DETAILED ACTION
This office action is in response to the application filed on 12/25/2019.  Claim(s) 1-21 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged of the provisional application 62/784,867 on 12/26/2018, which papers have been placed of record in the file.

Examiner’s Note – Allowable Subject Matter
Claims 5-7, 10-12, and 17-21 are objected to as being dependent upon a rejected claim, but would otherwise be allowable if incorporated into the independent claim along with any intervening claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-4 and 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha et al. (US 2006/0280150 A1) in view of Avisror et al. (US 2019/0294536 A1). 
Regarding claim 1, Jha teaches:
“A method comprising:
	during a testing phase of a firmware being executed by a device (Jha, ¶ 42 teaches firmware verification module that generates a verification test result which is an outcome of a test interval), monitoring states and activities of the device (Jha, ¶ 40-41 and 48-52 teaches monitoring the device behavior), wherein said monitoring is performed by a testing agent that is functionally separate from the firmware (Jha, Fig. 1, ¶ 27-28, Firmware Verification Module is distinct from firmware and it interacts with remote firmware management module for testing the firmware of the device);
	recording in a log, by the testing agent, at least one event that is associated with the states or the activities of the device, and a stamp of the at least one event (Jha, ¶ 50-52, a log is created for the firmware verification at particular times or predetermined intervals and includes information about the device);
	based on the stamp of the at least one event, correlating between the at least one event and one or more results of the testing phase (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised); and
	based on said correlating, determining one or more vulnerabilities of the device (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised)”.
	Jha does not, but in related art, Avisror teaches:
	“recording a timestamp (Avisror, ¶ 78-79 teaches applying timestamps to code testing);
	and based on a timestamp, correlating (Avisror, ¶ 82, 84-87, 90, and 95-96 teaches correlating the various tests using time stamp information to determine risk values for various pieces of code)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha and Avisror, to modify the firmware verification test system of Jha to include the method to collect time stamp information for specific named tests and correlate those tests together as taught in Avisror.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claim 3, Jha in view of Avisror teaches:
“The method of Claim 1 (Jha in view of Avisror teaches the limitations of the parent claims as discussed above), wherein a vulnerability of the one or more vulnerabilities indicates that at least one result of the one or more results is incorrect (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised)”.

Regarding claim 4, Jha in view of Avisror teaches:
“The method of Claim 1 (Jha in view of Avisror teaches the limitations of the parent claims as discussed above), wherein the testing phase comprises one or more test instances having a test name (Avisror, ¶ 84 Test 1), wherein the one or more results comprise the test name and testing results of the one or more test instances (Avisror, Fig. 11A, ¶ 84-86 test results and time stamp associated with test 1 and the artifact created during the test), wherein a timestamp of the at least one event correspond to timestamps of the one or more test instances (Avisror, Fig. 11A, ¶ 84-86 test results and time stamp associated with test 1 and the artifact created during the test), wherein said correlating comprises associating the test name with the at least one event and with the testing results (Avisror, ¶ 82, 84-87, 90, and 95-96 teaches correlating the various tests using time stamp information to determine risk values for various pieces of code)”.

Regarding claim 8, Jha in view of Avisror teaches:
“The method of Claim 1 (Jha in view of Avisror teaches the limitations of the parent claims as discussed above), wherein the states or the activities of the device comprise at least one of the group consisting of:
	a file access event (Jha, ¶ 50, firmware access attempt)”.

Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha in view of Avisror in view of Thornley et al. (US 2014/0257828 A1).
Regarding claim 2, Jha in view of Avisror teaches:
“The method of Claim 1 (Jha in view of Avisror teaches the limitations of the parent claims as discussed above)”.
Jha in view of Avisror does not, but in related art, Thornley teaches:
“wherein a vulnerability of the one or more vulnerabilities is indicated by a combination of two or more recorded events in the log (Thornley ¶ 42 teaches detecting a BIOS event as well as a change made to the software and a corresponding alert sent to the system administrator)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha, Thornley, and Avisror, to modify the firmware verification test system of Jha in view of Avisror to include the method to analyze BIOS events and software modifications as taught in Thornley.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha in view of Avisror in view of Clark (US 2019/0129511 A1).
Regarding claim 9, Jha teaches:
“A computerized apparatus having a processor and coupled memory (Jha, ¶ 33 and 36 teaches a processor and a memory to execute the method steps), the processor being adapted to perform the steps of:
	during a first testing phase configured to test a firmware of a device with a first test (Jha, ¶ 42 teaches firmware verification module that generates a verification test result which is an outcome of a test interval), recording in a log a first parameter associated with a state of the device during the first test (Jha, ¶ 50-52, a log is created for the firmware verification at particular times or predetermined intervals and includes information about the device);
	during a second testing phase configured test the firmware of the device with a second test (Jha, ¶ 42 teaches firmware verification module that generates a verification test result which is an outcome of a test interval.  Jha, ¶ 50-52, log files for separate tests are created for the firmware verification at particular times or predetermined intervals and includes information about the device), recording in the log a second parameter associated with the state of the device (Jha, ¶ 50-52, a log is created for the firmware verification at particular times or predetermined intervals and includes information about the device);
	correlating results of the first test with the first parameter (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised);
	correlating results of the second test with the second parameter (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised); and
	characterizing normal and abnormal states of the device (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised)”.
	Jha does not, but in related art, Avisror teaches:
	“having a test name (Avisror, ¶ 84 Test 1); 
	and a first timestamp of the first parameter (Avisror, ¶ 84-86 time stamp associated with test 1 and the artifact created during the test);
	having the test name (Avisror, ¶ 84 Test 2);
	and a second timestamp of the second parameter (Avisror, ¶ 84-86 time stamp associated with test 1 and the artifact created during the test);
	based on the first timestamp, correlating (Avisror, ¶ 82, 84-87, 90, and 95-96 teaches correlating the various tests using time stamp information to determine risk values for various pieces of code);
	based on the second timestamp, correlating (Avisror, ¶ 82, 84-87, 90, and 95-96 teaches correlating the various tests using time stamp information to determine risk values for various pieces of code); 
	and characterizing at least based on a difference between the first and second parameters (Avisror, ¶ 75 risk score allows the comparison between different tests)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha and Avisror, to modify the firmware verification test system of Jha to include the method to collect time stamp information for specific named tests and correlate those tests together as taught in Avisror.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	Jha in view of Avisror does not, but in related art, Clark ¶ 18 teaches allowed and not allowed inputs in a BIOS system being evaluated in a configuration platform.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha, Clark, and Avisror, to modify the firmware verification test system of Jha in view of Avisror to include the method to analyze allowed and not allowed inputs in a BIOS system as taught in Clark.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha in view of Ofek et al. (US 2019/0303585 A1).
Regarding claim 13, Jha teaches:
“A non-transitory computer readable medium retaining program instructions, which program instructions when read by a processor (Jha, ¶ 33 and 36 teaches a processor and a medium to execute the method steps), cause the processor to perform the steps of:
	during a testing phase of a firmware of a device (Jha, ¶ 42 teaches firmware verification module that generates a verification test result which is an outcome of a test interval), continuously polling states and activities of the device (Jha, ¶ 40-41 and 48-52 teaches monitoring the device behavior during a given test), wherein said polling is at a testing agent that is functionality separate from the firmware (Jha, Fig. 1, ¶ 27-28, Firmware Verification Module is distinct from firmware and it interacts with remote firmware management module for testing the firmware of the device);
	correlating between at least one event that is associated with the states or the activities of the device and test results of the testing phase (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised);
	based on said correlating, determining for the firmware one or more normal events and one or more abnormal events (Jha, ¶ 48, and 63-66 the results are compared with predetermined CRC values to determine if the firmware is compromised)”.
	Jha does not, but in related art, Ofek teaches:
	“after the testing phase, providing indications of the one or more normal events and one or more abnormal events from the testing agent to a runtime agent (Ofek, ¶ 114, SIEM system monitors events during runtime.  Ofek ¶ 39, firmware is part of the protected code), whereby said providing enables the runtime agent to protect the firmware from vulnerabilities associated with the one or more abnormal events (Ofek, ¶ 106, and 118-123 micro-functional fixes are hooked into code and activated to protect code from abnormal events)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha and Ofek, to modify the firmware verification test system of Jha to include the method to hook code to protect it from malware abuse as taught in Ofek.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claim 14, Jha in view of Ofek teaches:
“The non-transitory computer readable medium of Claim 13 (Jha in view of Ofek teaches the limitations of the parent claims as discussed above), wherein the runtime agent is configured to utilize event hooks to detect real time events of the firmware and to compare the real time events to the provided indications to determine whether or not a remedial action is to be performed in response to the real time events (Ofek, ¶ 106, and 118-123 micro-functional fixes are hooked into code and activated to protect code from abnormal events)”.

Regarding claim 15, Jha in view of Ofek teaches:
“The non-transitory computer readable medium of Claim 13, wherein the runtime agent is configured to be executed on the device when the device is in a non-testing phase, wherein the runtime agent is configured to perform:
	classifying a real time event as normal or abnormal based on the indications (Ofek, ¶ 114, SIEM system monitors events during runtime to detect abnormal events), upon determining that the real time event is a normal event, ignoring the real time event, and upon determining that the real time event is an abnormal event, blocking the real time event (Ofek, ¶ 106, and 118-123 micro-functional fixes are hooked into code and activated to protect code from abnormal events)”.

Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha in view of Ofek in view of Avisror.
Regarding claim 16, Jha in view of Ofek teaches:
“The non-transitory computer readable medium of Claim 13 (Jha in view of Ofek teaches the limitations of the parent claims as discussed above)”.
	Jha in view of Ofek does not, but in related art, Avisror teaches:
	“wherein said correlating is based on a timestamp (Avisror, ¶ 82, 84-87, 90, and 95-96 teaches correlating the various tests using time stamp information to determine risk values for various pieces of code)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Jha, Ofek, and Avisror, to modify the firmware verification test system of Jha and Ofek, to include the method to collect time stamp information for specific named tests and correlate those tests together as taught in Avisror.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435