Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/04/2022 has been entered.

Response to Arguments
3.	Applicant’s arguments filed on 03/04/2022, with respect to the 35 U.S.C. 103 rejection of claims 1-20 as being unpatentable over U.S. Publication No. 20140137255 hereinafter Wang in view of U.S. Publication No. 20160314298 hereinafter Martini, and further in view of U.S. Publication No. 20180077187 hereinafter Garman, have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of the amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

4.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20140137255 hereinafter Wang in view of U.S. Publication No. 20180077187 hereinafter Garman, and further in view of U.S. Publication No. 20080022281 hereinafter Dubhashi.

As per claim 1, Wang discloses:
A method for analyzing received computer data (para 0010 “A method for detecting malicious code includes: monitoring execution of an instruction in a virtual machine supervisor of a host computer, where the instruction is generated in escape mode when a read-write request generated during execution of program code in a virtual machine of the host computer is delivered to the virtual machine supervisor; obtaining execution characteristics of the program code according to execution of the instruction; and comparing the obtained execution characteristics with pre-stored execution characteristics of known malicious code, and determining that the program code is malicious code when the obtained execution characteristics and the pre-stored execution characteristics are the same.”), the method comprising:
receiving a first set of computer data that includes instructions executable by a processor (para 0118 “Step 601: The cluster antivirus device receives program code or execution characteristics of the program code sent by 
executing the instructions included in the first set of computer data by the processor, wherein the execution of the instructions results in one or more actions being performed by the processor (para 0119 “Step 602: The cluster antivirus device executes the program code by using the sandboxing technology or other technologies similar to sandboxing, and obtains an execution result; and step 603 is performed.”);
identifying as a result of a comparison that sets of actions correspond to the known good actions of the known good program code (para 0126 “Step 607: The cluster antivirus device compares the execution characteristics sent by the host computer with execution characteristics of known normal code in the whitelist in the extended database; if the execution characteristics are the same as the execution characteristics of the known normal code in the whitelist, step 608 is performed; if the execution characteristics are different, step 609 is performed.”).

Wang does not disclose:
receiving a first set of computer data that includes instructions executable by a processor before the first set of computer data is received by an intended destination;

executing a parent process to compare the set of actions of the first set of computer data with known good actions of known good program code, 
comparing state identifiers associated with normal program code operation relative to those of the first set of computer data
and the first received set of computer data to be sent to the intended destination based on the identification that the set of actions correspond to the known good actions and based on identifying that the state identifiers correspond to the normal program code operation.

Garman discloses:
executing instructions included in the first set of computer data based on creation of a child process by the processor wherein the execution of the instructions of the first set of computer data results in a set of actions being performed by the processors (para 0058 “Some examples of inter-process operations include opening a handle to another process, opening a handle to a thread of another process, creating a thread within another process, spawning a child process, etc. The suspicious activity database 110 may store security data characterizing inter-process operations associated with security problems. Such security data may include data identifying the target process (e.g., the path of the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for detecting malicious code of Wang to include creating a child process by the processor executing instructions of a designated parent process and executing the instructions included in the first set of received computer data as part of the child process by the processor, as taught by Garman.
The motivation would have been to properly validate/filter parent and child processes before allowing execution.

Wang in view of Garman does not disclose:
receiving a first set of computer data that includes instructions executable by a processor before the first set of computer data is received by an intended destination;
executing a parent process to compare the set of actions of the first set of computer data with known good actions of known good program code, 

and the first received set of computer data to be sent to the intended destination based on the identification that the set of actions correspond to the known good actions and based on identifying that the state identifiers correspond to the normal program code operation.

Dubhashi discloses:
receiving a first set of computer data that includes instructions executable by a processor before the first set of computer data is received by an intended destination (para 0008 “In another embodiment, a method to identify a child process to a parent process on an operating system in computer software involves the use of a process identifier. The parent process uses the API of an operating system to initiate a logon session. The API returns a token that can identify security information of the logon session back to the parent process. The parent process then creates an RPC communications endpoint and establishes a parent server that can respond to communication requests. Thereafter, a child process is spawned by the parent process. During spawning, the parent process passes the RPC communications endpoint as a command-line parameter. A child process identifier of the child process is generated by the OS during spawning. The parent process keeps a track of the child process identifier.”);
executing a parent process to compare the set of actions of the first set of computer data with known good actions of known good program code (para 0008 “Further, the parent process waits for a child process termination notification from the API of the operating system, which indicates the termination of a child process. On receiving the child process termination notification, the parent process refuses communication with the child process and closes the RPC communications endpoint. While waiting for the child process termination notification, the parent process may receive a child-initiated request for communication. The requestor-initiated request includes a requesting process identifier. In order to verify the identity of the requestor, the parent process queries the operating system for a spawned child process identifier. On receiving the spawned child process identifier from the operating system, the parent process compares the requestor process identifier with the spawned child process identifier.”);
and  the first received set of computer data to be sent to the intended destination based on the identification that the set of actions correspond to the known good actions and based on identifying that the state identifiers correspond to the normal program code operation (para 0008 “In case the comparison of the requestor identifier and the spawned child process identifier is a match, the parent process responds to the child-initiated request.” Para 0038 “In one embodiment, the child-initiated communications request may include, for example, a request for sending or receiving data from parent process 304. Child process 306 addresses the child-initiated request to the RPC communications endpoint.” Para 0039 “At step 412, parent process 304 compares the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for detecting malicious code of Wang in view of Garman to include receiving a first set of computer data that includes instructions executable by a processor before the first set of computer data is received by an intended destination, as taught by Garman.
The motivation would have been to properly validate/filter parent and child processes.
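The parent/child identity check quoted from Dubhashi above (endpoint passed to the child as a command-line parameter, child PID recorded at spawn, requestor PID compared against it before the parent responds), as an added Python example that is not from the Office action or from any of the cited publications. It assumes Linux, where the kernel reports the requestor's PID through SO_PEERCRED, and constructs both a legitimate child and an impostor request.

```python
import os, socket, struct, subprocess, sys, tempfile

# Constructed child program. Like the spawned child in the quoted scheme, it learns
# the RPC endpoint only from the command-line parameter its parent passed at spawn.
CHILD_SRC = r"""
import socket, sys
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.connect(sys.argv[1])
s.sendall(b"REQUEST")
s.close()
"""

def requestor_pid(conn):
    """PID of the connected peer as reported by the kernel (Linux SO_PEERCRED),
    rather than any PID the requestor claims in its own message."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid

def serve_one(endpoint, spawned_pid):
    """Accept one request; respond only if the requestor is the spawned child."""
    conn, _ = endpoint.accept()
    with conn:
        conn.recv(64)
        if requestor_pid(conn) != spawned_pid:
            return False                 # mismatch: refuse, close without a reply
        conn.sendall(b"OK")              # identity verified: respond
        return True

def run_parent():
    """Parent side: create the endpoint, spawn the child with the endpoint path as
    its argument, record the child's PID, then verify every requestor against it."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "ep.sock")
    outcomes = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as ep:
        ep.bind(path)
        ep.listen(2)
        ep.settimeout(10)
        child = subprocess.Popen([sys.executable, "-c", CHILD_SRC, path])
        # Constructed impostor: a request from a different process (here the parent
        # itself). Its kernel-reported PID cannot match the recorded child PID.
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as impostor:
            impostor.connect(path)
            impostor.sendall(b"REQUEST")
            for _ in range(2):
                outcomes.append(serve_one(ep, child.pid))
        child.wait(timeout=10)
    os.unlink(path)
    os.rmdir(tmp)
    return {"allowed": outcomes.count(True), "refused": outcomes.count(False)}
```

Exactly one of the two requests is answered: the spawned child's, whose kernel-reported PID equals the PID the parent recorded when it spawned it.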

As per claim 2, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, further comprising: comparing data collected when the processor executes the instructions included in the first set of computer data when identifying that the collected data corresponds to the normal program code operation (Wang para 0074 and 0085) and (Dubhashi para 0008, 0038 and 0039; the motivation would have been to properly validate/filter parent and child processes).

As per claim 3, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, wherein the instructions included in the first set of computer data are executed by the processor for an amount of time that corresponds to a time threshold (Wang para 0048, 0110, 0111, 0120 and 0173).

As per claim 4, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, further comprising: receiving a second set of computer data that includes instructions executable by the processor; executing by the processor the instructions included in the second set of received computer data, the execution of the instructions included in the second set of computer data resulting in a second set of actions being performed by the processor; identifying that at least one action of the second set of actions does not correspond to the known good actions; and preventing the second set of computer data from being sent to a recipient device, the preventing of the sending of the second set of computer data to the recipient device based on the identification that the at least one action does not correspond to the known good actions (Wang Figs. 3, 4a and 4b) and (Dubhashi para 0008, 0038 and 0039, the process is repeated; the motivation would have been to properly validate/filter parent and child processes).

As per claim 5, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, further comprising:
executing by the processor the instructions included in the second set of received computer data that results in a second set of data being collected (Wang Figs. 3, 4a and 4b, para 0095 and 0096);
identifying that the second set of collected data does not correspond to the normal program code operation (Wang Figs. 3, 4a and 4b, para 0095 and 0096);
and preventing the second set of computer data from being sent to a recipient device based on the identification that the second set of collected data does not correspond to the normal program code operation.

As per claim 6, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, further comprising: collecting the set of actions performed by the known good program code when a central processing unit (CPU) executes known good program code; associating the collected set of actions with the known good actions; collecting known good data associated with operation of the known good program code when the CPU executes the instructions of the known good program code; and associating the known good collected data with the normal program code operation (Wang Figs. 3, 4a and 4b, para 0035, 0039 and 0048).

As per claim 7, Wang in view of Garman and Dubhashi discloses:


As per claim 8, Wang in view of Garman and Dubhashi discloses:
The method of claim 6, further comprising: retrieving the known good actions inclusive of the collected set of actions from the database; and retrieving the known good collected data from the database (Wang para 0070, 0071, 0147, 0154 and 0194).

As per claim 9, Wang in view of Garman and Dubhashi discloses:
The method of claim 1, further comprising: associating each action of the set of actions and accessed memory locations with a respective state, a respective known good action, and with a respective memory location based on execution of the parent process; and identifying that data collected when the instructions included in the first set of computer data are executed correspond to normal program code operation is based on each of the accessed memory locations corresponding to the respective state, the respective known good action, and the respective memory location (Garman para 0035 “A pattern of activity may characterize activity (e.g., occurrences or types of activity) involving (e.g., initiated by) a particular user or group of users, activity involving (e.g., using) a particular resource (e.g., process, application, file, registry entry, peripheral device, path in a file directory, memory address, etc.) or type Para 0067 “Referring again to FIG. 1, the behavioral baselining module 150 may identify behavioral baselines (e.g., expected patterns of activity) associated with a computer system and store data indicative of those behavioral baselines in the behavioral baseline database 130. In some cases, the data stored in the behavioral baseline database 130 may be indicative of expected patterns of suspicious types of activity, for example, patterns of activity that are generally considered to be suspicious (as defined by data in the suspicious activity database 110), but which are expected on a particular computer system. In this way, the data in the behavioral baseline database 130 may customize the incident detection engine 100 by defining exceptions to general definitions of suspicious behavior embodied by the data in the suspicious activity database 110. 
For example, if the suspicious activity database 110 indicates that a particular group of workstations are executive workstations and that any access to developer workstations by office workers is suspicious, the behavioral baseline database 130 may identify exceptions to this general rule (e.g., the behavioral baseline database 130 may 

As per claim 10, the implementation of the method of claim 1 will execute the non-transitory (Wang paragraph 0205) of claim 10. The claim is analyzed with respect to claim 1. 

As per claim 11, the claim is analyzed with respect to claim 2. 

As per claim 12, the claim is analyzed with respect to claim 3. 

As per claim 13, the claim is analyzed with respect to claim 4. 

As per claim 14, the claim is analyzed with respect to claim 5. 

As per claim 15, the claim is analyzed with respect to claim 6. 

As per claim 16, the claim is analyzed with respect to claim 7. 

As per claim 17, the claim is analyzed with respect to claim 8. 

As per claim 18, the claim is analyzed with respect to claim 9.

As per claim 19, the implementation of the method of claim 1 will execute the apparatus of claim 19. The claim is analyzed with respect to claim 1.

As per claim 20, the claim is analyzed with respect to claim 9.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 

/GARY S GRACIA/Primary Examiner, Art Unit 2491