Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
DETAILED ACTION
           This action is in response to the communication filed on 3/26/2021. 
Claims 2-6, 8-13, 15-19 and 21 are allowed.
Claims 1, 7, 14, 20 are cancelled.

Allowable Subject Matter
Claims 2-6, 8-13, 15-19 and 21 are allowed.  
			
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative, Mr. Bruce Johnson on 1/28/2022. 

Terminal Disclaimer
The terminal disclaimer filed on 1/31/2021 has been reviewed and is accepted.  
The terminal disclaimer has been recorded.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/31/2022, 1/21/2021 and 11/13/2020.  Accordingly, the information disclosure statement is being considered by the examiner.

Amendments to the Claims
	The listing of claims will replace all prior versions, and listings, of claims in the application:
Listing of Claims:

1.	(Cancelled)

2.	(Currently Amended)	A method for monitoring execution of a process for unsafe behavior, comprising: 
upon execution of a process, at a monitor agent, searching a database for a pre-authorization of the process;
when the pre-authorization for the process is found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process to determine whether the process is executing within an expected behavior of a mask for the process;
if the process is determined not to be executing with the expected behavior of the mask for the process, issuing an alert; and
if the process is determined to be executing within the expected behavior of the mask for the process, continuing execution of the process and continuing to monitor the process for the expected behavior of the mask for the process; and
when the pre-authorization for the process is not found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process;
based on said monitoring of the execution of the process, generating a mask for the process;
wherein the database is one of a local database stored on a machine or a shared database stored on a central server for saving information for a plurality of processes and accessed by a plurality of monitor agents executing on client machines, and when the pre-authorization for the process is not found in the database and as result of said monitoring of the execution of the process, generating the mask comprises:
determining that the process is not executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill effects or results in a computing environment, attempting to connect to a known unsafe website or database, or taking an action that is known to be unsafe;
modifying the mask to include information associated with the unsafe behavior; and
storing the modified mask in the community database for the process, thereby enabling monitor agents to access the mask when executing the process.

3.	(Previously Presented)	The method of claim 2, wherein the database is one of: a local database stored on a machine that also executes the process, or a community database stored on a central server for saving information for a plurality of processes, the plurality of processes executing on a plurality of client machines executing a plurality of monitor agents, the process information comprising a pre-authorization flag for each process and a mask for each process.

4.	(Previously Presented)	The method of claim 2, wherein the pre-authorization for the process is received from a trusted authority comprising an anti-malware company, an authorization organization, or a governmental department.  

5.	(Previously Presented)	The method of claim 2, wherein when the pre-authorization for the process is found in the database and as result of said monitoring of the execution of the process, the process is determined not to be executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill effects or results in a computing environment, attempting to connect to a known unsafe website or database, or taking an action that is known to be unsafe.  



Claim 7 (Canceled)

8.	(Previously Presented)	The method of claim 2, wherein the database is a community database stored on a central server and accessed by a plurality of monitor agents executing on client machines, and generating the mask comprises: 
	comparing the behavior of the execution of the process to known behaviors and modifying the mask based on Previously Presented behaviors; and
	 storing the modified mask in the community database, thereby enabling monitor agents to access the mask when executing the process.

9.	(Currently Amended)	A system for monitoring execution of a process for unsafe behavior, comprising: 
a processor;
memory coupled to the processor, the memory comprising computer executable instructions that, when executed by the processor, perform a method for monitoring execution of a process for unsafe behavior; comprising:
upon execution of a process, at a monitor agent, searching a database for a pre-authorization of the process;
when the pre-authorization for the process is found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process to determine whether the process is executing within an expected behavior of a mask for the process;
if the process is determined not to be executing with the expected behavior of the mask for the process, issuing an alert; and
if the process is determined to be executing within the expected behavior of the mask for the process, continuing execution of the process and continuing to monitor the process for the expected behavior of the mask for the process; and
when the pre-authorization for the process is not found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process; and
;
wherein the database is one of a local database stored on a machine or a shared database stored on a central server for saving information for a plurality of processes and accessed by a plurality of monitor agents executing on client machines, and when the pre-authorization for the process is not found in the database and as result of said monitoring of the execution of the process, generating the mask comprises:
determining that the process is not executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill effects or results in a computing environment, attempting to connect to a known unsafe website or database, or taking an action that is known to be unsafe;
modifying the mask to include information associated with the unsafe behavior; and
storing the modified mask in the community database for the process, thereby enabling monitor agents to access the mask when executing the process.

10.	(Previously Presented)	The system of claim 9, wherein the database is one of: a local database stored on a machine that also executes the process, or a community database stored on a central server for saving information for a plurality of processes, the plurality of processes executing on a plurality of client machines executing a plurality of monitor agents, the process information comprising a pre-authorization flag for each process and a mask for each process.

11.	(Previously Presented)	The system of claim 9, wherein the pre-authorization for the process is received from a trusted authority comprising an anti-malware company, an authorization organization, or a governmental department.  

12.	(Previously Presented)	The system of claim 9, wherein when the pre-authorization for the process is found in the database and as result of said monitoring of the execution of the process, the process is determined not to be executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill 

13.	(Previously Presented)	The system of claim 12, wherein the issuing the alert comprises terminating the process or contacting a trusted authority that issued the pre-authorization for the process to confirm that the unsafe behavior is unsafe.  

Claim 14 (Canceled)

15.	(Previously Presented)	The system of claim 9, wherein the database is a community database stored on a central server and accessed by a plurality of monitor agents executing on client machines, and generating the mask comprises: 
	comparing the behavior of the execution of the process to known behaviors and modifying the mask based on Previously Presented behaviors; and
	 storing the modified mask in the community database, thereby enabling monitor agents to access the mask when executing the process.

16.	(Currently Amended)	A computer program product comprising a non-transitory computer readable medium storing instructions executable by a processor to perform a set of operations for monitoring execution of a process for unsafe behavior, the set of operations comprising:
upon execution of a process, at a monitor agent, searching a database for a pre-authorization of the process;
when the pre-authorization for the process is found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process to determine whether the process is executing within an expected behavior of a mask for the process;
if the process is determined not to be executing with the expected behavior of the mask for the process, issuing an alert; and
if the process is determined to be executing within the expected behavior of the mask for the process, continuing execution of the process and continuing to monitor the process for the expected behavior of the mask for the process; and
when the pre-authorization for the process is not found in the database,

based on said monitoring of the execution of the process, generating a mask for the process;
wherein the database is one of a local database stored on a machine or a shared database stored on a central server for saving information for a plurality of processes and accessed by a plurality of monitor agents executing on client machines, and when the pre-authorization for the process is not found in the database and as result of said monitoring of the execution of the process, generating the mask comprises:
determining that the process is not executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill effects or results in a computing environment, attempting to connect to a known unsafe website or database, or taking an action that is known to be unsafe;
modifying the mask to include information associated with the unsafe behavior; and
storing the modified mask in the community database for the process, thereby enabling monitor agents to access the mask when executing the process.

17.	(Previously Presented)	The computer program product of claim 16, wherein the database is one of: a local database stored on a machine that also executes the process, or a community database stored on a central server for saving information for a plurality of processes, the plurality of processes executing on a plurality of client machines executing a plurality of monitor agents, the process information comprising a pre-authorization flag for each process and a mask for each process.

18.	(Previously Presented)	The computer program product of claim 16, wherein the pre-authorization for the process is received from a trusted authority comprising an anti-malware company, an authorization organization, or a governmental department.  

19.	(Previously Presented)	The computer program product of claim 16, wherein when the pre-authorization for the process is found in the database and as result of said monitoring of the execution of the process, the process is determined not to be executing within the expected 

Claim 20 (Canceled)

21.	(Previously Presented)	The computer program product of claim 16, wherein the database is a community database stored on a central server and accessed by a plurality of monitor agents executing on client machines, and generating the mask comprises: 
	comparing the behavior of the execution of the process to known behaviors and modifying the mask based on Previously Presented behaviors; and
	 storing the modified mask in the community database, thereby enabling monitor agents to access the mask when executing the process.

Prior Art of Record
            The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ahuja et al US Patent 8,850,591 discloses identifying root term and determining concept based on search or incident list. 

Stoyen et al US Patent 7,926,029 discloses software development infrastructure for multi-platform computing environment with generic root product node and tiers of constructs, facilities, and complexities to create special application(s). 

Imai et al US Patent 7,895,436 discloses mutual authentication between server and terminal with pre-stored authentication parameters and concatenation of mask operation with random number and other parameters. 

Hoffberg et al US Patent 7,813,822 discloses set top box with uses interface models to understand content, and content-descriptive metadata with DRM features. 


Cohen et al US Patent 7,296,274 discloses checking of alteration in data flow by intercepting and modifying operation of system call of OS. 

Koui et al US Publication 2008/0282349 discloses detecting signature in exec.file as virus as a region of the signature item and in predetermined region of information of exec. file. 

Lowrey et al US Publication 2007/0289019 discloses assessing threats within the hidden processes in systems memory and associated data object(s). 
             			
REASONS FOR ALLOWANCE
          The following is an examiner’s statement of reasons for allowance:
Examiner finds amended claims dated 1/28/2022 are persuasive for reason of allowance.  

Claims ‘ .. process for unsafe behavior, comprising: 
upon execution of a process, at a monitor agent, searching a database for a pre-authorization of the process;
when the pre-authorization for the process is found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process to determine whether the process is executing within an expected behavior of a mask for the process;
if the process is determined not to be executing with the expected behavior of the mask for the process, issuing an alert; and
if the process is determined to be executing within the expected behavior of the mask for the process, continuing execution of the process and continuing to monitor the process for the expected behavior of the mask for the process; and
when the pre-authorization for the process is not found in the database,
executing the process and, at the monitor agent, monitoring the execution of the process;
based on said monitoring of the execution of the process, generating a mask for the process;
wherein the database is one of a local database stored on a machine or a shared database stored on a central server for saving information for a plurality of processes and accessed by a plurality of monitor agents executing on client machines, and when the pre-authorization for the process is not found in the database and as result of said monitoring of the execution of the process, generating the mask comprises:
determining that the process is not executing within the expected behavior of the mask for the process when a behavior of the process comprises unsafe behavior comprising ill effects or results in a computing environment, attempting to connect to a known unsafe website or database, or taking an action that is known to be unsafe;
modifying the mask to include information associated with the unsafe behavior; and
storing the modified mask in the community database for the process, thereby enabling monitor agents to access the mask when executing the process.’ with additional detailed steps in claim(s) as described in independent claim(s) on 1/28/2022. 

However, each of the cited references or reference from the updated search, at least, fails to teach or suggest in combination with the rest of the limitations recited in the independent claim(s).

None of the previous cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previous cited reference, result a reasonable and proper rejection for each of the cited feature limitations of the independent claim(s) under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.

Dependent claims depend on allowed independent claims, therefore they are allowed. 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431