Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 1-20 are presented for examination.
Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
	A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	Claims 1, 3, 4, 9, 11, 12, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Tolpin et al. (US Publication No. 2018/0082060) in view of Gupta et al. (US Publication No. 2018/0324195).
	As per claims 1, 9 and 17, Tolpin discloses a method for detecting multiple malicious processes, the method comprising: identifying a first process and a second process launched on a computing device (paragraphs [0030]-[0031], “[t]here may be multiple processes 202”, “[a]s processes 202 execute, processes 202 generate system calls 204A-N”; paragraph [0033], the vector generator traces system calls generated by multiple processes and generates count vectors 206A-N; paragraph [0044], “vector generator 114 may retrieve the process ID from one of the arguments passed to a system call”);
receiving from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process (paragraph [0033], “vector generator 114 may trace system calls 204 (execution stack) generated by multiple processes 202” (i.e., first and second processes); paragraph [0031] recites that the system calls include or indicate, for example, exit, fork, read, write, open and close, which corresponds to the claimed execution stack); receiving from the second process a second execution stack (paragraph [0033], “vector generator 114 may trace system calls 204 (execution stack) generated by multiple processes 202” (i.e., first and second processes); paragraph [0031] recites that the system calls include or indicate, for example, exit, fork, read, write, open and close, which corresponds to the claimed execution stack); determining that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point, wherein the machine learning classifier is configured to evaluate maliciousness for a plurality of processes based on control points of each process (paragraphs [0046]-[0047], malware detection module 116 receives vector packets 402 from multiple computing devices 104, other servers 106, etc. Each vector packet 402 includes one or more count vectors 206 that represent system call information generated by one of processes 202. Malware detection module 116 may include a machine learning architecture that uses count vectors 206 to detect malware in or masquerading as process 202); and generating an indication that an execution of the first process and the second process is malicious (paragraph [0056], “alert generator 508 generates an alert when malware detection module 116 identifies a novel process, a masquerade process or non-grata process”).
	Tolpin does not explicitly disclose, but in an analogous art Gupta discloses, a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process (paragraph [0116], “in monitoring mode, as runtime information arrives and is analyzed by the Analysis engine, it generates notifications that are directed to the designated security analysis”); and a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process (paragraph [0116], in monitoring mode, runtime information is analyzed by the Analysis engine and it generates notifications. Paragraph [0107] discloses that the Analysis engine performs runtime analysis for multiple applications (i.e., first process and second process), which shows that the analysis and notification recited in paragraph [0116] are performed for multiple (first, second, etc.) applications (processes)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tolpin with Gupta. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to accurately identify and block malware attacks before the malware successfully carries out its malicious intent.
	As per claims 3, 11 and 19, Tolpin furthermore discloses wherein the machine learning classifier is trained using a dataset that maps control point states of the plurality of processes to a plurality of multi-target injecting identities (paragraph [0050], “[t]he probability classifier determines a probability that the processes in the process list generated by FC module 504 are process 202. [d]epending on whether the processes in the process list map to the process ID 404 or are processes known to the SM module 506 as malware processes, SM module 506 determines whether process 202 that generated count vectors 206 includes or is malware”).
	As per claims 4, 12 and 20, Tolpin discloses wherein identifying the first process and the second process launched on the computing device further comprises: detecting one of a modification, creation, and deletion of a thread on the computing device (paragraph [0040], the system call indicates fork, open, read, write (modification)) and determining that the first process and the second process are associated with the one of the modification, creation, and deletion of the thread (paragraphs [0047]-[0048], “malware detection module 116 receives vector packets 402…[e]ach vector packet 402 includes one or more count vectors 206 that represent system call information generated by one of processes 202…malware detection module 116 may include machine learning architecture that uses count vectors 206 to detect malware in or masquerading as process 202”).
	Claims 2, 6, 10, 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tolpin in view of Gupta, further in view of Shevchenko (US Publication No. 2009/0049550).
	As per claims 2, 10 and 18, Tolpin in view of Gupta discloses all limitations of the claims as applied to claims 1, 9 and 17 above. Tolpin in view of Gupta does not explicitly disclose, but in an analogous art Shevchenko discloses, determining an identifier of an injecting party associated with thread creation in the first process and the second process, wherein the generated indication comprises the identifier of the injecting party (paragraph [0088], “[a]s soon as the memory scanning system 400 detects malicious code, but fails to establish what file is associated with the malicious code, it looks up the map constructed by the monitor to find which process injected the code and the address of the process, as this code was found to be malicious”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tolpin and Gupta with Shevchenko. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to identify the source of the malicious code.
	As per claims 6 and 14, Tolpin in view of Gupta teaches all limitations of the claims as applied to claims 1 and 9 above. Tolpin in view of Gupta does not explicitly disclose, but in an analogous art Shevchenko discloses, wherein the at least one first control point and the at least one second control point are associated with a system call to create a remote thread that runs in a virtual address space of a second process (paragraph [0088], “[a]t this point, the memory scanning system 400 may engage a proactive defense monitor to find out the source of the code that allocated, injected the malicious code, and started a remote thread to execute the injected malicious code. [i]n order to find out which process injected the malicious code into the place where it was found by the memory scanning system 400, the memory scanning system 400 may hook a number of APIs that are responsible for injecting the code into the virtual space of another process. For example,…CreateRemoteThread( )”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tolpin and Gupta with Shevchenko. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to resolve the timing issue of scanning a process after it has unpacked, and to determine and block the process before it initiates its malicious payload.
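The following is an added, constructed illustration of the detection logic discussed in the rejections of claims 1, 2 and 6; it is not code from Tolpin, Gupta or Shevchenko, nor from the application under examination. It builds a per-process system call count vector from a constructed trace (the role of Tolpin's vector generator), classifies each vector with a simple nearest-centroid classifier that stands in for the machine learning architecture, and treats a remote-thread-creation event as the control point that links an injecting process to a target process (the API hooking discussed from Shevchenko), so that the resulting indication names both processes and the identifier of the injecting party. The trace format, the system call vocabulary, the training vectors and all function names are assumptions made for this example.

```python
"""Constructed example: per-process system call count vectors, a stand-in
classifier, and remote-thread correlation producing an indication that names
the injecting party. Not code from any cited reference."""
from collections import Counter
import math

# Assumed system call vocabulary; this fixes the column order of every vector.
SYSCALLS = ("open", "read", "write", "close", "fork", "exit", "create_remote_thread")

# Constructed trace lines in an assumed format: "<pid> <syscall> [target=<pid>]".
# Process 300 forks, then creates a remote thread in process 400.
TRACE = """\
100 open
100 read
100 read
100 write
100 close
200 open
200 read
200 write
200 write
200 close
300 fork
300 open
300 write
300 create_remote_thread target=400
300 write
400 read
400 read
400 write
400 close
400 exit
"""

# Constructed labelled count vectors used to fit the stand-in classifier.
TRAINING = [
    ([1, 2, 1, 1, 0, 0, 0], "benign"),
    ([2, 3, 2, 2, 0, 1, 0], "benign"),
    ([1, 1, 1, 1, 0, 0, 0], "benign"),
    ([1, 0, 2, 0, 1, 0, 1], "malicious"),
    ([0, 0, 3, 0, 1, 1, 0], "malicious"),
    ([1, 0, 2, 0, 0, 0, 1], "malicious"),
]


def parse_trace(trace):
    """Return ({pid: count vector in SYSCALLS order}, [(injector_pid, target_pid)])."""
    counts, injections = {}, []
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        pid, call = int(parts[0]), parts[1]
        counts.setdefault(pid, Counter())[call] += 1
        # The remote-thread control point ties two processes together.
        if call == "create_remote_thread" and len(parts) > 2:
            injections.append((pid, int(parts[2].split("=", 1)[1])))
    vectors = {pid: [c[s] for s in SYSCALLS] for pid, c in counts.items()}
    return vectors, injections


def fit_centroids(training):
    """Mean vector per label; a deliberately simple stand-in for a trained model."""
    sums, n = {}, Counter()
    for vec, label in training:
        acc = sums.setdefault(label, [0.0] * len(SYSCALLS))
        for i, v in enumerate(vec):
            acc[i] += v
        n[label] += 1
    return {label: [v / n[label] for v in acc] for label, acc in sums.items()}


def classify(vector, centroids):
    """Label of the nearest centroid by Euclidean distance."""
    return min(centroids, key=lambda label: math.dist(vector, centroids[label]))


def detect(trace, training=TRAINING):
    """Classify every process, then raise one indication per remote-thread
    pair whose injector is malicious, naming both processes and the injector."""
    vectors, injections = parse_trace(trace)
    centroids = fit_centroids(training)
    labels = {pid: classify(vec, centroids) for pid, vec in vectors.items()}
    indications = [
        {"processes": (injector, target), "injecting_party": injector}
        for injector, target in injections
        if labels.get(injector) == "malicious"
    ]
    return {"labels": labels, "indications": indications}


if __name__ == "__main__":
    result = detect(TRACE)
    print(result["labels"])        # 300 is malicious on its own vector
    print(result["indications"])   # pair (300, 400), injecting party 300
```

Note that process 400 classifies as benign on its own count vector; it is reported only because the remote-thread control point links it to the malicious injecting process, which is the point of evaluating the pair rather than each process in isolation.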

	Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Tolpin in view of Gupta, further in view of Wang et al. (US Patent No. 10,489,583).
	As per claims 5 and 13, Tolpin in view of Gupta discloses all limitations of the claims as applied to claims 1 and 9 above. Tolpin in view of Gupta does not explicitly disclose, but in an analogous art Wang discloses, wherein the at least one first control point and the at least one second control point are associated with events comprising at least one of: create a file, clean up a file, close a file, duplicate a handle, rename a file, delete a file, and create a thread (claim 7, deleting function, creating function).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tolpin and Gupta with Wang. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of detecting the files deleted or modified by the malware.

	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Tolpin in view of Gupta, further in view of Powell et al. (US Patent No. 8,250,652).
	As per claims 8 and 16, Tolpin in view of Gupta discloses all limitations of the claims as applied to claims 1 and 9 above. Tolpin in view of Gupta furthermore discloses that performing the remedial action comprises termination of at least one of the first process and the second process (Gupta, paragraph [0010], “termination of one or more threads”). The motivation to combine is similar to the motivation provided for claim 1.
	Tolpin in view of Gupta does not explicitly disclose, but in an analogous art Powell discloses, restoration of a file modified by at least one of the first process and the second process (column 5, lines 38-50, “restore the executable files to its original state”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tolpin and Gupta with Powell. This would have been obvious because one of ordinary skill in the art would have been motivated to restore the files to their original state after removing the detected security threats.

Allowable Subject Matter
Claims 7 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Zunino et al. (US Publication No. 2006/0005085) discloses that the platform for computer process monitoring may include monitoring at least one process of at least one computer using a monitoring package that provides multiple monitors. The monitors may be selectable so that one or more may be implemented for a process at the same time to simultaneously look for different types of events that may signify a defective process.
	Agarwal et al. (US Publication No. 2012/0311708) discloses a system and method that may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/Primary Examiner, Art Unit 2437