16653702DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Harris (US 9,967,264 B2).

Double Patenting
Regarding the double patenting rejection:
	Responsive to the approved 12/22/2021 terminal disclaimer, the double patenting rejection has been withdrawn.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen (US 2016/0092190 A1) in view of Zhu (US 9,852,294 B1) and Harris (US 9,967,264 B2).

Regarding claim 1, Chen discloses: A server apparatus, comprising: 
a hardware platform comprising a processor and a memory; 
a network interface; and 
Refer to at least FIG. 1 and [0034] of Chen with respect to exemplary hardware and networking.
a vulnerability assessment server engine comprising instructions encoded within the memory to instruct the processor to: 
receive via the network interface an endpoint payload comprising a platform identification string, comprising an identifier for an application and an identifier for an action that the application intends to take; 
Refer to at least S406-S408 in FIG. 4, [0008], and [0062]-[0063] of Chen with respect to interrupting and analyzing an application installation event for which application information is obtained. The application information is provided to a cloud server.
query a vulnerability database and platform identification string database to procure an application-specific [references] for the action; and 
Refer to at least [0026]-[0029], S414 in FIG. 4, and [0066]-[0067] of Chen with respect to an SID database and procuring application-specific information from the cloud server.  
send via the network interface [application-specific references for the action].
Refer to at least [0067] of Chen with respect to the cloud server returning information obtained from the SID database.
Chen does not specify: wherein the action the application intends to take is a subset comprising less then all actions that the application is capable of taking; that the [references] further comprise an application-specific grayware reputation for the action; that procuring application specific [references] further comprise to procure an application-specific grayware reputation for the action, wherein the application-specific grayware reputation for the action represents a composite likelihood that the application is grayware and that the action is unwanted; that sending back the [application specific references for the action] is based at least in part on the grayware reputation; and that the [application specific references for the action] further comprise: an indication of whether the action is permissible for the application. However, Chen in view of Zhu discloses: procuring application specific [references] further comprising to procure an application-specific (e.g., at least Col. 13, Ll. 10-24 of Zhu concerning reputation data relating to the application) grayware reputation for the action (e.g., Col. 13, Ll. 35-37 and Col 13, Ll. 57-Col. 14, Ll. 13 of Zhu with respect to determining that an application is grayware based on its functions); that sending back the [application specific references for the action] is based at least in part on the grayware reputation; that the [application specific references for the action] further comprise: an indication of whether the action is permissible for the application;
Refer to at least Col. 11, Ll. 50-Col. 13, Ll. 52 of Zhu with respect to identifying an application, its reputation, whether the reputation is that of grayware or otherwise suspicious, and identifying its potentially malicious actions. A database may be queried.
wherein the action the application intends to take is a subset comprising less then all actions that the application is capable of taking.
Refer to at least Col. 7, Ll. 1-54, Col. 9, Ll. 9-51, and Col. 12, Ll. 4-22 of Zhu with respect to potential actions which may be taken by the application. 
Chen-Zhu does not fully specify: wherein the application-specific grayware reputation for the action represents a composite likelihood that the application is grayware and that the action is unwanted. However, Chen-Zhu in view of Harris discloses: wherein the application-specific grayware reputation for the action represents a composite likelihood that the application is grayware and that the action is unwanted. 
Refer to at least FIG. 16 and Col. 61, Ll. 20-39 of Harris with respect to providing a numerical score for an object/action combination, such as that of a specific application and an action in combination with said application. 
The teachings of Chen, Zhu, and Harris concern malware analysis and remediation and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chen to further include suspicious application reputations associated with potential application actions for at least the reasons discussed in Col. 3, Ll. 60-Col. 4, Ll. 10 of Zhu (i.e., improved security by more efficiently and effectively identifying grayware applications). It further would have been obvious to modify the teachings of Chen-Zhu to include support for specific object/action combination scoring for at least the purpose of increasing detection accuracy (i.e., having more data to determine maliciousness). 

Regarding claim 2, Chen-Zhu-Harris discloses: The server apparatus of claim 1, wherein the vulnerability assessment server engine further comprises instructions to: determine that the application has an available patch to repair a vulnerability of the application related to the action; and push the patch to the endpoint via the network interface.
Refer to at least [0007], [0047], and [0074] of Chen with respect to downloading and reinstalling the application via the cloud server. 

Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations; FIG. 2 of Chen).

Regarding claim 4, it is rejected for at least the same reasons as claim 2 above (i.e., the citations). It is noted, however, that the Wootton reference also discusses recommending a second application (e.g., [0238]-[0243] of Wotton).

Regarding claim 5, Chen-Zhu-Harris discloses: The server apparatus of claim 1, wherein pushing the patch comprises creating a work item, and assigning the work item to an update agent of the endpoint.
Refer to at least FIG. 3, [0051], and [0054] of Chen with respect to a client installed on the mobile device, the client configured for downloading and reinstalling applications. 

Regarding claim 6, it is rejected for substantially the same reasons as claims 1-2 and 5 above (i.e., the citations and obviousness rationale).

Regarding claim 7, Chen-Zhu-Harris discloses: The server apparatus of claim 6, wherein the vulnerability assessment server engine is further to instruct a shim agent of the endpoint to monitor the updated or patched application.
Refer to at least FIG. 3, [0049], and [0052] of Chen with respect to the client and its monitoring module. 

Regarding claim 8, Chen-Zhu-Harris discloses: The server apparatus of claim 1, wherein the vulnerability assessment server engine further comprises instructions to interface with a research service to identify new vulnerabilities in applications.
Refer to at least database 120 in FIG. 2 of Zhu.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 9, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning application information; [0066] of the instant specification).

Regarding independent claim 10, it is substantially similar to independent claim 1 and claims 2 and 4, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationales). 

Regarding claim 11, it is rejected for substantially the same reasons as claim 1 (e.g., [0026]-[0029] of Chen).

Claims 12-13, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Clancy (US 2014/0157355 A1) in view of Zhu (US 9,852,294 B1).

Regarding claim 12, Clancy discloses: A computing apparatus, comprising: 
a processor and a memory; and 
Refer to at least FIG. 1-2 and [0074] of Clancy with respect to exemplary computing devices.
a process-reputation store comprising a plurality of process identifiers, and one or more allowed actions on a per-process basis; 
Refer to at least [0055], [0080], and [0124] of Clancy with respect to whitelists / blacklists as part of policy.
instructions encoded within the memory to instruct the processor to provide a shim application to: 
identify a process for inspection; 
hook an attempted action of the process; 
determine that the attempted action is not a pre-load action for the process and is not a whitelisted action for the process; 
Refer to at least [0009], [0048], and/or FIG. 3-4 of Clancy with respect to an application making a system call, or generally requesting data. The call / request is evaluated before being allowed. 
compute a process-specific reputation for the action; and 
Refer to at least [0050]-[0052], [0062], and [0143] of Clancy with respect to the call / request’s context.
Refer to at least [0080], [0055], [0124] of Clancy with respect to the policy server serving policy requests. 
according to the computed reputation, determine whether to allow, block, or warn on the action in context of the [process].
Refer to at least [0042] of Clancy with respect to exemplary enforcement actions, including changing one or more rules. 
Clancy does not disclose: computing the process-specific reputation further comprising a process-specific grayware reputation for the action; wherein the process-specific grayware reputation represents a composite likelihood that the process is grayware and the action is unwanted; that remediation on the action is determined in context of the grayware reputation; wherein the one or more allowed actions comprise a subset being fewer than all actions available to a process. However, Clancy in view of Zhu discloses: computing the process-specific reputation further comprising a process-specific grayware reputation (e.g., at least Col. 13, Ll. 10-24 of Zhu concerning reputation data relating to the application) for the action (e.g., Col. 13, Ll. 35-37 and Col 13, Ll. 57-Col. 14, Ll. 13 of Zhu with respect to determining that an application is grayware based on its functions); that remediation on the action is determined in context of the grayware reputation; 
Refer to at least Col. 11, Ll. 50-Col. 13, Ll. 52 of Zhu with respect to identifying an application, its reputation, whether the reputation is that of grayware or otherwise suspicious, and identifying its potentially malicious actions. A database may be queried.
wherein the one or more allowed actions comprise a subset being fewer than all actions available to a process.
Refer to at least Col. 7, Ll. 1-54, Col. 9, Ll. 9-51, and Col. 12, Ll. 4-22 of Zhu with respect to potential actions which may be taken by the application. 
Clancy-Zhu does not fully specify: wherein the process-specific grayware reputation represents a composite likelihood that the process is grayware and the action is unwanted. However, Clancy-Zhu in view of Harris discloses: wherein the process-specific grayware reputation represents a composite likelihood that the process is grayware and the action is unwanted.
Refer to at least FIG. 16 and Col. 61, Ll. 20-39 of Harris with respect to providing a numerical score for an object/action combination, such as that of a specific application and an action in combination with said application. 
The teachings of Clancy, Zhu, and Harris concern malware analysis and remediation and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Clancy to further include suspicious application reputations associated with potential application actions for at least the reasons discussed in Col. 3, Ll. 60-Col. 4, Ll. 10 of Zhu (i.e., improved security by more efficiently and effectively identifying grayware applications). It further would have been obvious to modify the teachings of Clancy-Zhu to include support for specific object/action combination scoring for at least the purpose of increasing detection accuracy (i.e., having more data to determine maliciousness). 

Regarding claim 13, it is rejected for substantially the same reasons as claim 12 above (i.e., the citations and obviousness rationale; e.g., the portions concerning remediation).

Regarding claim 18, it is rejected for substantially the same reasons as claim 12 above (i.e., the citations).

Regarding claims 19-20, they are rejected for substantially the same reasons as claim 12 above (i.e., the citations; [0066] of the instant specification).

Claims 14-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Clancy-Zhu-Harris as applied to claims 12-13, and 18-20 above, and further in view of Wootton (US 2012/0110174 A1).

Regarding claim 14, Clancy-Zhu-Harris does not disclose: wherein the instructions are further to cache the reputation in the process-reputation store. However, Clancy-Zhu-Harris in view of Wootton discloses: wherein the instructions are further to cache the reputation in the process-reputation store.
Refer to at least [0126] of Wootton with respect to caching assessment results.  
The teachings of Clancy-Zhu-Harris and Wootton relate to securing mobile applications and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Clancy-Zhu-Harris to further include caching for at least the purpose of quickly providing the results to additional requesters.   

Regarding claim 15, Clancy-Zhu-Harris-Wootton discloses: The computing apparatus of claim 14, wherein the instructions are to solicit feedback before executing a warn action.
Refer to at least Col. 13, Ll. 40-52 of Zhu with respect to notifying a user. 
This claim would have been obvious for substantially the same reasons as claim 12 above.

Regarding claim 16, it is rejected for substantially the same reasons as claim 14 above.

Regarding claim 17, it is rejected for substantially the same reasons as claim 15 above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432