DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 02/03/2022.
In the instant Amendment, Claims 1-2, 13-14, and 17-18 have been amended. Claims 1, 13 and 17 are independent claims. Claims 1-20 have been examined and are pending. This Action is made FINAL.

Response to Arguments
Applicant’s arguments, see Applicant Arguments/Remarks Made in an Amendment, filed 02/03/2022, with respect to the rejections of claims 1-20 have been fully considered but are not persuasive.
As to independent claims 1, 13 and 17, Applicants stated in arguments that the combination of Strogov (US 20190286821) and Pan (US 20090320021) fails to teach or suggest “analyzing a memory start address attributed to a thread and determining whether the memory start address attributed to the thread is within a memory address range of at least one of the one or more images loaded into the at least one memory.” (Applicant Arguments/Remarks, 02/03/2022, page 8).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that the combination of Strogov and Pan does disclose the cited limitations. For example, Pan discloses analyzing a memory start address attributed to a thread and determining whether the memory start address attributed to the thread is within a memory address range of at least one of the one or more images loaded into the at least one memory (Pan: par 0053; fig. 4; the Performance Evaluator tracks and records system events and inter-thread interactions relating to a task suspected of or having anomalous performance; par 0061; in completing a task begun at time t.sub.b, if a thread T.sub.0 needs to read data from a disk, that thread first sends an I/O request, at time t.sub.I/O, to the device; par 0127; calculated based on the call stack of an operation and the start address of the thread where the operation is executed).
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (313) 446-6644 to schedule an interview.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-13, 15-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Strogov et al. (“Strogov,” US 20190286821, published on 09/19/2019) in view of Pan et al. (“Pan,” US 20090320021, published on 12/24/2009).
Regarding Claim 1;
Strogov discloses a computer-implemented method comprising:
obtaining information pertaining to one or more processes running on a user device (par 0031; fig. 1; the file protector driver configured to receive (e.g., from the process) an execution stack);   
obtaining information pertaining to one or more images loaded into at least one memory associated with at least one of the one or more processes running on the user device (par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread);
obtaining information pertaining to one or more threads created in connection with at least one of the one or more processes running on the user device (par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread; par 0033; the file protector driver restores all modifications made by the injected threads that had been identified using control points);
identifying at least one of the one or more threads as a security risk (par 0031; fig. 3; the execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread; par 0039; the file protector driver determines whether any activity has been detected on the one or more control points of the first process. If so the file protector driver generates an indication that the execution of the first process is malicious); and 
performing at least one action based at least in part on the identification of at least one of the one or more threads as a security risk (par 0040; responsive to receiving the indication that the execution of the first process is malicious, perform one or more remedial actions that protects against malicious actions by the first process); 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory (par 0013; system for detecting a malicious application is provided that includes a memory device, and a processor coupled to the memory device).  
Strogov discloses identifying at least one of the one or more threads as a security risk and performing at least one action based at least in part on the identification of at least one of the one or more threads as a security risk, as recited above, but does not explicitly disclose automatically identifying at least one of the one or more threads as a security risk by analyzing a memory start address attributed to a thread and determining whether the memory start address attributed to the thread is within a memory address range of at least one of the one or more images loaded into the at least one memory; performing at least one automated action.
However, in an analogous art, Pan discloses a thread analysis system/method that includes:
automatically identifying at least one of the one or more threads as a security risk by analyzing a memory start address attributed to a thread and determining whether the memory start address attributed to the thread is within a memory address range of at least one of the one or more images loaded into the at least one memory (Pan: par 0012; fig. 4; anomaly is identified automatically by locating one or more time-consuming operations in particular threads; par 0053; the Performance Evaluator tracks and records system events and inter-thread interactions relating to a task suspected or having anomalous performance; par 0061; in completing a task begun at time t.sub.b, if a thread T.sub.0 needs to read data from a disk, that thread first sends an I/O request, at time t.sub.I/O, to the device; par 0127; calculated based on the call stack of an operation and the start address of the thread where the operation is executed); 
performing at least one automated action (Pan: par 0033; when a performance anomaly is identified, either automatically or manually, a control pattern is then extracted from the recorded trace data for the tracking period).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Pan with the method/system of Strogov to include automatically identifying at least one of the one or more threads as a security risk by analyzing a memory start address attributed to a thread and determining whether the memory start address attributed to the thread is within a memory address range of at least one of the one or more images loaded into the at least one memory; performing at least one automated action. One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).

Regarding Claim 3;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Pan further discloses wherein automatically identifying the at least one thread as a security risk comprises automatically identifying the at least one thread as a security risk upon a determination that the memory start address attributed to the at least one thread is not within a memory address range of at least one of the one or more images (Pan: par 0012; anomaly is identified automatically by locating one or more time-consuming operations in particular threads; par 0077; the Performance Evaluator includes a tracer that collects important system events from the interactions among threads and stores them into a buffer, or other computer-readable medium, during some tracking period. The length of the tracking period is either automatically determined by the Performance Evaluator, limited as a function of buffer size, or set via a user interface; par 0128; the information of the start address of the current thread may not be included in the call stack since the OPInfo structure contains a static array field to store the call stack of an operation).
One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).
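The determination recited in claims 1 and 3 (a thread's start address tested against the address ranges of the images loaded into its process, with the thread flagged when no image covers it) written out as an added Python illustration; this code is not from the application, Strogov or Pan, and the record fields and sample addresses are constructed assumptions.

```python
"""Illustration of the claimed check: a thread whose start address is not
backed by any image loaded into its process is flagged for follow-up.

The image-load and thread-creation records below are constructed for this
example; the field names (pid, path, base, size, start) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoadedImage:
    pid: int        # process the image is mapped into (process association)
    path: str       # image path information
    base: int       # memory start address
    size: int       # image size; end address is base + size (exclusive)

    @property
    def end(self) -> int:
        return self.base + self.size

    def contains(self, address: int) -> bool:
        # Half-open range [base, end): the first byte past the image is
        # not part of it.
        return self.base <= address < self.end


@dataclass(frozen=True)
class ThreadRecord:
    tid: int
    creator_pid: int   # process that created the thread
    target_pid: int    # process in which the thread runs
    start: int         # memory start address attributed to the thread


def backing_image(images, pid: int, address: int) -> Optional[LoadedImage]:
    """Return the image loaded into `pid` whose range covers `address`.

    Images mapped into other processes are ignored: an address is only
    meaningful within the address space it belongs to.
    """
    for img in images:
        if img.pid == pid and img.contains(address):
            return img
    return None


def flag_unbacked_threads(images, threads):
    """Apply the claimed determination to every thread record.

    Returns (tid, target_pid, start, remote) for each thread whose start
    address lies outside every image loaded into its target process;
    `remote` records whether creator and target process differ, since the
    claims list both process identifiers as thread information.
    """
    flagged = []
    for t in threads:
        if backing_image(images, t.target_pid, t.start) is None:
            flagged.append((t.tid, t.target_pid, t.start,
                            t.creator_pid != t.target_pid))
    return flagged


# Constructed sample data (not taken from any real system).
IMAGES = [
    LoadedImage(pid=4242, path="C:\\app\\app.exe", base=0x00400000, size=0x00100000),
    LoadedImage(pid=4242, path="C:\\Windows\\lib.dll", base=0x7FFA0000, size=0x00020000),
    LoadedImage(pid=5151, path="C:\\svc\\svchost.exe", base=0x00400000, size=0x00080000),
]
THREADS = [
    ThreadRecord(tid=1, creator_pid=4242, target_pid=4242, start=0x00401000),  # inside app.exe
    ThreadRecord(tid=2, creator_pid=4242, target_pid=4242, start=0x7FFBFFFF),  # last byte of lib.dll
    ThreadRecord(tid=3, creator_pid=4242, target_pid=4242, start=0x7FFC0000),  # one past lib.dll end
    ThreadRecord(tid=4, creator_pid=4242, target_pid=5151, start=0x7FFA1000),  # lib.dll not in pid 5151
    ThreadRecord(tid=5, creator_pid=5151, target_pid=5151, start=0x00400000),  # exactly at image base
]

if __name__ == "__main__":
    for tid, pid, start, remote in flag_unbacked_threads(IMAGES, THREADS):
        print(f"thread {tid} in pid {pid}: start 0x{start:08X} not backed by a loaded image"
              + (" (created from another process)" if remote else ""))
```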

Regarding Claim 4;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Pan further discloses wherein automatically identifying the at least one thread as a security risk comprises automatically identifying one or more activities carried out by the at least one thread identified as a security risk (Pan: par 0012; anomaly is identified automatically by locating one or more time-consuming operations in particular threads; par 0038; the processes enabled by the Performance Evaluator begin operation by using a tracer module to capture all system events generated by threads associated with individual running tasks. The system events captured by the tracer module are either written to a trace file, or stored in a temporary or circular buffer prior to being written to the trace file).
One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).

Regarding Claim 5;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Pan further discloses wherein performing the at least one automated action comprises automatically outputting the identification of at least one of the one or more threads as a security risk to a network security server (Pan: par 0012; anomaly is identified automatically by locating one or more time-consuming operations in particular threads; par 0038; the processes enabled by the Performance Evaluator begin operation by using a tracer module to capture all system events generated by threads associated with individual running tasks. The system events captured by the tracer module are either written to a trace file, or stored in a temporary or circular buffer prior to being written to the trace file; par 0046; the entire pre-evaluated control pattern database can be provided to the client as a download that is periodically updated by the server, or the client can simply send full or partial control patterns to the server for a remote comparison, with the server then reporting the results back to the client; par 0053; the Performance Evaluator then evaluates the corresponding control patterns and automatically determines the root causes of the abnormal or anomalous performance).
One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).

Regarding Claim 6;
Strogov in combination with Pan disclose the computer-implemented method of claim 5.
Pan further discloses automatically performing one or more remedial actions with respect to the user device in response to input from the network security server (Pan: par 0046; the entire pre-evaluated control pattern database can be provided to the client as a download that is periodically updated by the server, or the client can simply send full or partial control patterns to the server for a remote comparison, with the server then reporting the results back to the client; par 0033; when a performance anomaly is identified, either automatically or manually, a control pattern is then extracted from the recorded trace data for the tracking period; par 0136; abnormal program or task termination can occur for a number of reasons. The trace file may contain only a partial record of any anomalous behavior that was occurring at the time of the abnormal termination).
One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).

Regarding Claim 7;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Strogov further discloses wherein obtaining information pertaining to the one or more images comprises registering to a kernel callback using at least one application programming interface (Strogov: par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread; par 0035; the file protector driver can be implemented as a file system filter driver, which is a kernel-mode component that runs as part of the operating system).

Regarding Claim 8;  	
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Strogov further discloses wherein the information pertaining to the one or more images comprises at least one of: process association information, image path information, memory start address, memory end address, and image size information (Strogov: par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread [...] the plurality of values stored in the execution stack at a given time (e.g., return addresses, parameters, local variables, etc.) provide an input data set that can be analyzed using machine learning to identify tendencies and patterns indicative of malicious software using attack vectors such as shared-service processes).

Regarding Claim 9;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Strogov further discloses wherein obtaining information pertaining to the one or more threads comprises registering to a kernel callback using at least one application programming interface (Strogov: par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread; par 0035; the file protector driver can be implemented as a file system filter driver, which is a kernel-mode component that runs as part of the operating system).

Regarding Claim 10;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Strogov further discloses wherein the information pertaining to the one or more threads comprises at least one of: identification of the process creating a given one of the one or more threads, identification of the process in which a given one of the one or more threads is created, a memory start address, a memory end address, and thread identifier information (Strogov: par 0031; fig. 1; the file protector driver is configured to receive an execution stack for specified control points. The execution stack is a data structure used by the operating system to store and manage data values related to the execution state of the thread [...] the plurality of values stored in the execution stack at a given time (e.g., return addresses, parameters, local variables, etc.) provide an input data set that can be analyzed using machine learning to identify tendencies and patterns indicative of malicious software using attack vectors such as shared-service processes).
  
Regarding Claim 11;
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Pan further discloses wherein the information pertaining to the one or more processes running on the user device comprises at least one of: path-related information, filename information, and user information (Pan: par 0014; system events and inter-thread interactions relating to the task are then recorded to a buffer or trace file as those events occur. "Control patterns" are then extracted from the trace file for the task. Note that a "control pattern" is defined as including the set of critical paths during the period of handling a task, and contains an identification of all participant threads and the causal relations of the operations that happen in those threads; par 0039; the control pattern represents the critical paths and causal relations of multiple threads that cooperate to complete a task).
One would have been motivated to track system events to diagnose root causes of application performance anomalies (Pan: abstract).

Regarding Claim 12; 
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Strogov further discloses wherein the at least one processing device comprises the user device (Strogov: par 0022; the system includes computer hardware that supports execution of one or more user-level processes or OS thread processes executing in an operating system (OS) environment provided by an operating system. Each user process may be associated with a user application; par 0049; the computer readable program instructions execute entirely on the user's computer).  

Regarding Claim 13;
This Claim recites a non-transitory processor-readable storage medium that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1, and is thus rejected with the same rationale applied against Claim 1.

Regarding Claim 15;
This Claim recites a non-transitory processor-readable storage medium that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3, and is thus rejected with the same rationale applied against Claim 3.

Regarding Claim 16;
This Claim recites a non-transitory processor-readable storage medium that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4, and is thus rejected with the same rationale applied against Claim 4.

Regarding Claim 17;
This Claim recites an apparatus that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1, and is thus rejected with the same rationale applied against Claim 1.

Regarding Claim 19;
This Claim recites an apparatus that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3, and is thus rejected with the same rationale applied against Claim 3.

Regarding Claim 20;
This Claim recites an apparatus that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4, and is thus rejected with the same rationale applied against Claim 4.

Claims 2, 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Strogov et al. (US 20190286821) in view of Pan et al. (US 20090320021) and further in view of Gupta et al. (“Gupta,” US 20190138648, published on 05/09/2019).
Regarding Claim 2; 
Strogov in combination with Pan disclose the computer-implemented method of claim 1.
Pan further discloses performing at least one automated action (Pan: par 0033; when a performance anomaly is identified, either automatically or manually, a control pattern is then extracted from the recorded trace data for the tracking period).
Strogov in combination with Pan disclose performing at least one automated action as recited above, but do not explicitly disclose that the action includes providing contextual data about an action that occurred on the user device to a server, wherein the contextual data includes file-related information, process-related information, or registry-related information.
However, in an analogous art, Gupta discloses an analytics interface system/method in which:
the action includes providing contextual data about an action that occurred on the user device to a server, wherein the contextual data includes file-related information, process-related information, or registry-related information (Gupta: par 0135; the dialog planner sends and receives contextual information to and from the context manager; par 0136; contextual information includes, but is not limited to, users' previously requested analytics tasks, ordered sequences of analytics tasks, rankings of previously executed analytics tasks, slots and slot values of previously executed analytics tasks, and common slots and slot values among analytics tasks).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Gupta with the method/system of Strogov and Pan so that the action includes providing contextual data about an action that occurred on the user device to a server, wherein the contextual data includes file-related information, process-related information, or registry-related information. One would have been motivated to provide an intelligent analytics interface to facilitate an exchange between the systems and a user to determine values for the analytics task (Gupta: abstract).

Regarding Claim 14;
This Claim recites a non-transitory processor-readable storage medium that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2, and is thus rejected with the same rationale applied against Claim 2.

Regarding Claim 18;
This Claim recites an apparatus that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2, and is thus rejected with the same rationale applied against Claim 2.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439    



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439