Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/1/21 has been entered.
 
Claims 1-15 and 17-30 are pending with claims 29 and 30 withdrawn.

Response to Amendment


Claim Interpretation
Claim 1 as amended is a method that requires two steps: receiving a signal and monitoring a signal. The monitoring is based on a probabilistic model. The model 
As per claim 12, the same rationale can be applied to render subject matter directed to the model accounts as lacking patentable weight.

Response to Arguments
Applicant's arguments filed 2/1/22 have been fully considered but they are not persuasive. While the Examiner can appreciate some of the mentioned features presented in the arguments, they are not claimed and thus cannot be weighed against the claims’ language. For example, page 11 says the claims recite a sequence model (such as a state machine). The claims do not use this term. The claim recites a probabilistic model and a sequence of events. Applicant purports the claim’s sequence In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Applicant's arguments unfortunately read like the written description and do not address the deficiencies of the claim's actual requirements. The arguments are propped up by a purported difference between the written description and the prior art. In order to distinguish from the prior art’s features, the differences need to be in the claims. Merely calling a model probabilistic does not mean the claims inherit all of the properties of the model and what it actually does. Examiner suggested in the previous Office Action to incorporate how the model is used to analyze the monitored signal to achieve a result. Using the adjective probabilistic does not afford the claimed model with all of the specificities that a probabilistic model may have in the general mathematical sense. Applicant makes the point to say the model can account for all possible program sequences that might even number into the trillions of trillions. This sounds like a bold statement until Applicant states, “[t]he pending Claims recite using a sequence model (such as a state machine)” [top of page 11]. Therefore, more detail is needed in the claims because a finite state machine is not novel. If a FSM can account for every .
Regarding claim 24 specifically, Applicant alleges that the claim “provides information not only that there was an anomaly at some point in the recent past, but also identifies in which part of the code this has occurred (with precision that corresponds to a few basic blocks or even a few instructions) and when (with a precision of a few tens processor cycles or even a few processor cycles)”. Again, this is not in the claims, and the claims do not require these particular limitations. There is no mention of “recent” past, basic blocks or few instructions in the claims.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.





Claims 1-15, 17-28 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by USP Application Publication 2016/0342791 to Gonzalez et al., hereinafter Gonzalez.

Note: claim 1 is interpreted as having limitations directed to intended use as detailed above and is rejected accordingly.  It is separately rejected under 35 USC §103 below.

As per claim 1, Gonzalez teaches receiving a signal from a monitored device [target device] comprising hardware and running a software program (0006); and
monitoring the signal representative of an actual execution [side-channel information] of the software program running on the monitored device based upon (0024 and 0034):
possible expected normal sequences of hardware/software interaction events of an expected normal execution of the software program running on the monitored device [expected sequences, detects out of context; 0087]; and
a probabilistic software model that:  
is representative of the expected normal execution of the software program running on the monitored device (0052 and 0087 [knows normal order of instructions]);
can account for all of possible expected normal sequences of hardware/software interaction events (intended use - program segments 0087, 0052 and 0054); and 
can account for how likely each of the possible expected normal sequences of hardware/software interaction events [segment of code] is for the software program running on the monitored device [intended use].

As per claim 2, Gonzalez teaches the probabilistic software model defines the hardware/software interaction events that are possible during the expected normal execution of the program executions on the monitored device (0046 and 0047).
As per claim 3, Gonzalez teaches determining a probability that the monitored device is compromised (0036 and 0038).
As per claim 4, Gonzalez teaches determining the probability that the monitored device is compromised is based upon the monitoring of the signal representative of the actual execution of the software program running on the monitored device (0036).
As per claim 5, Gonzalez teaches determining the probability that the monitored device is compromised comprises applying signal processing to the received signal to compute the probability [confidence] that an anomalous event is uncovered within the actual execution of the program executions on the monitored device (0038 and 0041).
As per claim 6, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device [side channel info on app events]; and the expected normal execution of the software program running on the monitored device [reference data; 0034 and 0035].
As per claim 7, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device (0034); and both the expected normal execution of the software program running on the monitored device (0035 and 
As per claim 8, Gonzalez teaches performing spectral monitoring on the signal to identify a loop or program module of program code in the actual execution of the software program running on the monitored device (0028, 0031, and 0098).
As per claim 9, Gonzalez teaches determining code blocks [code segment] executed by the monitored device corresponding to the signal (0087); wherein at least one code block is selected from the group consisting of a loop and a program module [program segment/key instructions] of program code (0087).
As per claim 10, Gonzalez teaches the probabilistic software model comprises one or more of a control flow graph at basic code block granularity, instruction-level representation of the program [key instructions; 0087], and intermediate-representation of the program.


As per claim 11, Gonzalez teaches the expected normal set of hardware/software interaction events of the software program running on the monitored device is based upon a probabilistic hardware-software interaction model (0046 and 0051).
As per claim 12, Gonzalez teaches wirelessly receiving [205/206 wirelessly receive signals through wireless network 204; 0029] a signal emanating [target device produces electromagnetic emissions; 0022] from a monitored device comprising hardware and running a software program (0006); and 

an expected normal sequences of software interaction events of the software program running on the monitored device [expected sequences, detects out of context; 0087];
an expected normal sequences of hardware/software interaction events of the software program running on the monitored device [expected sequences, detects out of context; 0087]

a probabilistic software model representative of an expected normal set of a sequence of software interaction event (segments; 0087) of the software program running on the monitored device (software model of same code; 0054) accounts for the expected normal set of the sequence of software interaction events of the software program running on the monitored device, and accounts for how likely the expected normal set of the sequence of software interaction events is for the software program running on the monitored device [intended use]; and 
a probabilistic hardware-software interaction model representative of an expected normal set of hardware/software interaction events of the software program running on the monitored device [model building the target device (0046) by testing the device in a known good state (0051) with various input vectors to trigger operation of the device and use this as one of the bases for comparison to actual detected signals; 0034]. Both models, which are part of the reference data, are fed back into the PFP references database 207 so that PFP analytics will be able to retrieve the reference 
determining a probability that the monitored device is compromised (0036 and 0038).

As per claim 24, Gonzalez teaches a method comprising: 
storing a set of predicted computational activities reflective of a processing activity of a monitored device that is uncompromised (0034); 
wirelessly receiving [205/206 wirelessly receive signals through wireless network 204; 0029] signals emanating from the monitored device [target device produces electromagnetic emissions; 22], the signals reflective of a set of actual computational activities of the monitored device during the processing activity (0024 and 0034); 
determining a probability that the monitored device is compromised (0038 and 0041) by evaluating variance between the set of predicted computational activities [reference data] to the set of actual computational activities [side-channel information] (0035), which provides a probability that an anomalous event exists within the actual computational activities of the monitored device (0038 and 0041); and 
transmitting data indicative of the probability that an anomalous event exists (0041); wherein if the probability that an anomalous event evidences an actual anomalous event, the data indicative of the actual anomalous event comprises: 
at what point in the processing activity the anomalous event occurred [gathering intelligence and forensic information from the attack] (0087 and 0103); 

in which part of the program code in the actual execution of the software program running on the monitored device the anomalous event occurred (0087; precision down to the key instructions).

As per claim 13, Gonzalez teaches the probabilistic software model defines a set of the sequence of software interaction events that are possible during the expected normal execution of the program executions on the monitored device (0046 and 0047).
As per claim 17, Gonzalez teaches determining that the monitored device is compromised is based upon the monitoring of the signal representative of the actual execution of the software program running on the monitored device (0036).
As per claim 18, Gonzalez teaches determining that the monitored device is compromised comprises applying signal processing to the received signal to compute the probability [confidence] that an anomalous event is uncovered within the actual execution of the program executions on the monitored device (0038 and 0041).
As per claim 19, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device [side channel info on app events]; and the expected normal execution of the software program running on the monitored device [reference data; 0034 and 0035].
As per claim 20, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device (0034); and both the expected 
As per claims 21 and 27, Gonzalez teaches performing spectral monitoring on the signal to identify a loop or program module of program code in the actual execution of the software program running on the monitored device (0028, 0031, and 0098).
As per claim 22, Gonzalez teaches determining code blocks [code segment] executed by the monitored device corresponding to the signal (0087); wherein at least one code block is selected from the group consisting of a loop and a program module [program segment/key instructions] of program code (0087).
As per claim 23, Gonzalez teaches the probabilistic software model comprises one or more of a control flow graph at basic code block granularity, instruction-level representation of the program [key instructions; 0087], and intermediate-representation of the program.
As per claim 14, Gonzalez teaches the probabilistic hardware-software interaction model defines the set of the sequence of hardware/software interaction events that are possible at each point [key instructions along the execution path] during the expected normal execution of the software program executions on the monitored device (0082 and 0087).
As per claim 15, Gonzalez teaches one or both of: the probabilistic SW model defines a set of program executions that are possible during the expected normal execution of the program executions on the monitored device (0046, 0047, and 0052); 

As per claim 25, Gonzalez teaches the set of predicted computational activities is provided by a software model and a hardware-software interaction model of the monitored device (0046, 0051, and 0046).

As per claim 26, Gonzalez teaches the software model defines a set of program executions that are possible during uncompromised software execution in the monitored device (0046, 0047, and 0052); and wherein the hardware-software interaction model defines the set of hardware/software interaction events that are possible at each point during the uncompromised software execution on the monitored device (0082 and 0087).






Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


In the event that the claims are amended to require the limitations interpreted above as intended use and in the interest of compact prosecution, claims 1-11 are also rejected under this statute.

Claims 1-11 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of USP Application Publication 2016/0021121 to Cui et al., hereinafter Cui.
As per claim 1, Gonzalez teaches receiving a signal from a monitored device [target device] comprising hardware and running a software program (0006); and
monitoring the signal representative of an actual execution [side-channel information] of the software program running on the monitored device based upon (0024 and 0034):
possible expected normal sequences of hardware/software interaction events of an expected normal execution of the software program running on the monitored device [expected sequences, detects out of context; 0087]; and
a probabilistic software model that:  
is representative of the expected normal execution of the software program running on the monitored device (0052 and 0087 [knows normal order of instructions]);
can account for all of possible expected normal sequences of hardware/software interaction events (program segments 0087, 0052 and 0054); and 


As per claim 2, Gonzalez teaches the probabilistic software model defines the hardware/software interaction events that are possible during the expected normal execution of the program executions on the monitored device (0046 and 0047).
As per claim 3, Gonzalez teaches determining a probability that the monitored device is compromised (0036 and 0038).
As per claim 4, Gonzalez teaches determining the probability that the monitored device is compromised is based upon the monitoring of the signal representative of the actual execution of the software program running on the monitored device (0036).

As per claim 6, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device [side channel info on app events]; and the expected normal execution of the software program running on the monitored device [reference data; 0034 and 0035].
As per claim 7, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device (0034); and both the expected normal execution of the software program running on the monitored device (0035 and 0087) and the expected normal execution of the set of hardware/software interaction events of the software program running on the monitored device (0046 and 0051).
As per claim 8, Gonzalez teaches performing spectral monitoring on the signal to identify a loop or program module of program code in the actual execution of the software program running on the monitored device (0028, 0031, and 0098).
As per claim 9, Gonzalez teaches determining code blocks [code segment] executed by the monitored device corresponding to the signal (0087); wherein at least one code block is selected from the group consisting of a loop and a program module [program segment/key instructions] of program code (0087).


As per claim 11, Gonzalez teaches the expected normal set of hardware/software interaction events of the software program running on the monitored device is based upon a probabilistic hardware-software interaction model (0046 and 0051).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431