DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted 4/08/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
at the different location”. None of the parent claims recite a different location from anything.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim is directed to software per se under broadest reasonable interpretation. 
Claim 15 is a “system” comprising only a “processor”. The term “processor” is to be interpreted broadly as disclosed in [0034] of the filed specification. Processors are well-known in the art to include software implementations, e.g. virtual processors, a program that translates another program is a processor, etc. Thus, the claim is directed to a software system, and software is not patentable subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4, 5, 7, 8, 11, 12, 14, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0065745 to Araujo et al. (hereinafter, “Araujo”) in view of US 10,853,350 to Sharifi Mehr (hereinafter, “Mehr”).
As per claim 1: Araujo discloses: A method for regulating execution of a suspicious process, the method comprising (a new file system paradigm, which protects files at their place of rest [Araujo, ¶5]): determining a file system location of an executable file (protecting a file system [Araujo, ¶38]); suspicious process (a decoy file system is configured to overlay the base file system to protect the base files; for example, overlay 412 has the ability to hide base files, modify the content of base files by overlaying a different file with the same name (as well as the same location as it is overlaying the base), and inject new decoy files [Araujo, ¶39; Fig. 4]).
Araujo does not disclose “encrypting the file” when it is determined to be “associated with [a] suspicious process”. However, Mehr discloses determining anomalous access attempts to data objects. In response to a determination of an anomalous attempt (“associated with the suspicious process”) to access a data object, such as the file in Araujo, a control action may be taken, including encrypting the data object (“encrypting the file”) [Mehr, col. 5, lines 3-7].
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to have implemented an additional layer of security in Araujo by encrypting the base files that are associated with suspicious accesses. The encryption of the file would protect it from being further accessed until an action, such as by a user or an administrator, is taken.

As per claim 2: Araujo in view of Mehr disclose all limitations of claim 1. Furthermore, Araujo in view of Mehr disclose: further comprising: using the wrapper as a proxy for the executable file associated with the suspicious process (“…this architecture allows for different directory and file trees to be overlayed (i.e., superimposed) over the base filesystem 300. To this end, and according this disclosure, a set of filesystem overlays 312 are then preferably deployed on a per-process basis, providing each process with a different view of the 

As per claim 4: Araujo in view of Mehr disclose all limitations of claim 1. Furthermore, Araujo in view of Mehr disclose: wherein creating a wrapper further comprises: generating an executable stub as a substitute for the file associated with the suspicious process (“...modify the content of a base file by overlaying a different file (e.g., one that is redacted or replaced) with the same name…” [Araujo, ¶39]).

As per claim 5: Araujo in view of Mehr disclose all limitations of claim 4. Furthermore, Araujo in view of Mehr disclose: further comprising: accepting a request, using the stub, to execute the suspicious process; and executing a payload associated with the suspicious process (“Filesystem events are then collected at step 604 for the selected first overlay. At step 606, the routine updates an overlay “context” for the overlay being monitored.” [Araujo, ¶46; Fig. 6]).

As per claim 7: Araujo in view of Mehr disclose all limitations of claim 1. Furthermore, Araujo in view of Mehr disclose: further comprising: executing a payload of the file associated with the suspicious process in an isolated execution environment (“…the decoy filesystem preferably includes an access control module 420, a decoy generation module 422, and a monitoring module 424. The access control module 420 controls access to the overlays 412 by the processes 426, which execute within one or more namespaces 428 configured in user 

As per claim 8: Araujo in view of Mehr disclose all limitations of claim 1. Furthermore, Araujo in view of Mehr disclose: further comprising: determining an action to be taken in respect of the suspicious process using one of a: policy; hash; metadata; machine learning; and user input (encrypting the data object includes other cryptographic operations, such as hashing [Mehr, col. 3, lines 46-48]; user provided control action to anomalous attempts [Mehr, col. 5, lines 7-13]).

As per claim 11: Araujo discloses: A non-transitory machine-readable storage medium encoded with instructions executable by a processor for monitoring control-flow integrity in a low-level execution environment (a new file system paradigm, which protects files at their place of rest [Araujo, ¶5]; a decoy file system overlays a base file system and controls access to the overlay by processes that are executed within one or more namespaces configured in the user space [Araujo, ¶40]), the machine-readable storage medium comprising: instructions to determine a file system location of an executable file (protecting a file system [Araujo, ¶38]); (a decoy file system is configured to overlay the base file system to protect the base files; for example, overlay 412 has the ability to hide base files, modify the content of base files by overlaying a different file with the same name (as well the same 
Araujo does not disclose “instructions to encrypt the file” when it is determined to be “associated with [a] suspicious process”. However, Mehr discloses determining anomalous access attempts to data objects. In response to a determination of an anomalous attempt (“associated with the suspicious process”) to access a data object, such as the file in Araujo, a control action may be taken, such as encrypting the data object (“encrypt the file”) [Mehr, col. 5, lines 3-7].
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to have implemented an additional layer of security in Araujo by encrypting the base files that are associated with suspicious accesses. The encryption of the file would protect it from being further accessed until an action, such as by a user or an administrator, is taken.

As per claim 12: Araujo in view of Mehr disclose all limitations of claim 11. Furthermore, Araujo in view of Mehr disclose: further comprising: instructions to process a request, using the stub, to execute the suspicious process; and instructions to execute a payload associated with the suspicious process (“Filesystem events are then collected at step 604 for the selected first overlay. At step 606, the routine updates an overlay “context” for the overlay being monitored.” [Araujo, ¶46; Fig. 6]).

As per claim 14: Araujo in view of Mehr disclose all limitations of claim 11. Furthermore, Araujo in view of Mehr disclose: further comprising: instructions to execute a payload of the file associated with the suspicious process in an isolated execution environment (“…the decoy filesystem preferably includes an access control module 420, a decoy generation module 422, and a monitoring module 424. The access control module 420 controls access to the overlays 412 by the processes 426, which execute within one or more namespaces 428 configured in user space 408.” [Araujo, ¶40]; a namespace isolates and virtualizes system resources for a collection of processes [Araujo, ¶34]).

As per claim 15: Claim 15 is different from the overall scope of claim 1 and recites a system comprising a processor performing the method of claim 1. Therefore, the response to claim 1 is also applicable to claim 15.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Araujo in view of Mehr and in further view of US 2009/0300761 to Park et al. (hereinafter, “Park”).
As per claim 9: Araujo in view of Mehr disclose all limitations of claim 1. Araujo in view of Mehr do not disclose the limitations of claim 9. However, Park discloses: further comprising; generating a hash of the executable file associated with the suspicious process, the hash including static metadata related to the executable file (generating an intelligent hash of a file by identifying metadata associated with said file [Park, ¶23]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to create a hash value of the base files in Araujo, or the 

As per claim 10: Araujo in view of Mehr and Park disclose all limitations of claim 9. Furthermore, Araujo in view of Mehr and Park disclose: further comprising; transmitting the hash of the executable file associated with the suspicious process to a memory for further analysis (“The client 150 then transmits the suspicious entity hash to the security server 110 for evaluation. Upon receiving a suspicious entity hash from a client 150, the security server 110 evaluates the intelligent hash by comparing it to the intelligent hashes in the database 174…” [Park, ¶25]).

Allowable Subject Matter
Claims 3 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 6 would be allowable if rewritten to overcome the rejection under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
These claims further define the claimed invention that are non-obvious and/or not disclosed by the cited prior arts of record. See additional relevant prior arts in the following section.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2017/0118233: Discloses intercepting web traffic to extract executable files. These files are compared with policies to identify suspicious executable files, which are sent to a packer tool to wrap the suspicious executable files and delivered to the client system. See ¶¶44-45.
US 2012/0210443: Discloses securing applications by wrapping them before or after they are downloaded on a device and before the applications are allowed access to the operating system of the device. See ¶6.
US 8,146,151: Discloses determining if a data file needs to be provided a protective file. The data file is wrapped in a protective file to protect it from being accessed/executed until the reputation of the data file is received. See Abstract.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
1-26-2022