DETAILED ACTION
This is a non-final office action in response to applicant’s application filed on 11/10/2020.
Claims 1-18 are pending and being considered. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. GB1916345, filed on 11/11/2019.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/10/2020 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Claim Objections
Claims 1-2, 6, 8-10, 14, 16-18 are objected to because of the following informalities:  
Claim 17 recites “A computer program… according to claim 9” (whereas claim 9 is a computer apparatus) and is objected to as being of improper dependent form for failing to include all the limitations of the claim upon which it depends. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, or rewrite the claim(s) in independent form.
Claim 18 recites “A computer program product …” and is objected to as being of improper dependent form for failing to include all the limitations of the claim upon which it depends. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, or rewrite the claim(s) in independent form.
Claim 1 line 3, “… that said process” may read “that the new process” or “that said new process”. Similarly, claim 9 line 4.
Claim 1 line 4, “at which one or more external code modules…” may read “at which one or more of the external code modules…”. Similarly, claim 9 line 5.
Claim 1 line 5, “relative to the process starting time” may read “relative to new process starting time” or more appropriate form. Similarly, claim 9 line 6.
Claim 1 line 6, “determining that the usage of an external code module …” may read “determining that 
Claim 1 line 7, “between the start of the process and loading of” may read “between the start of the new process and the loading of”. Similarly, claim 9 line 8.
Claim 1 line 11, “based on determining that …” may read “based on the determining that …”. Similarly, claim 9 line 11.
Claim 2 lines 1-2, “comprises the execution of …” may read “comprises execution of …”. Similarly, claim 10 line 2.
Claim 6 line 4, “… if the new code module load/unload is …” may read “… if the new code modules loaded or unloaded are …”. Similarly, claim 14 line 4.
Claim 8 lines 2-3, “… comprises one or more of the list of:” may read “… comprises one or more of”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 3-4, 7, 9, 11-13, 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 line 2 recites “detecting a new process start at …”. It is not clear whether applicant intends to recite detecting a new process that start(s) at …, or detecting a new process start. Applicant is suggested to clarify the claim language.
Similarly, claim 9 line 3.
Claim 3 lines 1-2 recites the limitation "the related executable image".  There is insufficient antecedent basis for this limitation in the claim.
Similarly, claim 4 line 2, claim 11 line 2, claim 12 line 2.
Claim 4 lines 1-2 recites “processing the file contents of …”. There is insufficient antecedent basis for this limitation in the claim. 
Similarly, claim 12 line 2.
Claim 5 line 2 recites the limitation "the import table".  There is insufficient antecedent basis for this limitation in the claim. 
Similarly, claim 13 line 2.
Claim 7 line 5 recites the limitation “the executable images for the processes”. There is insufficient antecedent basis for limitations highlighted above in the claim.
Similarly, claim 15 lines 6-7.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 9-16 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. The claim is not statutory because the claim recites “A computer apparatus comprising: one or more processors configured to: …”. Under the broadest reasonable interpretation (BRI) of the claim, the one or more processors can be software per se since applicant’s specification does not explicitly suggest processor(s) may be hardware processor(s). To overcome the above rejection, applicant is suggested to include hardware components such as memory. One example of suggested amendment: A computer apparatus comprising: one or more processors, memory storing computer program instructions when executed by the one or more processors, cause the one or more processors to: …
Dependent claims 10-16 fail to cure the deficiency of claim 9 and are therefore also rejected under 35 USC 101 as shown above.
Claim 17 is rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. The claim is not statutory because the claim recites “A computer program comprising: …”. Computer program is computer software, therefore does not fall within at least one of the four categories of patent eligible subject matter.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 9-10, 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Liu (US20170220797A1-IDS by applicant, hereinafter, “Liu”), in view of Wright (US20110023115A1, hereinafter, “Wright”).
Regarding claim 1, Liu teaches:
A method of threat detection (Liu, discloses a malware detection method and apparatus, see [Abstract]), the method comprising: 
detecting a new process start at a network node of a computer network (Liu, referring to Fig. 1 step 100, and [0009] running to-be-detected software in a sandbox. And [0011] …obtaining usage of a central processing unit of a device (a network node) on which the sandbox is located. Examiner notes, “to-be-detected software” is the new process to be run in the sandbox, in other words, the new process is to run the to-be-detected software in the sandbox of the device); 
determining that said process requires external code modules (Liu, [0009] when it is detected that any one of the interface is called, also see Fig. 1A step 110, [0033] detect whether at least one interface (i.e. external code modules) that has a delay attribute in the sandbox is called. Examiner notes, calling interface is interpreted as requiring external code modules since the claim does not limit what external code modules are); 
observing the times at which one or more external code modules required by the new process are loaded relative to the process starting time (Liu, [0034] Step 120: When it is detected that any one of the interface is called, determine whether delay duration corresponding to a first delay length parameter of the called interface is greater than the preset duration); 
determining that the usage of an external code module required by the new process is anomalous when the time elapsed between the start of the process and loading of said external code module lies outside predetermined expected boundaries (Liu, referring to Fig. 1A, steps 120-140, [0033] determine whether delay duration corresponding to a first delay length parameter of the called interface is greater than the preset duration (i.e. outside predetermined expected boundaries), and [0036] Step 140: Compare the at least one recorded operation with an operation of a malicious behavior, and determine, based on a comparison result that an operation that matches the operation of the malicious behavior exists in the at least one recorded operation, that the to-be-detected software is malware); 
While Liu does not expressly teach taking further action after determining an anomalous process, in the same field of endeavor Wright teaches:
and taking further action to protect the network node and/or the computer network based on determining that the usage of the external code module required by the detected new process is anomalous (Wright, discloses threat detection using a behavioral-based host-intrusion prevention method by monitoring user interaction with a computer, see [Abstract]. And referring to Fig. 3 step 310, and [0074] At step 310, an action is caused based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype, and [0075] and performing an action to protect the computer network based at least in part on the user interaction. Such protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior and monitoring a computer code process executing during the usage session for an indication of a code operation).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wright in the malware detection method of Liu by taking preventive action after determining the executing computer process being type of malicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform further preventive action to protect the computer network after determining user interaction with computer being type of malicious act (Wright, [Abstract]). 

Regarding claim 9, Liu-Wright combination teaches:
A computer apparatus (Liu, discloses a malware detection method and apparatus, see [Abstract]) comprising: one or more processors (Liu, Fig. 4, The malware detection apparatus 3000 includes at least one processor 401) configured to: perform method steps substantially similar to the method steps of claim 1, therefore is rejected with same rationale set forth as rejection of claim 1 above.

Regarding claim 17, Liu-Wright combination teaches:
A computer program (Liu, Fig. 4, Executable program) comprising computer readable code (Liu, [0100] The memory 403 is configured to store executable program code. By executing the program code…) which, when run on a computer apparatus or server, causes the computer apparatus or server to act as a computer apparatus or server according to claim 9, therefore is rejected with same rationale set forth as rejection of claim 9 above. 

Regarding claim 18, Liu-Wright combination teaches:
A computer program product (Liu, [0108] The present disclosure is described with reference to the flowcharts and/or block diagrams of the method, the device (system), and the computer program product) comprising a non-transitory computer readable medium (Liu, see Fig. 4, Memory 403) and a computer program according to claim 17, wherein the computer program is stored on the computer readable medium (Liu, Fig. 4, Executable program), is rejected with same rationale set forth as rejection of claim 9 and claim 17 above.

Regarding claim 2, similarly claim 10, Liu-Wright combination further teaches:
The method according to claim 1, the computer apparatus according to claim 9, 
wherein the new process comprises the execution of one or more of: a code module, a dynamic load library, a shared object (Wright, [0007] Such protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior and monitoring a computer code (i.e. code module) process executing during the usage session for an indication of a code operation).  

Claims 3, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Mayo (US20180089430A1, hereinafter, “Mayo”).
Regarding claim 3, similarly claim 11, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Mayo teaches:
further comprising determining whether the related executable image for the new process is known clean, wherein the step of determining whether the related executable image for the new process is known clean comprises determining whether the executable image satisfies one or more predetermined whitelisting criteria (Mayo, discloses security profiling files on a computer system [Abstract]. And [0027] The present invention provides a computer security profiling system and related methods that allow an executable program file (i.e. executable image), for example an unrecognized file found in a scan like the one described, to be compared to a software file on the computer system already identified as safe, for example whitelisted, and to determine whether those files are similar or related).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mayo in the malware detection method of Liu-Wright by comparing executable file to whitelisted software application to determine whether the executable file can be run in the computer system. This would have been obvious because the person having ordinary skill in the art would have been motivated to scan the executable program file to determine whether the executable program file is a security threat to the computer system (Mayo, [Abstract], [0002]). 

Claims 4-5, 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Copley (US20070056035A1, hereinafter, “Copley”).
Regarding claim 4, similarly claim 12, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Copley teaches:
the method further comprising: processing the file contents of the related executable image for retrieving a list of expected external code modules that could be used by the new process (Copley, discloses method for detection of forged computer files, see [Abstract]. And [0017] A purported system file may be examined based on the file content to determine the presence of executable code and to compare the function of any executable code to the expected and/or acceptable parameters based on the system file type, file originator [like MICROSOFT.RTM.], or the file scope including the range of functions that may be called and/or executed. And [0018] The file contents of a suspect file may be analyzed in many different ways in order to compare against the file contents of known good files).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Copley in the malware detection method of Liu-Wright by examining file content to determine the presence of executable code. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine if the suspect file is malicious file for improved security performance (Copley, [Abstract], [0007]). 

Regarding claim 5, similarly claim 13, Liu-Wright-Copley combination further teaches:
The method according to claim 4, the computer apparatus according to claim 12, wherein the step of processing the file contents comprises one or more of: processing the import tables, processing code, extracting various artefacts (Copley, [0030] In Engine 114, "Dynamic analysis" involves parsing the file in such a manner in which the instructions of the file may be run (i.e. processing code) directly or "virtually". This type of analysis is useful for cutting through iterations of code which have a end result that is the same, but the actual code itself is obscured through a variety of means of redirection so that the code in question might be obscured, and therefore escape analysis through static means).  

Claims 6, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright-Copley combination as applied above, further in view of Satish et al (US20080010538A1, hereinafter, “Satish”).
Regarding claim 6, similarly claim 14, Liu-Wright-Copley combination teaches:
The method according to claim 4, the computer apparatus according to claim 12,
While Liu-Wright-Copley combination does not expressly teach the following limitation(s), in the same field of endeavor Satish teaches:
the method further comprising collecting information about new code modules being loaded or unloaded and in relation to every new code module load or unload the method further comprises increasing the level of suspiciousness of the new process if the new code module load/unload is not in the list of expected external code modules (Satish, discloses detecting suspicious embedded malicious content, see [Abstract]. And [0024] malicious code detector 160 represents a software module configured to execute a method for detecting (i.e. at least collecting) malicious code in the form of embedded machine code in a benign type data file. Also [0025] malicious code detector 160 may include routines for determining the application program 170 loading a file 202. And [0026] Since a benign type of data file is a data file in which the presence of executable code is not expected under any normal circumstances (i.e. not in the list of expected external code modules) …, the presence of any encoded executable code in a benign file type data file may be interpreted as an indication of the file being at least suspicious (i.e. increasing the level of suspiciousness), if not malicious).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Satish in the malware detection method of Liu-Wright-Copley by identifying malicious code in form of embedded machine code as not as expected and interpreting as indication of at least suspicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the malicious code detector to identify data file presented as executable file as malicious code to detect suspicious embedded malicious content in benign file formats (Satish, [Abstract], [0026]). 

Claims 7, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Edwards (US20130276119A1, hereinafter, “Edwards”) and Pottinger (US20170039211A1, hereinafter, “Pottinger”).
Regarding claim 7, similarly claim 15, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Edwards teaches:
wherein the step of determining whether the usage of an external code module required by the new process is anomalous is further based on determining that the external code module required by the new process belongs to a group of known processes having sufficiently similar properties (Edwards, discloses method of detection of attempt by an unknown process to control a known process [Abstract]. And [0038] For example, in the case that malicious code associated with the first process 406 attempts to perform an action that may trigger file or registry rules, then the second process 408 may be blocked because the process may no longer be trusted. If code associated with the first process 406 is determined not to be malicious, then the second process 408 may be allowed to perform required operations (i.e. first and second process having similar properties with content of having malicious code)) [on the basis of comparing file names of the executable images for the processes and/or comparing portions of the content of the executable images for the processes] (See Pottinger below for teachings of limitation(s) in bracket).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Edwards in the malware detection method of Liu-Wright by determining to allow second process to be performed based on whether first process is associated with malicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine known process based on whether the process is trusted or not, i.e. based on determination whether malicious code is associated with process (Edwards, [Abstract], [0038]).
The combination of Liu-Wright-Edwards does not expressly teach, however Pottinger in the similar field of endeavor teaches:
on the basis of comparing file names of the executable images for the processes and/or comparing portions of the content of the executable images for the processes (Pottinger, discloses method for determining content similarity using hash value, see [Abstract]. And [0026] The hash values generated by this hash function can be used to determine whether any files including JavaScript code are identical or similar to one another. In another example, a separate hash function can be built to generate hash values for files that include text… this hash function can be built to generate hash values based on the respective content corresponding to the different text files).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pottinger in the malware detection method of Liu-Wright-Edwards by determining content similarity based on hash values. This would have been obvious because the person having ordinary skill in the art would have been motivated to use hash function to generate hash values based on respective content of text files (such as code) to determine whether the text files are identical or similar to one another (Pottinger, [Abstract], [0026]).

Claims 8, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Cohen et al (US20180234435A1, hereinafter, “Cohen”).
Regarding claim 8, similarly claim 16, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Cohen teaches:
wherein the step of taking further action to secure the computer network and/or any related network node comprises one or more of the list of: preventing one or more of the network nodes from being switched off; switching on a firewall at one or more of the network nodes; warning a user of one or more of the network nodes that signs of a security breach have been detected; and/or sending a software update to one or more of the network nodes (Cohen, discloses method for proactively predicting cyber-security threats, [Abstract]. In particular, [0054] The mitigation action may include instructing an end-point security device to perform the action, e.g., activating the host based firewall to block communication).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Cohen in the malware detection method of Liu-Wright by activating firewall to block network traffic to mitigate the malicious activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to activate firewall on network device to mitigate the malicious activity in network after potential cyber-security threat been identified (Cohen, [Abstract], [0054]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Paithane et al (US20140380474A1) discloses detecting time-bomb malware by monitoring delay caused by events conducted during processing of content and to identify content as including malware if delay exceed specific time period.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436