Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

DETAILED ACTION
Claims 1-27 are elected and are pending in this office action. Claims 28-38 have been withdrawn from consideration.

Priority
No foreign priority is claimed.


Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors.  Applicant's cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 10/11/2020 and 12/16/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claims 13 and 26 are objected to because of the following informalities:
For claims 13 and 26, in the phrase - “classifying the process as suspicious upon determining that the thread stack does not comprise 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 6-9 and 19-22 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.
For claims 6 and 19, the limitation (last 4 lines of the claims) - “comparing the identified name to a list of whitelisted names, classifying the process as suspicious if the identified name does not match any of the whitelisted names, and classifying the process as benign if the identified name does not match any of the whitelisted names” does not have support in the specification. The instant specification, in Fig. 3 and the relevant paragraph 0075, discloses - “In step 104, endpoint agent 22 compares the retrieved file name to the whitelisted names in the first given whitelist. If endpoint agent 22 does not find any given whitelisted name 54 matching the retrieved file name, then in step 106, the endpoint agent classifies the retrieved file name as suspicious. However, if endpoint agent 22 finds a given whitelisted name 54 matching the retrieved file name, 18 then in step 108, the endpoint agent classifies the retrieved name as benign”, which describes classifying the file name as benign if a match is found in the whitelist. The claimed limitation, by contrast, identifies the file as benign if it is not found in the whitelist. The Examiner is unable to find support in the specification for the above amended limitation. The claims are thus rejected under the written description requirement as failing to be supported by the original disclosure. See MPEP §2163.01.

For claims 7 and 20, the limitation (last 4 lines of the claims) - “comparing the identified path to a list of whitelisted paths, classifying the process as suspicious if the identified path does not match any of the whitelisted paths, and classifying the process as benign if the identified path does not match any of the whitelisted paths” does not have support in the specification. The instant specification, in Fig. 3 and the relevant paragraph 0077, discloses - “In step 112, endpoint agent 22 compares the retrieved path to the whitelisted paths in the second given whitelist. If endpoint agent 22 does not find any given whitelisted path 54 matching between the retrieved path and, then in step 114, the endpoint agent classifies the retrieved path as suspicious. However, if endpoint agent 2 finds a given whitelisted path 54 matching retrieved file name, then in step 116, the endpoint agent 22 classifies the retrieved path as benign”, which describes classifying the path as benign if a match is found in the whitelisted paths. The claimed limitation, by contrast, identifies the path as benign if it is not found in the whitelisted paths. The Examiner is unable to find support in the specification for the above amended limitation. The claims are thus rejected under the written description requirement as failing to be supported by the original disclosure. See MPEP §2163.01.

For claims 8 and 21, the limitation (last 4 lines of the claims) - “comparing the computed signature to a list of whitelisted signatures, classifying the process as suspicious if the computed signature does not match any of the whitelisted signatures, and classifying the process as benign if the computed signature does not match any of the whitelisted signatures” does not have support in the specification. The instant specification, in Fig. 3 and the relevant paragraph 0079, discloses - “In step 120, endpoint agent 22 compares the computed signature to the whitelisted signatures in the third given whitelist. If endpoint agent 22 does not find any given whitelisted signature 54 matching the computed signature, then in step 122, the endpoint agent 22 classifies the computed signature as suspicious. However, if endpoint agent 22 finds a match a given whitelisted signature 54 matching the computed signature, then in step 124, the endpoint agent 22 classifies the computed signature as benign”, which describes classifying the signature as benign if a match is found in the whitelist. The claimed limitation, by contrast, identifies the signature as benign if it is not found in the whitelist. The Examiner is unable to find support in the specification for the above amended limitation. The claims are thus rejected under the written description requirement as failing to be supported by the original disclosure. See MPEP §2163.01.

For claims 9 and 22, the limitation (last 4 lines of the claims) - “comparing the computed hash value to a list of whitelisted hash values, classifying the process as suspicious if the computed hash value does not match any of the whitelisted hash values, and classifying the process as benign if the computed hash value does not match any of the whitelisted hash values” does not have support in the specification. The instant specification, in Fig. 3 and the relevant paragraph 0083, discloses - “In step 128, endpoint agent 22 compares the computed hash value to the whitelisted hash values in the fourth given whitelist. If endpoint agent 22 does not find any given whitelisted hash value 54 matching the computed hash value and, then in step 130, the endpoint agent classifies the computed hash value as suspicious. However, if endpoint agent 22 finds a given whitelisted signature 54 matching the computed hash value, then in step 132, the endpoint agent classifies the computed hash value as benign”, which describes classifying the hash as benign if a match is found in the whitelist. The claimed limitation, by contrast, identifies the hash as benign if it is not found in the whitelist. The Examiner is unable to find support in the specification for the above amended limitation. The claims are thus rejected under the written description requirement as failing to be supported by the original disclosure. See MPEP §2163.01.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 6-9 and 19-22 are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
For claims 6 and 19, the limitation (last 4 lines of the claims) - “comparing the identified name to a list of whitelisted names, classifying the process as suspicious if the identified name does not match any of the whitelisted names, and classifying the process as benign if the identified name does not match any of the whitelisted names” is confusing in that the instant specification, based on Fig. 3 and the relevant paragraph 0075, discloses - “In step 104, endpoint agent 22 compares the retrieved file name to the whitelisted names in the first given whitelist. If endpoint agent 22 does not find any given whitelisted name 54 matching the retrieved file name, then in step 106, the endpoint agent classifies the retrieved file name as suspicious. However, if endpoint agent 22 finds a given whitelisted name 54 matching the retrieved file name, 18 then in step 108, the endpoint agent classifies the retrieved name as benign”, which specifies classifying the file name as benign if a match is found in the whitelist. The claimed limitation (and paragraph 0012), by contrast, identifies the file as benign if it is not found in the whitelist, which contradicts the detailed description and the subject matter shown in the relevant figure, thereby rendering the claim indefinite. Based on Fig. 3 and the other relevant paragraphs, and also considering the most logical approach known in the art, the limitation will be interpreted as “…classifying the process as benign if the identified name matches any of the whitelisted names”.

For claims 7 and 20, the limitation (last 4 lines of the claims) - “comparing the identified path to a list of whitelisted paths, classifying the process as suspicious if the identified path does not match any of the whitelisted paths, and classifying the process as benign if the identified path does not match any of the whitelisted paths” is confusing in that the instant specification, based on Fig. 3 and the relevant paragraph 0077, discloses - “In step 112, endpoint agent 22 compares the retrieved path to the whitelisted paths in the second given whitelist. If endpoint agent 22 does not find any given whitelisted path 54 matching between the retrieved path and, then in step 114, the endpoint agent classifies the retrieved path as suspicious. However, if endpoint agent 2 finds a given whitelisted path 54 matching retrieved file name, then in step 116, the endpoint agent 22 classifies the retrieved path as benign”, which specifies classifying the path as benign if a match is found in the whitelisted paths. The claimed limitation (and paragraph 0013), by contrast, identifies the path as benign if it is not found in the whitelisted paths, which contradicts the detailed description and the subject matter shown in the relevant figure, thereby rendering the claim indefinite. Based on Fig. 3 and the other relevant paragraphs, and also considering the most logical approach known in the art, the limitation will be interpreted as “…classifying the process as benign if the identified path matches any of the white listed paths”.

For claims 8 and 21, the limitation (last 4 lines of the claims) - “comparing the computed signature to a list of whitelisted signatures, classifying the process as suspicious if the computed signature does not match any of the whitelisted signatures, and classifying the process as benign if the computed signature does not match any of the whitelisted signatures” is confusing in that the instant specification, based on Fig. 3 and the relevant paragraph 0079, discloses - “In step 120, endpoint agent 22 compares the computed signature to the whitelisted signatures in the third given whitelist. If endpoint agent 22 does not find any given whitelisted signature 54 matching the computed signature, then in step 122, the endpoint agent 22 classifies the computed signature as suspicious. However, if endpoint agent 22 finds a match a given whitelisted signature 54 matching the computed signature, then in step 124, the endpoint agent 22 classifies the computed signature as benign”, which specifies classifying the signature as benign if a match is found in the whitelist. The claimed limitation (and paragraph 0014), by contrast, identifies the signature as benign if it is not found in the whitelisted signatures, which contradicts the detailed description and the subject matter shown in the relevant figure, thereby rendering the claim indefinite. Based on Fig. 3 and the other relevant paragraphs, and also considering the most logical approach known in the art, the limitation will be interpreted as “…classifying the process as benign if the computed signature matches any of the whitelisted signatures”.

For claims 9 and 22, the limitation (last 4 lines of the claims) - “comparing the computed hash value to a list of whitelisted hash values, classifying the process as suspicious if the computed hash value does not match any of the whitelisted hash values, and classifying the process as benign if the computed hash value does not match any of the whitelisted hash values” is confusing in that the instant specification, based on Fig. 3 and the relevant paragraph 0083, discloses - “In step 128, endpoint agent 22 compares the computed hash value to the whitelisted hash values in the fourth given whitelist. If endpoint agent 22 does not find any given whitelisted hash value 54 matching the computed hash value and, then in step 130, the endpoint agent classifies the computed hash value as suspicious. However, if endpoint agent 22 finds a given whitelisted signature 54 matching the computed hash value, then in step 132, the endpoint agent classifies the computed hash value as benign”, which specifies classifying the hash as benign if a match is found in the whitelist. The claimed limitation (and paragraph 0015), by contrast, identifies the hash as benign if it is not found in the whitelisted hash values, which contradicts the detailed description and the subject matter shown in the relevant figure, thereby rendering the claim indefinite. Based on Fig. 3 and the other relevant paragraphs, and also considering the most logical approach known in the art, the limitation will be interpreted as “…classifying the process as benign if the computed hash value matches any of the whitelisted hash values”.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-10, 14-23 and 27 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Challita et al. (US 2018/0248896 A1, Challita hereinafter).
For claim 1, Challita teaches a method for protecting a computer system coupled to a storage device, comprising: storing, to the storage device, a set of protected files and a decoy file (para 0013, 0014, 0017, 0035 - stopping and recovering from ransomware attacks, data or files that are to be protected from attack, decoy generation and placement within filesystem), wherein any modification to the decoy file indicates a cyber-attack on the computer system (para 0034, 0061 - detection of decoy file component modification indicative of attack); 
receiving a request from a process executing on the computing device to enumerate files stored on the storage device (para 0044, 0045 - file enumeration request monitoring for files stored on storage device); 
analyzing, by a processor, the process so as to classify the process as benign or suspicious (para 0017, 0017, 0041, 0043-0045, 0057 - process analysis of the process that request file enumeration and determining of suspiciousness);
enumerating the protected files to the process (para 0045-0046 - enumeration or counting of files and paths); and 
enumerating the decoy file to the process only upon classifying the process as suspicious (para 0018, 0034-0035, 0057, 0061 - enumeration of decoy files for the process requests when possible suspicious/ransomware activity is determined).
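To make the two points of this action concrete, the following is an added illustration that is not code from the applicant's specification, from Challita, or from this Office action. It models the method of claim 1 as mapped above (protected files are always enumerated to the requesting process, the decoy file only to a process classified as suspicious, and any modification of the decoy signals an attack), and it pairs the claims 6-9 whitelist wording as literally written with the examiner's interpretation of that wording from the § 112(b) rejection. All process names, paths, file names, hashes and whitelist contents are constructed; combining the name, path and hash checks into one verdict is an assumption made for the example and not something the claims state.

```python
# Added illustration for this office action; it is not code from the
# applicant's specification or from Challita, and every name, path, hash,
# file and whitelist below is constructed for the example.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    """The process that requested file enumeration (constructed attributes)."""
    pid: int
    exe_name: str
    exe_path: str
    exe_bytes: bytes  # contents of the launching executable, hashed below


@dataclass
class Whitelists:
    """The name, path and hash whitelists of claims 6, 7 and 9 (constructed)."""
    names: frozenset
    paths: frozenset
    hashes: frozenset


def classify_as_claimed(value: str, whitelist: frozenset) -> Optional[str]:
    """Claims 6-9 exactly as worded: both branches test 'does not match',
    so the 'benign' branch can never be reached and a matching value gets
    no classification at all."""
    if value not in whitelist:
        return "suspicious"
    if value not in whitelist:  # same condition as above: unreachable
        return "benign"
    return None  # a whitelisted value falls through with no verdict


def classify_as_interpreted(value: str, whitelist: frozenset) -> str:
    """The examiner's interpretation, matching Fig. 3 as quoted (steps
    104-108 and the parallel steps): suspicious if no whitelisted entry
    matches, benign if one does."""
    return "benign" if value in whitelist else "suspicious"


def static_analysis(proc: Process, wl: Whitelists) -> str:
    """Claim 5 style static analysis of the launching executable. Claims 6, 7
    and 9 each give one check; requiring all three to pass is an assumption
    made for this example, not something the claims state."""
    digest = hashlib.sha256(proc.exe_bytes).hexdigest()
    verdicts = (
        classify_as_interpreted(proc.exe_name, wl.names),
        classify_as_interpreted(proc.exe_path, wl.paths),
        classify_as_interpreted(digest, wl.hashes),
    )
    return "benign" if all(v == "benign" for v in verdicts) else "suspicious"


class ProtectedStore:
    """Models the storage device of claim 1: a set of protected files plus
    one decoy file that no legitimate process should ever touch."""

    def __init__(self, protected: list, decoy: str):
        self.protected = list(protected)
        self.decoy = decoy

    def enumerate_for(self, proc: Process, wl: Whitelists):
        """Claim 1 steps: classify the requesting process, always enumerate
        the protected files, and enumerate the decoy only when the process
        was classified as suspicious."""
        verdict = static_analysis(proc, wl)
        listing = list(self.protected)
        if verdict == "suspicious":
            listing.append(self.decoy)
        return verdict, listing

    def is_attack(self, modified_path: str) -> bool:
        """Any modification to the decoy file indicates a cyber-attack."""
        return modified_path == self.decoy


# Constructed sample data used when the module is run directly.
BACKUP_EXE = b"\x7fELF constructed backup tool bytes"
SAMPLE_WHITELISTS = Whitelists(
    names=frozenset({"backup"}),
    paths=frozenset({"/usr/bin/backup"}),
    hashes=frozenset({hashlib.sha256(BACKUP_EXE).hexdigest()}),
)
SAMPLE_STORE = ProtectedStore(
    protected=["/home/user/docs/report.docx", "/home/user/docs/ledger.xlsx"],
    decoy="/home/user/docs/.decoy-0001.docx",
)
BENIGN_PROC = Process(1001, "backup", "/usr/bin/backup", BACKUP_EXE)
UNKNOWN_PROC = Process(2002, "svchost", "/tmp/svchost", b"constructed unknown bytes")

if __name__ == "__main__":
    for proc in (BENIGN_PROC, UNKNOWN_PROC):
        verdict, listing = SAMPLE_STORE.enumerate_for(proc, SAMPLE_WHITELISTS)
        print(proc.pid, verdict, listing)
```

Running the module lists the two protected files for the whitelisted backup process and the two protected files plus the decoy for the unknown process. `classify_as_claimed` shows why the examiner treats the literal claim wording as indefinite: a whitelisted value satisfies neither branch, so the literal text never yields "benign".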

For claim 2, Challita teaches the claimed subject matter as discussed above. Challita further teaches wherein the cyber-attack comprises a ransomware attack (Abstract; para 0014, 0017, 0034-0035, 0048, 0057).

For claim 3, Challita teaches the claimed subject matter as discussed above. Challita further teaches initiating a protective action on the process (Abstract; para 0014, 0017-0018, 0038, 0048 - actions for mitigation, prevention, protection of files against the suspicious process).

For claim 4, Challita teaches the claimed subject matter as discussed above. Challita further teaches the method according to claim 3, wherein initiating the preventive action comprises identifying a causality chain for the process, and initiating the preventive action on the causality chain (para 0012, 0038, 0045-0048 - processes associated with (or causing) the ransomware attack are suspended, prevented or terminated).

For claim 5, Challita teaches the claimed subject matter as discussed above. Challita further teaches wherein analyzing the process comprises identifying, on the storage device, an executable file that launched the process, and performing a static analysis on the identified executable file (para 0018, 0041, 0048, 0057 - monitoring and analysis of process executed via executable, and static analysis of the process associated with or caused by the executable, including preventive action against the same).

For claim 6, Challita teaches the claimed subject matter as discussed above. Challita further teaches the method according to claim 5, wherein performing the static analysis comprises identifying a name of the executable file, comparing the identified name to a list of whitelisted names, classifying the process as suspicious if the identified name does not match any of the whitelisted names, and classifying the process as benign if the identified name does not match any of the whitelisted names (para 0046, 0048, 0054 - process names to identify processes and checked with respect to whitelist entries for classification as malicious or benign).

For claim 7, Challita teaches the claimed subject matter as discussed above. Challita further teaches the method according to claim 5, wherein performing the static analysis comprises identifying a path of the executable file, comparing the identified path to a list of whitelisted paths, classifying the process as suspicious if the identified path does not match any of the whitelisted paths, and classifying the process as benign if the identified path does not match any of the white listed paths (para 0045-0046, 0048, 0054 - paths of processes and checked with respect to whitelist entries for classification as malicious or benign).

For claim 8, Challita teaches the claimed subject matter as discussed above. Challita further teaches the method according to claim 5, wherein performing the static analysis comprises computing a signature for the executable file, comparing the computed signature to a list of whitelisted signatures, classifying the process as suspicious if the computed signature does not match any of the whitelisted signatures, and classifying the process as benign if the computed signature does not match any of the whitelisted signatures (para 0048, 0050, 0057 - encryption key and signature associated with processes).

For claim 9, Challita teaches the claimed subject matter as discussed above. Challita further teaches the method according to claim 5, wherein performing the static analysis comprises computing a hash value for the executable file, comparing the computed hash value to a list of whitelisted hash values, classifying the process as suspicious if the computed hash value does not match any of the whitelisted hash values, and classifying the process as benign if the computed hash value does not match any of the whitelisted hash values (para 0043, 0048, 0054, 0057 - hashes of processes that are checked in the whitelist).

For claim 10, Challita teaches the claimed subject matter as discussed above. Challita further teaches wherein analyzing the process comprises performing a dynamic analysis on the process (para 0018, 0057 - dynamic analysis of the process).

As to claim 14, the claim limitations are similar to those of claim 1, except the instant claim 14 is drawn to an apparatus for protecting a computer system (Fig. 1-2), comprising elements or method steps as claimed in claim 1. Therefore claim 14 is rejected according to claim 1.

As to claims 15-23, the claim limitations are similar to those of claims 2-10 respectively. Therefore claims 15-23 are rejected according to claims 2-10 respectively as above.

As to claim 27, the claim limitations are similar to those of claim 1, except the instant claim 27 is drawn to a computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, in which program instructions are stored (Fig. 1-2; para 0034, 0037), which, when read by a computer, cause the computer to perform the method steps as claimed in claim 1. Therefore claim 27 is rejected according to claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 11-12 and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Challita et al. (US 2018/0248896 A1, Challita hereinafter), in view of Maciejak et al. (US 2018/0189490 A1, Maciejak hereinafter).
For claims 11 and 24, Challita does not appear to explicitly disclose the following; however, Maciejak discloses wherein performing the dynamic analysis comprises identifying a thread in the process that conveyed the request to enumerate the files, determining whether or not the thread was injected into the process, classifying the process as suspicious upon determining that the thread was to be injected into the process, and classifying the thread as benign upon determining that the thread was not injected into the process (para 0043, 0048, 0055-0056, 0067 - threads associated with ransomware processes that attempt to enumerate or access files, i.e. threads inserted, or injected, as part of the suspicious process are identified and used to determine whether the process is benign).
Therefore, based on Challita in view of Maciejak, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Maciejak in the system of Challita, in order to scrutinize the process and its associated entities, such as dynamically spawned sub-processes or threads, thereby tracking whether any unintended or unexpected process elements are present, to enhance system security and improve attack detection effectiveness.

For claims 12 and 25, Challita does not appear to explicitly disclose the following; however, Maciejak discloses wherein performing the dynamic analysis comprises identifying a thread in the process that conveyed the request to enumerate the files, determining whether or not the thread comprises shellcode, classifying the process as suspicious upon determining that the thread comprises shellcode, and classifying the thread as benign upon determining that the thread does not comprise shellcode (para 0043-0045, 0048, 0055, 0078 - operating system related elements that would include shell code associated with the threads, and determining whether the thread is benign).
Therefore, based on Challita in view of Maciejak, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Maciejak in the system of Challita, in order to scrutinize the process and its associated entities, such as dynamically spawned sub-processes or threads, thereby tracking whether any unintended or unexpected process elements are present, to enhance system security and improve attack detection effectiveness.


Allowable Subject Matter
Claims 13 and 26 are objected to as being dependent upon rejected base claims, but would be allowable if their limitations were incorporated into their respective base claims 1 and 14 (and into independent claim 27, for allowability of claim 27), including all of the limitations of the base claims and any intervening claims, in addition to overcoming the above-mentioned rejections associated with their parent claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433