DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 103, 107 and 109.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The disclosure is objected to because of the following informalities:
In Paragraph [0037] Line 8, “Supervisor Mode Access Prevention (SMEP)” should read “Supervisor Mode Access Prevention (SMAP)”.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-4, 7-9, 13-16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sidiroglou et al. (U.S. 20080141374A1), hereinafter Sidiroglou in view of Drake (U.S. 6006328A) and Araujo et al. (U.S. 20190068640A1), hereinafter Araujo. 
Regarding claim 1, Sidiroglou teaches a computer-implemented method for software intrusion detection (Sidiroglou: [0005] provides for a method for software intrusion detection using honeypots and anomaly detection systems), comprising: 
generating a honeypot patch configured to convert a computing system having software, the software comprised of at least one of: an operating system and an application, into a honeypot system (Sidiroglou: Abstract, Fig. 3, [0005] [0006] [0009] [0021] provide for the honeypot patch to convert a computing system into honeypot system), 
generating a security event indicating an attempt to exploit a software vulnerability (Sidiroglou: Fig. 4, [0005] and [0006] provide for indicating an attempt to exploit a software vulnerability). 
Sidiroglou does not teach about the honeypot patch comprising a live update having program code for detecting an unexpected change to an original data structure of the software and/or CPU registers that represents a system invariant of the computing system. However, Drake teaches this limitation (Drake: Col. 6 Lines 25-31 provides for the live update for detecting an unexpected change to a processor application representing a system invariant of the computing system.)
Sidiroglou and Drake are both considered to be analogous to the claimed invention because they are in the same field of software intrusion detection. Therefore, it would have been 
Sidiroglou and Drake do not explicitly teach about modifying the software installed on the computing system using the generated honeypot patch without restarting the software. However, Araujo teaches this limitation (Araujo: Fig. 1, [0025] provide for modifying the software using the “booby trapped function” that can be represented by the honeypot patch in live processes).
Sidiroglou, Drake and Araujo are all considered to be analogous to the claimed invention because they are in the same field of software intrusion detection. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sidiroglou/Drake to incorporate the teachings of Araujo and provide a honeypot patch to modify the software installed on the computing system. Doing so would aid in providing added protection to the software from outside attacks or intrusion. 
Claim 13 recites the same limitations as claim 1 for a software intrusion detection system and is thereby rejected under the same rationale.
Claim 20 recites the same limitations as claim 1 for a non-transitory computer readable medium comprising computer executable instructions for software intrusion detection and is thereby rejected under the same rationale.


adding program code configured to create a new shadow data structure corresponding to the original data structure of the software that represents the system invariant (Araujo: Fig. 1, [0026] [0027] provide for the decoy sandbox representing a shadow data structure corresponding to the original data structure of the software); and 
replacing original program code that refers to the original data structure with program code referring to the shadow data structure (Araujo: Fig. 1, [0025] provide for replacing the original program code with program code referring to the decoy sandbox representing a shadow data structure).
Claim 14 recites the same limitations as claim 2 for a software intrusion detection system and is thereby rejected under the same rationale.
Regarding claim 3, Araujo further teaches the method of claim 1, wherein modifying the software using the generated honeypot patch comprises: modifying the program code for detecting the change in a system function of the software (Araujo: Fig. 1, [0025] provide for modifying the software using the “booby trapped function” that can be represented by the honeypot patch in live processes).
Claim 15 recites the same limitations as claim 3 for a software intrusion detection system and is thereby rejected under the same rationale.
Regarding claim 4, Araujo further teaches the method of claim 3, wherein the modified system function comprises at least one of: a system function related to a file open, a system function related to a process fork, a system function related to a process execution, and a system 
Claim 16 recites the same limitations as claim 4 for a software intrusion detection system and is thereby rejected under the same rationale.
Regarding claim 7, Araujo further teaches the method of claim 1, wherein the honeypot system is configured to, in response to detecting attempts to exploit the software vulnerability of the software, save a state of processes running on the honeypot system for further analysis (Araujo: [0032] [0037] provide for saving a state of processes for further analysis).
Claim 19 recites the same limitations as claim 7 for a software intrusion detection system and is thereby rejected under the same rationale.
Regarding claim 8, Araujo further teaches the method of claim 1, wherein the honeypot system is configured to, in response to detecting attempts to exploit the software vulnerability of the software, live migrate processes associated with the detected attack to an isolated system or a virtual machine (Araujo: Fig. 1, [0026] [0027] provide for migrating processes associated with the detected attack to a decoy sandbox).
Regarding claim 9, Araujo further teaches the method of claim 1, wherein current or future connections from an attacking address are routed to the isolated system or the virtual machine where the processes were migrated (Araujo: Fig. 1 and [0026] provide for connections from the attacking address being routed to the decoy sandbox).
Claims 5, 6, 10, 11, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sidiroglou (U.S. 20080141374A1), Drake (U.S. 6006328A) and Araujo (U.S. 20190068640A1), in view of Mehner (U.S. 20190238570A1).

Claim 17 recites the same limitations as claim 5 for a software intrusion detection system and is thereby rejected under the same rationale.
Sidiroglou, Drake, Araujo and Mehner are all considered to be analogous to the claimed invention because they are in the same field of software intrusion detection. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sidiroglou/Drake/Araujo to incorporate the teachings of Mehner and provide reporting the attempts to exploit the software vulnerability to a system administrator. Doing so would aid in providing prompt action to prevent the exploit.
Regarding claim 6, Sidiroglou, Drake and Araujo do not explicitly teach about killing or blocking intruder processes in response to detecting attempts to exploit the software vulnerability. Mehner teaches this limitation (Mehner: [0037] provides the protective measures including shutting down the intruder processes).
Claim 18 recites the same limitations as claim 6 for a software intrusion detection system and is thereby rejected under the same rationale.
Regarding claim 10, Sidiroglou, Drake and Araujo do not explicitly teach about blocking a login of a user in response to detecting attempts to exploit the software vulnerability. Mehner teaches this limitation (Mehner: [0026] provides for blocking the IP address of the attacker representing blocking a login of the user associated with the attack).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Sidiroglou (U.S. 20080141374A1), Drake (U.S. 6006328A) and Araujo (U.S. 20190068640A1), in view of Bhimanaik et al. (U.S. 10079024B1), hereinafter Bhimanaik.
Regarding claim 12, Sidiroglou, Drake and Araujo do not explicitly teach about faking to the attacker that the detected attack was successful in response to detecting attempts to exploit the software vulnerability. Bhimanaik teaches this limitation (Bhimanaik: Col. 9 Lines 5-14 provides for faking to the attacker that the detected attack was successful).
Sidiroglou, Drake, Araujo and Bhimanaik are all considered to be analogous to the claimed invention because they are in the same field of software intrusion detection. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sidiroglou/Drake/Araujo to incorporate the teachings of Bhimanaik and provide faking to the attacker that the detected attack was successful. Doing so would aid in keeping the computing system protected while deceiving the attackers and luring them into honeypot systems. 


Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Keromytis et al. (U.S. 20060195745A1) teaches methods and systems for repairing applications. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 





/YASMIN JAHIR/Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432