DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Initial Remarks
	This action is in response to communication: 04/10/2020.  Claims 1-20 are pending.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  Claim 6 recites “wherein a starting address associated with the allocated one or more decoy memory segments is larger than a starting address associated with the allocated one or more decoy memory segments.”  The language of claim 6 is unclear because, in the event of one decoy segment being allocated, its starting address cannot be larger than itself.  Examiner is interpreting the claim language to mean wherein there is more than one allocated decoy memory segments, the associated starting addresses are located among/throughout the stack (i.e. addresses/locations may vary from the beginning to the end of the stack).  Appropriate action/clarification is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-8, 10-14 and 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kawatani (J.P. 2009-259078).
Regarding claim 1, Kawatani teaches a method of detecting unexpected behavior associated with a process, comprising: receiving a memory allocation request (a request from the program – pg. 2: “Description:” para. 6; outputs the executable program – pg. 3: para. 14-16), the request indicating one or more memory segments to be allocated in memory of a computing system (detecting a buffer overflow that occurs when a program is executed by a computer, wherein the computer allocates a buffer memory area in a memory in response to a request from the program; An allocation step of allocating dummy memory areas to the addresses before and after adjacent to each other – pg. 2: “Description:” para. 6; predetermined function is called to allocate first dummy area, a buffer area and second dummy variable sequentially on the stack – pg. 3: para. 14-16); 
allocating the one or more memory segments in the memory based on the memory allocation request (allocates a buffer area in a memory in response to a request from the program – pg. 2; “Description;” para. 6; buffer variable allocated on the stack memory – pg. 3: para. 14-16); 
allocating one or more decoy memory segments in the memory based on the memory allocation request (allocating dummy memory areas to the addresses before and after the allocated buffer, adjacent to each other – pg. 2: “Description:” para. 6; first and second dummy variables allocated to the stack memory – pg. 3: para. 14-16); 
trapping an input/output (I/O) operation (CPU detects overflow and generates an interrupt/interrupt function called - pg. 3; para. 2; detected that the data in the dummy variable memory areas 61 and 63 has been updated (S24: YES), the debugging unit 14 generates an interrupt and calls an interrupt function – pg. 3: para. 19); 
detecting an unexpected behavior associated with the I/O operation based on determining that the I/O operation impacts at least one of the one or more decoy memory segments (CPU detects overflow and generates an interrupt/interrupt function called - pg. 3; para. 2; detected that the data in the dummy variable memory areas 61 and 63 has been updated (S24: YES), the debugging unit 14 generates an interrupt and calls an interrupt function – pg. 3: para. 19); and 
performing one or more actions based on the detection (by detecting this interrupt, the execution unit 13 (the program 34 being executed) detects the occurrence of a buffer overflow (S25); By executing the interrupt function, predetermined error processing (forcibly terminating the program / function being executed, collecting log information, etc.) is performed (i.e. one or more actions) – pg. 3: para. 19).  

	Regarding claims 10 and 16, claims 10 and 16 comprise the same or similar language as claim 1 and are, therefore, rejected for the same or similar reasons.  Note, regarding Claim 10, Kawatani teaches a memory comprising executable instructions; and a processor in data communication with the memory and configured to execute the instructions to cause the computer system to (a general-purpose computer system including at least a CPU, a memory, and an external storage device such as an HDD can be used. In this computer system, each function of the detection apparatus 1 is realized by the CPU executing a program loaded on the memory – pg. 3: para. 5).

Regarding claim 2, Kawatani teaches wherein the allocated one or more decoy memory segments are contiguous with respect to the allocated one or more memory segments (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 below; at least dummy segment(s) (61) being contiguous with buffer segment (62)).  

[AltContent: textbox (Illustrated Fig. 6)]
    PNG
    media_image1.png
    427
    424
    media_image1.png
    Greyscale




[AltContent: rect]

[AltContent: rect]



	Regarding claims 11 and 17, claims 11 and 17 comprise the same or similar limitations as claim 2 and are, therefore, rejected for the same or similar reasons.

Regarding claim 3, Kawatani teaches wherein the allocated one or more decoy memory segments are non-contiguous with respect to the allocated one or more memory segments (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (61) being non-contiguous with next/sequential buffer segment (62*)).  

Regarding claim 12, claim 12 comprises the same or similar limitations as claim 3 and is, therefore, rejected for the same or similar reasons.

Regarding claim 4, Kawatani teaches wherein the allocated one or more decoy memory segments are contiguous with respect to each other (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (63) being contiguous with sequential/next dummy segment (61*)).  

Regrading claim 5, Kawatani teaches wherein the allocated one or more decoy memory segments are not contiguous with respect to each other (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (61) being non-contiguous with dummy segment (63)).  

Regarding claim 6, Kawatani teaches wherein a starting address associated with the allocated one or more decoy memory segments is larger than a starting address associated with the allocated one or more decoy memory segments (dummy segment 63 address larger than dummy segment 61 address (i.e. location within the buffer/stack - see Fig. 6 and illustrative Fig. 6 above). Note, this analysis is subject to the interpretation from the 35 U.S.C. 112(b) rejection above.  

Regarding claim 7, Kawatani teaches further comprising: receiving a first indication of a computer security risk associated with the computer system (preprocessing unit 11 performs preprocessing before compiling a source program stored in advance in the program storage unit 15; compiling unit 12 reads the preprocessed source program output to the program storage unit; execution unit 13 executes the executable program and detects a buffer overflow – pg. 2: “Description;” para. 12-13; i.e. an overflow is a “computer security risk”); and 
prior to receiving the memory allocation request, enabling a decoy memory allocation mechanism for use in detecting unexpected behavior (The debugging unit 14 is a debugging function of the CPU (hardware) of the detection apparatus 1 and detects an error that occurs when an executable program (such as an application program) in the program storage unit 15 is executed; which generates an interrupt (i.e. before the program is executed) – pg. 3: para 1-2).  

Regarding claims 13 and 18, claims 13 and 18 comprise the same or similar limitations as claim 7 and are, therefore, rejected for the same or similar reasons.

Regarding claim 8, Kawatani teaches further comprising: receiving a second indication indicative of the computer security risk being resolved; and disabling the decoy memory allocation mechanism (By executing the interrupt function, predetermined error processing (forcibly terminating the program (i.e. an indication of termination)/ function being executed, collecting log information, etc.) is performed – pg. 3: para. 19; i.e. once interruption has been executed, the debugging mechanism is no longer needed/disabled until another overflow instance is detected/occurs).  

Regarding claims 14 and 19, claims 14 and 19 comprise the same or similar limitations as claim 8 and are, therefore, rejected for the same or similar reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 9, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kawatani (J.P. 2009-259078) in view of Iwamura (J.P. 2006-053760).
Regarding claim 9, While Kawatani teaches detecting and preventing buffer/stack overflow and executing an interrupt function which may forcibly terminate the program/function being called, collect log information, etc., Kawatani may not necessarily teach the overflow is part of a computer security attack and executing the interrupt function and performing the one or more actions comprises at least one of examining: a timing associated with the I/O operation; a payload of the I/O; and information that is read from or written to the one or more decoy memory segments based on the I/O operation.
Iwamura teaches wherein: the unexpected behavior is a computer security attack (detection means for detecting the occurrence of a buffer overflow attack – Iwamura; pg. 3; para. 14) and performing the one or more actions comprises at least one of examining: a timing associated with the I/O operation; a payload of the I/O (as the analysis information to be provided, the information on the location of the buffer that was the target of the attack and information on the function that secured the buffer are extracted, and the function call history from the buffer allocation to the buffer overflow attack – Iwamura; pg. 3: para. 13; the analysis information may be provided to the developer and modifications may be made based on the analysis information (i.e. at least examination of data/information associated a payload of the I/O) – Iwamura; pg. 4: paras. 11-14); and information that is read from or written to the one or more decoy memory segments based on the I/O operation. Note, the claim limitation comprises multiple alternatives, in which only a single alternative may be rejected. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Kawatani to have wherein overflows may occur beyond just mere computer/programming error (i.e. potential malicious code/attacks), and analysis/interpretation of the data/information associated with the attack, as taught by Iwamura.  The suggestion/motivation for doing so would have been to further detect/prevent buffer overflow attacks and provide additional information (to be examined) in order to clarify the cause of the attack and to more quickly perform countermeasures. (Iwamura; pg. 3: para. 12-13). Therefore, it would have been obvious to combine Kawatani and Iwamura for the benefits shown above to obtain the invention as specified in the claims.

Regarding claims 15 and 20, claims 14 and 20 comprise the same or similar limitations as claim 9 and are, therefore, rejected for the same or similar reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
J.P. 2006-053760 – “Buffer overflow vulnerability analysis method, data processor, analysis information providing device, program for extracting analysis information, and program for providing analysis information;” information on call history of the function from the buffer securement to buffer overflow attack can be extracted; extracted analysis information – Abstract; 
U.S. Patent Pub. No. 2021/0110040 – “Protecting against out-of-bounds buffer references;” out of bounds checking/managing for memory buffers – Abstract; 
U.S. Patent Pub. No. 2015/0169869 – “Stack entry overwrite protection;” allocating stacks based on class – Abstract;
Eleanor Birrell’s “Lecture 1: Buffer Overflows;” General overview/examples/prevention techniques/etc. regarding stack smashing;
Krerk Piromspoa’s et. al. “Survey of Protections from Buffer-Overflow Attacks;” General overview/examples/prevention techniques/etc. regarding Buffer-overflow attacks; and
Hector Marco-Gisbert’s et. al. “SSPFA: effective stack smashing protection for Android OS;” Frame canaries – pg. 521; Fig. 1;
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD L SUTTON whose telephone number is (571)272-1709. The examiner can normally be reached M-F 9:30 - 5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arpan Savla can be reached on (571) 272-1077. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/R.L.S./Examiner, Art Unit 2137                                                                                                                                                                                                        

/PRASITH THAMMAVONG/Primary Examiner, Art Unit 2137