Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims domestic priority under 35 U.S.C. 119(e) to a provisional application filed on 4/20/2017.

Information Disclosure Statement
4.    The information disclosure statement (IDS) submitted on 06/07/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
5.    Applicant’s Oath was filed on 08/03/2020.

Drawings
6.    Applicant's drawings filed on 08/03/2020 have been inspected and are in compliance with MPEP 608.01.

Specification
7.    Applicant's specification filed on 08/03/2020 has been inspected and is in compliance with MPEP 608.02.

Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	The Examiner requests that Applicant review the relevant prior art cited at the conclusion of this Office action.

Terminal Disclaimer
10.	The terminal disclaimer filed on 2/9/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 10,762,201 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

EXAMINER'S AMENDMENT
11.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

12.	Authorization for this examiner’s amendment was given in an interview with Wendy Kong on 1/27/2022.

The application has been amended as follows: 

21.          (Currently Amended) A method, comprising:
                determining, by an intrusion-detection kernel driver instantiated in kernel space of an operating system of a computing device communicatively coupled with a network and based on kernel-filter criteria, that a network packet processed by a network stack of the computing device is potentially malicious;
                associating, by the intrusion-detection kernel driver, the network packet with an identifier of an application executing in userspace of the operating system, the network packet being sent from or to the application; and
                sending, by the intrusion-detection kernel driver, a report of the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system, causing (1) the intrusion-detection agent to determine a malicious classification of the network packet by applying threat-classification criteria to the report and (2) remediation actions [[are]] to be performed, based on the malicious classification, to block or prevent malicious attacks to the computing device.
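The following is an added illustration of the division of labor that claim 21 recites; it is not code from the application, from the applicant, or from any cited reference. A cheap, stateless kernel-filter stage (simulated here in userspace) tags packets as potentially malicious and attributes each to the owning application via a socket-table lookup, and a userspace agent applies stateful threat-classification criteria to the resulting reports and performs idempotent remediation. The criterion names, thresholds, socket table, and sample traffic are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float                      # seconds since capture start
    direction: str                 # "in" (to this host) or "out" (from it)
    proto: str                     # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()
    payload_len: int = 0


@dataclass(frozen=True)
class Report:
    ts: float
    criterion: str                 # which kernel-filter criterion fired
    app: str                       # identifier of the owning application
    packet: Packet


# Constructed stand-in for the kernel's socket table: (proto, local port) ->
# application identifier.  A real driver resolves this from the socket the
# packet is bound to; the local port is the one on this host.
SOCKET_TABLE: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("tcp", 51234): "updater",
}
ALLOWED_EGRESS_PORTS = {53, 80, 443}            # constructed policy


def local_port(p: Packet) -> int:
    return p.dst_port if p.direction == "in" else p.src_port


# Kernel-filter criteria: cheap, stateless, per-packet predicates.  They only
# decide "potentially malicious"; the verdict is left to the userspace agent.
KERNEL_FILTER_CRITERIA: Dict[str, Callable[[Packet], bool]] = {
    "tcp_syn_inbound": lambda p: p.direction == "in" and p.proto == "tcp"
    and p.tcp_flags == frozenset({"SYN"}),
    "outbound_nonstandard_port": lambda p: p.direction == "out" and p.proto == "tcp"
    and p.dst_port not in ALLOWED_EGRESS_PORTS,
    "oversized_udp_dns": lambda p: p.proto == "udp" and 53 in (p.src_port, p.dst_port)
    and p.payload_len > 512,
}


def kernel_filter(p: Packet) -> Optional[Report]:
    """Simulated driver hook: tag the packet and attribute it to an application."""
    for name, pred in KERNEL_FILTER_CRITERIA.items():
        if pred(p):
            app = SOCKET_TABLE.get((p.proto, local_port(p)), "unknown")
            return Report(p.ts, name, app, p)
    return None                    # ordinary traffic never leaves the kernel stage


class Agent:
    """Userspace agent: stateful threat-classification criteria over reports."""

    def __init__(self, window: float = 10.0, scan_ports: int = 5, egress_hits: int = 3):
        self.window, self.scan_ports, self.egress_hits = window, scan_ports, egress_hits
        self.syns: Dict[str, List[Tuple[float, int]]] = defaultdict(list)   # src_ip -> (ts, dst_port)
        self.egress: Dict[str, List[Tuple[float, str]]] = defaultdict(list)  # app -> (ts, dst_ip)
        self.actions: List[str] = []

    def _recent(self, items, now):
        return [i for i in items if i[0] >= now - self.window]

    def classify(self, r: Report) -> Optional[str]:
        if r.criterion == "tcp_syn_inbound":
            ip = r.packet.src_ip
            self.syns[ip] = self._recent(self.syns[ip], r.ts) + [(r.ts, r.packet.dst_port)]
            if len({port for _, port in self.syns[ip]}) >= self.scan_ports:
                return "port_scan"
        elif r.criterion == "outbound_nonstandard_port":
            self.egress[r.app] = self._recent(self.egress[r.app], r.ts) + [(r.ts, r.packet.dst_ip)]
            if len(self.egress[r.app]) >= self.egress_hits:
                return "unauthorized_egress"
        return None                # e.g. a lone oversized DNS packet stays unclassified

    def handle(self, r: Report) -> Optional[str]:
        verdict = self.classify(r)
        if verdict == "port_scan":
            self._act(f"block_ip:{r.packet.src_ip}")          # remediate at the network edge
        elif verdict == "unauthorized_egress":
            self._act(f"quarantine_app:{r.app}")              # remediate the attributed process
        return verdict

    def _act(self, action: str) -> None:
        if action not in self.actions:                        # idempotent remediation
            self.actions.append(action)


def run_pipeline(packets: List[Packet], agent: Optional[Agent] = None) -> dict:
    agent = agent or Agent()
    reports = [r for r in map(kernel_filter, packets) if r is not None]
    verdicts = [v for v in (agent.handle(r) for r in reports) if v]
    return {"reports": len(reports), "verdicts": verdicts, "actions": list(agent.actions)}


# Constructed sample traffic: a port scan from 203.0.113.7, a local "updater"
# process calling out to tcp/4444 three times, benign traffic, one big DNS packet.
def _syn(ts, dst_port):
    return Packet(ts, "in", "tcp", "203.0.113.7", 40000, "192.0.2.10", dst_port, frozenset({"SYN"}))


def _egress(ts):
    return Packet(ts, "out", "tcp", "192.0.2.10", 51234, "198.51.100.9", 4444, frozenset({"SYN"}))


SAMPLE_TRAFFIC = [
    _syn(0.0, 21), _syn(0.5, 22), _syn(1.0, 23), _egress(1.0), _syn(1.5, 25),
    _syn(2.0, 80), _egress(2.0), _syn(2.5, 443), _egress(3.0),
    Packet(3.5, "out", "tcp", "192.0.2.10", 51235, "198.51.100.9", 443, frozenset({"ACK"})),
    Packet(4.0, "in", "tcp", "198.51.100.20", 5555, "192.0.2.10", 443, frozenset({"ACK", "PSH"}), 100),
    Packet(5.0, "out", "udp", "192.0.2.10", 40001, "198.51.100.53", 53, frozenset(), 900),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_TRAFFIC))
```

Only packets matching a kernel-filter criterion cross into userspace as reports, and only reports that satisfy a threat-classification criterion produce a verdict and a remediation action; the oversized DNS packet in the sample is reported but never classified, which is the point of keeping the two sets of criteria separate.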


Reasons for Allowance
13.	Claims including all of the limitations of the base claim and any intervening claims are allowed.

Closest Prior Art:
U.S. Publication No. 20090013407 discloses on paragraph 0007 "In particular, by implementing kernel extensions that are specific to the packet inspection task, multi-gig speeds can be achieved. For example, conventional IDS and IPS approaches in this regard have generally made at least four copies of each packet for inspection by the user space IDS/IPS process. Specifically, an incoming packet from the network interface card (NIC) is copied to provide a new packet. The new packet is then copied to user space for access by the IDS/IPS process. The inspection process is then implemented, and the resulting inspected packet is then copied back from user space. Finally, the original packet is copied back to the network stack." Paragraph 0009 "In accordance with one aspect of the present invention, a method and apparatus ("utility") is provided for in-line analysis of packets by a user space process such as an IDS, an IPS or a network policy enforcement process. The utility involves establishing a mandatory path for packet transmission in relation to an interface of a network and monitoring the path for a packet or series of packets of interest for processing by the user space process. For example, the mandatory path may be implemented by the packet capture mechanism of an operating system (e.g., Linux). Upon identification of a packet of interest, the user space process is 

U.S. Publication No. 20160036838 discloses on paragraph 0056 "The separation of functionality between the kernel space 802 and the user space 804 allows for multistage attack detection and mitigation (e.g., traffic from source IPs sending a TCP SYN attack can be forwarded to the DIP module 816 for deep packet inspection). The intuition behind co-locating detectors and mitigators on the same VM instance is that it reduces the critical overheads of traffic redirection, which can be significant, and leverages the caches to store the packet content. Further, this approach avoids controller overheads of managing different types of instances of the analyzer component."

U.S. Publication No. 20160036837 discloses on paragraph 0063 “FIG. 3B is a block diagram of an attack detection system 300, according to implementations described herein. The system 300 includes a kernel space 320- 1 and user space 320-2. The spaces 320-1, 320-2 are operating system environments with different authorities for resources on the system 300. The user space 320-2 is where VIPs execute, with typical user permissions to storage, and other resources. The kernel space 320-1 is where the operating system executes, with authority to access all immediate system resources. Additionally, in the kernel space 320-1 data packets pass from a communications device, such as a network interface connector 326 to a software load balancer (SLB) mux 324. Alternatively, a hardware-based load balancer may be used. The mux 324 may be hosted on a virtual machine or a server, and includes a header parse program 330 and a destination IP (DIP) program 328. The header parse program 310 parses the header of each data packet. Typically, this program 310 looks at the flow-level fields, such as source IP, source port, destination IP, destination port and protocol including flags to determine how to process that packet. Additionally, the DIP program 328 determines the DIP for the VIP receiving the packet. A shim layer 322 includes a program 332 that runs in the user space 320-2, and retrieves data from a traffic summary representation 334 in the kernel space 320-1. The program 332 periodically syncs measurement data between the traffic summary representation 334 and a collector. Using the synchronized 

U.S. Publication No. 20140047541 discloses on paragraphs 0054 and 0076 "In general, received packets from one or more network interfaces shown as 208 and 209 are initially processed by the Kernel Network Driver 207. Packets are then processed by the Packet Module 205 of the Agent Driver 203 according to the Compiled Security Profile 202. The Packet Module 205 may discard the packet if the contents of the packet match a rule in the Compiled Security Profile 202. Otherwise, the packet is passed in this case to the Kernel Network Stack 206 where it is processed by the operating system of the computer system in an ordinary way. Packets, which are intended for transmission from the computer system, originate from the Kernel Network Stack 206 and are also processed by the Packet Module 205 of the Agent Driver 203 according to the data in the Compiled Security Profile 202. Again, the Packet Module 205 may discard a packet if the contents of the packet match a rule in the Compiled Security Profile 202. Otherwise, the packet is passed to the appropriate network interface where it is processed and transmitted in an ordinary way."

U.S. Patent No. 10171423 discloses on Col. 7 Lines 18-33 “As further shown in FIG. 4, process 400 may include inspecting the portion of the network traffic at the upper layer (block 430). For example, network device 220 may cause the portion of the network traffic to be inspected at the upper layer (e.g., L- 

U.S. Publication No. 20140181972 discloses on paragraph 0021 "According to an aspect of some embodiments of the present invention there is provided a computerized system for preventing network attacks on a communication device which receive a plurality of network packets in a wireless communication network, the system comprising: a computer readable firmware, a

transmit the received packets to the Pattern detector module; and a computer readable kernel extension module configure to receive the packets from the firmware module at an application level, detect the pattern of the marked packets and if the packets are not marked further examine the packets at the next lower software layer."

The following is an Examiner’s Statement of Reasons for Allowance:
Claims 1-25 are allowable because the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest, or render obvious the claimed subject matter, as argued by the applicant, which the examiner considers persuasive as set forth above.
Although the prior art discloses obtaining kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, obtaining threat-classification criteria indicative of which reports of network packets identify potential attacks, and classifying the network packet as malicious and responding to that classification, no single reference, and no combination of references, anticipates or renders obvious determining, by an intrusion-detection kernel driver instantiated in kernel space of an operating system of a computing device communicatively coupled with a network and based on kernel-filter criteria, that a network packet processed by a network stack of the computing device is potentially malicious.

Nor does the prior art disclose or suggest thereafter sending, by the intrusion-detection kernel driver, a report of the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system, causing the intrusion-detection agent to determine a malicious classification of the network packet by applying threat-classification criteria to the report, and remediation actions to be performed, based on the malicious classification, to block or prevent malicious attacks to the computing device.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GARY S GRACIA/Primary Examiner, Art Unit 2491