Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 1/27/2022. Claims 1-20 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s amendments and arguments regarding the 35 USC 101 rejection of claim 19 have been considered. These have been found to be persuasive; as a result, the 35 USC 101 rejection has been withdrawn.

	B) Applicant’s arguments with respect to claim(s) 1, 10 and 19 have been considered but are moot because the new ground of rejection does not rely on the same combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4, 5, 10, 13, 14, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dwyer et al. (US 2019/0230100) in view of King-Wilson (US 10,122,751).

	As per claim 1, Dwyer teaches a system, comprising: a processor configured to (Dwyer, Paragraph 0025 recites “a multiprocessor system, a processor-based system, and/or any other computing device configured to store and access data, and/or to execute software and related applications consistent with the present disclosure.”):
	monitor an endpoint for malicious activity using an endpoint agent, wherein the endpoint comprises a local device; detect malicious activity associated with an application on the endpoint based on real-time system events using the endpoint agent based on a set of rules (Dwyer, Paragraph 0025 recites “The system 10 further includes one or more endpoint agents 20(1)-20(n) deployed to endpoint devices 16(1)-16(n). As will be described in greater detail herein, the endpoint agents 20 may be configured to continuously monitor and record activity across the enterprise, specifically monitoring activity on the respective endpoint devices 16, and subsequently deliver data (i.e., event data generated as a result of monitoring) to a Logic Engine (LE), which is configured to detect and block, based on detection and response logic, any malicious processes that may otherwise invade the enterprise and cause issues.”); 
	in response to detecting malicious activity on the endpoint based on real-time system events using the endpoint agent, perform a security response based on a security policy (Dwyer, Paragraph 0022 recites “specifically monitoring activity on endpoint devices in an organization and subsequently detecting and blocking any malicious processes that may otherwise invade the enterprise and cause issues.”);
(Dwyer, Paragraph 0030 recites “The computing system 100 further includes main memory 112, such as random access memory (RAM), and may also include secondary memory 114.”).
	But fails to teach wherein the set of rules includes one or more updated detection rules provided as an update to the endpoint agent without requiring a binary or code update, and wherein the set of rules are compiled into a lookup tree for pattern matching using the lookup tree to facilitate optimized detection logic.
	However, in an analogous art King-Wilson teaches wherein the set of rules includes one or more updated detection rules provided as an update to the endpoint agent without requiring a binary or code update, and wherein the set of rules are compiled into a lookup tree for pattern matching using the lookup tree to facilitate optimized detection logic (King-Wilson, Claim 9 recites “outputting said predicted future computer-based threat activity to one or more firewalls, to improve accuracy in identifying computer based threats on the one or more computer networks, strengthen their accuracy through the detection of anomalous firewall policy rules, into the network and firewall logs, updating the firewall policy tree to define the action of accept or deny, according to the changes automatically made to the policy tree of rules in the sets of firewall rules, which in turn inserts updated rules into the firewall policy, wherein the method is performed by one or more computers comprising one or more hardware processors; one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use King-Wilson’s Assessing And Managing Cyber Threats with Dwyer’s endpoint security architecture with programmable logic engine because the use of updating policies ensures that the security preventing anomalous behavior has the most current information on hand.

	As per claim 4, Dwyer in combination with King-Wilson teaches the system of claim 1. Dwyer further teaches wherein the processor is further configured to: detect an attempt by the application to take an action that would violate the set of rules, and report the attempt to a user of the endpoint (Dwyer, Paragraph 0045 recites “The alert action functions similarly to the forward action with the exception that it is used to indicate events requiring urgent attention. It causes the endpoint agent 20 to send a message to the endpoint server that contains a copy of the event that matched the rule as well as the metadata describing the logic rule that triggered the alert action.” It would be an obvious variation to notify the user or the server of any event requiring attention).

	As per claim 5, Dwyer in combination with King-Wilson teaches the system of claim 1. Dwyer further teaches wherein the processor is further configured to: detect an attempt by the application to take an action that would violate the set of rules, and report the attempt to a remote server (Dwyer, Paragraph 0045 recites “The alert action functions similarly to the forward action with the exception that it is used to indicate events requiring urgent attention. It causes the endpoint agent 20 to send a message to the endpoint server that contains a copy of the event that matched the rule as well as the metadata describing the logic rule that triggered the alert action.”).

Regarding claims 10 and 19, claims 10 and 19 are directed to a method and a computer program product associated with the system of claim 1. Claims 10 and 19 are of similar scope to claim 1, and are therefore rejected under similar rationale.

	Regarding claim 13, claim 13 is directed to a method associated with the system of claim 4. Claim 13 is similar in scope to claim 4, and is therefore rejected under similar rationale.

	Regarding claim 14, claim 14 is directed to a method associated with the system of claim 5. Claim 14 is similar in scope to claim 5, and is therefore rejected under similar rationale.
	
	As per claim 20, Dwyer in combination with King-Wilson teaches the computer program product recited in claim 19, Dwyer teaches detecting an attempt by the application to take an action that would violate the set of rules (Dwyer, Paragraph 0022 recites “specifically monitoring activity on endpoint devices in an organization and subsequently detecting and blocking any malicious processes that may otherwise invade the enterprise and cause issues.”).
	And King-Wilson teaches wherein the set of rules includes one or more updated detection rules (King-Wilson, Claim 9 recites “outputting said predicted future computer-based threat activity to one or more firewalls, to improve accuracy in identifying computer based threats on the one or more computer networks, strengthen their accuracy through the detection of anomalous firewall policy rules, into the network and firewall logs, updating the firewall policy tree to define the action of accept or deny, according to the changes automatically made to the policy tree of rules in the sets of firewall rules, which in turn inserts updated rules into the firewall policy, wherein the method is performed by one or more computers comprising one or more hardware processors; one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use King-Wilson’s Assessing And Managing Cyber Threats with Dwyer’s endpoint security architecture with programmable logic engine because the use of updating policies ensures that the security preventing anomalous behavior has the most current information on hand.

Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Dwyer et al. (US 2019/0230100) and King-Wilson (US 10,122,751) and in further view of Deerman et al. (US 2014/0245374).

	As per claim 2, Dwyer in combination with King-Wilson teaches the system of claim 1. Dwyer further teaches wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules (Dwyer, Paragraph 0022 recites “specifically monitoring activity on endpoint devices in an organization and subsequently detecting and blocking any malicious processes that may otherwise invade the enterprise and cause issues.”).
But fails to teach wherein the lookup tree is implemented as a Rete tree that is compiled to provide optimized detection logic based on an optimized decision tree.
However, in an analogous art Deerman teaches wherein the lookup tree is implemented as a Rete tree that is compiled to provide optimized detection logic based on an optimized decision tree (Deerman, Paragraph 0094 recites “In yet a further aspect of the invention, a method for identifying an anomalous behavior in a network of host computing elements is disclosed comprising the steps of providing 1-n network sensors in a computer network and in data communication therewith, each network sensor configured to output a sensor notification upon the satisfaction of a predetermined set of network data conditions, outputting the 1-n sensor notifications to 1-n Rete net-based rule engines configured to execute one or more Rete algorithms configured for the deterministic detection of anomalous behavior in the network based on the notifications, executing the one or more Rete algorithms, and, outputting an alarm signal upon the detection of the anomalous behavior.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Deerman’s Device And Method For Detection Of Anomalous Behavior In A Computer Network with Dwyer’s endpoint security architecture with programmable logic engine because the use of a Rete algorithm will efficiently apply many rules or patterns to many objects.
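The claim 1 and claim 2 limitations discussed above (detection rules delivered to the endpoint agent as a data update rather than a binary update, and compiled into a lookup tree so that real-time events are matched against all rules in one walk) can be illustrated with the following example. This is added illustrative code, not code from the office action or from the cited Dwyer, King-Wilson or Deerman references; the rule format, attribute names, event fields and action policy are all assumptions, and the shared-prefix tree is a plain decision tree in the spirit of a Rete alpha network, not a full Rete implementation.

```python
"""Endpoint detection rules shipped as data and compiled into a lookup tree.

Added example; rule/event formats and attribute names are assumed, not taken
from any of the cited references.
"""
import json

# Canonical test order, so rules sharing the same leading conditions share a
# path in the tree (assumed attribute names for constructed events).
ATTRIBUTE_ORDER = ("event_type", "parent_image", "image", "target_path")


def _order_key(cond):
    attr = cond[0]
    idx = ATTRIBUTE_ORDER.index(attr) if attr in ATTRIBUTE_ORDER else len(ATTRIBUTE_ORDER)
    return (idx, attr)


class Node:
    """One level of the lookup tree.

    children maps attribute -> {value -> Node}; actions holds the
    (rule_id, action) pairs of every rule whose conditions end at this node.
    """
    __slots__ = ("children", "actions")

    def __init__(self):
        self.children = {}
        self.actions = []


def compile_rules(rules):
    """Build the lookup tree from rule dicts:
    {"id": str, "match": {attr: value, ...}, "action": str}.
    Conditions are inserted in canonical order so common prefixes merge."""
    root = Node()
    for rule in rules:
        node = root
        for attr, value in sorted(rule["match"].items(), key=_order_key):
            node = node.children.setdefault(attr, {}).setdefault(value, Node())
        node.actions.append((rule["id"], rule["action"]))
    return root


def load_rules(rules_json):
    """Accept a rules update as JSON text: the agent code is unchanged,
    only the tree it evaluates is rebuilt."""
    return compile_rules(json.loads(rules_json))


def match_event(root, event):
    """Return every (rule_id, action) whose conditions the event satisfies.

    At each node only the attributes tested there are consulted, and each
    consultation is one dict lookup on the event's value, so the walk only
    follows branches consistent with the event."""
    hits = []
    stack = [root]
    while stack:
        node = stack.pop()
        hits.extend(node.actions)
        for attr, by_value in node.children.items():
            child = by_value.get(event.get(attr))
            if child is not None:
                stack.append(child)
    return hits


def respond(root, event):
    """Security response policy (assumed): block outranks alert outranks forward."""
    severity = {"forward": 0, "alert": 1, "block": 2}
    hits = match_event(root, event)
    if not hits:
        return "allow", []
    top = max(hits, key=lambda h: severity[h[1]])
    return top[1], [rule_id for rule_id, _ in hits]


# Constructed rules update, as the agent would receive it from the server.
RULES_UPDATE = json.dumps([
    {"id": "R1", "action": "alert",
     "match": {"event_type": "process_start", "parent_image": "winword.exe"}},
    {"id": "R2", "action": "block",
     "match": {"event_type": "process_start", "parent_image": "winword.exe",
               "image": "powershell.exe"}},
    {"id": "R3", "action": "forward",
     "match": {"event_type": "file_write", "target_path": "C:\\Windows\\hosts"}},
])

# Constructed real-time system events for demonstration.
EVENTS = [
    {"event_type": "process_start", "parent_image": "winword.exe", "image": "powershell.exe"},
    {"event_type": "process_start", "parent_image": "winword.exe", "image": "splwow64.exe"},
    {"event_type": "process_start", "parent_image": "explorer.exe", "image": "powershell.exe"},
]

if __name__ == "__main__":
    tree = load_rules(RULES_UPDATE)
    for ev in EVENTS:
        print(respond(tree, ev))
```

Rules R1 and R2 share the first two tests, so they occupy one path with R2 hanging below R1; an event that reaches R2's leaf collects both hits and the stricter action wins.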

Regarding claim 11, claim 11 is directed to a method associated with the system of claim 2. Claim 11 is of similar scope to claim 2, and is therefore rejected under similar rationale.


Claims 3, 9, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dwyer et al. (US 2019/0230100) and King-Wilson (US 10,122,751) and in further view of Mahaffey et al. (US 9,740,852).

	As per claim 3, Dwyer teaches the system of claim 1, but fails to teach wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules, and wherein the set of rules comprises a whitelisted set of behaviors observed at a remote server during emulation of a sample in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation.
	However, in an analogous art Mahaffey teaches wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules, and wherein the set of rules comprises a whitelisted set of behaviors observed at a remote server during emulation of a sample in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation (Mahaffey, Col. 24 Lines 48-57 recites “In an embodiment, server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run. In an embodiment, the virtual or physical device is instrumented so that it reports behavioral data for the data object. In an embodiment, the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151. For example, a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance.” Col. 25 Lines 12-21 recites “Aside from capabilities of a data object, it may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application. In an embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Mahaffey’s System and method for assessing an application to be installed on a mobile communications device with Dwyer’s endpoint security architecture with programmable logic engine because the use of an emulation in a virtual environment is safer than using a normal system with potentially malicious data. 

	As per claim 9, Dwyer teaches the system of claim 1, but fails to teach wherein a remote server is configured to evaluate the application at least in part by executing the 
	However, in an analogous art Mahaffey teaches wherein a remote server is configured to evaluate the application at least in part by executing the application in a virtualized environment, and wherein endpoint agent is configured to implement, at the endpoint, a set of rules restricting behaviors of an application (Mahaffey, Col. 24 Lines 48-57 recites “In an embodiment, server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run. In an embodiment, the virtual or physical device is instrumented so that it reports behavioral data for the data object. In an embodiment, the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151. For example, a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance.” Col. 25 Lines 12-21 recites “Aside from capabilities of a data object, it may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application. In an embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Mahaffey’s System and method for assessing an application to be installed on a mobile communications device with Dwyer’s endpoint security 

	Regarding claim 12, claim 12 is directed to a method associated with the system of claim 3. Claim 12 is similar in scope to claim 3, and is therefore rejected under similar rationale.
	Regarding claim 18, claim 18 is directed to a method associated with the system of claim 9. Claim 18 is similar in scope to claim 9, and is therefore rejected under similar rationale.

Claims 6, 7, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Dwyer et al. (US 2019/0230100) and King-Wilson (US 10,122,751) and in further view of Kostyushko et al. (US 2020/0311268).

	As per claim 6, Dwyer teaches the system of claim 1, but fails to teach wherein the processor is further configured to report the detected malicious activity to a remote server, wherein in response to receiving the report, the remote server performs an evaluation of a sample provided by the endpoint, wherein the sample is associated with the detected malicious activity.
	However, in an analogous art Kostyushko teaches wherein the processor is further configured to report the detected malicious activity to a remote server, wherein in response to receiving the report, the remote server performs an evaluation of a sample provided by the endpoint, wherein the sample is associated with the detected malicious activity (Kostyushko, Paragraph 0009 recites “According to one aspect of the disclosure, a system is provided for deep dynamic analysis of applications, the system comprising at least one processor configured to: by a deep dynamic analysis tool of a server in a safe isolated environment, launch a deep analysis process for determining whether a received sample of an application is a malware, the launching of the process including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parse dependencies of run-time linkages, hook system functions, create an initial application memory map with separate application and system code areas, transfer control back to the application code, and perform an on-sample-execution activity, obtain control of exception handler and monitor attempts to use the exception handler, by the registered exception handler, change an available area, log accesses, inspect exception reasons, and apply policies based on the exception reasons, analyze data related to the logged access and determine whether the application of the sample is a malware, and send, to the endpoint device, a final verdict indicating whether or not the application is a malware.” And Paragraph 0090 recites “The deep analysis tool 360 provides the analysis and malware detection for both single-threading applications and multi-threading applications. In one aspect, different approaches may be used for disguising the access control and analytical tools for single-threading and multi-threading applications.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kostyushko’s methods and systems for performing a dynamic analysis of applications for protecting devices from malwares with Dwyer’s endpoint 

	As per claim 7, Dwyer teaches the system of claim 1, but fails to teach wherein the set of rules restrict processes associated with a sample to behaviors observed during an execution of the sample in a virtualized environment.
	However, in an analogous art Kostyushko teaches wherein the set of rules restrict processes associated with a sample to behaviors observed during an execution of the sample in a virtualized environment (Kostyushko, Paragraph 0009 recites “According to one aspect of the disclosure, a system is provided for deep dynamic analysis of applications, the system comprising at least one processor configured to: by a deep dynamic analysis tool of a server in a safe isolated environment, launch a deep analysis process for determining whether a received sample of an application is a malware, the launching of the process including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parse dependencies of run-time linkages, hook system functions, create an initial application memory map with separate application and system code areas, transfer control back to the application code, and perform an on-sample-execution activity, obtain control of exception handler and monitor attempts to use the exception handler, by the registered exception handler, change an available area, log accesses, inspect exception reasons, and apply policies based on the exception reasons, analyze data related to the logged access and determine whether the application of the sample is a malware, and send, to the endpoint device, a final verdict indicating whether or not the application is a malware.” And Paragraph 0090 recites “The deep analysis tool 360 provides the analysis and malware detection for both single-threading applications and multi-threading applications. In one aspect, different approaches may be used for disguising the access control and analytical tools for single-threading and multi-threading applications. ”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kostyushko’s methods and systems for performing a dynamic analysis of applications for protecting devices from malwares with Dwyer’s endpoint security architecture with programmable logic engine because the use of further analysis is a good way of ensuring that the data is in fact malicious. 

	Regarding claim 15, claim 15 is directed to a method associated with the system of claim 6. Claim 15 is similar in scope to claim 6, and is therefore rejected under similar rationale.

	Regarding claim 16, claim 16 is directed to a method associated with the system of claim 7. Claim 16 is similar in scope to claim 7, and is therefore rejected under similar rationale.


Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dwyer et al. (US 2019/0230100) and King-Wilson (US 10,122,751) and in further view of Baset et al. (US 2018/0089437).

	As per claim 8, Dwyer teaches the system of claim 1, but fails to teach wherein a remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated.

	However, in an analogous art Baset teaches wherein a remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated (Baset, Paragraph 0052 recites “Additionally or alternatively, the scanning component 302 can scan the server device 112 to determine one or more mobile applications stored on the server device 112 that satisfy other defined criterion related to, for example, an amount of time that a mobile application is stored on the server device 112, a determination that a change has occurred with respect to a mobile application (e.g., a mobile application is updated to a new version), an amount of time since a previous analysis of a mobile application is performed, a determination that a mobile application is not previously analyzed by the testing component 102, an indication that is provided via user input (e.g., a user desires a mobile application to be analyzed by the testing component 102), debugging reports for a mobile application, etc. For example, the testing component 102 can receive the mobile application from the server device 112 in response to a determination, based on a scan of the server device 112 by the scanning component 302, that an amount of time that the mobile application is stored on the server device 112 satisfies a defined criterion, that a change has occurred with respect to the mobile application (e.g., the mobile application is updated to a new version), that an amount of time since a previous analysis of the mobile application satisfies a defined criterion, that the mobile application is not previously analyzed by the testing component 102 at a previous instance in time, that an indication provided by user input indicates to analyze the mobile application, that a debugging report for the mobile application satisfies a defined criterion, etc. It is to be appreciated that, in certain implementations, the mobile application received from the server device 112 can be received via a network (e.g., the network 114 or another network that includes one or more wireless networks and/or one or more wired networks).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Baset’s automated security testing for a mobile application or a backend server with Dwyer’s endpoint security architecture with programmable logic engine because the use of scanning an updated application is a good way to ensure that applications are safe for use in an environment because some changes could be malicious.

	Regarding claim 17, claim 17 is directed to a method associated with the system of claim 8. Claim 17 is similar in scope to claim 8, and is therefore rejected under similar rationale.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon- Fri 8am-4pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439