DETAILED ACTION
This action is responsive to the Application filed 3/25/2020.
Accordingly, claims 22-42 are submitted for prosecution on merits.
	Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 22, 29, 36 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Glew et al, USPubN: 2013/0036464 (herein Glew) in view of Aziz et al, USPN: 8,881,282 (herein Aziz).
	As per claim 22, Glew discloses a system for detecting malware (para 0003, 0005, 0008-0011) comprising a processor to:
	collect processor trace information (trace of a main program … supplying … to processor core for inspection, lifeguard program – para 0032) corresponding to an application being executed by the processor;
	detect an invalid indirect branch instruction (checking legitimate branch … tag indicating either is or is not legitimate branch target, indirect branch target … is not allowed to be branched-to by an indirect branch – para 0034-0037) from the processor trace information (LBA, trace – para 0032; legitimate branch target enforcement - para 0033-0034);
	detect at least one malware instruction (overlapping instructions, branching around checking sequences – para 0063-0064; instruction misalignment – para 0075-0076; controls the stack – para 0013; misalignment to synthesize instruction streams – para 0014; violate a stack location – para 0015) being executed by the application; and 
	block the application from accessing (e.g. preventing misalignment, in-line tag bit – 0078-0088; in-instruction size encoding -para 0091-0108; looking back, largest naturallly-aligned instruction size, size satisfies the alignment of the boundary– para 0111, 0113, 0115-0124; if the instruction looks illegal, stop – para 0133-0141; template, bitmask instruction boundary, detecting misalignment, falling through is not permitted – para 0163-0167, 0174; out-of-line metadata, code integrity technique – para 0178-0181; control flow integrity, various changes to control flow include direct branches, indirect banches  … subject to narrow imposed restrictions – para 0191-0195,; control flow assert - para 0199-00229; dense metadata indexed … list of branch-from Ips or classes, list indicative of only instruction pointer that are allowed – para 0234, in-band metadata – para 0236-0238; out-of-band instruction tags - para 0239; in-line enforcement, trap can be evoked – para 0242-0243; stting a bit in a control register, logic operable to control… branch enforcement, out-of-band metadata, out-of-line checking – par 0245-0248; list of indirect branch … that are allowed - para 0255; fixed-length, variable length instruction set, CALL/RET – para 0257-0260; trap – para 0266; Fig. 2; Fig. 4A, 4B; Figs 5A, 5B,5C) or modifying memory (Note1: techniques to prevent illegal branch by malware reads on techniques to stop malware illegal attempt to access memory of the application; e.g. via effect of bypassing checkpoints, overlapping a sequence or exploiting weak alignment of code);
	A) Glew does not explicitly disclose processor to detect malware instruction in response to
	analyzing modified memory values corresponding to the invalid indirect branch
	Known threats to memory or application data being caused by malicious software or malware entails capability of the malware and malicious to bypass checkpoints, protective settings or security logic of program or applications, and this is alluded to in Glew in regard to malware (para 0001-0002; branching intothe middle of an instruction, alignment issue related to data memory references – para 0050; attacks on code integirty – para 0016; indirect branches … ability to violate a stack location … an indirect jump – para 0015; malware … synthesize instruction streams other than those planned by the user – para 0014)
	As a case on point, Aziz discloses malware in form of trojan being a destructive program into a computer and operable as duplicable utility to infest computer’s memory (col. 6 li. 14-17), seek damage to the computer – as a hacker, worm or decoy - corrupt data and inhibit normally authorized requests to access computer data (col. 6 li. 19-32); where worm sensors are configured to track anomalies (a memory write) to program counter, stack, memory address or page which has been exploited or referenced by a worm (col. 18 li. 10-38); using recovery script or analysis environment to identify program memory locations infected by worms using worm sensors and a worm containment system(col. 25 li. 2-16) for monitoring values changes (jump addreses) from undesirable action of the malware (Fig. 19; col.42, li. 19-65; malware … malicious format string … writing … a chosen value to a specific address … overwrite data … as argument to a system call – col. 43, li. 41-56); therefore, recovery/sensor-based measure or analysis in place for monitoring undesirable memory locations or data being overwritten by malware is recognized.
	Therefore, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement the malware prevention syystem in Glew so that use of trace analysis and misalignment and overlapping detection would be based on analyzing modified memory values due to malware actions such as undesirable bypass or invalid indirect branch associated therewith; because
	malware actions are known to be driven/created from externally inserted program or malicious code into a host application, computer data or program memory with intent to pass for (or act as) non-suspicious utility on a host system, which over time would be heavily damaging a targeted computer resource (like memory, stack or cache), deteriorating capability of the host program for meeting or handling of scheduled activities or normal requests, with undesirable effect on cache, stack, memory such as overwriting or changing values therein to access targeted memory or jump to locations (indirect branch) not planned by a program; and by establishing sensor type monitoring set inside program code or memory resources as set forth in Aziz, timely identification of undesirable events such as values change, overwritten or memory being unexpectedly altered, or illegally accessed would provide indication that the host program or computing resources has been exploited or corrupted by a malicious code – trojan, worms type of malware as set forth above; for proper protective means to be considered as corrective or preventive measures.
	As per claim 29, Glew discloses a method for detecting malware comprising:
	collecting processor trace information corresponding to an application being executed
by the processor;
	detecting an invalid indirect branch instruction from the processor trace information;
	detecting at least one malware instruction being executed by the application in
response to analyzing modified memory values corresponding to the invalid indirect branch; and
	blocking the application from accessing or modifying memory.
( all of which being addressed in claim 22)
As per claim 36, Glew discloses a non-transitory computer readable media for detecting malware comprising a plurality of instructions that, in response to execution by a processor, cause the processor to:
collect processor trace information corresponding to an application being executed bythe processor;
detect an invalid indirect branch instruction from the processor trace information;
detect at least one malware instruction being executed by the application in responseto analyzing modified memory values corresponding to the invalid indirect branch; and
block the application from accessing or modifying memory.
	( all of which being addressed in claim 22)
Claims 23-24, 30-31, 37-38 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Glew et al, USPubN: 2013/0036464 (herein Glew) in view of Aziz et al, USPN: 8,881,282 (herein Aziz) and DeHon et al, USPubN: 2017/0177368 (herein Dehon) 
As per claims 23-24, Glew does not explicitly disclose (system of claim 22), 
(i) wherein the processor is to detect the at least one malware instruction based on a single table, wherein the single table comprises a base array and a check array, and 
(ii) wherein each value stored in the single table comprises a base address in a predetermined number of higher order bits and a check address value in a predetermined number of lower order bits; wherein the check address value indicates a next state of a state machine based on a predetermined malware pattern 
As for (i),
Use of offset from a base address as a restrictive mechanism to enforce that only code branch within a proximal address or distanced from a predelimited distance from a base address would be considered allowed by the ‘local’ firing mechanism (para 0036, 0253; Fig. 6T, 6U; para 0326-0327; para 0350); hence local branch listing in terms of permitting pointer-relative branch instruction on basis of predetermined offset entails address indirection as table/array representation having base address and chech address (*) in form of OFFSET bits reading.
As for (ii),
Use of either leftmost or rightmost bits within a address width to impart a indicator or tag such as to directing or enforcing an state transition for a branch is shown in Glew bit wise metadata (a bit per IP – par 0024; in-band tags- para 0026; branch targets … 1-bit tags – para 0251; para 0291; encodings for preventing misalignment, in-line tag bit – para 0077-0078; para 0160); e.g. to avert misalignment that favors malware exploitation.
Use of a metadata or structure of memory addresses that represent one or more memory addresses deemed proper for a branch can be shown in Dehon where a translation table (para 0280) provide opcode to be mapped against a (metadata) tag that enforces state of a next translation, the use of tag firing applied to a CFI (control flow integrity) policy; that is, configuration of the CFI policy/ruling associated with transition scenario is based on tag-based firing (Fig. 36; CFI policy, list of valide source locations which are allowed to transfer control to, source location X1 is a branch point or source point  from which control is transferred to the target - para 0261) where transition from source address to various target branch addresses can be allowed, the function transition scenario including represention of transition tree of functions pointing to subfunctions (Fig. 37), where a bit structure/array expressing a subfunction has the higher bits representing a source code address, which has pointer to a lower bits of the structure which indicate address of a target branch address (Fig. 37; para 0264-0265); hence CFI having ruling carried out with tag indicative of machine state transition and bit array having lower bits representing target address to branch from a source address defined with the higher bits is recognized.
Therefore, basesd on use of tags inlined with a array of bits in Glew to avert malware exploitation of instruction misalignment from above, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement control over infringement of malware into target memory in Glew so that the measures employed therewith include implementation of a bit array, as single table, which comprises a base array and a check array as per ( *) from above, wherein each value stored in the single table (list of permissible target branch locations)  comprises a base address in a predetermined number of higher order bits and a check address value in a predetermined number of lower order bits, as set forth per Dehon use of tags associated with the CFI branch firing implementation, where the lower bit check address indicates a next state of a state machine – as in Dehon - to consider (permitted or illegal branch) with perspective to a potential malware action; because
use of tags or special bit indicator placed in line with an instruction address to enforce a desired code transition state not only provides in-line encoding of a specific function identifier or opcode with encoding of an additional bit (or special indicator tag) dictating a code transition in form of a check that permits or disallows state transition (of the opcode) to a branch target, but would also form a bit expression into a single structure that correlates a source address at one end of the bit array and the enforcing indicator or tag at the other end of the bit array, thereby facilitating configuration of code flow integrity policy enforcement, where for each code to check a corresponding flow integrity, an array of source bits (source address from which to branch) appended with bit tag indicator or end bits specifying exact addresses where to branch  - as set forth above - can be listed as entries in a branch transaction table to be used as a protective means (e.g. CFI type of protection) to avert undesirable indirect code branch attempted by a malicious code.
As per claims 30-31, Glew discloses (method of claim 29) comprising
 detecting the at least one malware instruction based on a single table, wherein the single table comprises a base array and a check array, and wherein each value stored in the single table comprises a base address in a predetermined number of higher order bits and a check address value in a predetermined number of lower order bits.
wherein the check address value indicates a next state of a state machine based on a predetermined malware pattern.
( all of which being addressed in claims 23-24)
As per claims 37-38, refer to claims 23-24
Claims 25, 32, 39 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Glew et al, USPubN: 2013/0036464 (herein Glew) in view of in view of Aziz et al, USPN: 8,881,282 (herein Aziz) and Golshan et al, USPubN: 2013/0117849 (herein Golshan) 
As per claim 25, Glew does not explicitly disclose (system of claim 22), wherein the processor is to 
transmit the processor trace information to a graphics processing unit, wherein the graphics processing unit is to analyze at least two instructions from the processor trace information in parallel to detect the invalid indirect branch instruction.
Monitored program in Glew is provided as logged trace for inspection to a second, different core equipped with a lifeguard program to capture event values and enforce rules and tags for validating legitimacy of the branch instructions (para 0032-0034)
Use of a special processor to inspect malware is shown in Golshan’s virtualized fault reporting environment; that is, a reporting platform of a virtual environment, upon receipt of resources and objects (Fig. 4) from an external(digital) device, re-instantiates the objects, via virtual machines, and perform virtual monitoring of the operations based thereon to track and identify untrusted actions or suspiscious data (para 0057-0062), with refinement of observations via repeated cycles (Fig. 7-9), where processes run by the virtual environment may run in parallel (para 0081) and  data from the external device being investigated for presence of suspicious data or malware (Fig. 8; to detect malware – para 0123; para 0066-0067) are associated with I/O and execution state of the external device (Fig. 10; digital device 1000 – para 0136) that include encoding/decoding of a GPU and a graphics adapter (para 0140).  Hence, host platform using virtualization to track, emulate and report on suspicious data or malware actions from obtained resources such as I/O or GPU execution from an external (digital) device, via use of parallel proceses to enhance the malware detection and reporting is recognized.
Therefore, based on trace data as suspicious data (such as those associated with malicious, malware indirect branch per Glew) from a source program to be passed to a outside inspection platform in Glew, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to use an external computing environment to analyze and inspect trace or logged execution data from a source device/program so that malware or malicious data (indirect branch) can be tracked and reported – as set forth in Golshan – where state of computation associated with the received logged/trace data include graphics type encoding/decoding, I/O execution  - as in Golshan – would be processed by graphics procesing unit at the inspection platform, using parallel processing by the latter – as in Golshan - to analyze at least two instructions from the received processor trace information in parallel; e.g. to invalidate indirect branch instruction; because
trace capture or logged execution state of highly computational data such as graphics rendering, as set forth above in association with I/O thereof, can include inter-related layers of code branching and likelihood for these graphics I/O, nested graphics loops and stack access related invocations to be exploited by malicious code increases accordingly; and provision of a malware tracking and reporting environment in terms of a dedicated computing platform endowed with GPU  processing capability, possibility of accelerating the malicious code identification and reporting would increase, necessarily when at least two instructions of a source graphics rendering program received into the malware reporting platform can be simultaneously processed by virtue of the parallel processing GPU portion of the platform.
As per claim 32, Glew discloses method of claim 29, comprising transmitting the processor trace information to a graphics processing unit, wherein the graphics processing unit is to analyze at least two instructions from the processor trace information in parallel to detect the invalid indirect branch instruction. (refer to rationale in claim 25)
As per claim 39, refer to claim 25.
Claims 26-28, 33-35, 40-42 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Glew et al, USPubN: 2013/0036464 (herein Glew) in view of Aziz et al, USPN: 8,881,282 (herein Aziz) and Golshan et al, USPubN: 2013/0117849 (herein Golshan) and further in view of Blagodurov, USPubN: 2018/0077228 (herein Blagodurov) and Sechrest et al, USPubN: 2010/0199063 (herein Sechrest) 
As per claims 26-28, Glew does not explicitly disclose ( system of claim 22), wherein the processor is to 
(i) generate a first priority queue and a second priority queue, wherein the first priority queue comprises memory pages to be scanned for the application, and wherein the second priority queue comprises memory pages that have been modified within a predetermined period of time.
(ii) scan the memory pages of the second priority queue prior to scanning the memory pages of the first priority queue.
(iii) scan the memory pages of the second priority queue concurrently with scanning the memory pages of the first priority queue.
Analyzing memory affected with values changes by a malware detection and prevention module has been rendered obvious per rationale A in claim 22.
Use of parallel processing of graphics I/O and computation provided as trace into a inspection and malware identifying platform is shown in Golshan – see para 0081(refer to rationale in claim 25)
Sechrest also discloses orchestrating of FIFO queue (para 0046) related to access scenarios over memory pages for priority setting in accordance to the type of queue and static/active usage of the pages, using a pre-fetch (para 0052) on pages in static state for preliminary or idle priority set, which via repeated logging and tracing (Fig. 4A), priority values can be recalculated (para 0041) from state changes or more active I/Os and repurposed to support a proactive memory management algorithm (para 0064-0067); hence collection of I/O associated with FIFO queue trace, logging in which memory activity scenario (usefulness, usage patterns, faults – para 0048-0050) and liveness state thereof support priority adjusting/tuning from an idle value to a recalculated value to support a proactive memory management is recognized.
Trace data having prioritized memory group is disclosed in Blagodurov workload analysis; and according to which, collected traces include memory intensive structures associated with GPU performance in accordance to monitoring of page faults, memory errors on logged workloads and associated priorities thereof (para 0013), using performance counters (Fig. 3; para 0046-0047) to support application that uses (non-intrusive monitoring and profiling – para 0043-0044) the traces to determine priorities and updating priorities (Fig. 8) of the workloads; e.g.  the collected workload trace by an IOMMU providing memory errors and page faults on I/O and service request queues as part of the logging (para 0051); hence priorities attached to workload so as to help detecting page faults and memory errors associated with collected trace on I/O and request queues is recognized.
Therefore, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement tracing and orchestrating of logged data in Glew so that (a) priority of logged content determines the order of trace scanning at a inspection platform, the priority established therewith including organizing the trace in terms of first priority queue and a second priority queue – the logged queue portions having a corresponding priority as in Blagodurov or Sechrest; wherein the first priority queue comprises memory pages to be scanned for the application, and wherein the second priority queue comprises memory pages that have been modified within a predetermined period of time, the modified state of a FIFO memory pages as shown in the priority recalculation per Sechrest’s proactive management approach, or priority updates per the live profiling of workload queues in Blagodurov; (b) using priority as initially set (first value) or  recalculated (second value) to perform ordered scanning of the trace, with prioritizing of a scan in terms of memory pages assigned with a first priority or second priority value; and (c), prioritizing scanning the latest modified memory pages (second priority queue) over the unchanging memory pages (first priority queue); or else scanning unmodified memory page s and modified memory pages concurrently, as in a parallel processing (by a inspection platform) set forth with rationale in claim 25 with the teaching by Golshan; because
Intensive workload and computational data subjected to processing by a malware detection and preventive environment entails memory access, queueing of operations and I/Os in terms of variability in size, liveliness and complexities that require priority assignment to particular portions of the collected trace, which induces the importance in prioritizing  memory trace scanning by a malware handling environment; so that the scanning prioritization when coupled with capability (by inspection environment) to recognize that modified memory pages or values (of trace portions ) suggest likelihood of malicious intrusion (and should be addressed first) would enable any suspicious data caused thereby to be proactively scanned and timely segregated within a short timeframe for corrective measure to be taken, whereas effect of simultaneously scanning both modified mermory trace (second priority queue) and unmodified memory trace  (first priority queue) would on the other hand, benefit from the accelerated HW processing capabilty (GPU coprocessor per Golshan) with which Glew’s malware identifying platform is being equipped, which afford parallel processing of memory I/Os in size and complexity particularly imposed by computation-intensive FIFO, memory accesses and graphics-ladden workloads included with the received trace.
	As per claims 33-35, refer to rationale addressing claims 26-28 from above.
As per claims 40-42, refer to claims 26-28.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tuan A Vu whose telephone number is (571) 272-3735.  The examiner can normally be reached on 8AM-4:30PM/Mon-Fri.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Chat Do can be reached on (571)272-3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273-3735 ( for non-official correspondence - please consult Examiner before using) or 571-273-8300 ( for official correspondence) or redirected to customer service at 571-272-3609.
Any inquiry of a general nature or relating to the status of this application should be directed to the TC 2100 Group receptionist: 571-272-2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Tuan A Vu/
Primary Examiner, Art Unit 2193
June 03, 2022