Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Ryan Odessa on 04/25/2022 (Note: Proposed amendments are marked manually with underlining and .
1. (Currently Amended) A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(1)	identifying a plurality of applications that have a similarity relation to a reference application;
(1)(a)	applying an LSH algorithm to binary files for a pair of applications to produce a similarity value;
(1)(b)	determining that the similarity value satisfies a similarity criterion; and
(1)(c)	including the pair of applications within the plurality of applications in response to determining that the similarity value satisfies the similarity criterion.
(2)	identifying a network security policy, wherein the network security policy specifies the reference application and another application, and indicates that the reference application is authorized to communicate with the other application;
(3)	intercepting a network connection request including a particular application, other than the reference application, in the set of applications;
(4)	determining, based on the network security policy and the identified plurality of applications, that the network security policy applies to the particular application; and
(5)	determining whether the network security policy covers the connection request.

2. (Original) The method of claim 1, wherein the network security policy specifies the reference application as a source application, wherein the network security policy references the other application as a destination application, and wherein the network connection request comprises an outgoing network connection request from the particular application. 

3. (Original) The method of claim 1, wherein the network security policy specifies the reference application as a destination application, wherein the network security policy references the other application as a source application, and wherein the network connection request comprises an incoming network connection request to the particular application.

4. (Original) The method of claim 1, further comprising, before (4):
(6)	modifying the network security policy to produce a modified network security policy, wherein the modified network security policy specifies that the reference application and the plurality of applications are authorized to communicate with the other application, and
wherein (4) comprises determining, based on the modified network security policy, that the modified network security policy applies to the particular application.

5. (Canceled) 

6. (Currently Amended) The method of claim [[5]]1, wherein the LSH algorithm comprises a TLSH algorithm.

7. (Currently Amended) The method of claim 1, wherein (1) comprises, for each pair of applications A and B in a superset of the plurality of applications:
(1)(a)	applying [[an]] the LSH algorithm to binary files for the pair of applications A and B to produce [[a]] the similarity value for the pair of applications A and B;
(1)(b)	determining whether the similarity value satisfies a similarity criterion;
(1)(c)	if the similarity value is determined to satisfy the similarity criterion, then including the pair of applications A and B in the plurality of applications; and
(1)(d)	if the similarity value is not determined to satisfy the similarity criterion, then not including the pair of applications A and B in the plurality of applications.

8. (Original) The method of claim 7, wherein the LSH algorithm comprises a TLSH algorithm.

9. (Original) The method of claim 1, further comprising:
(6)	in response to determining that the network security policy covers the connection request, determining whether the network security policy allows the network connection request.

10. (Original) The method of claim 9, further comprising:
(7)	in response to determining that the network security policy allows the network connection request, allowing the network connection request.

11. (Currently Amended) A system comprising at least one non-transitory computer-readable medium storing computer program instructions executable by at least one computer processor to perform a method, the method comprising:
(1)	identifying a plurality of applications that have a similarity relation to a reference application;
(1)(a)	applying an LSH algorithm to binary files for a pair of applications to produce a similarity value;
(1)(b)	determining that the similarity value satisfies a similarity criterion; and
(1)(c)	including the pair of applications within the plurality of applications in response to determining that the similarity value satisfies the similarity criterion.
(2)	identifying a network security policy, wherein the network security policy specifies the reference application and another application, and indicates that the reference application is authorized to communicate with the other application;
(3)	intercepting a network connection request including a particular application, other than the reference application, in the set of applications;
(4)	determining, based on the network security policy and the identified plurality of applications, that the network security policy applies to the particular application; and
(5)	determining whether the network security policy covers the connection request.

12. (Original) The system of claim 11, wherein the network security policy specifies the reference application as a source application, wherein the network security policy references the other application as a destination application, and wherein the network connection request comprises an outgoing network connection request from the particular application. 

13. (Original) The system of claim 11, wherein the network security policy specifies the reference application as a destination application, wherein the network security policy references the other application as a source application, and wherein the network connection request comprises an incoming network connection request to the particular application.

14. (Original) The system of claim 11, wherein the method further comprises, before (4):
(6)	modifying the network security policy to produce a modified network security policy, wherein the modified network security policy specifies that the reference application and the plurality of applications are authorized to communicate with the other application, and
wherein (4) comprises determining, based on the modified network security policy, that the modified network security policy applies to the particular application.

15. (Canceled) 

16. (Currently Amended) The system of claim [[15]]11, wherein the LSH algorithm comprises a TLSH algorithm.

17. (Currently Amended) The system of claim 11, wherein (1) comprises, for each pair of applications A and B in a superset of the plurality of applications:
(1)(a)	applying [[an]] the LSH algorithm to binary files for the pair of applications A and B to produce [[a]] the similarity value for the pair of applications A and B;
(1)(b)	determining whether the similarity value satisfies a similarity criterion;
(1)(c)	if the similarity value is determined to satisfy the similarity criterion, then including the pair of applications A and B in the plurality of applications; and
(1)(d)	if the similarity value is not determined to satisfy the similarity criterion, then not including the pair of applications A and B in the plurality of applications.

18. (Original) The system of claim 17, wherein the LSH algorithm comprises a TLSH algorithm.

19. (Original) The system of claim 11, wherein the method further comprises:
(6)	in response to determining that the network security policy covers the connection request, determining whether the network security policy allows the network connection request.

20. (Original) The system of claim 19, wherein the method further comprises:
(7)	in response to determining that the network security policy allows the network connection request, allowing the network connection request.
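As an added illustration of the method recited in claims 1 and 11 (with the policy modification of claims 4 and 14 and the allow decision of claims 9 and 10), not code from the application or the examiner's record: the TLSH algorithm named in the claims is assumed unavailable and is replaced by a min-hash stand-in that yields a similarity in [0, 1]; the application names, sample binaries, policy and 0.5 threshold are all constructed.

```python
import random
from dataclasses import dataclass
# Stand-in LSH (min-hash over 4-byte windows); TLSH, which the claims name, is assumed
# unavailable here, and this stand-in yields a similarity in [0, 1] rather than a distance.
_rng = random.Random(7)
_P = (1 << 61) - 1
_COEFFS = [(_rng.randrange(1, _P), _rng.randrange(_P)) for _ in range(64)]

def lsh_signature(blob: bytes) -> list:
    shingles = {int.from_bytes(blob[i:i + 4], "big") for i in range(len(blob) - 3)}
    return [min((a * s + b) % _P for s in shingles) for a, b in _COEFFS]

def similarity(sig_a: list, sig_b: list) -> float:
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)  # estimates Jaccard overlap

def similar_applications(reference: str, binaries: dict, threshold: float) -> set:
    # Step (1): pair the reference with each other app; keep pairs whose value meets the criterion.
    ref_sig = lsh_signature(binaries[reference])
    return {reference} | {name for name, blob in binaries.items() if name != reference
                          and similarity(ref_sig, lsh_signature(blob)) >= threshold}

@dataclass(frozen=True)
class Policy:              # step (2): reference app and the other app it may communicate with
    source: str
    destination: str
    allow: bool = True

@dataclass(frozen=True)
class ConnectionRequest:   # step (3): the intercepted request (source -> destination)
    source: str
    destination: str

def expand(endpoint: str, binaries: dict, threshold: float) -> set:
    # Claim 4: widen the policy's reference endpoint to its similar set; non-app endpoints stay as-is.
    return similar_applications(endpoint, binaries, threshold) if endpoint in binaries else {endpoint}

def decide(policy: Policy, binaries: dict, request: ConnectionRequest, threshold: float = 0.5):
    """Steps (4)-(5) and claims 9-10: True = allowed, False = denied, None = not covered."""
    if (request.source in expand(policy.source, binaries, threshold)
            and request.destination in expand(policy.destination, binaries, threshold)):
        return policy.allow
    return None

# Constructed sample binaries: a reference, a lightly patched rebuild of it, and an unrelated program.
_ref = bytes((i * 7 + 3) % 256 for i in range(4000))
_patched = bytearray(_ref)
for _i in range(0, 4000, 400): _patched[_i] ^= 0xFF   # a few byte-level edits, as a rebuild would introduce
BINARIES = {"db-client": _ref, "db-client-2.1": bytes(_patched),
            "browser": bytes((i * 13 + 91) % 251 for i in range(4000))}
POLICY = Policy(source="db-client", destination="db-server")   # db-client may reach db-server
```

With these inputs the patched rebuild clears the threshold and inherits the reference's policy, while the unrelated program shares no windows with the reference and is left uncovered.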

Allowable Subject Matter
Claims 1-4, 6-14 and 16-20 are allowed.
The following is a statement of reasons for the indication of allowable subject matter: The prior art references of record do not, alone or in combination, teach the recited features of independent claims 1 and 11. In this case, the allowance is based on the combination of the recited steps and the features of those steps, which distinguish the claimed invention from the prior art. For example, the independent claims all require “identifying a plurality of applications that have a similarity relation to a reference application; identifying a network security policy which specifies the reference application and another application, and indicates that the reference application is authorized to communicate with the other application; intercepting a network connection request including a particular application, other than the reference application, in the set of applications; determining that the network security policy applies to the particular application based on the network security policy and the identified plurality of applications.”
In particular, the prior art references of record do not teach identifying a plurality of applications that have a similarity relation to a reference application; a network security policy indicating that the reference application is authorized to communicate with the other application; or determining that the network security policy applies to the particular application based on the network security policy and the identified plurality of applications.

White et al. (US 9773107 B2) teaches methods and systems for enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine. To communicate between subsystems, the source application may execute a remote procedure call, and this request may then be passed to the data bus. The data bus may then request a policy validation for the remote procedure call by passing that call to the policy engine. The policy engine may either approve or disapprove the transaction and communicate its decision. However, White does not explicitly teach “identifying a plurality of applications that have a similarity relation to a reference application”.
Kampanakis et al. (US 20200374314 A1) teaches a computer system that applies security policies to web traffic while maintaining privacy. Security policy information may be received by an agent module from a policy server. A client application may initiate the process of applying a security policy by providing the agent interface module with the identification of a destination entity. The agent interface module may determine that a connection to a destination entity should be established when the entity's assessment category is “safe”. However, Kampanakis does not explicitly teach “identifying a network security policy which specifies the reference application and another application, and indicates that the reference application is authorized to communicate with the other application.”
Agarwal et al. (US 20190005242 A1) teaches that a computing device can compare the function signatures of the binary executables of the applications within a group to determine the similarity of the applications. If two applications have binary executables that are over a threshold percentage of similarity, the two applications can be identified as clones of each other. However, Agarwal does not explicitly teach “determining that the network security policy applies to the particular application based on the network security policy and the identified plurality of applications.”
For this reason, the above limitations, in conjunction with all other limitations of the independent claims and their dependent claims, are neither anticipated nor rendered obvious by the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
• KIM et al. (US 20190102165 A1 hereinafter “Kim”): [Kim: 0084] the processor 130 may extract a similarity hash value by applying a similarity-based hash function (e.g., TLSH, sdHash, etc.) to each of the plurality of reference binary files.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571) 270-5524. The examiner can normally be reached 9:00 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.S./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493