DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.  This is in response to the communications filed on 18 April 2022.
2.  Claims 1-18 are pending in the application.
3.  Claims 1-18 have been allowed.
Terminal Disclaimer
4.  The terminal disclaimer filed on 18 April 2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 10,735,374 B2 has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Allowable Subject Matter
5.  Claims 1-18 are allowed over the prior art.
The following is an examiner’s statement of reasons for allowance:
As to independent claims 1 and 9, the applicant has incorporated allowable limitations from U.S. Patent No. 10,735,374 B2 of “in response to determining that the file comprises the advanced persistent threat, running the file in the device at least one additional time to generate a plurality of sequence of behaviors, wherein each running of the file in the device causes a respective sequence of behaviors to occur, and the plurality of sequence of behaviors comprises the first sequence of behaviors”, “determining identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors” and “identifying a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run”.
As to independent claim 14, the applicant has incorporated allowable limitations from U.S. Patent No. 10,735,374 B2 of “in response to determining that the file comprises the advanced persistent threat, run the file in the security protection device at least one additional time to generate a plurality of sequence of behaviors, wherein each running of the file in the security protection device causes a respective sequence of behaviors to occur, and the first sequence of behaviors is comprised in the plurality of sequence of behaviors”, “determine identical behaviors that exist in each sequence of behaviors comprised in the plurality of sequence of behaviors, wherein the identical behaviors have a same behavior types and a same behavior content in each sequence of behaviors”, “identify a set of behaviors, the set of behaviors comprising the determined identical behaviors, and determining the set of behaviors to be a stable behavior feature, wherein the stable behavior feature is a behavior that occurs each time the file is run”, “generate a first indicator of compromise corresponding to the stable behavior feature”, “parse the received first indicator of compromise to obtain the stable behavior feature”, “search an operating system and a file system of the terminal device to determine whether a behavior described by the stable behavior feature has occurred in the terminal device” and “in response to determining that the behavior described by the stable behavior feature has occurred in the terminal device, determine that the terminal device has been infected with the advanced persistent threat”.
Any claims not directly addressed are allowed on the virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Relevant Prior Art
6.  The following references have been considered relevant by the examiner:
A.  Zadok et al US 2005/0273858 A1 directed to network files systems, and more particularly to stackable file systems [0002].
B.  Ciu et al US 2014/0373087 A1 directed to detecting instances within a web application where code and data are not separated [abstract].
C.  Kouznetsov et al US 2003/0233574 A1 directed to scanning a mobile wireless device for malware [abstract].
Conclusion
7.  Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARAVIND K MOORTHY whose telephone number is (571)272-3793. The examiner can normally be reached M-F 5:00-3:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ARAVIND K MOORTHY/            Primary Examiner, Art Unit 2492