DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Claims 1-20 as submitted on 12/16/21 are pending.  Applicant’s remarks directed towards the amended claims were fully considered, but are moot in view of new rejections made below in response to the amendments.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 11-12 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 11-12 and 17 recite “the firmware” which lacks antecedent basis.  Note that applicant’s amendments on 12/16/21 changed the independent claims from which these claims depend such that “boot firmware” is now recited in place of “firmware”, 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6, and 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of McDougal et al (US 2012/0330801) and Nachimuthu et al (US 2018/0150293).

Claim 1:
	Repasi discloses a client system comprising: 
a data interface (paragraphs 13 and 78); 
a processor (paragraphs 13 and 78; The computing devices listed all have one or more data interfaces and processors as standard components as well as storage containing computing instructions executed by processors to carry out tasks); and 
a storage device storing instructions executable by the processor (paragraph 78; Computing devices) to: 
collect firmware and/or hardware information relating to the client system (paragraphs 22-23 and 93-94); and 
transmit, via the data interface, data associated with the firmware and/or hardware information to an analysis device (paragraphs 93-94; Information related to the firmware of one or more hardware device of the client system are gathered and sent to analysis module 220 to determine if the firmware has been modified by malware).

Repasi does not disclose the analysis device is a remote cloud-hosted service.  However, McDougal discloses the analysis device is a remote device (paragraph 3; Analysis is offloaded from a client to a remote analysis console or consoles) and Nachimuthu discloses a remote device being a remote cloud-hosted service.  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Repasi’s invention so that the analysis device was a remote device separate from the client system as taught by McDougal.  One of ordinary skill in the art would have been motivated to do so to minimize inefficiencies associated with malware detections and to share costs of analysis with multiple clients (McDougal: paragraph 3).  It would have also been obvious to one of ordinary skill in the art to further modify the combination invention of Repasi and McDougal using Nachimuthu’s teachings so that the remote device was a remote cloud-hosted service.  A remote cloud-hosted service is just another type of remote device, so the rationale for why it would be obvious to utilize a remote cloud-hosted service as taught by Nachimuthu is that doing so is simple substitution of one known element (i.e. generic remote device) for another (i.e. remote-cloud service) to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 3:
	Repasi further discloses wherein the firmware and/or hardware information includes data and/or configuration information from the processor and/or a chipset hardware of the client system, system firmware, management controllers, the storage device, a network card, a graphics card, and/or an internal or add-on device (paragraph 87).

Claim 4:
	McDougal further discloses wherein transmitting the data associated with the firmware and/or hardware information comprises transmitting the data over an encrypted and authenticated channel to the remote device (paragraph 3; Encryption also ensures authentication between two communicating parties.  If one party is unable to decrypt the message, then one or more parties are not valid partners in the communication, thus are not authenticated).

Claim 6:
	Repasi further discloses wherein the instructions are further executable to review firmware binary images for predefined firmware implants based on indicators and/or markers of the firmware implants, the indicators and/or markers of the firmware implants including a signature within an image, network access, and/or firmware malicious components (paragraphs 95 and 97-99; Hash/checksum/pattern indicative of malware).

Claim 8:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images with predefined binary images stored in a database (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware).

Claim 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of McDougal et al (US 2012/0330801) and Nachimuthu et al (US 2018/0150293) in further view of Khoruzhenko (US 2020/0364340).
Claim 2:
	Repasi does not disclose, but Khoruzhenko discloses the client system further comprising a kernel driver, wherein the firmware and/or hardware information is collected by using the kernel driver (paragraphs 6 and 47).  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention so that the client system further comprises a kernel driver, wherein the firmware and/or hardware information is collected by using the kernel driver.  One skilled would have been motivated to do so as certain types of hardware require a kernel driver to read information from/about it (Khoruzhenko: paragraph 47).

Claims 5 and 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of McDougal et al (US 2012/0330801) and .
Claim 5:
	Repasi does not disclose, but Pfleger de Aguiar discloses wherein the instructions are further executable to perform real-time analysis of running system configuration and operation of the client system to determine suspicious behavior indicative of implants in the client system (paragraphs 18, 21, and 49).  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention to incorporate real-time analysis as taught by Pfleger de Aguiar as discussed above.  One skilled would have been motivated to do so as use of real-time analysis would allow suspicious behavior to be caught as soon as possible, thus minimizing possible damages done by implants/malware/viruses.

Claim 7:
	Repasi does not disclose, but Pfleger de Aguiar discloses wherein the instructions are further executable to analyze behavioral data relating to the client system using a heuristic model and to generate an alert responsive to detecting a behavior anomaly, the behavioral data including unexpected timing changes or interrupts (paragraphs 8, 20, 35, 46, and 49; Analyze behavior of executing PLC/client compared to historical data to find any anomalies.  This is heuristic modeling).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention to .

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of McDougal et al (US 2012/0330801) and Nachimuthu et al (US 2018/0150293) in further view of York et al (US 2017/0048269).
Claim 9:
	Repasi further discloses wherein the instructions are further executable to update a report to indicate a detected threat to security of the client system (paragraphs 96 and 115).  Repasi does not disclose the report being a web-based interface, however, York discloses use of a web-based interface to report alerts (paragraph 137).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention to incorporate York’s invention so the report was given via a web-based interface.  The rationale for why one would have done so is that doing so is nothing more than simple substitution of one known element (i.e. type of alert delivery mechanism) for another (i.e. different type of alert mechanism) to obtain predictable results (see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).

Claims 10, 16, 11, 13, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over McDougal et al (US 2012/0330801) in view of Repasi et al (US 2007/0277241) and further in view of Nachimuthu et al (US 2018/0150293).
Claim 10:
	As per claim 10, McDougal discloses a server system (Fig 3; and paragraph 9; analysis console 104) comprising:
a data interface (Fig 3); 
a processor (Fig 3; Analysis console 104 is a computing device.  Such computing devices have one or more data interfaces, processors, and storage devices having program instructions executable by the processors as standard features); and
a storage device storing instructions executable by the processor (paragraph 9 and Fig 3) to: 
receive, via the data interface, data associated with a client system (paragraphs 3 and 14); and 
analyze the received data to detect security threats to the client system (paragraphs 3 and 14).

McDougal does not disclose, but Repasi discloses the data received being data associated with boot firmware and/or hardware information of a client system (paragraphs 7-8, 17, 22-23, 87, 92-94, 103, 118; BIOS is boot firmware and listed paragraphs also disclose firmware of other hardware being received, which are considered hardware information of a client system).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify McDougal’s invention to incorporate Repasi’s teachings discussed above.  The rationale for why it would be obvious is that doing so is nothing more than simple substitution of one known element KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).  In this case, one merely substitutes one data being analyzed for malware for another data also being analyzed for malware.
McDougal and Repasi do not disclose, but Nachimuthu discloses wherein the boot firmware is defined according to a Unified Extensible Firmware Interface (UEFI) (paragraphs 64 and 68).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify McDougal and Repasi’s combination invention using Nachimuthu’s teachings such that the boot firmware is defined according to UEFI as taught by Nachimuthu.  The rationale for why it would be obvious to do so is that the boot firmware must be defined in accordance with some format and using UEFI is nothing more than simple substitution of one known element (i.e. undefined format for the boot firmware) for another (i.e. specific format for the firmware, where the format is UEFI) to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  Note also that UEFI is a standard format for firmware and standards are meant to be used, thus it would also be obvious to use UEFI to define the boot firmware because it’d be using a standard as intended.

Claim 16:
Claim 16 recites a combination of limitations that are found in claims 1 and 10 combined, thus the rejection of claims 1 and 10 combined, using the teachings of McDougal, Repasi, and Nachimuthu, applies, mutatis mutandis, to claim 16.


Claim 11:
McDougal and Repasi further disclose wherein the instructions are further executable to generate an alert responsive to detecting a security threat to the client system (McDougal: paragraph 43; Repasi: paragraphs 96 and 115), and wherein the firmware and/or hardware information includes data and/or configuration information from the processor and/or a chipset hardware of the client system, system firmware, management controllers, the storage device, a network card, a graphics card, and/or an internal or add-on device (Repasi: paragraph 87).

Claims 13 and 18:
	As per claim 13, Repasi further discloses wherein the instructions are further executable to review firmware binary images for predefined firmware implants based on indicators and/or markers of the firmware implants (paragraphs 95 and 97-99; Hash/checksum/pattern indicative of malware).
The rejection of claim 13 applies, mutatis mutandis, to claim 18.

Claim 20:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images for predefined firmware implants based on indicators and/or markers of the firmware implants (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware).


Claims 12, 14, 19, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over McDougal et al (US 2012/0330801) in view of Repasi et al (US 2007/0277241) in further view of Nachimuthu et al (US 2018/0150293) and in further view of Pfleger de Aguiar et al (US 2020/0202008).
Claim 12:
	The combination of McDougal and Repasi further disclose/make obvious wherein receiving the data associated with the firmware and/or hardware comprises receiving the data over an encrypted and authenticated channel from the client system (McDougal: paragraph 3; Encrypted and authenticated channel; Repasi: paragraphs 22-23 and 92-94; data associated with the firmware and/or hardware).
	McDougal further discloses wherein the instructions are further executable to perform analysis of running system configuration and operation of the client system to determine suspicious behavior indicative of implants in the client system (paragraphs 3 and 12-14; Malware detection).  McDougal does not explicitly disclose the analysis is real-time analysis.  However, Pfleger de Aguiar discloses real-time analysis (paragraphs 18, 21, and 49).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify McDougal’s modified invention to incorporate real-time analysis as taught by Pfleger de Aguiar.  One skilled would have been motivated to do so as use of real-time analysis would allow suspicious behavior to be caught as soon as possible, thus minimizing possible damages done by implants/malware/viruses.

Claims 14 and 19:
As per claim 14, McDougal does not disclose, but Pfleger de Aguiar discloses wherein the instructions are further executable to analyze behavioral data relating to the client system using a heuristic model and to generate an alert responsive to detecting a behavior anomaly (paragraphs 8, 20, 35, 46, and 49; Analyze behavior of executing PLC/client compared to historical data to find any anomalies.  This is heuristic modeling).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify McDougal’s modified invention to incorporate Pfleger de Aguiar’s teachings as discussed above.  One skilled would have done so as use of heuristic modeling/historical data analysis would allow increased chances of catching zero day malware which may not yet be well known.
The rejection of claim 14 applies, mutatis mutandis, to claim 19.


Claim 17:
	Claim 17 recites further limitations which are a combination of the limitations recited in claims 11 and 12, thus are rejected for similar reasons discussed in the rejections of claims 11 and 12.

Claim 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over McDougal et al (US 2012/0330801) in view of Repasi et al (US 2007/0277241) in further .
Claim 15:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images with predefined binary images stored in a database (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware), and wherein the instructions are further executable to update a report to indicate a detected threat to security of the client system (paragraphs 96 and 115).  Repasi does not disclose the report being a web-based interface, however, York discloses use of a web-based interface to report alerts (paragraph 137).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify McDougal’s modified invention to incorporate York’s invention so the report was given via a web-based interface.  The rationale for why one would have done so is that doing so is nothing more than simple substitution of one known element (i.e. type of alert delivery mechanism) for another (i.e. different type of alert mechanism) to obtain predictable results (see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 





/PONNOREAY PICH/Primary Examiner, Art Unit 2495