DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
This is a Non-Final Office Action in response to the communication filed on March 27, 2019.
Claims 1-20 have been examined.


Drawings
The drawings filed on March 27, 2019 are acceptable for examination proceedings.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on May 10, 2021, June 08, 2021, August 19, 2021, and November 15, 2021 were filed after the mailing date of the application 16/366065 on March 27, 2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhatkar et al. (U.S. Patent No.: US 8,555,385 B1 / or “Bhatkar” hereinafter) in view of Pilipenko et al. (U.S. Patent No.: US 10,169,585 B1 / or “Pilipenko” hereinafter).
	
Regarding claim 1, Bhatkar discloses “A system comprising ” (Col 4: a system and method for behavior based malware analysis is disclosed):  
“at least one processor” (Fig. 2: Central Processor 214); 
“and memory storing instructions that, when executed by the at least one processor, causes the system to perform a set of operations, the set of operations comprising” (Fig. 2: System Memory 217):
“evaluating a rule in a rule data store, wherein the rule is associated with one or more events, and wherein at least one event of the one or more events is associated with activating the rule” (Col 9: 45-49; and Col 12:1-5, generates signatures for one or more actions/events);
“registering to receive an event indication associated with at least one event of the one or more events” (Fig. 6 ; and Col 6: 28-30, user interface for reporting malware behavioral analysis); 
“when an event indication is received, identifying a target rule associated with the received event indication” (Col 6: 1-11, match rule set with events; and Col 11: 34-38, one or more events to identity actions where one or more rules relate to the one or more events);
“generating an event packet based on the received event indication” (Col 12:9-11, produce logs, reports or other information associated with behavior bases malware analysis); and 
Bhatkar further discloses “…a trace file may be obtained using one or more debug techniques and/or tools. According to some embodiments, an API trace may be performed using a user level hook in a secure environment such as a sandboxed virtual machine” (Bhatkar, Col 12: 26-30).
But Bhatkar does not explicitly teach providing an event packet to a virtual rule machine (VrM).
However, Pilipenko discloses “providing the generated event packet to a rule virtual machine executing the target rule” (Pilipenko, Col 10: 61-67, a transition event is detected i.e., an “event packet” is detected by a virtual machine evaluating an object).
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of providing an event packet to a virtual rule machine of Pilipenko to the Techniques for Behavior Based Malware Analysis of Bhatkar to create a system where “…the state of the VM is such that the VM and the processes running therein do not know of the execution of the transition event, but instead the emulation of the instruction at the POI causes the VM and the processes running therein to interpret the process flow in a manner such that the instruction at the POI was executed natively, without VMM involvement” (Pilipenko ,Col 11: 22-28) and the ordinary person skilled in the art would have been motivated to combine in order for the “…VMMI emulated the instruction at the POI 

Regarding claim 2, in view of claim 1, Bhatkar in view of Pilipenko disclose “wherein the set of operations further comprises: evaluating an event using a matching rule associated with the rule in the rule data store to determine a match for the matching rule; and based on determining the match for the matching rule, instantiating the rule virtual machine for the target rule” (Pilipenko, Col 7:65-67 to Col 8:1-4, an object is evaluated based on rules [see claim 1 for motivation]) .

Regarding claim 3, in view of claim 2, Bhatkar in view of Pilipenko disclose “wherein the rule virtual machine for the target rule is instantiated for a predetermined context” (Pilipenko, Col 7:65-67 to Col 8:1-4, where the rule is associated with known malware i.e., a “predetermined context”).

Regarding claim 4, in view of claim 1, Bhatkar in view of Pilipenko disclose “wherein providing the generated event packet to the rule virtual machine comprises adding the generated event packet to an event queue associated with the rule virtual machine” (Pilipenko, Col 10: 61-67, a transition event is detected i.e., an “event packet” is detected by a virtual machine evaluating an object [see claim 1 for motivation]).


wherein providing the generated event packet to the rule virtual machine further comprises placing the rule virtual machine in a pending execution state” (Pilipenko, Col 10: 61-67, where processing is halted and control is transferred [see claim 1 for motivation]).

Regarding claim 6, in view of claim 1, Bhatkar in view of Pilipenko disclose “wherein registering to receive an event indication comprises performing at least one operation from the group of operations consisting of” (Bhatkar, Fig. 6 ; and Col 6: 28-30, user interface for reporting malware behavioral analysis): 
“generating a hook associated with the at least one event of the one or more events” (Bhatkar, Col 12:16-32, hook is generated ); 
registering an interrupt handler; 
registering an event handler; 
monitoring a file system; 
monitoring an event log; 
monitoring a registry entry; and 
monitoring a network connection.

Regarding claim 7, in view of claim 1, Bhatkar in view of Pilipenko disclose “wherein the set of operations further comprises: identifying a rule virtual machine for which execution is halted to indicate a determination associated with a behavior described by a rule associated with the rule virtual machine” (Pilipenko, Col 10: 61-67, where processing is halted and control is transferred [see claim 1 for motivation]); 
“and performing an action based on the determination, wherein the action is selected from a group of actions consisting of: 
providing an indication of the determination; 
automatically mitigating the behavior; and 
“logging the determination” (Bhatkar, Col 12:9-11, produce logs, reports or other information associated with behavior based malware analysis).

Regarding claim 8, Bhatkar discloses “A method for performing behavioral threat detection, comprising” (Col 4: a system and method for behavior based malware analysis is disclosed): 
“registering to receive an event indication associated with a rule of a rule data store” (Fig. 6 ; and Col 6: 28-30, user interface for reporting malware behavioral analysis); 
“receiving a first event indication associated with the rule and a context” (Col 6: 1-11, match rule set with events; and Col 11: 34-38, one or more events to identity actions where one or more rules relate to the one or more events); 
“evaluating an event using a matching rule associated with the rule in the rule data store to determine a match for the matching rule based on the first event indication” (Col 9: 45-49; and Col 12:1-5, generates signatures for one or more actions/events); 
[based on determining the match for the matching rule, instantiating a rule virtual machine for the rule, wherein the rule virtual machine is associated with the context; 
adding an event packet to an event queue of the rule virtual machine; 
determining that the rule virtual machine is halted, thereby indicating a determination associated with the rule and the context]; 
“performing an action based on the determination, wherein the action is selected from a group of actions consisting of: 
providing an indication of the determination; 
automatically mitigating the behavior; 
and logging the determination” (Col 12:9-11, produce logs, reports or other information associated with behavior bases malware analysis).
Bhatkar further discloses “…a trace file may be obtained using one or more debug techniques and/or tools. According to some embodiments, an API trace may be performed using a user level hook in a secure environment such as a sandboxed virtual machine” (Bhatkar, Col 12: 26-30).
But Bhatkar does not explicitly teach instantiating a virtual rule machine (VrM), adding an event packet to and event queue of the VrM, and extracting a decision by the VrM.  
However, Pilipenko discloses “based on determining the match for the matching rule, instantiating a rule virtual machine for the rule, wherein the rule virtual machine is associated with the context” (Pilipenko, Col 7:65-67 to Col 8:1-4, an object is evaluated based on rules); 
“adding an event packet to an event queue of the rule virtual machine” (Pilipenko, Col 10: 61-67, a transition event is detected i.e., an “event packet” is detected by a virtual machine evaluating an object); 
“determining that the rule virtual machine is halted, thereby indicating a determination associated with the rule and the context” (Pilipenko, Col 11: 1-13, a determination is made whether the object under analysis is associated with an anomalous activity). 
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of instantiating a virtual rule 
involvement” (Pilipenko ,Col 11: 22-28) and the ordinary person skilled in the art would have been motivated to combine in order for the “…VMMI emulated the instruction at the POI so that, if the object is associated with advanced malware, the advanced malware will not be able to detect a disruption in the flow of execution…” (Pilipenko, Col 10: lines48-62).

Regarding claim 9, in view of claim 8, Bhatkar in view of Pilipenko disclose “wherein the event packet comprises information relating to a second event indication” (Bhatkar, Col 11: 34-38, one or more events to identity actions where one or more rules relate to the one or more events).

Regarding claim 10, in view of claim 8, Bhatkar in view of Pilipenko disclose “wherein the context relates to at least one of” (Bhatkar, Col 6: 1-11, match rule set with events): 
“an application;  a process; a thread; a network connection; or a file” (Bhatkar, Col 11: 34-65, context relates to low level actions or high level actions).

wherein adding the event packet to the event queue of the rule virtual machine further comprises placing the rule virtual machine in a pending execution state” (See rejection of claim 3).

Regarding claim 12, in view of claim 8, Bhatkar in view of Pilipenko disclose “wherein registering to receive an event indication comprises performing at least one operation from the group of operations consisting of: generating a hook associated with the at least one event of the one or more events; registering an interrupt handler; registering an event handler; monitoring a file system; monitoring an event log; monitoring a registry entry; and monitoring a network connection” (See rejection of claim 6).

Regarding claim 13, in view of claim 8, Bhatkar in view of Pilipenko disclose “wherein the determination is one of: a positive match indicating a presence of a potential threat;  a negative match indicating an absence of the potential threat; and  an uncertain match indicating the context is a candidate for additional analysis” (Pilipenko, Col 11: 1-13, a determination is made whether the object under analysis is associated with an anomalous activity).

Regarding claim 14, Bhatkar discloses “A method for performing behavioral threat detection, comprising” (Col 4: a system and method for behavior based malware analysis is disclosed): 
“evaluating a rule in a rule data store, wherein the rule is associated with one or more events (i.e.,  observed threat, incident, attack) and wherein at least one event of the one or more events is associated with activating the rule” (Col 9: 45-49; and Col 12:1-5, generates signatures for one or more actions/events);
 “registering to receive an event indication associated with at least one event of the one or more events” (Fig. 6 ; and Col 6: 28-30, user interface for reporting malware behavioral analysis);  
“when an event indication  is received, identifying a target rule associated with the received event indication” (Col 6: 1-11, match rule set with events; and Col 11: 34-38, one or more events to identity actions where one or more rules relate to the one or more events);
“generating an event packet [what to look for in the detected threat] based on the received event indication ” (Col 12:9-11, produce logs, reports or other information associated with behavior based malware analysis); 
Bhatkar further discloses “…a trace file may be obtained using one or more debug techniques and/or tools. According to some embodiments, an API trace may be performed using a user level hook in a secure environment such as a sandboxed virtual machine” (Bhatkar, Col 12: 26-30).
But Bhatkar does not explicitly teach providing an event packet to a virtual rule machine (VrM).
However, Pilipenko discloses “and providing the generated event packet to a rule virtual machine executing the target rule ” (Pilipenko, Col 10: 61-67, a transition event is detected i.e., an “event packet” is detected by a virtual machine evaluating an object).
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of providing an event packet to a virtual rule machine of Pilipenko to the Techniques for Behavior Based Malware Analysis of 

Regarding claim 15, in view of claim 14, Bhatkar in view of Pilipenko disclose “wherein the method further comprises: evaluating an event using a matching rule associated with the rule in the rule data store to determine a match for the matching rule; and based on determining the match for the matching rule, instantiating the rule virtual machine for the target rule” (See rejection of claim 2).

Regarding claim 16, in view of claim 15, Bhatkar in view of Pilipenko disclose “wherein the rule virtual machine for the target rule is instantiated for a predetermined context” (See rejection of claim 3).

Regarding claim 17, in view of claim 14, Bhatkar in view of Pilipenko disclose “wherein providing the generated event packet to the rule virtual machine comprises adding the generated event packet to an event queue associated with the rule virtual machine” (See rejection of claim 4).
wherein providing the generated event packet to the rule virtual machine further comprises placing the rule virtual machine in a pending execution state” (See rejection of claim 5).

Regarding claim 19, in view of claim 14, Bhatkar in view of Pilipenko disclose “wherein registering to receive an event indication comprises performing at least one operation from the group of operations consisting of: generating a hook associated with the at least one event of the one or more events; registering an interrupt handler; registering an event handler; monitoring a file system; monitoring an event log; monitoring a registry entry; and monitoring a network connection” (See rejection of claim 6).

Regarding claim 20, in view of claim 14, Bhatkar in view of Pilipenko disclose “further comprising: identifying a rule virtual machine for which execution is halted to indicate a determination associated with a behavior described by a rule associated with the rule virtual machine; and performing an action based on the determination, wherein the action is selected from a group of actions consisting of: providing an indication of the determination; automatically mitigating the behavior; and logging the determination” (See rejection of claim 7).
Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Thomas et al. (US 2016/0080417 A1) discloses mechanism for protecting a key by removing key material from an endpoint after behavioral threat detection system indicating that the endpoint is compromised (Para 0213).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is         (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431