DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the communication filed on December 28, 2021 in response to the first Office action on the merits.

Remarks
Pending claims for reconsideration are claims 1-20. Applicant has amended claims 2 and 8.

Response to Arguments
Applicant’s arguments filed on December 28, 2021 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
In response to argument (Page 9, Para: 3-4) - Examiner respectfully disagrees with applicant’s argument that Thioux fails to teach “…discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses…” and “…analyzing, …the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability ...” of independent claims 1, 8, and 15. To begin with, the phrase “chain of function calls” is recited in the claims and in the drawings of the applicant-provided specification, but the specification fails to expand on it. However, the applicant-provided specification describes “…generating of an event from a chain of calls which utilizes return oriented programming (ROP)” [see Specification, Para 0044]. Furthermore, the applicant-provided specification lacks detail on how the ROP works. However, Thioux describes the detail of ROP as:
In particular, a malware writing technique known as ROP has become fairly widespread recently. ROP is an exploit that allows a writer of malware to chain together sequences of instructions through return instructions thereby accomplishing one or more tasks via the execution of the chain of sequences of instructions. ROP techniques were developed as a way to circumvent data execution prevention (DEP) techniques, which have been recently implemented in many operating systems to thwart unauthorized activities including malicious attacks [Col 1:40-49, See also Col 3:1-25].

As described by Thioux, ROP is an exploit, i.e., an “event” which exploits or takes advantage of a normal program such as an application, a program, or a file being executed. To put it simply, the ROP hijacks the normal ending of the normal program and tries to execute its hidden agenda. The detection of the ROP involves looking at the calls made and the memory addresses used by the normal program, and the calls made by the ROP. Again, to discover the ROP one must look at the calls made by the normal program and the calls made by the ROP program; therefore, discovering the ROP entails “…discovering a chain of function calls preceding the event [i.e., ROP] in a form of a sequence of call and return addresses”.
The applicant’s claimed invention deals with ROP and the instructions or calls that are observed for the ROP. Likewise, Thioux also deals with ROP and the sequences of instructions or calls made by the ROP. Furthermore, a determination is made whether the “sequence of instructions” is a gadget or a ROP attack (See, Thioux, Col 12:26-62). Finally, absent detail describing what the “chain of calls” entails, the examiner asserts that Thioux discloses the claimed limitation.
Claim Rejections - 35 USC § 101
Applicant has amended claim 8, which was rejected under 35 U.S.C. 101 because the claimed invention was directed to non-statutory subject matter; therefore, the rejection is withdrawn.

Claim Objections
Applicant has amended claims 2, 9, and 16 which were objected to because of informalities; therefore, the claim objection is withdrawn.
 
Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-6, 8-13, and 15-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Thioux et al. (U.S. Patent No.: US 9,594,912 B1 / or “Thioux” hereinafter) [provided by the applicant].

Regarding claim 1, Thioux discloses “A method for forming a log during an execution of a file with vulnerabilities in a virtual machine, the method comprising” (Col 11:31-36, discloses a method for detecting a return oriented programming (ROP) exploit in a virtual machine (VM); and Col 7:6-13, the reporting logic may issue an alert or report, i.e., “forming a log,” to a security administrator): 
“discovering, by an interceptor, an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes one or more conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file” (Col 7:40-44, “For instance, management system 220 is responsible for automatically updating a list of function calls to be observed by a portion of the virtual execution logic 270 and trigger the ROP exploit detection within some or all of TDP systems 210-1 - 210N”; and Col 11:16-30, the ROP detection module may observe function calls initiated by an application; and “The observing of a function call by the ROP detection module 321 may trigger a ROP exploit detection process…”); 
“analyzing, by the interceptor, a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses” (Col 12:29-35, “the ROP detection module 321 begins to perform function call observing ("hooking") on the application 310, e.g., from within the VM 275 of FIG. 3. In block 602, the ROP detection module 321 observes a function call made by the application 310 and takes a snapshot 500 of the stack 322. In block 603, the ROP detection module 321 analyzes the contents within the snapshot 500”; and Col 3:4-13, “However, if an address within the predetermined address range is a valid address in memory allocated to one of the modules, the contents located at that address, and, in some embodiments, the next valid address or addresses in the stack, are further analyzed to determine if the address or addresses contain a gadget (i.e., computer code with less than a predefined number of instructions that are chained together followed by a "return" instruction). If they do contain one or more gadgets, a ROP exploit may have been uncovered.”); 
“analyzing, by the interceptor, the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability” (Col 3:4-13, “However, if an address within the predetermined address range is a valid address in memory allocated to one of the modules, the contents located at that address, and, in some embodiments, the next valid address or addresses in the stack, are further analyzed to determine if the address or addresses contain a gadget (i.e., computer code with less than a predefined number of instructions that are chained together followed by a "return" instruction). If they do contain one or more gadgets, a ROP exploit may have been uncovered.”); 
“and when the conditions of the trigger, which relate to the attempt to exploit the vulnerability of the file, are fulfilled, saving, by the interceptor, information about the chain of function calls in a log” (Col 10:41-51, “…the reporting logic 160 may store the classification results 281 (including the static-based results 140 and the VM-based results 150) in the database 255 for future reference”).
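The observe-snapshot-analyze flow that the rejection of claim 1 cites from Thioux, as an added illustration in Python (not code from Thioux, the applicant, or this Office action): a hooked call snapshots the stack, each stack word is mapped to a loaded module, the code at that address is tested for a short return-terminated gadget, and the chain plus a memory dump are assembled into the log record once the trigger condition holds. The module map, disassembly, thresholds and stack contents are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tunables standing in for Thioux's "predetermined" values (assumed, not from the patent).
GADGET_MAX_INSNS = 5   # a gadget is shorter than this many instructions and ends in "ret"
GADGET_MIN_HITS = 3    # chained gadgets needed before the trigger condition is met


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map for the monitored process (two loaded modules).
MODULES = [Module("app.exe", 0x00400000, 0x10000),
           Module("libc.so", 0x7F000000, 0x20000)]

# Constructed "disassembly": code address -> instruction sequence found there.
CODE: Dict[int, List[str]] = {
    0x00401000: ["push rbp", "mov rbp, rsp", "sub rsp, 0x40", "call 0x401200",
                 "mov eax, 0", "leave", "ret"],       # ordinary function body
    0x00401200: ["mov eax, 1", "ret"],                 # tiny leaf function, gadget-like
    0x7F001234: ["pop rdi", "ret"],
    0x7F002345: ["pop rsi", "pop rdx", "ret"],
    0x7F003456: ["mov rax, rdi", "ret"],
    0x7F004567: ["syscall", "ret"],
}


def module_for(addr: int) -> Optional[Module]:
    """Map a stack word to the module that owns it; None means it is not a code pointer."""
    for m in MODULES:
        if m.contains(addr):
            return m
    return None


def is_gadget(addr: int) -> bool:
    """Gadget test as Thioux phrases it: a short instruction run terminated by a return."""
    seq = CODE.get(addr)
    return seq is not None and len(seq) < GADGET_MAX_INSNS and seq[-1] == "ret"


def analyze_snapshot(observed_call: str, stack: List[int]) -> dict:
    """Walk the stack snapshot taken at a hooked call, rebuild the chain of code
    addresses, count gadget hits, and build the record to be logged when triggered."""
    chain = []
    for slot, word in enumerate(stack):
        mod = module_for(word)
        if mod is None:
            continue  # plain data on the stack, not a return address
        chain.append({"slot": slot, "addr": hex(word), "module": mod.name,
                      "gadget": is_gadget(word)})
    hits = sum(1 for c in chain if c["gadget"])
    triggered = hits >= GADGET_MIN_HITS
    return {"event": observed_call, "triggered": triggered, "gadget_hits": hits,
            "chain": chain,
            # memory region saved with the chain (claim 2); here the raw stack words
            "stack_dump": [hex(w) for w in stack] if triggered else None}


# Constructed snapshots: a benign call stack and a gadget chain reaching the same hook.
BENIGN_STACK = [0x00401200, 0xDEADBEEF, 0x00401000, 0x0, 0x00401000]
ROP_STACK = [0x7F001234, 0x41414141, 0x7F002345, 0x0, 0x0, 0x7F003456, 0x7F004567]

if __name__ == "__main__":
    for name, stack in (("benign", BENIGN_STACK), ("rop", ROP_STACK)):
        print(name, analyze_snapshot("observed_call", stack))
```

The benign stack contains one gadget-like leaf function, which is why the threshold, not a single hit, decides the trigger.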

Regarding claim 2, in view of claim 1, Thioux discloses “further comprising: saving a dump of a memory region connected with the fulfillment of the conditions of the trigger in the log” (Col 10:55-65, observes a virtual heap i.e., a “dump of the memory region”).

Regarding claim 3, in view of claim 1, Thioux discloses “wherein the event includes at least one of: a calling of an API function during the execution of the thread of the process; a return from an API function; a system call; a return from a system call; and a receiving of a notification from an operating system” (Col 11:16-30, API call is disclosed).

Regarding claim 4, in view of claim 1, Thioux discloses “wherein the triggers describe one or more events and conditions accompanying the events, the events relating to the attempt to exploit the vulnerability of the file: 
a generating of an event from a chain of calls which utilizes return oriented programming (ROP)” (Col 10:1-10, ROP exploit is detected); 
“a generating of an event by execution on a heap” (Col 10:55-65, observes a virtual heap); 
“a generating of an event by execution on a stack; a changing of the stack” (Col 11:37-51);  
“an alteration of a data structure describing rights and privileges of a process in an operating system; an event generated by a first execution from a memory page; and a dynamic allocation of memory and placement of objects the dynamically allocated memory” (Col 14:63-67 and Col 15:1-4, “Furthermore, the monitoring logic 276 monitors in real-time during runtime, and may also log, at least the instruction sequences located at valid addresses allocated to the application 310 when the valid addresses correspond to contents within the snapshot 500. The monitoring logic 276 analyzes contents within the snapshot 500 of the stack and inspects the instruction sequence(s) located at one or more of the addresses to identify one or more gadgets”).

Regarding claim 5, in view of claim 1, Thioux discloses “the opening of the file including one of: the execution of the file, when the file is executable; or the opening of the file by an application, when the file is not executable” (Col 10:65-67).

Regarding claim 6, in view of claim 1, Thioux discloses “wherein a security module performs at least one of: launching the virtual machine; or selecting the security module from previously created virtual machines” (Col 9:21-28, VM is used).

Regarding claim 8, Thioux discloses “A system for forming a log during an execution of a file with vulnerabilities in a virtual machine instantiated on a computing device, comprising” (Abstract, threat detection system is disclosed):
 “at least one hardware processor configured to” (Col 8:34-38, one or more processors are disclosed):
 “discover, by an interceptor, an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes one or more conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file;
 analyze, by the interceptor, a stack of the process created upon opening the file, and discover a chain of function calls preceding the event in a form of a sequence of call and return addresses; 
analyze, by the interceptor, the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability; and 
when the conditions of the trigger, which relate to the attempt to exploit the vulnerability of the file, are fulfilled, save, by the interceptor, information about the chain of function calls in a log” (See rejection of claim 1).

Regarding claim 9, in view of claim 8, Thioux discloses “the processor further being configured to: save a dump of a memory region connected with the fulfillment of the conditions of the trigger in the log” (See rejection of claim 2).

Regarding claim 10, in view of claim 8, Thioux discloses “wherein the event includes at least one of: a calling of an API function during the execution of the thread of the process; a return from an API function; a system call; a return from a system call; and a receiving of a notification from an operating system” (See rejection of claim 3).

Regarding claim 11, in view of claim 8, Thioux discloses “wherein the triggers describe one or more events and conditions accompanying the events, the events relating to the attempt to exploit the vulnerability of the file: a generating of an event from a chain of calls which utilizes return oriented programming (ROP); a generating of an event by execution on a heap; a generating of an event by execution on a stack; a changing of the stack; an alteration of a data structure describing rights and privileges of a process in an operating system; an event generated by a first execution from a memory page; and a dynamic allocation of memory and placement of objects the dynamically allocated memory” (See rejection of claim 4).

Regarding claim 12, in view of claim 8, Thioux discloses “the opening of the file including one of: the execution of the file, when the file is executable; or the opening of the file by an application, when the file is not executable” (See rejection of claim 5).

Regarding claim 13, in view of claim 8, Thioux discloses “wherein a security module performs at least one of: launching the virtual machine; or selecting the security module from previously created virtual machines” (See rejection of claim 6).

Regarding claim 15, Thioux discloses “A non-transitory computer readable medium storing thereon computer executable instructions for forming a log during an execution of a file with vulnerabilities in a virtual machine, including instructions for” (Col 4:9-15, computer readable medium is disclosed): 
“discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes one or more conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file; 
analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses; 
analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability; and 
when the conditions of the trigger, which relate to the attempt to exploit the vulnerability of the file, are fulfilled, saving information about the chain of function calls in a log” (See rejection of claim 1).

Regarding claim 16, in view of claim 15, Thioux discloses “the instructions further comprising: saving a dump of a memory region connected with the fulfillment of the conditions of the trigger in the log” (See rejection of claim 2).

Regarding claim 17, in view of claim 15, Thioux discloses “wherein the event includes at least one of: a calling of an API function during the execution of the thread of the process; a return from an API function; a system call; a return from a system call; and a receiving of a notification from an operating system” (See rejection of claim 3).

Regarding claim 18, in view of claim 15, Thioux discloses “wherein the triggers describe one or more events and conditions accompanying the events, the events relating to the attempt to exploit the vulnerability of the file: a generating of an event from a chain of calls which utilizes return oriented programming (ROP); a generating of an event by execution on a heap; a generating of an event by execution on a stack; a changing of the stack; an alteration of a data structure describing rights and privileges of a process in an operating system; an event generated by a first execution from a memory page; and a dynamic allocation of memory and placement of objects the dynamically allocated memory” (See rejection of claim 4).

Regarding claim 19, in view of claim 15, Thioux discloses “the opening of the file including one of: the execution of the file, when the file is executable; or the opening of the file by an application, when the file is not executable” (See rejection of claim 5).

Regarding claim 20, in view of claim 15, Thioux discloses “wherein a security module performs at least one of: launching the virtual machine; or selecting the security module from previously created virtual machines” (See rejection of claim 6).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Thioux in view of Ian Oliver (U.S. Patent No.: US 8,805,995 B1 / or “Oliver” hereinafter).

Regarding claim 7, in view of claim 1, Thioux discloses a ROP detection module may trigger a ROP exploit detection process (Col 11:16-30).
But Thioux fails to specifically disclose a trigger describing an actual event, the occurrence of which activates the trigger, and the conditions of the trigger based on the actual event.
However, Oliver discloses “wherein the trigger describes: the actual event, the occurrence of which activates the trigger, and the conditions of the trigger accompanying the actual event which relate to the attempt to exploit the vulnerability of the file” (Oliver, Col 10:60-67 and Col 11:1-8, disclose triggering events, activity related to the triggering events, and suspicious activity related to the triggering events).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to apply the teachings of Oliver (a trigger describing an actual event, the occurrence of which activates the trigger, and the conditions of the trigger based on the actual event) to the Return-Oriented Programming Detection of Thioux to create a system whereby, by defining/classifying the condition for triggering, “…the processor of the client processing system classifying the trigger event to determine whether one or more further events can continue to be performed by the client processing system at step 530”, and the ordinary person skilled in the art would have been motivated to combine them because “…being able to execute further events prior to a critical malicious event occurring in the client processing system allows additional data to be collected about the potential threat” (Oliver, Col 10:13-29).

Regarding claim 14, in view of claim 8, Thioux in view of Oliver disclose “wherein the trigger describes: the actual event, the occurrence of which activates the trigger, and the conditions of the trigger accompanying the actual event which relate to the attempt to exploit the vulnerability of the file” (See rejection of claim 7).

Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ince et al. (US 2018/0096147 A1) discloses “…In an embodiment, this execution monitoring window may span several blocks of code, where a block is defined as a sequence of instructions that ends with an indirect branch, CALL or RET instruction. The number of blocks analyzed in this manner may be between approximately 100 and 1000 and can be set to an empirical value with limited runtime overhead and a good malware detection rate. If an end of an execution monitoring window has not been reached, the BT engine may perform the forward execution until a next indirect instruction (e.g., RET instruction) is encountered, at block 170” (Para 0015).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is (571) 270-3392. The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431
/LYNN D FEILD/ Supervisory Patent Examiner, Art Unit 2431