DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is a response to an application filed 04/14/2020, wherein claims 1-20 are pending and ready for examination.

  Continued Examination Under 37 CFR 1.114
2.  A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/14/2022 has been entered.

Response to Arguments
3.  Applicant's arguments, see Remarks filed 04/14/2022, with respect to the 35 U.S.C. 112(b) rejection of claim 20, the 35 U.S.C. 102 rejection of claims 1, 6-12, 14, 16, and 18-20 as anticipated by Li, and the 35 U.S.C. 102 rejection of claims 2-5 and 15 as being unpatentable over Li and San Miguel have been fully considered and are persuasive.  The rejections of claims 1-20 have been withdrawn in view of the Examiner's Amendment below.
 
Examiner’s Amendment
4. An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given via electronic correspondence on 5/30/2019 in response to an Examiner-Initiated Interview with Brian Tucker, Reg. No. 62,529, on 4/29/2022.

Please amend claims 1, 9-11, and 14-20 as follows, and add new claims 21-28:

1.	(Currently Amended) A method for detecting malware comprising:
detecting that a system call has been made, wherein the system call comprises a mechanism by which a user mode object requests that a kernel of an operating system provides a service to the user mode object;
in response to detecting that the system call has been made, monitoring execution of a system call function that the system call invokes, wherein the system call function comprises code that the kernel of the operating system executes to provide the service to the user mode object;
in conjunction with monitoring the execution of the system call function, creating a feature vector for the system call function, the feature vector defining a plurality of features of the system call function that are identified while monitoring the execution of the system call function;
evaluating the feature vector for the system call function using a multidimensional anomaly detection algorithm to thereby generate a score indicating whether the feature vector for the system call function is anomalous; and
when the score indicates that the feature vector for the system call function is anomalous, blocking the system call, whereas when the score indicates that the feature vector for the system call function is not anomalous, allowing the system call.

9.	(Cancelled) 

10.	(Currently Amended) The method of claim 1, wherein the multidimensional anomaly detection algorithm is trained using feature vectors for known-safe system call functions.

11.	(Currently Amended) The method of claim 1, wherein the multidimensional anomaly detection algorithm is the Local Outlier Factor (LOF) algorithm.

14-20. 	(Cancelled)

21.	(New) The method of claim 1, wherein the plurality of features of the system call function comprise:
a number of steps feature;
a delete count feature;
an open count feature;
a create count feature;
a by user feature;
a new system feature; and
a via library feature.

22.	(New) One or more computer storage media storing computer executable instructions which when executed implement a method for detecting malware comprising:
detecting that a system call has been made, wherein the system call comprises a mechanism by which a user mode object requests that a kernel of an operating system provides a service to the user mode object;
in response to detecting that the system call has been made, monitoring execution of a system call function that the system call invokes, wherein the system call function comprises code that the kernel of the operating system executes to provide the service to the user mode object;
in conjunction with monitoring the execution of the system call function, creating a feature vector for the system call function, the feature vector defining a plurality of features of the system call function that are identified while monitoring the execution of the system call function;
evaluating the feature vector for the system call function using a multidimensional anomaly detection algorithm to thereby generate a score indicating whether the feature vector for the system call function is anomalous; and
when the score indicates that the feature vector for the system call function is anomalous, blocking the system call, whereas when the score indicates that the feature vector for the system call function is not anomalous, allowing the system call.

23.	(New) The computer storage media of claim 22, wherein the plurality of features of the feature vector includes a number of steps feature. 

24.	(New) The computer storage media of claim 23, wherein the number of steps feature identifies a number of system call functions that are invoked during execution of the system call function. 

25.	(New) The computer storage media of claim 22, wherein the plurality of features of the feature vector includes one or more count features.

26.	(New) The computer storage media of claim 22, wherein the plurality of features of the feature vector includes a via library feature that identifies whether the system call function uses a library to invoke a known-safe system call function.

27.	(New) The computer storage media of claim 22, wherein the feature vector includes a by user feature that identifies whether the system call is made by a user component.

28.	(New) The computer storage media of claim 22, wherein the plurality of features of the feature vector includes a new system feature that identifies whether a system on which the system call is made is new.  
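The following worked example is added here by the editor; it is not part of the application, the applicant's implementation, or this office action. It illustrates the evaluation step of claims 1, 10, 11 and 21: feature vectors in the claim-21 feature order are scored with the Local Outlier Factor (LOF) algorithm, the model having been trained only on feature vectors for known-safe system call functions, and a score above a threshold produces a "block" decision while any other score produces "allow". LOF is implemented directly from its published definition (k-distance, reachability distance, local reachability density) so the example runs without third-party packages. The known-safe profiles, the three sample vectors, the neighbourhood size k=3 and the threshold of 1.5 are all constructed assumptions, not values taken from the application.

```python
"""Added example: LOF-based anomaly scoring of system call feature vectors.
Not the applicant's code; all data and parameters below are constructed."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]

# Feature order follows claim 21: number of steps, delete count, open count,
# create count, by-user flag, new-system flag, via-library flag (flags are 0/1).
FEATURES = ("num_steps", "delete_count", "open_count", "create_count",
            "by_user", "new_system", "via_library")

# Constructed known-safe profiles (claim 10): eight benign executions that
# differ only in how many steps and opens they perform.
KNOWN_SAFE: List[Vector] = [(3 + i, 0, 1 + i, 1, 1, 0, 0) for i in range(8)]

# Assumed decision threshold: an LOF near 1 means "as dense as its known-safe
# neighbourhood"; values well above 1 are outliers. Tune on held-out data.
LOF_THRESHOLD = 1.5


def _dist(a: Vector, b: Vector) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _neighbourhood(point: Vector, train: Sequence[Vector], k: int, skip: int = -1):
    """Return (k-distance, indices of every training point within it).
    Ties at the k-th distance are all included, as in the LOF definition."""
    dists = sorted((_dist(point, p), j) for j, p in enumerate(train) if j != skip)
    kdist = dists[k - 1][0]
    return kdist, [j for d, j in dists if d <= kdist]


@dataclass
class LOFModel:
    k: int
    train: List[Vector]
    kdist: List[float]   # k-distance of every training point
    lrd: List[float]     # local reachability density of every training point


def fit_lof(train: Sequence[Vector], k: int = 3) -> LOFModel:
    """Train on known-safe vectors only (claim 10): precompute each point's
    k-distance and local reachability density."""
    if len(train) <= k:
        raise ValueError("need more than k training vectors")
    kdist, neigh = [], []
    for i, p in enumerate(train):
        kd, n = _neighbourhood(p, train, k, skip=i)
        kdist.append(kd)
        neigh.append(n)
    lrd = []
    for i, p in enumerate(train):
        # reachability distance from p to neighbour o is max(k-dist(o), d(p, o))
        reach = [max(kdist[j], _dist(p, train[j])) for j in neigh[i]]
        lrd.append(len(reach) / max(sum(reach), 1e-12))  # floor guards duplicates
    return LOFModel(k, list(train), kdist, lrd)


def lof_score(model: LOFModel, vec: Vector) -> float:
    """Novelty score of a new feature vector against the known-safe set
    (neighbours are drawn from the training set only)."""
    _, n = _neighbourhood(vec, model.train, model.k)
    reach = [max(model.kdist[j], _dist(vec, model.train[j])) for j in n]
    lrd_x = len(reach) / max(sum(reach), 1e-12)
    return (sum(model.lrd[j] for j in n) / len(n)) / lrd_x


def decide(model: LOFModel, vec: Vector) -> str:
    """Final step of claim 1: block when the score says anomalous, else allow."""
    return "block" if lof_score(model, vec) > LOF_THRESHOLD else "allow"


if __name__ == "__main__":
    model = fit_lof(KNOWN_SAFE, k=3)
    samples = {  # constructed feature vectors for three observed syscall functions
        "matches a known-safe profile": (7, 0, 5, 1, 1, 0, 0),
        "same profile but six deletes": (6, 6, 4, 1, 1, 0, 0),
        "unlike anything seen, via library on new system": (60, 40, 45, 30, 0, 1, 1),
    }
    for label, vec in samples.items():
        print(f"{label:50s} LOF={lof_score(model, vec):6.2f} -> {decide(model, vec)}")
```

A vector that matches a known-safe profile scores close to 1 and is allowed; the same profile with six deletes scores about 2.1 and is blocked; a vector far from every profile scores well above 10. Two practical caveats for anyone reproducing this: exact duplicates in the training set give a k-distance of zero and an unbounded density, which is why the reachability sum is floored, and the raw counts are used unscaled here, so in a real deployment features with very different ranges should be standardized before distances are computed.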


Allowable Subject Matter
5.    Claims 1-8, 10-13, and new claims 21-28 are allowed.

Examiner’s Reason for Allowance
6.    The following is an examiner's statement of reasons for allowance: in conjunction with monitoring the execution of the system call function, creating a feature vector for the system call function, the feature vector defining a plurality of features of the system call function that are identified while monitoring the execution of the system call function.  The closest prior art of record is "Li" (US 20210064751 A1), "San Miguel" (US 20210105613 A1), "Pradadarao" (US 20080052696 A1), and newly cited "Solis" (US 20200162484 A1).  Li discloses systems and methods for a provenance-based threat detection tool that builds a provenance graph including a plurality of paths, using a processor device, from provenance data obtained from one or more computer systems and/or networks; samples the provenance graph to form a plurality of linear sample paths and calculates a regularity score for each of the linear sample paths; selects a subset of the linear sample paths based on the regularity score and embeds each path of the subset by converting it into a numerical vector; detects anomalies in the embedded paths to identify malicious process activities; and terminates a process related to the embedded path having the identified malicious process activities.  San Miguel discloses embodiments that focus on identifying malicious applications and verifying the absence of malicious code in applications that enterprises and their users seek to utilize; its analysis toolbox supplements static analysis, a pre-installation vetting technique designed to ensure that malware is never installed on devices on an enterprise network.  Pradadarao discloses a technique for the dynamic instrumentation of a running software system: one or more callable instrumentation functions are accessible in a first memory space associated with the software system and are adapted to probe an operation of the software system and return data regarding the probed operation, and the probed-operation environment information needed by those instrumentation functions is provided to a second memory space associated with the software system.  Newly searched art Solis discloses a computer-implemented method, system and computer program for identifying malicious URI data items.  The method a) gathers URI data items and b) analyses the URI data items to classify them into malicious and non-malicious URI data items; c1) intercepts communications from several computing entities with malicious servers identified by malicious URIs, using sinkholing techniques, and uncovers and retrieves information that is being exfiltrated to those malicious or supervised servers; and c2) periodically monitors the status of the malicious servers identified by the malicious URIs to determine whether they have been taken down, and simulates an infected bot to obtain updates of the commands sent from those malicious servers.

7. What is missing from the prior art of record, including newly searched Solis, is detecting that a system call has been made, wherein the system call comprises a mechanism by which a user mode object requests that a kernel of an operating system provides a service to the user mode object, and, in response to detecting that the system call has been made, monitoring execution of a system call function that the system call invokes, wherein the system call function comprises code that the kernel of the operating system executes to provide the service to the user mode object.  The Examiner finds novel the feature of, in conjunction with monitoring the execution of the system call function, creating a feature vector for the system call function, the feature vector defining a plurality of features of the system call function that are identified while monitoring the execution of the system call function.  The Examiner is further persuaded by applicant's representative as to the deficiencies of the prior art in view of applicant's amendments (see Remarks filed 04/14/2022, pages 8-9).  The secondary references and the newly searched art fail to teach the features of claims 1 and 22 as amended.

Thus the prior art of record does not teach or suggest, either individually or in combination, the subject matter as claimed in claims 1 and 22.  Therefore claims 1 and 22 are deemed allowable over the prior art of record.  The corresponding dependent claims, which further limit claims 1 and 22, also contain allowable subject matter by virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM B JONES/Examiner, Art Unit 2491, 04/30/2022

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491