Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 100.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
“A process monitor” in claim 11 which is a means for monitoring all the computing resource (CR) processes on the operating system kernel on the communicating device, determining the process parameters for each computing resource (CR) process and determining the connecting CR process by determining whether the computer resource (CR) process is connecting to the proxy server, without being modified by any structure.
“An event generator” in claim 12 which is a means for comparing the at least one of the process parameters for each connecting CR process with the computing resource (CR) whitelist, and generating the event notification when the at least one process parameter for the connecting CR process does not match any record in the computing resource (CR) whitelist, without being modified by any structure.
“An event remediator” in claim 13 which is a means for arranging to remediate said connecting CR process having said at least one process parameter, without being modified by any structure.
“An event logger” in claim 14 which is a means for arranging to create a record containing the process parameters for the connecting CR process and store the record in a storage on the communicating device, without being modified by any structure.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 11-14 and 19-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim limitation “A process monitor” in claim 11 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “process monitor” is described in paragraph [0007] as part of the operating system that is arranged to monitor all the computing resource processes on the operating system kernel on the communicating device. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any particular algorithm for achieving each of the claimed functions. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Claim limitation “An event generator” in claim 12 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “event generator” is described in 
Claim limitation “An event remediator” in claim 13 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “event remediator” is described in paragraph [0009] as part of the operating system that is arranged to remediate said connecting CR process having said at least one process parameter. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any particular algorithm for achieving each of the claimed functions. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Claim limitation “An event logger” in claim 14 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “event logger” is described in paragraph [0009] as part of the operating system that is arranged to create a record containing the process parameters for the connecting CR process and store the record in a storage on the communicating device. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any particular algorithm for achieving each of the claimed functions. 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 4, 5, 10-13, 16-18 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Banerjee et al. (U.S. 20170093918A1), hereinafter Banerjee in view of Johansson et al. (U.S. 10341345B1), hereinafter Johansson and Fahrny et al. (U.S. 20170244729A1), hereinafter Fahrny.
Regarding claim 10, Banerjee teaches a system for detecting and remediating malicious code in a communicating device on a computer network that connects to a target node, the system comprising (Banerjee: Abstract, [007] [0021] [0026] [0037] provide for detecting and remediating malicious codes in a computing environment including client computing system and server computing system connecting to the internet): 
monitoring all computing resource (CR) processes on the communicating device (Banerjee: [0051] provides for operating system kernel drivers to intercept inbound and outbound communications); 
determining process parameters for each computing resource (CR) process, including at least one of a canonical path, a process name, and a process identification number (Banerjee: 
determine, for each computing resource (CR) process, whether the computing resource (CR) process is a connecting CR process by determining whether the computer resource (CR) process is connecting to the target node (Banerjee: [0050]-[0052] provide for the connecting CR processes by determining if the processes are connecting to the target server node),
comparing at least one of the process parameters for each connecting CR process with a computing resource (CR) whitelist (Banerjee: [0052] provides for comparing process parameters for each connecting process with a whitelist); 
generating an event notification when the at least one process parameter for a connecting CR process does not match any record in the computing resource (CR) whitelist (Banerjee: [0052] provides for raising an alert representing an event notification when the process parameters do not match with the whitelist); and 
remediating said connecting CR process having said at least one process parameter (Banerjee: [0052] provides for remediating for example, by preventing the inbound or outbound connection using the connecting CR process).
Banerjee fails to teach wherein the target node is a proxy server through which the communicating device is accessing the internet. However, Johansson teaches this limitation (Johansson: Col. 15 Lines 11-21 and Fig. 7 provide for the proxy server as the target node through which the client computing device communicates). 
Banerjee and Johansson are both considered to be analogous to the claimed invention because they are in the same field of network communication management. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the 
Banerjee and Johansson do not explicitly teach about an operating system arranged to provide all the limitations mentioned above, including monitoring processes on an operating system kernel on the communicating device. However, Fahrny teaches this limitation (Fahrny: [0021] provides for the operating system to contain an intrusion detection agent to monitor all processes on the operating system kernel and prevent the malicious process from causing an application to control or gain access to device’s resources). 
Banerjee, Johansson and Fahrny are all considered to be analogous to the claimed invention because they are in the same field of monitoring network communication. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Banerjee/Johansson to incorporate the teachings of Fahrny and provide the security agent to be moved into the Operating System. Doing so would aid in reducing the overhead on transferring data between the OS and outside security agent and vigilantly performing all the necessary functions of the system within the OS. 
Regarding claim 1, the claim recites the limitations of claim 10 for a method and is thereby rejected under same rationale. 
Regarding claim 22, the claim recites the limitations of claim 10 for a non-transitory computer readable storage medium and is thereby rejected under same rationale. 

Regarding claim 11, the claim recites the same limitations of claim 10 for a process monitor and is thereby rejected under the same rationale. 
Regarding claim 12, the claim recites the same limitations of claim 10 for an event generator and is thereby rejected under the same rationale. 
Regarding claim 13, the claim recites the same limitations of claim 10 for an event remediator and is thereby rejected under the same rationale. 
Regarding claim 3, Banerjee teaches the method in claim 1, wherein the computing resource (CR) whitelist comprises a list of processes authorized to run on the operating system kernel (Banerjee: [0051] provides for the kernel drivers to intercept the inbound and outbound communications and the whitelist containing the processes authorized to run on the kernel drivers).
Regarding claim 16, the claim recites the limitations of claim 3 for a system and is thereby rejected under same rationale. 
Regarding claim 4, Fahrny teaches the method in claim 1, wherein the remediating said connecting CR process comprises terminating said connecting CR process (Fahrny: Abstract, [0003] [0050] provide for remediating for example, by terminating the malicious process).
Regarding claim 17, the claim recites the limitations of claim 4 for a system and is thereby rejected under same rationale. 
Regarding claim 5, Banerjee teaches the method in claim 1, wherein the remediating said connecting CR process comprises sending the event notification to another communicating device on the computer network to execute a remedial action (Banerjee: [0052] provides for the 
Regarding claim 18, the claim recites the limitations of claim 5 for a system and is thereby rejected under same rationale. 
Claims 2 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Banerjee (U.S. 20170093918A1), in view of Johansson (U.S. 10341345B1), Fahrny (U.S. 20170244729A1), and Lahav et al. (U.S. 20180144124A1), hereinafter Lahav.
Regarding claim 2, Banerjee further teaches the method in claim 1, wherein said at least one of the process parameters comprises the process name (Banerjee: [0055] provides for the process parameters to comprise the process information and path).
Banerjee does not teach about the process parameters comprising canonical path. However, Lahav teaches this limitation (Lahav: [0023] provides for a canonical, absolute version of the path for the client application requesting process).
Banerjee, Johansson, Fahrny and Lahav are all considered to be analogous to the claimed invention because they are in the same field of monitoring network communication. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Banerjee/Johansson/Fahrny to incorporate the teachings of Lahav and provide canonical path as process parameter. Doing so would aid in detecting and remediating malicious code by comparing the canonical path information of the processes with the whitelist parameters. 
Regarding claim 15, the claim recites the limitations of claim 2 for a system and is thereby rejected under same rationale. 

Claims 6, 8, 14, 20 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Banerjee (U.S. 20170093918A1), in view of Johansson (U.S. 10341345B1), Fahrny (U.S. 20170244729A1), and Singh (U.S. 20200287802A1).
Regarding claim 6, Banerjee does not teach about creating a record containing the process parameters for the connecting CR process and storing the record in a storage on the communicating device. However, Singh teaches this limitation (Singh: [0010] provides for creating a record containing the process parameters for the connecting CR process and storing the record in a storage on the communicating device).
Banerjee, Johansson, Fahrny and Singh are all considered to be analogous to the claimed invention because they are in the same field of network communication with processes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Banerjee, Johansson, Fahrny to incorporate the teachings of Singh and provide a stored record with process parameters when the process was determined to be connecting to the proxy server. Doing so would aid in analyzing the performance of the processes and creating an audit trail for the proper management of the network. 
Regarding claim 14, the claim recites the limitations of claim 6 for a system and is thereby rejected under same rationale. 
Regarding claim 23, the claim recites the limitations of claim 6 for a non-transitory computer readable storage medium and is thereby rejected under same rationale. 
Regarding claim 8, Banerjee does not explicitly teach about the stored record including a timestamp when the connecting process was determined to be connecting to the proxy server. 
Banerjee and Singh are both considered to be analogous to the claimed invention because they are in the same field of network communication with processes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Banerjee to incorporate the teachings of Singh and provide a stored record with timestamp when the process was determined to be connecting to the proxy server. Doing so would aid in identifying the time when the process is connected to the network which can be an important element to be compared with the data in whitelist to detect malicious code. 
Regarding claim 20, the claim recites the limitations of claim 8 for a system and is thereby rejected under same rationale. 
Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Banerjee (U.S. 20170093918A1), in view of Johansson (U.S. 10341345B1), Fahrny (U.S. 20170244729A1), Singh (U.S. 20200287802A1) and Lahav (U.S. 20180144124A1).
Regarding claim 7, Singh teaches the method in claim 6, wherein the stored record includes the process name, and process identification number (Singh: [0010] provides for the stored record of the process containing process parameters, for example path name, ID etc.).
Singh does not teach about the process parameters comprising canonical path. However, Lahav teaches this limitation (Lahav: [0023] provides for a canonical, absolute version of the path for the client application requesting process).
Banerjee, Johansson, Fahrny, Singh and Lahav are all considered to be analogous to the claimed invention because they are in the same field of monitoring network communication. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective 
Regarding claim 19, the claim recites the limitations of claim 7 for a system and is thereby rejected under same rationale. 
Claims 9 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Banerjee (U.S. 20170093918A1), in view of Johansson (U.S. 10341345B1), Fahrny (U.S. 20170244729A1), Singh (U.S. 20200287802A1) and Jain (U.S. 20210160192A1).
Regarding claim 9, Banerjee does not explicitly teach about the process identification number which is generated by the operating system kernel. However, Jain teaches this limitation (Jain: Abstract, [0032] provide for the process identification number being generated by the operating system kernel).
Banerjee and Jain are both considered to be analogous to the claimed invention because they are in the same field of network communication with processes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Banerjee/Johansson to incorporate the teachings of Jain and generate and use a process identification number to uniquely identify processes. One of ordinary skill in the art would be motivated to use process identification numbers to adopt common practices for uniquely identifying processes.
Regarding claim 21, the claim recites the limitations of claim 9 for a system and is thereby rejected under same rationale. 
Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Borders (U.S. 20090158430A1) recites a method, system and computer program product for detecting at least one of security threats and undesirable computer files.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/YASMIN JAHIR/Examiner, Art Unit 2432