated figure description found on p.10. According to both the figure description and Figure 2, the term “endpoint device 200” should be corrected to indicate “endpoint device 2051”, while the term “system-level configuration 200” should be re-labeled as “cyber-resiliency architecture 200”. Appropriate correction is required.
p.16 lines 4-5: Expand the term “sensors 210” to “sensors 2101, 2102, 2103 (a set of sensors 210)” to clarify usage of the subscript reference characters in the rest of the specification. Similarly, the term “actuators 212” should also be expanded (i.e., change to actuators 2121, 2122, 2123 (a set of actuators 212)”) clarify usage of the subscript reference characters in the rest of the specification. Appropriate correction is required.
p.16 lines 4-5: Expand the term “applications 1371, 1372” to “applications 1371, 1372 (a set of applications 137)” to clarify usage of the reference character 137 in the rest of the specification. Appropriate correction is required.
p.16 line 8: The term “an endpoint device 205” should be corrected as “an endpoint device 2051” to correspond with the correct element shown in Figure 2. Appropriate correction is required.
p.16 line 10: Expand the term “API shim 225” to “API shim 2251, 2252, 2253 (a set of API shims 225)” to clarify usage of the reference character 225 in the rest of the specification. Appropriate correction is required.
p.16 line 20: Expand the term “OS SDK instance 230” to “OS SDK instance 2301, 2302, 2303 (as a set of OS SDK instances 230)” to clarify usage of the reference character 230 in the rest of the specification. Appropriate correction is required.
p.16 line 29: The term “intelligent controllers 220” should be corrected as “intelligent controller 220” as there is only one intelligent controller shown in Figure 2.
p.18 line 25: The abbreviation “SMB” is not defined anywhere in the specification. Appropriate correction is required.
p.22 lines 5-6: Use registered trademark symbols for the following: WINDOWS™. Appropriate correction is required.
p.26 line 19: The terms “intelligent controller 415” and “device 415” point to the same reference character 415, where the meaning of these terms are not functionally equivalent. Furthermore, these terms do not appear to be consistent with what is shown in corresponding Figure 4. According to Figure 4, the term “device 415” should be clarified and corrected as “endpoint device 400”. Appropriate correction is required.
p.31 line 3: Remove the dangling phrase: “What is claimed is:”. Appropriate correction is required.

Claim Objections
Claims 1-4, 6, 10-15, 17, and 21-22 are objected to because of the following informalities: 
Claims 1-4, 6, 12-15, and 17: The term “the controller” is used throughout the identified claims, where it appears to reference “an intelligent controller” identified in both independent Claims 1 and 12, as the applicant’s specification only discloses a single intelligent controller as part of the claimed invention. Applicant is asked to make the necessary corrections throughout the relevant claims to use consistent terminology when referencing the single intelligent controller (i.e., change the reciting of “the controller” to “the intelligent controller” in the independent and associated dependent claims). 
Claims 1 and 12: The term “each of the applications” is used in independent Claims 1 and 12, where it appears to reference “a plurality of user applications” identified earlier in the respective independent Claims 1 and 12. Applicant is asked to make the necessary corrections in independent Claims 1 and 12 to use consistent terminology when referencing the plurality of user applications (i.e., change the reciting of “each of the applications” to “each of the user applications”).
Claims 1, 10, 12, and 21: The terms “monitoring calls” and “the monitored calls” is used throughout the identified claims, where it appears to reference “operating-system calls” identified earlier in the respective independent Claims 1 and 12. Applicant is asked to make the necessary corrections in dependent Claims 10 and 21 to use consistent terminology when referencing the operating-system calls (i.e., change the reciting of “monitoring calls” to “monitoring operating-system calls”, and similarly, change the reciting of “the monitored calls” to “the monitored operating-system calls”).
Claims 11 and 22: Both claims appear to recite an incorrect claim dependency, since the term “the classifier” in the limitation “wherein the classifier is a Bayes classifier” does not have a corresponding antecedent in respective independent Claims 1 and 12 as currently recited. Instead, the antecedent for the term “the classifier” appears to be in the limitation “wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system” found in respective dependent Claims 10 and 21. Applicant’s specification p.8 Sensors may each include a classifier for assessing a risk associated with the monitored calls to the operating system. In some embodiments, the classifier is a Bayes classifier.” and “In some embodiments, the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system. For example, the classifier may be a Bayes classifier.”. Other areas in the specification reciting a Bayes classifier also identifies the Bayes classifier as the classifier associated with the sensor (applicant’s specification p.21 lines 12-15; p.30 lines 12-15). Hence the term “the classifier” in Claims 11 and 22 will be interpreted in the context of the above claim limitation identified in respective Claims 10 and 21. Applicant is asked to correct the claim dependency for both Claims 11 and 22 to show the proper claim dependency, as shown below:
Claim 11: The system of claim [[1]]10, wherein the classifier is a Bayes classifier.
Claim 22: The method of claim [[12]]21, wherein the classifier is a Bayes classifier. 

Claim Rejections - 35 USC § 112







The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding Claim 1, 
	Claim 1 recites the limitation “further wherein the analysis by the predictive response model is responsive to operating-system calls previously made by other applications” in lines 15-17, which renders this claim as being indefinite. Under its broadest reasonable interpretation, the term “other” defined in Merriam-Webster dictionary indicates an item that is different or excluded by something else (i.e., excluded from a current item). Hence, it is unclear whether “other applications” refers to “a plurality of user applications” that was earlier identified in independent Claim 1, or whether “other applications” is to identify a group or subset of user applications excluding the current user application and its associated endpoint device (such as a group of user applications residing on different (i.e., “other”) endpoint devices, such that they are considered as “other applications”). For the purposes of examination, the term “other applications” will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (i.e., “other”) client devices (thus corresponding to “other applications”).
	Claims 2-11 are dependent claims tracing back to the parent independent Claim 1, and hence inherit the same indefiniteness issue identified in Claim 1. Hence, Claims 2-11 are also rejected as being indefinite by virtue of dependency.
Regarding Claim 5, 
	Claim 5 recites the limitation “wherein the predictive response model is responsive to operating-system calls previously made by other applications via the statistical resource utilization model” in lines 1-2, which renders this claim as being indefinite. Under its broadest reasonable interpretation, the term “other” defined in Merriam-Webster dictionary indicates an item that is different or excluded by something else (i.e., excluded from a current item). Hence, it is unclear whether “other applications” refers to “a plurality of user applications” that was earlier identified in independent Claim 1, or whether “other applications” is to identify a group or subset of user applications excluding the current user application and its associated endpoint device (such as a group of user applications residing on different (other) endpoint devices, such that they are considered as “other applications”). For the purposes of examination, the term “other applications” will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (other) client devices (thus corresponding to “other applications”).
Regarding Claim 12, 
wherein the analysis by the predictive response model is responsive to operating-system calls previously made by other applications” in lines 9-10, which renders this claim as being indefinite. Under its broadest reasonable interpretation, the term “other” defined in Merriam-Webster dictionary indicates an item that is different or excluded by something else (i.e., excluded from a current item). Hence, it is unclear whether “other applications” refers to “a plurality of user applications” that was earlier identified in independent Claim 12, or whether “other applications” is to identify a group or subset of user applications excluding the current user application and its associated endpoint device (such as a group of user applications residing on different (other) endpoint devices, such that they are considered as “other applications”). For the purposes of examination, the term “other applications” will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (other) client devices (thus corresponding to “other applications”)..
	Claims 12-22 are dependent claims tracing back to the parent independent Claim 12, and hence inherit the same indefiniteness issue identified in Claim 12. Hence, Claims 12-22 are also rejected as being indefinite by virtue of dependency.
Regarding Claim 16, 
	Claim 16 recites the limitation “wherein the predictive response model is responsive to operating-system calls previously made by other applications via the statistical resource utilization model” in lines 1-2, which renders this claim as being indefinite. Under its broadest reasonable interpretation, the term “other” defined in Merriam-Webster dictionary indicates an item that is different or excluded by something else (i.e., excluded from a current item). Hence, it is unclear whether “other applications” refers to “a plurality of user applications” that was earlier identified in independent Claim 12, or whether “other applications” is to identify a group or subset of user applications excluding the current user application and its associated endpoint device (such as a group of user applications residing on different (other) endpoint devices, such that they are considered as “other applications”). For the purposes of examination, the term “other applications” will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (other) client devices (thus corresponding to “other applications”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 6-7, 9, 12-14, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Klonowski et al., U.S. PGPUB 2019/0005234, filed 6/28/2017 [hereafter referred as Klonowski] in view of Erich et al., U.S. PGPUB 2014/0215495, published 7/31/2014 [hereafter referred as Erich].
Regarding Claim 1, Klonowski teaches
A computational system comprising: 
a. a processor (Examiner’s note: Klonowski teaches the operating environment of a computing system contains a processing unit and memory (Klonowski Figure 4, elements 402, 404; and [0031]-[0032]: “… operating environment 400 typically includes at least one processing unit 402 and memory 404.”).); 
b. an operating system (Examiner’s note: Klonowski teaches an operating system (Klonowski [0014]: “… system 100 may include any of hardware components (e.g., used to execute/run operating system (OS)), …” and [0017]: “… client devices 102A-C may enable the software content to interact with a kernel or kernel-level components of client devices 102A-C. A kernel, as used herein, may refer to the central computer program of an operating system. … Generally the kernel is loaded into a protected area of memory …”).); 
c. a computer memory (Examiner’s note: As indicated earlier, Klonowski Figure 4, elements 402, 404; and [0031]-[0032] teaches the operating environment of a computing system contains a processing unit and memory.); 
d. a plurality of user applications (Examiner’s note: Klonowski teaches a plurality of client devices, each containing software content including applications, with these applications residing on client devices. Klonowski [0023] teaches that the computing system and corresponding method may be applied on a distributed network running web services. A person having ordinary skill in the art would understand that web service access would require user applications such as web browsers, and as such, the applications identified on the client devices would include web browsers, thus corresponding to user applications (Klonowski [0016]: “… client devices 102A-C may comprise, or have access to, software content. Examples of software content may include software programs or applications, services, …”) and Klonowski [0023]: “… method 300 may be executed (e.g., computer-implemented operations) by one of more components of a distributed network, such as a web service …”).); 
e. a plurality of sensors for monitoring calls by the user applications to the operating system (Examiner’s note: In light of applicant’s specification p.7 lines 8-14, a sensor is a software component that monitors and analyzes computational activity. Klonowski [0016]-[0017] teaches a set of monitoring utilities present on client devices that monitor, identify, and analyze one or more points of interest in a software content execution path by detecting interactions with the kernel through one or more system calls. These utilities monitor these interactions to produce performance data such as process trace information to identify one or more modules or code segments loaded into memory in response to a request/task. Klonowski [0021] further teaches a monitoring engine performing the detection of the loading of monitoring instructions/utilities/modules into processing components (with the processing components loading code corresponding to user applications as well as monitoring utilities), with these Klonowski [0025]-[0027] and Figure 3, operations 304, 306, 308).); and 
f. an intelligent controller (Examiner’s note: In light of applicant’s specification p.7 lines 8-14, an intelligent controller is a software component that receives data from sensors and performs analysis on received behavior or resource usage. Klonowski [0022] teaches a behavioral analysis engine containing a predictive machine learning model that processes a list of system calls to identify behavior signatures that may indicate malicious intent or action, where the behavioral analysis performs operations including receiving these identified system calls of interest and applying them to a behavior algorithm/model to identify malicious content, such that this behavioral analysis engine functions as an intelligent controller (Klonowski [0029]-[0030] and Figure 3, operations 312, 314).), wherein: 
i. each of the applications is configured to redirect operating-system calls … of one of the sensors (Examiner’s note: As indicated earlier, Klonowski [0016]-[0017] teaches a set of monitoring utilities (functioning as sensors) on client devices detecting interactions with the kernel through one or more system calls, and monitoring these interactions to produce performance data such as process trace information, with a monitoring engine applying these monitoring utilities into the same execution environment to evaluate, instrument, profile the instructions/code modules in processes, where evaluation of the monitored instructions/code modules is performed in the behavioral analysis engine, thus representing a re-direction of the system calls from the sensors (Klonowski [0025]-[0027] and Figure 3, operations 304, 306, 308, 312 and [0029]).) … 
ii. the sensors are configured to submit, to the intelligent controller, each operating-system call (Examiner’s note: As indicated earlier, Klonowski [0022], [0025], and [0029] teaches a behavioral analysis engine containing a predictive machine learning model that receives a list of system calls and processes this list to identify behavior signatures that may indicate malicious intent or action, where this list of system calls from the monitoring utilities are evaluated by a behavioral analysis engine (functioning as the intelligent controller) either residing locally on the same computing system as the behavioral analysis engine (Klonowski Figure 2 and [0018]: “In alternative examples, a single system (comprising one or more components such as processor or memory) may perform processing described in systems 100 and 200, respectively.”), or from a client device and sent through the network to a server device containing a behavioral analysis engine (Klonowski Figure 1 and [0014]: “… input may be entered on a client device and information may be processed or accessed from other devices in a network, such as one or more server devices.”).) … 
iii. the controller implements a predictive response model to detect anomalous behavior (Examiner’s note: As indicated earlier, Klonowski [0022] teaches a behavioral analysis engine (functioning as an intelligent controller) containing a predictive machine learning model that processes a list of system calls to identify behavior signatures that may indicate malicious intent or action, with these malicious behavior signatures representing anomalous behavior.), and
 based on an analysis of the operating-system call by the predictive response model, allows or disallows the operating-system call (Examiner’s note: As indicated earlier, Klonowski teaches a behavioral analysis engine containing a predictive machine learning model, where the behavioral analysis performs operations including receiving these identified calls of interest and applying them to a behavior algorithm/model to identify malicious content, and based on the identified software behavior, trigger actions to a remediation component to effect an action such as pausing or termination the operations of the software content (interpreted as allowing or disallowing an operating-system call, Klonowski [0029]-[0030] and Figure 3, operations 312, 314).), and 
further wherein the analysis by the predictive response model is responsive to operating-system calls previously made by other applications (Examiner’s note: As indicated earlier, the term “other applications” exhibits a 112(b) indefiniteness issue, and will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (other) client devices (thus corresponding to “other applications”). As indicated earlier, Klonowski Figure 1, elements 102A-C and [0016]-[0017] teach that the monitoring utilities present on the client devices monitor system calls on the user applications residing on a plurality of client devices, and Klonowski [0022], [0025], and [0029] teaches the behavioral analysis engine receives a list of system calls for processing and  Klonowski Figure 1 and [0014]).).  
While Klonowski teaches applications being instrumented with monitoring utilities to collect system call paths, and a behavioral analysis engine receiving the list of system call paths from user applications, Klonowski does not explicitly teach
i. … redirect operating-system calls to an intercept handler … 
ii. … submit … each operating-system call received by an intercept handler, 
Erich teaches
i. … redirect operating-system calls to an intercept handler (Examiner’s note: Erich Figure 1B, elements 134, 142, 140 and [0010], [0021]-[0022] teaches the concept of providing hook functions into message queues for different applications, where the indicated hook function (functioning as an intercept handler) operates in the context and address space of the application, such that the hook function non-intrusively intercepts system-related event messages that are exchanged between application and operating system, effectively redirecting the system calls to an intercept handler for further handling.) … 
ii. … submit … each operating-system call received by an intercept handler (Examiner’s note: As indicated earlier, Examiner’s note: Erich teaches hook functions that non-intrusively intercept system-related event messages that are exchanged between application and operating system, where the hook function (functioning as the intercept handler) transfers these events into a journal file, and forwards these system events (i.e., the journal file) to an external application such as an observer agent for further monitoring and processing, where the observer agent uses a machine learning algorithm to further analyze, process, and update this event data stored in the journal file (Erich [0028]-[0030]).), 
Both Klonowski and Erich are analogous art since they both teach monitoring and intercepting system calls triggered by user applications for identifying and analyzing behavior patterns.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take monitoring utilities taught in Klonowski and implement the hook functions taught in Erich as a way to provide the mechanism for sending the system call information to a separate Erich [0010], [0021]).
Regarding Claim 2, Klonowski in view of Erich teaches
The system of claim 1, wherein the controller is locally executed with the user applications and the sensors by the processor (Examiner’s note: As indicated earlier, Klonowski [0018] teaches that a single system can be used to implement the client devices and input processing device containing the behavior analysis engine, such that the behavioral analysis engine resides on the same single system using the same processor as the client devices (and their corresponding user applications) (Klonowski Figure 1, element 100, Figure 2, element 200, and [0018]: “… In alternative examples, a single system (comprising one or more components such as processor and/or memory) may perform processing described in systems 100 and 200, respectively.”).).  
Regarding Claim 3, Klonowski in view of Erich teaches
The system of claim 1, wherein the controller is remote and is configured to communicate with the processor via a network (Examiner’s note: As indicated earlier, Klonowski Figure 1 and [0014] teaches that the identified system components may be spread across multiple devices, such that input may be entered on a client device and information may be processed or accessed from other devices in a network, where those other devices are one or more server devices, and where the server devices implement the input processing unit containing the behavioral analysis engine (Klonowski [0019]-[0020]).).  
Regarding Claim 6, Klonowski in view of Erich teaches
The system of claim 1, wherein the predictive response model of the intelligent controller is a machine-learning model (Examiner’s note: As indicated earlier, Klonowski [0022] teaches a behavioral analysis engine containing a predictive machine learning model that processes a list of system calls to identify behavior signatures that may indicate malicious intent or action.).  
Regarding Claim 7, Klonowski in view of Erich teaches
The system of claim 6, wherein the machine-learning model includes a supervised learning algorithm (Examiner’s note: In light of applicant’s specification p.19 lines 21-24, a neural network is considered as a supervised learning algorithm. Klonowski [0022] teaches a machine learning model where “ … a model may be a … machine-learning regressor, a machine-learning classifier, a neural network …”.).  
Regarding Claim 9, Klonowski in view of Erich teaches
The system of claim 1, wherein the predictive response model is user-specific (Examiner’s note: As indicated earlier, Erich teaches transferring event-related data collected by the hooks into a journal file, where this journal file that stores the event-related data can also be created for each user session, resulting in different historical event-related data stored in the journal file collected for each user (Erich [0033]-[0034]), thus making the processing and resulting predictions performed by the predictive response model user-specific.).  
Regarding Claim 12, Klonowski teaches
A computational method comprising the steps of: 
at a plurality of endpoint devices, executing, by a processor, a plurality of user applications (Examiner’s note: Klonowski teaches a plurality of client devices, each containing software content including applications, with these applications residing on client devices corresponding to user applications. Klonowski [0023] teaches that the computing system and corresponding method may be applied on a distributed network running web services. A person having ordinary skill in the art would understand that web service access would require user applications such as web browsers, and as such, the applications identified on the client devices would include web browsers, thus corresponding to user applications (Klonowski [0016]: “… client devices 102A-C may comprise, or have access to, software content. Examples of software content may include software programs or applications, services, …”) and Klonowski [0023]: “… method 300 may be executed (e.g., computer-implemented operations) by one of more components of a distributed network, such as a web service …”).) and 
executing a sensor associated with each of the applications (Examiner’s note: In light of applicant’s specification p.7 lines 8-14, a sensor is a software component that monitors and analyzes . Klonowski [0016]-[0017] teaches a set of monitoring utilities present on client devices that monitor, identify, and analyze one or more points of interest in a software content execution path by detecting interactions with the kernel through one or more system calls. These utilities monitor these interactions to produce performance data such as process trace information to identify one or more modules or code segments loaded into memory in response to a request/task. Klonowski [0021] further teaches a monitoring engine performing the detection of the loading of monitoring instructions/utilities/modules into processing components (with the processing components loading code corresponding to user applications as well as monitoring utilities), with these monitoring instructions/utilities/modules functioning as sensors for the user applications (Klonowski [0025]-[0027] and Figure 3, operations 304, 306, 308).), 
each of the applications being configured to redirect operating-system calls … of the associated sensor (Examiner’s note: As indicated earlier, Klonowski [0016]-[0017] teaches a set of monitoring utilities (functioning as sensors) on client devices detecting interactions with the kernel through one or more system calls, and monitoring these interactions to produce performance data such as process trace information, with a monitoring engine applying these monitoring utilities into the same execution environment to evaluate, instrument, profile the instructions/code modules in processes, where evaluation of the monitored instructions/code modules is performed in the behavioral analysis engine, thus representing a re-direction of the system calls from the sensors (Klonowski [0025]-[0027] and Figure 3, operations 304, 306, 308, 312 and [0029]).); 
submitting, by the sensors, each operating-system call received … to an intelligent controller (Examiner’s note: In light of applicant’s specification p.7 lines 8-14, an intelligent controller is a software component that receives data from sensors and performs analysis on received behavior or resource usage. As indicated earlier, Klonowski [0022] teaches a behavioral analysis engine containing a predictive machine learning model that receives a list of system calls and processes this list to identify behavior signatures that may indicate malicious intent or action, where this list of system calls is sent from the monitoring utilities either residing locally on the same computing system as the behavioral analysis engine (Klonowski Figure 2 and [0018]: “In alternative examples, a single system (comprising one or more components such as processor or memory) may perform processing described in systems 100 and 200, respectively.”), or from a client device and sent through the network to a server device containing a behavioral analysis engine (Klonowski Figure 1 and [0014]: “… input may be entered on a client device and information may be processed or accessed from other devices in a network, such as one or more server devices.”).); 
analyzing, by the intelligent controller, each of the submitted operating-system calls in accordance with a predictive response model to detect anomalous behavior (Examiner’s note: As indicated earlier, Klonowski [0022] teaches a behavioral analysis engine (functioning as an intelligent controller) containing a predictive machine learning model that processes a list of system calls to identify behavior signatures that may indicate malicious intent or action.), and 
based thereon, allowing or disallowing the operating-system call (Examiner’s note: As indicated earlier, Klonowski teaches a behavioral analysis engine containing a predictive machine learning model, where the behavioral analysis performs operations including receiving these identified calls of interest and applying them to a behavior algorithm/model to identify malicious content, and based on the identified software behavior, trigger actions to a remediation component to effect an action such as pausing or termination the operations of the software content (interpreted as allowing or disallowing the operating-system call, Klonowski [0029]-[0030] and Figure 3, operations 312, 314).), 
wherein the predictive response model is responsive to operating-system calls previously made by other applications (Examiner’s note: As indicated earlier, the term “other applications” exhibits a 112(b) indefiniteness issue, and will be interpreted as indicating that the predictive response model is responsive by receiving and processing input received from user applications residing on different (other) client devices (thus corresponding to “other applications”). As indicated earlier, Klonowski Figure 1, elements 102A-C and [0016]-[0017] teach that the monitoring utilities present on the client devices monitor system calls on the user applications residing on a plurality of client devices, and Klonowski [0022], [0025], and [0029] teaches the behavioral analysis engine receives a list of system calls for processing and evaluation, where the list of system calls are received from multiple client devices, as shown in Klonowski Figure 1 and [0014]).).  
However, Klonowski does not explicitly teach
… redirect operating-system calls to an intercept handler … 
submitting … each operating-system call received by an intercept handler … 
Erich teaches
… redirect operating-system calls to an intercept handler (Examiner’s note: Erich Figure 1B, elements 134, 142, 140 and [0010], [0021]-[0022] teaches the concept of providing hook functions into message queues for different applications, where the indicated hook function (functioning as an intercept handler) operates in the context and address space of the application, such that the hook function non-intrusively intercepts system-related event messages that are exchanged between application and operating system, effectively redirecting the system calls to an intercept handler for further handling.) … 
submitting … each operating-system call received by an intercept handler (Examiner’s note: As indicated earlier, Erich teaches hook functions that non-intrusively intercept system-related event messages that are exchanged between application and operating system, where the hook function (functioning as the intercept handler) transfers these events into a journal file, and forwards these system events (i.e., the journal file) to an external application such as an observer agent for further monitoring and processing, where the observer agent (functioning as an intelligent controller) uses a machine learning algorithm to further analyze, process, and update this event data stored in the journal file (Erich [0028]-[0030]).) … 
Both Klonowski and Erich are analogous art since they both teach monitoring and intercepting system calls triggered by user applications for identifying and analyzing behavior patterns.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take monitoring utilities taught in Klonowski and implement the hook functions taught in Erich as a way to provide the mechanism for sending the system call information to a separate behavioral analysis component for further analysis and processing. The motivation to combine is taught in Erich, as provided in the prior art claim mapping of Claim 1 recited above.
Regarding Claim 13, Klonowski in view of Erich teaches
The method of claim 12, wherein the controller is locally executed with the user applications and the sensors by the processor (This claim limitation is similar in scope to a corresponding claim limitation in Claim 2, and hence is rejected under similar rationale.).  
Regarding Claim 14, Klonowski in view of Erich teaches
The method of claim 12, wherein the controller is remote and is configured to communicate with the processor via a network (This claim limitation is similar in scope to a corresponding claim limitation in Claim 3, and hence is rejected under similar rationale.).  
Regarding Claim 17, Klonowski in view of Erich teaches
The method of claim 12, wherein the predictive response model of the intelligent controller is a machine-learning model (This claim limitation is similar in scope to a corresponding claim limitation in Claim 6, and hence is rejected under similar rationale.).  
Regarding Claim 18, Klonowski in view of Erich teaches
The method of claim 17, wherein the machine-learning model includes a supervised learning algorithm (This claim limitation is similar in scope to a corresponding claim limitation in Claim 7, and hence is rejected under similar rationale.).  
Regarding Claim 20, Klonowski in view of Erich teaches
The method of claim 12, wherein the predictive response model is user-specific (This claim limitation is similar in scope to a corresponding claim limitation in Claim 9, and hence is rejected under similar rationale.).  
Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Klonowski et al., U.S. PGPUB 2019/0005234, filed 6/28/2017 [hereafter referred as Klonowski] in view of Erich et al., U.S. PGPUB 2014/0215495, published 7/31/2014 [hereafter referred as Erich] as applied to Claims 1 and 12; in further view of Grebenev, Dmitry, U.S. PGPUB 2005/0022063, Kernel Level Method of Flagging Problems in Applications, published 1/27/2005 [hereafter referred as Grebenev].
Regarding Claim 4, Klonowski in view of Erich as applied to Claim 1 teaches
The system of claim 1, …
… for all applications hosted by the system (Examiner’s note: Klonowski teaches a plurality of client devices, each containing software content including applications (e.g., web browser applications), services, code segments, set of instructions, code modules representing all applications present on a system (Klonowski [0016]: “… client devices 102A-C may comprise, or have access to, software content. Examples of software content may include software programs or applications, services, a set of instructions, code modules, or the like …”; Klonowski [0020]: “The software content may represent software programs, applications, services, code segments, files, etc.”) and Klonowski [0023]: “… method 300 may be executed (e.g., computer-implemented operations) by one of more components of a distributed network, such as a web service …”).) …
However, Klonowski in view of Erich does not explicitly teach
wherein the controller is further configured to construct and store, in the computer memory, a statistical resource utilization model for all applications hosted by the system based on the received operating-system calls.
Grebenev teaches
wherein the controller is further configured to construct and store, in the computer memory, a statistical resource utilization model … based on the received operating-system calls (Examiner’s note: In light of applicant’s specification p.29 lines 10-12, a statistical resource utilization model is a database of system resources. Grebenev [0010], [0013] teaches using linking libraries to map certain system calls in order to collect kernel level data related to the execution of user program processes, and using existing debugging tools to collect and send the kernel level data to a data collection module (functioning as an intelligent controller, Grebenev Figure 1, element 132). This kernel level data includes data pertaining to usage of system resources that were accessed by the user program process (such as memory accesses for corresponding processes), where the system resource statistics obtained by the user program process is further stored in a file, with the contents of the file representing a database of system resources (Grebenev [0013]-[0015], [0018], [0021] and Figure 2, operations 206, 208).).
Both Klonowski in view of Erich and Grebenev are analogous art since they both teach monitoring and intercepting system calls triggered by user applications for identifying and analyzing behavior patterns.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take the system call information received by the behavior analysis engine taught in Klonowski in view of Erich and apply the method performed in the data collection module to record the associated system resource information taught in Grebenev as a way to construct a statistical system resource utilization database in an intelligent controller. The motivation to combine is taught in Grebenev, as a way to monitor and collect system resource information for user applications to detect and identify Grebenev [0004]-[0005], [0013], [0021]).
Regarding Claim 15, Klonowski in view of Erich as applied to Claim 12 teaches
The method of claim 12, …
… for all applications executable by each of the endpoint devices (Examiner’s note: Klonowski teaches a plurality of client devices, each containing software content including applications (e.g., web browser applications), services, code segments, set of instructions, code modules representing all applications present on a system (Klonowski [0016]: “… client devices 102A-C may comprise, or have access to, software content. Examples of software content may include software programs or applications, services, a set of instructions, code modules, or the like …”; Klonowski [0020]: “The software content may represent software programs, applications, services, code segments, files, etc.”) and Klonowski [0023]: “… method 300 may be executed (e.g., computer-implemented operations) by one of more components of a distributed network, such as a web service …”).).
However, Klonowski in view of Erich does not explicitly teach
further comprising constructing and storing, by the controller, a statistical resource utilization model …  
Grebenev teaches
further comprising constructing and storing, by the controller, a statistical resource utilization model (Examiner’s note: In light of applicant’s specification p.29 lines 10-12, a statistical resource utilization model is a database of system resources. Grebenev [0010], [0013] teaches using linking libraries to map certain system calls in order to collect kernel level data related to the execution of user program processes, and using existing debugging tools to collect and send the kernel level data to a data collection module (functioning as an intelligent controller, Grebenev Figure 1, element 132). This kernel level data includes data pertaining to usage of system resources that were accessed by the user program process (such as memory accesses for corresponding processes), where the system resource statistics obtained by the user program process is further stored in a file, with the contents of the file representing a Grebenev [0013]-[0015], [0018], [0021] and Figure 2, operations 206, 208).) …  
Both Klonowski in view of Erich and Grebenev are analogous art since they both teach monitoring and intercepting system calls triggered by user applications for identifying and analyzing behavior patterns.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take the system call information received by the behavior analysis engine taught in Klonowski in view of Erich and apply the method performed in the data collection module to record the associated system resource information taught in Grebenev as a way to construct a statistical system resource utilization database in an intelligent controller. The motivation to combine is taught in Grebenev, as provided in the prior art claim mapping of Claim 4 recited above.
Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Klonowski et al., U.S. PGPUB 2019/0005234, filed 6/28/2017 [hereafter referred as Klonowski] in view of Erich et al., U.S. PGPUB 2014/0215495, published 7/31/2014 [hereafter referred as Erich], in further view of Grebenev, Dmitry, U.S. PGPUB 2005/0022063, published 1/27/2005 [hereafter referred as Grebenev] as applied to Claims 4 and 15; in even further view of Chen et al., U.S. PGPUB 2018/0018456, published 1/18/2018 [hereafter referred as Chen].
Regarding Claim 5, Klonowski in view of Erich, in further view of Grebenev as applied to Claim 4 teaches
The system of claim 4, wherein the predictive response model is responsive to operating-system calls previously made by other applications …  
While Klonowski in view of Erich, in further view of Grebenev teaches collecting system call information to identify behavior signatures associated with the system calls as being malicious, and collecting system resource data from operating system calls to formulate a system resource database, Klonowski in view of Erich, in further view of Grebenev does not explicitly teach
… via the statistical resource utilization model.
Chen teaches
… via the statistical resource utilization model (Examiner’s note: Chen [0056], [0058], and [0064] teaches a behavior observer module that receives collected information related to system call APIs containing system resource usage information related to opening/closing/accessing files, where the number of process forks, memory access operations, number of files open over a period of time is also tracked (thus corresponding to a statistical resource model), and where this set of system resource usage observations are used to reduce or filter a small subset of relevant observations to generate a lean classifier model for determining whether a particular mobile device behavior and its subsystems, processes, and/or applications are benign or not benign (e.g., malicious or performance-degrading) (Chen [0069]-[0072], [0073]-[0074]), where the determination of performance degradation involves inspecting the associated system resource usage for the system calls from a user application process.).
Both Klonowski in view of Erich, in further view of Grebenev and Chen are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take behavior analysis engine taught in Klonowski in view of Erich, in further view of Grebenev and incorporate the behavior observer module methods taught in Chen as a way to pre-process or select a number of observations that are considered most relevant to identify malicious behavior associated with performance degradation. The motivation to combine is taught in Chen, since using observations based on system resource information can help reduce or filter a large set of coarse observations down to a more manageable level of relevant observations before this set is delivered to the behavior analyzer module for further classification, resulting in a lean classifier model at the behavior analyzer module, thus improving the efficiency of the classifier in the behavior analyzer module to focus on a set of most relevant observations that would determine whether a particular software application is benign or not benign (e.g., malicious or performance-degrading) (Chen [0069]-[0072]).
Regarding Claim 16, Klonowski in view of Erich, in further view of Grebenev as applied to Claim 15 teaches
The method of claim 15, wherein the predictive response model is responsive to operating- system calls previously made by other applications …
Klonowski in view of Erich, in further view of Grebenev teaches collecting system call information to identify behavior signatures associated with the system calls as being malicious, and collecting system resource data from operating system calls to formulate a system resource database, Klonowski in view of Erich, in further view of Grebenev does not explicitly teach
… via the statistical resource utilization model.
Chen teaches
… via the statistical resource utilization model (This claim limitation is similar in scope to a corresponding claim limitation in Claim 5, and hence is rejected under similar rationale.).  
Both Klonowski in view of Erich, in further view of Grebenev and Chen are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take behavior analysis engine taught in Klonowski in view of Erich, in further view of Grebenev and incorporate the behavior observer module methods taught in Chen as a way to pre-process or select a number of observations that are considered most relevant to identify malicious behavior associated with performance degradation. The motivation to combine is taught in Chen, as provided in the prior art claim mapping of Claim 5 recited above.
Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Klonowski et al., U.S. PGPUB 2019/0005234, filed 6/28/2017 [hereafter referred as Klonowski] in view of Erich et al., U.S. PGPUB 2014/0215495, published 7/31/2014 [hereafter referred as Erich] as applied to Claims 6 and 17; in further view of Burguera et al., Crowdroid: Behavior-Based Malware Detection System for Android, SPSM '11, October 17, 2011, ACM 978-1-4503-1000-0/11/10, 11 pages [hereafter referred as Burguera].
Regarding Claim 8, Klonowski in view of Erich as applied to Claim 6 teaches
The system of claim 6.  
While Klonowski in view of Erich teaches a behavior analysis engine containing a machine learning model, Klonowski in view of Erich does not explicitly teach
… wherein the machine-learning model includes an unsupervised learning algorithm.  
Burguera teaches
… wherein the machine-learning model includes an unsupervised learning algorithm (Examiner’s note: In light of applicant’s specification p.19 lines 21-24, a clustering or k-means algorithm is considered as an unsupervised learning algorithm. Burguera Figure 1, Figure 3, and pp.3-5 Section 3 Behavior Based Malware Detection System Framework teaches loading a Crowdroid app which monitors Linux kernel system calls and sending this data to a centralized remote server, where the behavior-based malware detection component located on the remote server uses a k-means algorithm to cluster the received data to differentiate between benign applications that demonstrate similar system call patterns and malicious applications (Burguera p.4 col.1 2nd paragraph: “We chose k-means algorithm [25] due to it’s simplicity, efficiency, speed, and a known number of k=2 cluster as an input parameter …” and p.5 col.1 Malware analysis and detection: “This component is responsible for analyzing and clustering the feature vectors obtained from the previous phase … using K-means clustering over system call count feature vectors.”).).  
Both Klonowski in view of Erich and Burguera are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take machine learning model that includes a supervised learning algorithm taught in Klonowski in view of Erich and replace the supervised learning algorithm with an unsupervised machine learning algorithm taught in Burguera as a way to perform detection, analysis, and classification of malicious behavior. The motivation to combine is taught in Burguera, taught in Burguera p.4 col.1 Section 3 Behavior-Based Malware Detection System Framework 2nd paragraph, since the k-means algorithm was chosen due to its simplicity, efficiency, and speed in identifying benign or malicious applications, resulting in a system that implements this algorithm more computationally efficient.
Regarding Claim 19, Klonowski in view of Erich as applied to Claim 17 teaches
The method of claim 17, 
While Klonowski in view of Erich teaches a behavior analysis engine containing a machine learning model, Klonowski in view of Erich does not explicitly teach
… wherein the machine-learning model includes an unsupervised learning algorithm.  

… wherein the machine-learning model includes an unsupervised learning algorithm (This claim limitation is similar in scope to a corresponding claim limitation in Claim 8, and hence is rejected under similar rationale.).  
Both Klonowski in view of Erich and Burguera are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take machine learning model that includes a supervised learning algorithm taught in Klonowski in view of Erich and replace the supervised learning algorithm with an unsupervised machine learning algorithm taught in Burguera as a way to perform detection, analysis, and classification of malicious behavior. The motivation to combine is taught in Burguera, as provided in the prior art claim mapping of Claim 8 recited above.
Claims 10-11 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Klonowski et al., U.S. PGPUB 2019/0005234, filed 6/28/2017 [hereafter referred as Klonowski] in view of Erich et al., U.S. PGPUB 2014/0215495, published 7/31/2014 [hereafter referred as Erich] as applied to Claims 1 and 12; in further view of Mas'ud et al., Analysis of Features Selection and Machine Learning Classifier in Android Malware Detection, 2014 International Conference on Information Science Applications (ICISA), May 2014, 5 pages [hereafter referred as Mas'ud].
Regarding Claim 10, Klonowski in view of Erich as applied to Claim 1 teaches
The system of claim 1.  
While Klonowski in view of Erich teaches monitoring utilities functioning as sensors, Klonowski in view of Erich does not explicitly teach
wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system.  
Mas’ud teaches
wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system (Examiner’s note: In light of applicant’s specification p.21 lines 2-5 and 13-a classifier assessing a risk associated with the monitored calls” is directed towards a classifier performing calculation of conditional probabilities for the monitored operating system calls. Mas’ud p.3 Figure 2 teaches data collection, data selection, and machine language classification performed on four Android tablets, where the data collection involves collecting system call information from running applications on the tablets using the strace call tool, and where the machine language classification involves using a Naïve Bayes classifier as one of the algorithms to perform classification on the datasets containing system call information (Mas’ud p.3 col.1 3rd paragraph). According to Mas’ud p.3 Table 2, Naïve Bayes classification algorithm uses the Bayes rule of conditional probability to analyze and classify the system calls in the dataset as being malicious or benign (Mas’ud p.2 col.1 Section II. Related Works 2nd paragraph, p.4 Section IV.A. Performance Metrics, 1st paragraph).).  
Both Klonowski in view of Erich and Mas’ud are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take the monitoring utilities taught in Klonowski in view of Erich and enhance them by including a classifier taught in Mas’ud as a way to perform initial classification of the system calls detected on the user applications. The motivation to combine is taught in Mas’ud, since the Naïve Bayes classifier provides comparable accuracy and performance with other classification algorithms, and demonstrates reasonable accuracy when the number of selected features from each dataset decreases, indicating that the algorithm is still efficient in providing reasonable classification accuracy on datasets that contain fewer features captured by the system call information, which helps in terms of reducing the amount of memory needed to store this information on mobile devices (Mas’ud p.4 Section IV.B Experiment Result, Table 4, Figure 3, and p.4 Section V. Conclusion: “…The result shows that it is possible to achieve a good detection performance while the features selection use in the classifier is reduce, consequently this small number of feature selection can reduce the size of log collection in the mobile device.”).
Regarding Claim 11, Klonowski in view of Erich, in further view of Mas’ud teaches
The system of claim [[1]]10, wherein the classifier is a Bayes classifier (Examiner’s note: As indicated earlier, the term “the classifier” will be interpreted as being within the context of the recited claim language identified in dependent Claim 10. As indicated earlier, Mas’ud p.3 Figure 2 teaches data collection, data selection, and machine language classification performed on four Android tablets, where the data collection involves collecting system call information from running applications on the tablets using the strace call tool, and where the machine language classification involves using a Naïve Bayes classifier as one of the algorithms to perform classification on the datasets containing system call information (Mas’ud p.3 col.1 3rd paragraph).).
Regarding Claim 21, Klonowski in view of Erich as applied to Claim 12 teaches
The method of claim 12.  
While Klonowski in view of Erich teaches monitoring utilities functioning as sensors, Klonowski in view of Erich does not explicitly teach
wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system.
Mas’ud teaches
wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system (This claim limitation is similar in scope to a corresponding claim limitation in Claim 10, and hence is rejected under similar rationale.).  
Both Klonowski in view of Erich and Mas’ud are analogous art since they both teach monitoring and intercepting of system calls triggered by user applications to detect, analyze, and classify malicious behavior using machine learning algorithms.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to take the monitoring utilities taught in Klonowski in view of Erich and enhance them by including a classifier taught in Mas’ud as a way to perform initial classification of the system calls detected on the user applications. The motivation to combine is taught in Mas’ud, as provided in the prior art claim mapping of Claim 10 recited above.
Regarding Claim 22, Klonowski in view of Erich, in further view of Mas’ud teaches
The method of claim [[12]]21, wherein the classifier is a Bayes classifier (Examiner’s note: As indicated earlier, the term “the classifier” will be interpreted as being within the context of the recited claim language identified in dependent Claim 21. As indicated earlier, Mas’ud p.3 Figure 2 teaches data collection, data selection, and machine language classification performed on four Android tablets, where the data collection involves collecting system call information from running applications on the tablets using the strace call tool, and where the machine language classification involves using a Naïve Bayes classifier as one of the algorithms to perform classification on the datasets containing system call information (Mas’ud p.3 col.1 3rd paragraph).).  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM WAI YIN KWAN whose telephone number is 303-297-4332.  The examiner can normally be reached on Monday-Friday 8:00am - 4:30pm PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on 571-272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Li B. Zhen/Supervisory Patent Examiner, Art Unit 2121