DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 21-39, drawn to a method/non-transitory computer readable storage medium for intercepting a service call for an internal service, determining whether rules are specified for the service call identifier, and processing the service call according to specified rules, or explicitly forwarding the service call if no rules are specified for the identifier, classified in G06F21/54.
II. Claim 40, drawn to a method for intercepting a service call, determining whether the service call is directed internally to a first appliance, or to a second appliance, processing the service call according to specified rules if the service call is to an internal service, and forwarding the service call to the second appliance if the service call is not an internal service, classified in H04L63/0227.
The inventions are independent or distinct, each from the other because:
Inventions I and II are related as subcombinations disclosed as usable together in a single combination.  The subcombinations are distinct if they do not overlap in scope and are not obvious variants, and if it is shown that at least one subcombination is separately usable.  In the instant case, subcombination II has separate utility such as determining whether a service call is directed internally or to a separate appliance before determining whether to apply filtering rules to the received service call.  See MPEP § 806.05(d).
The examiner has required restriction between subcombinations usable together. Where applicant elects a subcombination and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104.  See MPEP § 821.04(a).  Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application. 
Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply:
⦁	the inventions have acquired a separate status in the art in view of their different classification
⦁	the inventions have acquired a separate status in the art due to their recognized divergent subject matter
⦁	the inventions require a different field of search (e.g., searching different classes/subclasses or electronic resources, or employing different search strategies or search queries).
Applicant is advised that the reply to this requirement to be complete must include (i) an election of an invention to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected invention. 
The election of an invention may be made with or without traverse. To reserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the restriction requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable upon the elected invention.
Should applicant traverse on the ground that the inventions are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA  35 U.S.C. 103(a) of the other invention.

During a telephone conversation with Samuel G. Campbell III, Reg. No. 42,381 on 6/7/2022 a provisional election was made without traverse to prosecute the invention of I, claims 21-39.  Affirmation of this election must be made by applicant in replying to this Office action.  Claim 40 is withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Status of Claims
Claims 21-40 are pending.  Claim 40 is withdrawn from consideration.  Claims 1-20 are cancelled.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21, 23, 32-35, 37-39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Freund (PGPUB 2004/0199763), and further in view of Mehta et al (PGPUB 2016/0371484).

Regarding Claim 21 and claim 35:
Freund teaches a computer-implemented method (paragraph 48, computer) and a non-transitory computer readable storage medium storing program instructions executable to perform a method (paragraph 48, memory coupled to processor; paragraph 50, storage holding programs and applications) comprising: 
intercepting a service call initiated by a client process of a client (paragraph 63, to control indirect access, certain communications, e.g. local procedure calls are intercepted at the level of the operating system (OS) kernel; paragraph 73, system monitors connection requests, e.g. hooking API calls, to monitor application’s attempt to access a specific service; paragraph 100-101, Interprocess Communication Controller (IPCC) includes patcher module to intercept and redirect system calls to IPCC; paragraph 60-61, normally in an operating system, the various applications and services "live" (reside) in separate memory spaces; in order for one application to communicate with another application or service, the operating system must provide some sort of communication channel between the two applications or services; paragraph 69-70, Fig. 3, application, e.g. ‘malware’ 321, operating in user space, in separate memory space, as per above), wherein 
the service call is a request for an internal service (paragraph 38, Local Procedure Call for communication between processes running on the same machine; LPC used as communication mechanism between system services and client processes; client thread invokes LPC when it needs some service from the subsystem; paragraph 105, e.g. call to DNS service),
the internal service is provided by a server (paragraph 42, service is special type of application that serves other applications; paragraph 60-61, normally in an operating system, the various applications and services "live" (reside) in separate memory spaces; in order for one application to communicate with another application or service, the operating system must provide some sort of communication channel between the two applications or services; paragraph 69-70, Fig. 3, service, e.g. ‘DNS’ 331, operating in user space, in separate memory space, as per above), 
the service call comprises an identifier (paragraph 63, system determines what address or port a given application is attempting to talk to, based on text string passed during invocation of call; paragraph 72, text string is sufficient information to allow one to determine the type of service that is being requested), and 
the identifier identifies the internal service (paragraph 72, text string is sufficient information to allow one to determine the type of service that is being requested); 
determining whether one or more rules of a plurality of rules are specified for the identifier (paragraph 73, requests are intercepted and redirected to TrueVector engine which determines whether application that originated the request has appropriate privileges, based on system’s specified rules and policy; paragraph 76, upon interception, IPCC looks at source and destination of message to determine if target is protected application or process for which communication should be blocked; paragraph 85, IPCC includes rules and/or logic to evaluate attempts to access a service); 
in response to a determination that the one or more rules are specified for the identifier, processing one or more attributes of the one or more rules (paragraph 90, application to be protected is registered with IPCC, and assigned a protection level that prevents other applications from posting particular types of messages that the application is to be guarded against; paragraph 95, based upon the collected information about the message, the source application, and the target, a determination is made as to whether the communication should be permitted; this determination typically first involves determining whether the target application is a protected application (i.e., the target application was previously registered as a protected application); if the target application is a protected application, the type of message (communication) is then evaluated to determine if it is a type of communication that the target application is to be protected against (based upon the established rules regarding what is protected); paragraph 96, rules may be established to provide that the device driver should reject all messages to a first target application, should allow all messages to a second target application, and should refer all messages to a third target to an external rules engine; name of target and whether to block/allow can be considered attributes of the rules), and 
forwarding the service call to the server, if the processing indicates that the forwarding the service call is allowable (paragraph 87, IPCC permits or blocks the attempt by the application to access the service; if IPCC determines to allow the request for service, request if forwarded to original destination routine).
Freund does not explicitly teach in response to a determination that none of the plurality of rules are specified for the identifier,
forwarding the service call to the server.
However, Mehta teaches the concept of determining whether one or more rules of a plurality of rules are specified for an identifier (paragraph 20-21, system for detection of malicious invocation of API calls to service APIs hosted inside system server in user space; paragraph 39, application calls API; API call communicated to kernel driver; interceptor in kernel driver (i.e. service call filter module) intercepts API call and metadata is extracted; system determines if API or metadata match security policy); and
in response to a determination that none of the plurality of rules are specified for the identifier (paragraph 20-21, system for detection of malicious invocation of API calls to service APIs hosted inside system server in user space; paragraph 39, application calls API; API call communicated to kernel driver; interceptor in kernel driver (i.e. service call filter module) intercepts API call and metadata is extracted; system determines if API or metadata match security policy; paragraph 36, security policies include policies on how to handle identified or suspect malware; format of policy includes source and target, e.g. API interface name and functions, i.e. internal service identifiers; paragraph 15, 33, Fig. 1-2, security policies, blacklists, and whitelists located in kernel space in memory); paragraph 39, if neither API or metadata or both match security policy, API call is allowed), 
forwarding a service call to a server (paragraph 39, if neither API or metadata or both match security policy, API call is allowed).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the default call forwarding teachings of Mehta with the interprocess communication control system of Freund, in order to simplify the security system by creating a default filtering policy, thereby focusing security functions on known malicious agents, and limiting the space taken up by the security policies by limiting entries to known vulnerabilities, and avoiding the onerous task of trying to account for every allowable possibility.

Regarding Claim 23:
Freund in view of Mehta teaches the computer-implemented method of claim 21.  In addition, Freund teaches wherein 
the identifier is a port identifier or a port number (paragraph 63, certain communications (e.g., "open port" local procedure calls in Windows environments) are intercepted at the level of the operating system kernel; at that point, the system of the present invention can determine what address or port a given application is attempting to talk to, based on a text string passed during invocation of the communication (e.g., "open port") call).

Regarding Claim 32:
Freund in view of Mehta teaches the computer-implemented method of claim 21.  In addition, Freund teaches wherein
the client and the server are deployed in an appliance (paragraph 38, Local Procedure Call for communication between processes running on the same machine; LPC used as communication mechanism between system services and client processes; client thread invokes LPC when it needs some service from the subsystem; paragraph 105, e.g. call to DNS service).

Regarding Claim 33:
Freund in view of Mehta teaches the computer-implemented method of claim 21.  In addition, Freund teaches the method, further comprising: 
in response to the determination that the one or more rules are specified for the identifier (paragraph 84, the rules database is consulted to determine whether the malware application is a known application and applies any established rule if the application is known; a known application may have an established rule which indicates the application is trusted (i.e., approved for Internet access), untrusted (blocked from accessing the Internet), or which provides for requesting a decision from the user (or from a centralized administrative service) about whether or not to permit access), 
rejecting the service call, if the one or more rules indicate that the service call should not be forwarded to the first server (paragraph 22, identifying the particular application that is attempting to invoke the particular system service; based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service).

Regarding Claim 34:
Freund in view of Mehta teaches the computer-implemented method of claim 21.  In addition, Freund teaches the method, further comprising:
the service call is intercepted by a service call filter module executing in a kernel (paragraph 63, calls intercepted at level of operating system kernel; paragraph 76, 81-82, Fig. 3, service call, e.g. attempt to open port using “NtCreatePort” call, intercepted and rerouted to IPCC; IPCC 349 operates at kernel level), and
Mehta teaches the service call filter module comprises a rule set that is stored in the kernel memory (paragraph 15, 33, Fig. 1-2, security policies, blacklists, and whitelists located in kernel space in memory), and 
the forwarding the service call to the server is performed without accessing kernel memory (paragraph 39, if neither API or metadata or both match security policy, API call is allowed; no further policies required from kernel memory; paragraph 21, calls dispatched from kernel driver to destination service).
The rationale to combine Freund and Mehta is the same as provided for claim 21 due to the overlapping subject matter between claims 21 and 34.

Regarding Claim 37:
Freund in view of Mehta teaches the non-transitory computer readable storage medium of claim 35.  In addition, Freund teaches wherein the method further comprises: 
accessing the rule set to determine whether the internal service identified by the identifier is unprotected or protected (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination; paragraph 95, rules determine what is protected), wherein 
the plurality of rules are part of a rule set (paragraph 41, security policy is set of rules),
the rule set is part of a service call filter module (paragraph 85, IPCC includes rules to evaluate attempts to access a service; paragraph 65, control is achieved by filtering an application’s request to access a service through security policy management mechanisms, i.e. IPCC acts as filter, and therefore is a service call filter module), 
the service call filter module is part of a kernel (paragraph 71, kernel component comprises TrueVector device driver which includes IPCC), 
the internal service is protected if the rule set comprises at least one rule of the plurality of rules for the identifier specified in the service call (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); paragraph 95, rules determine what is protected; this determination typically first involves determining whether the target application is a protected application (i.e., the target application was previously registered as a protected application as described above)), and 
the internal service is unprotected if the rule set does not comprise at least one rule of the plurality of rules for the internal service specified in the service call (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination); and 
forwarding the service call to the server if the internal service is unprotected (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination), or each attribute of the at least one rule matches the corresponding client process property of the one or more client process properties.

Regarding Claim 38:
Freund in view of Mehta teaches the non-transitory computer readable storage medium of claim 35.  In addition, Freund teaches wherein the method further comprises: 
in response to the determination that the one or more rules are specified for the identifier (paragraph 84, the rules database is consulted to determine whether the malware application is a known application and applies any established rule if the application is known; a known application may have an established rule which indicates the application is trusted (i.e., approved for Internet access), untrusted (blocked from accessing the Internet), or which provides for requesting a decision from the user (or from a centralized administrative service) about whether or not to permit access), 
rejecting the service call, if the one or more rules indicate that the service call should not be forwarded to the first server (paragraph 22, identifying the particular application that is attempting to invoke the particular system service; based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service).

Regarding Claim 39:
Freund in view of Mehta teaches the non-transitory computer readable storage medium of claim 35.  In addition, Freund teaches wherein the method further comprises:
the service call is intercepted by a service call filter module executing in a kernel (paragraph 63, calls intercepted at level of operating system kernel; paragraph 76, 81-82, Fig. 3, service call, e.g. attempt to open port using “NtCreatePort” call, intercepted and rerouted to IPCC; IPCC 349 operates at kernel level), and
Mehta teaches the service call filter module comprises a rule set that is stored in the kernel memory (paragraph 15, 33, Fig. 1-2, security policies, blacklists, and whitelists located in kernel space in memory), and 
the forwarding the service call to the server is performed without accessing kernel memory (paragraph 39, if neither API or metadata or both match security policy, API call is allowed; no further policies required from kernel memory; paragraph 21, calls dispatched from kernel driver to destination service).
The rationale to combine Freund and Mehta is the same as provided for claim 35 due to the overlapping subject matter between claims 35 and 39.

Claim(s) 22, 24-31, 36 is/are rejected under 35 U.S.C. 103 as being unpatentable over Freund in view of Mehta, and further in view of Pham et al (PGPUB 2005/0182966).

Regarding Claim 22:
Freund in view of Mehta teaches the computer-implemented method of claim 21.  In addition, Freund teaches the method, further comprising: 
retrieving one or more client process properties associated with the client process (paragraph 83, IPCC determines currently running process or application which is attempting to open the connection, using e.g. "GetCurrentProcess" and "GetCurrentProcessId" Windows API functions to determine the current application or process attempting to open the connection).
Neither Freund nor Mehta explicitly teaches retrieving one or more client process properties of a plurality of client process properties associated with the client process from kernel memory.
However, Pham teaches the concept of retrieving one or more client process properties of a plurality of client process properties associated with a client process from kernel memory (paragraph 53, PEM locally executed in kernel space as component permitting interception of API and virtual file system function calls; paragraph 55, information describing process context retrieved from operating system kernel; process context defined as task parent process and child processes traceable through parent process identifiers, including authentication data and access attributes).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the expanded client process properties teachings of Pham with the interprocess communication control system of Freund in view of Mehta, in order to increase the level of process trust by incorporating additional process characteristics into a policy, thereby improving precision and allowing the separation of similar processes which would otherwise be treated exactly the same, reducing false positive rejection rates while maintaining service security.

Regarding Claim 24:
Freund in view of Mehta and Pham teaches the method of claim 22.  In addition, Freund teaches wherein 
the plurality of client process properties comprise a user context, a user group context, a client program name (paragraph 40, 83, process identifier which identifies the program with a process number, retrieved by "GetCurrentProcessId”), or a terminal type, and
Pham teaches wherein the plurality of client process properties comprise a parent process name (paragraph 46, process identifier is used either directly or by tracing through the chain of parent process identifiers maintained for the process context by the operating system to match an authentication data record process identifier; the authentication data preferably includes the request process identifier and, as applicable, the linking parent process identifiers associated with the authentication data record).
The rationale to combine Freund and Pham is the same as provided for claim 22 due to the overlapping subject matter between claims 22 and 24.

Regarding Claim 25:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 22.  In addition, Freund teaches the method, further comprising: 
forwarding the service call to the server if each attribute of the one or more attributes of at least one rule matches a corresponding client process property of the one or more client process properties (paragraph 84, a known application may have an established rule which indicates the application is trusted (i.e., approved for Internet access), untrusted (blocked from accessing the Internet), or which provides for requesting a decision from the user (or from a centralized administrative service) about whether or not to permit access).

Regarding Claim 26:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 25.  In addition, Freund teaches the method, further comprising: 
generating a reject notification if at least one client process property of the one or more client process properties does not match each attribute (paragraph 84, if the application is not known, an established rule may be applied (e.g., block access by unknown applications); paragraph 87, if the answer is to block (deny) the attempt, then a response is returned to the requesting application (e.g., malware) with an appropriate error message, such as "connection refused", "service not available", or the like); and 
sending the reject notification to the client (paragraph 87, if the answer is to block (deny) the attempt, then a response is returned to the requesting application (e.g., malware) with an appropriate error message, such as "connection refused", "service not available", or the like).

Regarding Claim 27:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 26.  In addition, Freund teaches wherein 
a first attribute of the one or more attributes of a first rule of the one or more rules corresponds to a first client process property of the one or more client process properties (paragraph 84, the rules database is consulted to determine whether the malware application is a known application and applies any established rule if the application is known; a known application may have an established rule which indicates the application is trusted (i.e., approved for Internet access), untrusted (blocked from accessing the Internet), or which provides for requesting a decision from the user (or from a centralized administrative service) about whether or not to permit access), and 
Pham teaches a second attribute of the one or more attributes of a second rule of the one or more rules corresponds to a second client process property of the one or more client process properties (paragraph 40, on intercept of any interprocess communications request, whether a local domain interprocess communications channel (IPC) or network socket request, the requested access operation, along with authentication and authorization information derived from the application instance process context associated with the request, is reported to and processed through a rule-based policy set maintained by the security appliance; based on the request and related information, an applicable set of policy rules are identified for evaluation against the provided information; access operations if and as permitted under an applicable policy set are then enabled through the PEM to complete; paragraph 44, the stored rules are specified by a system administrator to detail the permitted operations against the various filesystem and communications resources protected by the security processor further qualified by applicable authentication and authorization values and the time ranges within which a rule is operative; the specified authorization values and time ranges are referred to as the rule access attributes).
The rationale to combine Freund and Pham is the same as provided for claim 22 due to the overlapping subject matter between claims 22 and 27.

Regarding Claim 28:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 22.  In addition, Freund teaches wherein 
the plurality of rules are part of a rule set (paragraph 41, security policy is set of rules), 
the rule set is part of a service call filter module (paragraph 85, IPCC includes rules to evaluate attempts to access a service; paragraph 65, control is achieved by filtering an application’s request to access a service through security policy management mechanisms, i.e. IPCC acts as filter, and therefore is a service call filter module), and 
the service call filter module is part of a kernel (paragraph 71, kernel component comprises TrueVector device driver which includes IPCC).

Regarding Claim 29:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 28.  In addition, Freund teaches the method, further comprising: 
accessing the rule set to determine whether the internal service identified by the identifier is unprotected or protected (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination; paragraph 95, rules determine what is protected).

Regarding Claim 30:
Freund in view of Mehta and Pham teaches the computer-implemented method of claim 29.  In addition, Freund teaches wherein 
the internal service is protected if the rule set comprises at least one rule of the plurality of rules for the identifier specified in the service call (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); paragraph 95, rules determine what is protected; this determination typically first involves determining whether the target application is a protected application (i.e., the target application was previously registered as a protected application as described above)), and 
the internal service is unprotected if the rule set does not comprise at least one rule of the plurality of rules for the internal service specified in the service call (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination).

Regarding Claim 31:
Freund in view of Mehta and Pham teaches the method of claim 30.  In addition, Freund teaches the method, further comprising: 
forwarding the service call to the server if the internal service is unprotected (paragraph 165-166, a determination is made as to whether the process that is being called is a protected process or application (i.e., one that has been registered); if the process that is being called is a protected process then "FALSE" is returned; otherwise, "TRUE" is returned to indicate that the communication should be allowed to proceed; if the process is not protected (i.e., if "TRUE" is returned), then an actual handler is called; in this event the message is sent to the original destination), or each attribute of the at least one rule matches the corresponding client process property of the one or more client process properties.

Regarding Claim 36:
Freund in view of Mehta teaches the non-transitory computer readable storage medium of claim 35.  In addition Freund teaches wherein the method further comprises: 
retrieving one or more client process properties associated with the client process (paragraph 83, IPCC determines currently running process or application which is attempting to open the connection, using e.g. "GetCurrentProcess" and "GetCurrentProcessId" Windows API functions to determine the current application or process attempting to open the connection), wherein 
the client process properties comprise a client program name (paragraph 40, 83, process identifier which identifies the program with a process number, retrieved by "GetCurrentProcessId”); 
forwarding the service call to the server if each attribute of the one or more attributes of at least one rule matches a corresponding client process property of the one or more client process properties (paragraph 84, a known application may have an established rule which indicates the application is trusted (i.e., approved for Internet access), untrusted (blocked from accessing the Internet), or which provides for requesting a decision from the user (or from a centralized administrative service) about whether or not to permit access); 
generating a reject notification if at least one client process property of the one or more client process properties does not match each attribute (paragraph 84, if the application is not known, an established rule may be applied (e.g., block access by unknown applications); paragraph 87, if the answer is to block (deny) the attempt, then a response is returned to the requesting application (e.g., malware) with an appropriate error message, such as "connection refused", "service not available", or the like); and 
sending the reject notification to the client (paragraph 87, if the answer is to block (deny) the attempt, then a response is returned to the requesting application (e.g., malware) with an appropriate error message, such as "connection refused", "service not available", or the like).
Neither Freund nor Mehta explicitly teaches retrieving one or more client process properties of a plurality of client process properties associated with the client process from kernel memory; and
the plurality of client process properties comprise a user context, a user group context, a parent process name, or a terminal type.
However, Pham teaches the concept of retrieving one or more client process properties of a plurality of client process properties associated with a client process from kernel memory (paragraph 53, PEM locally executed in kernel space as component permitting interception of API and virtual file system function calls; paragraph 55, information describing process context retrieved from operating system kernel; process context defined as task parent process and child processes traceable through parent process identifiers, including authentication data and access attributes); and
the plurality of client process properties comprise a user context, a user group context, a parent process name (paragraph 46, process identifier is used either directly or by tracing through the chain of parent process identifiers maintained for the process context by the operating system to match an authentication data record process identifier; the authentication data preferably includes the request process identifier and, as applicable, the linking parent process identifiers associated with the authentication data record), or a terminal type.
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the expanded client process properties teachings of Pham with the interprocess communication control system of Freund in view of Mehta, in order to increase the level of process trust by incorporating additional process characteristics into a policy, thereby improving precision and allowing the separation of similar processes which would otherwise be treated exactly the same, reducing false positive rejection rates while maintaining service security.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                         
/Kevin Bechtel/Primary Examiner, Art Unit 2491