DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.  This is in response to the communications filed on 17 May 2021.
2.  Claims 1-18 are pending in the application.
3.  Claims 1-18 have been rejected.
Information Disclosure Statement
4.  The examiner has considered the information disclosure statement (IDS) filed on 09 June 2020 and 17 May 2021.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
5.  Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 of U.S. Patent No. 10,735,374 B2 (hereinafter the ‘374 patent). Although the claims at issue are not identical, they are not patentably distinct from each other because the ‘374 patent teaches:
Claim 1, A device, comprising: 
at least one processor [column 15, line 24]; and 

receiving a file [column 15, lines 28-32]; 
running the file in the device to generate a first sequence of behaviors, wherein running the file in the device causes the first sequence of behaviors to occur, and wherein behaviors in the first sequence of behaviors comprise a first behavior and a second behavior, the first behavior has a different behavior type from the second behavior, and the first behavior and the second behavior respectively have a behavior type of the following behavior types: creating another file, modifying a registry, configuring a domain name, resolving an address, connecting to a network, loading a process, or adding a user [column 15, lines 33-47]; 
determining, according to the generated first sequence of behaviors, whether the file comprises an advanced persistent threat [column 15, lines 48-50]; and 
in response to determining that the file comprises the advanced persistent threat, running the file in the device at least one additional time to generate a plurality of sequence of behaviors, wherein each running of the file in the device causes a respective sequence of behaviors to occur, and the plurality of sequence of 
determining identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors [column 15, lines 58-62]; and 
identifying a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run [column 15, lines 63-67]; 
generating a first indicator of compromise corresponding to the stable behavior feature [column 16, lines 1-4]; and 
sending the first indicator of compromise to a terminal, wherein the terminal is located in a protected network [column 16, lines 1-4].
Claim 9, A method, comprising: 
receiving a file by a device [column 15, lines 28-32]; 
running the file in the device to generate a first sequence of behaviors, wherein running the file in the device causes the first sequence of behaviors to occur, and wherein behaviors in the first sequence of behaviors comprise a first behavior and a second behavior, the first behavior has a different behavior type 
determining, according to the generated first sequence of behaviors, whether the file comprises an advanced persistent threat [column 15, lines 48-50]; and 
in response to determining that the file comprises the advanced persistent threat, running the file in the device at least one additional time to generate a plurality of sequence of behaviors, wherein each running of the file in the device causes a respective sequence of behaviors to occur, and the plurality of sequence of behaviors comprises the first sequence of behaviors [column 15, lines 51-57]; 
determining identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors [column 15, lines 58-62]; and 
identifying a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run [column 15, lines 63-67]; 
generating a first indicator of compromise corresponding to the stable behavior feature [column 16, lines 1-4]; and 

Claim 14, A system, comprising: 
a terminal device, located in a protected network [column 17, line 20]; and 
a security protection device, configured to [column 17, line 21]: 
receive a file [column 17, lines 26-27]; 
run the file in the security protection device to generate a first sequence of behaviors, wherein running the file in the security protection device causes the first sequence of behaviors to occur, and wherein behaviors in the first sequence of behaviors comprise a first behavior and a second behavior, the first behavior has a different behavior type from the second behavior, and the first behavior and the second behavior respectively have a behavior type of the following behavior types: creating another file, modifying a registry, configuring a domain name, resolving an address, connecting to a network, loading a process, or adding a user [column 17, lines 28-40]; 
determine, according to the generated first sequence of behaviors, whether the file comprises an advanced persistent threat [column 17, lines 41-43]; and 
in response to determining that the file comprises the advanced persistent threat, run the file in the security protection device at least one additional time to generate a plurality of sequence 
determine identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors [column 18, lines 1-5]; and 
identify a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run [column 18, lines 6-10]; 
generate a first indicator of compromise corresponding to the stable behavior feature [column 18, lines 11-13]; and 
send the first indicator of compromise to a terminal [column 18, lines 11-13]; and 
wherein the terminal device is configured to: [column 18, line 14] 
receive the first indicator of compromise from the security protection device [column 18, lines 15-16]; 
parse the received first indicator of compromise to obtain the stable behavior feature [column 18, lines 17-18]; and 

in response to determining that the behavior described by the stable behavior feature has occurred in the terminal device, determine that the terminal device has been infected with the advanced persistent threat [column 18, lines 23-26].
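The stable-behavior step recited in the claims above, as an added illustration that is not part of the Office action or of the '374 patent: behaviors are compared by type and content across repeated runs, the ones present in every run become the stable behavior feature, and a terminal checks its own observations against the resulting indicator. The JSON layout, the function names, the sample values and the rule that every stable behavior must be observed on the terminal are assumptions.

```python
import json
from collections import namedtuple

Behavior = namedtuple("Behavior", ["type", "content"])

# Behavior types enumerated in the claims.
BEHAVIOR_TYPES = {
    "creating another file", "modifying a registry", "configuring a domain name",
    "resolving an address", "connecting to a network", "loading a process",
    "adding a user",
}

def stable_behaviors(runs):
    """Return behaviors whose type AND content are identical in every run."""
    if len(runs) < 2:
        raise ValueError("need the first run plus at least one additional run")
    for run in runs:
        for b in run:
            if b.type not in BEHAVIOR_TYPES:
                raise ValueError(f"unknown behavior type: {b.type}")
    common = set(runs[0]).intersection(*(set(r) for r in runs[1:]))
    stable = []
    for b in runs[0]:                      # keep first-run order, drop repeats
        if b in common and b not in stable:
            stable.append(b)
    return stable

def make_ioc(stable):
    """Serialize the stable behavior feature (JSON layout is an assumption)."""
    return json.dumps({"stable_behavior_feature": [b._asdict() for b in stable]})

def terminal_infected(ioc_json, observed):
    """Terminal side: parse the IOC, then check every stable behavior occurred."""
    feature = [Behavior(**d) for d in json.loads(ioc_json)["stable_behavior_feature"]]
    return bool(feature) and all(b in observed for b in feature)

# Constructed sample runs of one file; values are made up for illustration.
# The dropped file name changes per run, so it is not a stable behavior.
RUNS = [
    [Behavior("creating another file", "%TEMP%\\a91f.tmp"),
     Behavior("modifying a registry", "HKCU\\Software\\Example\\Run\\updater"),
     Behavior("resolving an address", "update.example.test")],
    [Behavior("creating another file", "%TEMP%\\77c0.tmp"),
     Behavior("modifying a registry", "HKCU\\Software\\Example\\Run\\updater"),
     Behavior("resolving an address", "update.example.test")],
]
IOC = make_ioc(stable_behaviors(RUNS))
```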
Allowable Subject Matter
6.  Claims 1-18 are allowed over the prior art.
The following is an examiner’s statement of reasons for allowance:
As to independent claims 1 and 9, the applicant has incorporated allowable limitations from U.S. Patent No. 10,735,374 B2 of “in response to determining that the file comprises the advanced persistent threat, running the file in the device at least one additional time to generate a plurality of sequence of behaviors, wherein each running of the file in the device causes a respective sequence of behaviors to occur, and the plurality of sequence of behaviors comprises the first sequence of behaviors”, “determining identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors” and “identifying a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run”.  As to independent claim 14, the applicant has incorporated allowable limitations from U.S. Patent No. 10,735,374 B2 of “in response to determining that the 
Any claims not directly addressed are allowed on the virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Relevant Prior Art
7.  The following references have been considered relevant by the examiner:
A.  Hussey et al US 2016/0330218 A1 directed to a method of protecting a network-connected device from an advanced persistent threat cyber-attack [abstract].
B.  Sowder US 2013/0276122 A1 directed to providing storage device-based advanced persistent threat (APT) protection [abstract].
C.  Haq et al US 2015/0096024 A1 directed to one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APT’s [abstract].
Conclusion
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARAVIND K MOORTHY whose telephone number is (571)272-3793. The examiner can normally be reached M-F 5:00-3:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center.





/ARAVIND K MOORTHY/            Primary Examiner, Art Unit 2492