DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Khesin (US 2015/0326586 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ismael (US 10,474,813 B1) in view of Nataraj (US 2019/0034254 A1) and Khesin (US 2015/0326586 A1).

Regarding claim 1, Ismael discloses: A network services system comprising: 
at least one memory configured to store program instructions; and 
at least one processor configured to execute the program instructions, the program instructions including: 
Refer to at least FIG. 2 and 4-5 of Ismael with respect to exemplary system architecture.
first instructions configured to: monitor notifications for electronic communications incoming to executing applications on the network services system; 
second instructions configured to: 
analyze the notifications; and 
Refer to at least Col. 3, Ll. 53-Col. 4, Ll. 9, Col. 7, Ll. 3-15, Col. 9, Ll. 8-36, Col. 11, Ll. 49-60, and Col. 13, Ll. 34-Col. 14, Ll. 23 of Ismael with respect to monitoring network and application traffic and/or calls and performing respective analysis.
identify one or more anomalies in the electronic communications for a first executing application of the executing applications based on the analysis; and 
Refer to at least Col. 7, Ll. 16-35, Col. 8, Ll. 48-55, Col. 9, Ll. 55-Col. 11, Ll. 27, and Col. 14, Ll. 24-47 of Ismael with respect to determining evidence of malware based on said analysis, including use of both static and/or dynamic analysis. 
third instructions configured to: determine an application context associated with the first executing application; 
Refer to at least Col. 9, Ll. 37-49, Col. 16, Ll. 17-35, Col. 16, Ll. 41-58, and Col. 17, Ll. 31-35 of Ismael with respect to determining, or having a prior knowledge of, a state and/or context of applications. 
based at least on application information;
Refer to at least Col. 11, Ll. 66-Col. 12, Ll. 5 and Col. 13, Ll. 55-63 and Ll. 34-42 of Ismael with respect to determining information associated with monitored traffic / calls.
Refer to at least Col. 18, Ll. 6-10 of Ismael with respect to determining a user of an endpoint of the application for notifying the user of detection and/or remediation. 
select one or more code solutions from a set of code solutions to correspondingly apply against the one or more anomalies based on the application context associated with the first executing application and the one or more anomalies, each code solution in the set of code solutions comprising at least one of a code block or a code assembly and being configured to resolve a specific anomaly for executing applications; and 
inject the selected one or more code solutions into the first executing application.
Refer to at least the abstract, FIG. 6, and Col. 14, Ll. 61-Col. 17, Ll. 5 of Ismael with respect to injecting code for repair associated with the malware. 
Ismael does not fully disclose: application information including one or more of: an expected number for the electronic communications based on the first executing application; or an actual number of the electronic communications for the first executing application; at least one of the selected one or more code solutions configured to cause a reallocating of a resource for the first executing application from another application. However, Ismael in view of Nataraj discloses: application information including one or more of: an expected number for the electronic communications based on the first executing application; or an actual number of the electronic communications for the first executing application.
Refer to at least the abstract, FIG. 9, [0048]-[0049], [0058], [0067], [0074], [0078], [0100], and [0115] of Nataraj with respect to monitoring applications and associated network traffic, establishing a baseline behavior (e.g., a certain amount of packets in a given time), and determining an anomaly based on a deviation from the baseline.
Ismael-Nataraj does not disclose: at least one of the selected one or more code solutions configured to cause a reallocating of a resource for the first executing application from another application. However, Ismael-Nataraj in view of Khesin discloses: at least one of the selected one or more code solutions configured to cause a reallocating of a resource for the first executing application from another application.
Refer to at least FIG. 3, [0034], and [0049]-[0051] of Khesin with respect to remediating an application by identifying system and method calls to be replaced with prestored custom code. Changing, e.g., system calls used by the application is considered to be a form of the claimed reallocated resource. 
The teachings of Ismael and Nataraj concern network monitoring, application monitoring, and remediation, and are considered to be within the same field of endeavor and combinable as such. The teachings of Khesin likewise concern application monitoring and remediation and are considered to be further combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ismael to further include baselines for network traffic associated with applications for at least the purpose of improving detection as per the cited portions of Nataraj (i.e., aggregating and correlating multiple metrics to better identify an anomaly and its cause). It further would have been obvious to include remediation such as replacing system/method calls for at least the purpose of preventing malicious access or malicious transmission of data. 

Regarding claim 2, Ismael-Nataraj-Khesin discloses: The network services system of claim 1, wherein the set of code solutions is stored in the at least one memory; the program instructions further comprising fourth instructions configured to: receive a generated code solution for an anomaly of the one or more anomalies; and store the generated code solution as part of the set of code solutions in the at least one memory.
Refer to at least Col. 16, Ll. 36-52 and Col. 17, Ll. 30-35 of Ismael with respect to obtaining injectable code from, e.g., a cloud service or a database. 

Regarding claim 3, Ismael-Nataraj-Khesin discloses: The network services system of claim 1, wherein the second instructions are configured to identify an anomaly of the one or more anomalies for a second executing application of the applications based on a separate notifications analysis for the second executing application; and wherein the third instructions are configured to: determine an application context associated with the second executing application; select the one or more code solution from the set of code solutions to apply against the anomaly of the one or more anomalies for the second executing application based on the application context associated with the second executing application and the anomaly of the one or more anomalies for the second executing application; and inject the selected one or more code solution into the second executing application.
Refer to at least FIG. 6 of Ismael with respect to applicability towards a plurality of applications and associated malware and further associated injectable code. 

Regarding claim 4, Ismael-Nataraj-Khesin discloses: The network services system of claim 1, wherein the program instructions further comprise fifth instructions configured to: track a state of the first executing application; capture the state prior to the selected one or more code solutions being injected into the first executing application; store the state in the at least one memory; and return the first executing application to the stored state, or cause an injected code solution to become dormant, based on a rollback condition.
Refer to at least Col. 9, Ll. 37-49, Col. 16, Ll. 17-35, Col. 16, Ll. 41-58, and Col. 17, Ll. 31-35 of Ismael with respect to determining, or having a prior knowledge of, a state and/or context of applications. 
Refer to at least the abstract of Ismael with respect to restoration. 
Regarding claim 5, it is rejected for substantially the same reasons as claims 4 and 1 above (i.e., the citations).

Regarding claim 6, Ismae-Nataraj-Khesin discloses: The network services system of claim 1, wherein at least one of the code solutions is configured to cause one or more of: limiting a number of requests from clients to the first executing application; ignoring one or more requests from clients to the first executing application; deferring one or more requests from clients to the first executing application; servicing requests from clients to the first executing application in an order of priority; scaling a channel for the first executing application; or creating a new channel for a subservice related to the first executing application.
Refer to at least [0054] and [0112] of Nataraj with respect to exemplary remedial actions.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ismael to further include additional forms of remedial actions for at least the purpose of additionally securing a network of applications (i.e., better / more choices in responding to anomalies).

Regarding claim 7, it is rejected for substantially the same reason as claim 1 above (i.e., the portions of Ismael concerning code injection; further refer to at least [0101]-[0103] and [0116] of Nataraj with respect to root cause analysis and remediation based on identifying the root cause).

Regarding independent claim 8, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claims 9, 11-14, they are substantially similar to claims 2-7 above, and are therefore likewise rejected. 

Regarding claim 10, Ismael-Nataraj-Khesin discloses: The method of claim 8, further comprising: identifying the one or more anomalies based at least on performing a communications analysis for the first executing application against first expected application communications; and identifying the at least one  of the one or more anomalies for the second executing application based at least performing a separate communications analysis for the second executing application against second expected application communications
Refer to at least Col. 13, Ll. 38-47 of Ismael with respect to signatures for identifying exploits and malware in processes.

Regarding claim 15, it is rejected for substantially the same reasons as elements of claim 1 above (i.e., the citations concerning monitoring network communications / application calls / messages generally).

Claims 16-18 and 20 are is/are rejected under 35 U.S.C. 103 as being unpatentable over Ismael (US 10,474,813 B1) in view of DiGiambattista (US 2018/0159887 A1).

Regarding independent claim 16, it is substantially similar to elements independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations). Ismael does not disclose the following limitations of claim 16: responsive to said analyzing and said identifying, automatically generating a new code solution based on a machine learning algorithm against the one or more anomalies and storing the new code solution in set of code solutions; including the new generated code solution; the generated new code solution configured to cause a reallocating of a resource for the first executing application from another application. However, Ismael in view of DiGiambattista discloses: responsive to said analyzing and said identifying, automatically generating a new code solution based on a machine learning algorithm against the one or more anomalies and storing the new code solution in set of code solutions; including the new generated code solution.
Refer to at least the [0098]-[0099] of DiGiambattista with respect to a remediation response being generated by a machine learning software based on its identification of similar instances.
Ismael-DiGiambattista does not disclose: the generated new code solution configured to cause a reallocating of a resource for the first executing application from another application. However, Ismael-DiGiambattista in view of Khesin discloses: the generated new code solution configured to cause a reallocating of a resource for the first executing application from another application.
Refer to at least FIG. 3, [0034], and [0049]-[0051] of Khesin with respect to remediating an application by identifying system and method calls to be replaced with prestored custom code. Changing, e.g., system calls used by the application is considered to be a form of the claimed reallocated resource. 
The teachings of Ismael and DiGiambattista each concern vulnerability analysis and remediation; Ismael further concerns dynamic patching. Accordingly, the teachings are considered to be within the same field of endeavor and combinable as such. The teachings of Khesin likewise concern application monitoring and remediation and are considered to be further combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ismael to further include machine learning techniques for determining dynamic patching because design incentives or market forces provided a reason to make an adaptation, and the invention resulted from application of the prior knowledge in a predictable manner (i.e., automation). It further would have been obvious to include remediation such as replacing system/method calls for at least the purpose of preventing malicious access or malicious transmission of data. 	

Regarding claims 17-18 and 20, they are substantially similar to claims 2-5 and 7 above, and are therefore likewise rejected. 

 Claim 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ismael-DiGiambattista-Khesin as applied to claims 16-18 and 20 above, and further in view of Nataraj (US 2019/0034254 A1).

Regarding claim 19, it is substantially the same as claims 6 and 13 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432