DETAILED ACTION

Currently pending claims are 1 – 14, 16 – 29 and 34 – 37 (newly added claims 35 – 37 and cancelled claim 30 – 33).

Response to Arguments

Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 1, Applicant asserts prior-art(s) does not teach the newly amended claim element such as “the initial state having a shared scope to prevent multiple threads from launching in response to multiple occurrences of an initial event in the sequence of events” (Added by Applicant on 6/24/2022).  Examiner respectfully disagrees with the following rationale.  
(a) According to MPEP 2111 of the broadest and reasonable claim interpretations, applicant’s argument has no merit since the alleged limitation such as “(a) in a sequence of events, what is the exact content of an occurrence w.r.t. multiple occurrences of an initial event (i.e. what is the alleged initial event if a 1st occurrence of computer activity is designated as a 1st (initial) event which can comprise what kind of recited multiple occurrences, and (b) what is the exact content of a scope to be shared and associated with what kind of thread” have not been specifically recited into the claim.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  Accordingly, Examiner notes such a newly added claim element renders the claim not only unclear but also abstract – i.e. it appears to be merely directed to a concept in a high level of generality capturing concept (i.e. using functional descriptive material of a state machine) in lack of a subtly incorporated specific detail algorithm / mechanism of implementations;
(b) In light of that, according to MPEP 2111, Examiner respectfully notes:
(b-1) a specific-purpose function must be associated with a particular thread for executing a predetermined functionality in a system, and 
(b-2) a new arriving message can be construed as one type of an initial event (as recited in the claim) to be handled by Telesco’s simple event handler of the state machine directed to security protection and accordingly, a series of multiple occurrences of new incoming messages can be construed as multiple occurrences of an initial event in the sequence of events, as recited in the claim and accordingly, 
(b-3) Telesco teaches during such a situation, an integral system security function would be invoked to filter and review the received data for unauthorized access (Telesco: Col 20 Line 31 – 37), and such an integral system security function operates as a centralized controlling for the entire computer system by providing (sharing) a system-scope level of security function processing  (Telesco: Col 19 Line 50 – 55 / Line 61 – 67).  Therefore, the particular thread for executing a predetermined functionality of the system such as the integral system security function is indeed an independent centralized (single) system-scope level thread for executing the corresponding integral system security function to filter and review for unauthorized access for an entirety rather than utilizing multiple threads for each of the new incoming messages so as to effectively provide a simple event handler (w.r.t. a simplified state machine) (Telesco: Col. 20 Line 21 – 26) – this matches the recited claim language such as having a shared scope to prevent multiple threads from launching by the system; and 
(b-4) Furthermore, an additional evidence, enclosed in the record of PTO-892, can be used, as a reinforcement of a supplemental reference, to further support the rationale of rejection for the clarity purpose – for example, U.S. Patent 2015/0142988 (Wen: Abstract & Para [0015]: a series of redundant incoming packets (messages) can be construed as multiple occurrences of an initial event (w.r.t. initial state) in a sequence of events, and the finite state machine would not make a transition into a next state (associated with another thread) based on a shared scope of Wen’s event processing mechanism and thus prevent the launching of multiple threads so as to relieve (reduce) the computational load of the simplified state machine (Wen: Para [0015] / Last sentence)).  As such Applicant's arguments are respectfully traversed.
Examiner notes similar rationale can be applied to the rejection of PART – II / 2 of Lei’s reference.
As per claim 1, Applicant also asserts prior-art(s) does not teach the claim element such as “a time-based exit condition that resets the state machine after a predetermined amount of time ” (Deleted by Applicant on 6/24/2022).  Examiner respectfully disagrees with the following rationale.  
(a) Telesco (Col. 12 Line 30 – 43) teaches a particular type of computing object such as a computer I/O device input from an unauthorized user constitutes a type of computing object (Note: this is consistent with the disclosure of the instant specification SPEC [0184]: a computing object as a process or a peripheral (I/O) device such as a mouse, a keyboard or a USB device), which can be associated with a security threat event (a malware event) so as to activate the BIOS in the booting of the computer device and device configuration before the unauthorized data can make its way too deep into the computer device (i.e. completely exiting and terminating the current process) (Telesco: Col. 12 Line 31 – 33) in order to stop malware attacks immediately as soon as possible and thus being construed as a timing-sensitive malware event w.r.t. one type of time-based exit conditions especially when in view of monitoring the health of the computing system, which is also qualified as one type of watchdog time-out events by ordinary skills in the art (Telesco: FIG. 17 / E-68) to allow dynamically adapt to varying levels of security threats (Telesco: Col. 12 Line 40 – 43 & FIG. 17 / E-68) as needed; and  
(b) Besides, Examiner notes the disclosure of SPEC, at most, just discloses to reset the state machine after a predetermined amount of time in a particular state (SPEC: Para [0179] Last sentence) while nowhere does the SPEC indicate what kind of (qualified) particular state would do so (how, when and what) to reset the state machine after a predetermined amount of time. As such Applicant's arguments are respectfully traversed.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 4, 23 & 24 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea.

Step 1: 
With regard to claims 1, 4, 23 and 24, the claims are recited as being directed to a computer program product, a method and an endpoint respectively.  

Step 2A Prong One:
These claim limitations appear to recite “Mental Processes” to monitor the transition in a state machine with a sequence of events / states that are merely abstract – i.e. the claims are merely done by human mental analysis using well-understood and conventional functional descriptive material of a state machine previously known to the pertinent industry to monitor for an occurrence of a sequence of events / states. The claims appear to recite the concepts in a high level of generality capturing concepts which may be performed within a human mind.
In addition, even though the new claim element such as “the initial state having a shared scope to prevent multiple threads from launching in response to multiple occurrences of an initial event in the sequence of events” has been added by Applicant on 6/24/2022, Examiner respectfully notes such a newly added claim element appears to recite the concept in a high level of generality capturing concept (i.e. merely using functional descriptive material of a state machine) in lack of a subtly incorporated specific detail algorithm / mechanism of implementations because: 
(a) in a sequence of events, what is the exact content of an occurrence w.r.t. multiple occurrences of an initial event (i.e. what is the alleged initial event if a 1st occurrence of computer activity is designated as a 1st (initial) event which can comprise what kind of recited multiple occurrences, and 
(b) what is the exact content of a scope to be shared and associated with what kind of thread have not been specifically recited into the claim at all.



Step 2B Prong Two:
With regard to claims 1, 4, 23 and 24, the claims recite additional elements as follows.
deploying the event handler as an event-based state machine for use by a local security agent executing on the endpoint in detection of malware; 
            monitoring events on the endpoint with the event handler; 
            detecting the instance of the malware on the endpoint based upon an occurrence of the terminal event during the terminal states; and 
            in response to detecting the instance of the malware, initiating remediation of  the instance of the malware on the endpoint.  

These claim limitations appear to merely add the use of generic computer components which are merely executing the abstract idea within a computer device (terminal). (See MPEP 2106.05(b))   

As such, when viewed as an ordered combination, the claim appears to recite a series of mental processes which are being executed by generic computing devices and do not appear to amount to significantly more than the abstract idea itself to subtly incorporate specific details of patentable features into an implementation.

Based on the above analysis the claims 1, 4, 23 and 24 have been determined to not be eligible subject matter under 35 USC 101.  Any other claims not addressed are rejected by virtue of their dependency.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 11, 16 – 20, 22 – 24, 27, 29, 34 & 37 (PART – I / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Telesco et al. (U.S. Patent 7,249,381). 

As per claim 1, 4, 23 and 24 (PART – I / 2), Telesco teaches a computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

identifying a sequence of events associated with malware on an endpoint (Telesco: Figure 15 / E-66, E-19(a) & Figure 17, Col. 20 Line 21 – 44, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67, Col. 18 Line 60 – Col. 19 Line 48 and Col. 2 Line 41 – 48: 
(a) providing a simple version of state machine with an event handler (Telesco: Col. 20 Line 21 – 26) to (b) detect an unauthorized access to a computing system (i.e. endpoint) when it is triggered (invoked) by a new received message (i.e. event data) from a malicious entity to filter (i.e. capture / analyze) for determining an unauthorized access and to generate a security alarm as needed (Telesco: Col. 20 Line 33 – 37, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67) – i.e. (c) monitoring (tracing) and analyzing a sequence of events associated with a malicious (anomaly) activity (i.e. a malware attack as an action by an instance of the malware, as recited) on a target terminal (endpoint) device));
configuring an event handler for use with the endpoint as a state machine, the state machine comprising a plurality of states arranged sequentially from an initial state to a terminal state, each one of the plurality of states corresponding to a monitoring state for one of the sequence of events associated with the malware, and each one of the plurality of states configured to monitor for an occurrence of the one of the sequence of events (Telesco: see above & Col. 12 Line 35 – 43, Col. 20 Line 21 – 44 and Col. 18 Line 60 – Col. 19 Line 48: 
(1) Telesco implementing a simple state machine with a simple event handler to establish an improved security (or security protection) resource management system (Telesco: Col. 4 Line 39 – 47 and Col. 20 Line 21 – 26) to detect an unauthorized access to a computing device (as one type of malwares) when it is triggered (invoked) by a new received message (i.e. new event data) from a malicious entity to filter (i.e. capture / analyze) for determining an unauthorized access so as to generate a security alarm as needed (Telesco: Col. 20 Line 33 – 37, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67) – As such, Telesco’s state machine is qualified as a malware detection state machine – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0178] – [0180]: using a state machine during a process of detecting a potential malware (i.e. reaching a compromised security state)); and besides,
(2) With respect to improved security (or security protection: see above), Telesco teaches designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different type of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations are depending on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different type of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance); and 
(3) Telesco also teaches using a second event as a terminal event (e.g. any event other than the initial event) for checking (detecting) the access authorization) associated with filtering (i.e. capturing / analyzing) a new message (access request) to trigger a simple version of state machine for security protection (e.g. determining unauthorized access) (Telesco: FIG. 17 / E-72 & Col. 20 Line 21 – 26 / Line 33 – 37 and Col. 11 Line 63 – 67) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 3 – 4: a second event is a terminal event);
wherein each one of the plurality of states is further configured to respond to the occurrence of the one of the sequence of events by transitioning to a next sequential one of the plurality of states where the event handler monitors for a next sequential one of the sequence of events associated with the malware and to respond to an exit condition by returning to the initial state, the initial state having a shared scope to prevent multiple threads from launching in response to multiple occurrences of an initial event in the sequence of events, wherein the exit condition for at least one of the plurality of states includes a time-based exit condition that resets the state machine after a predetermined amount of time  (deleted by Applicant on 6/24/2022) (Telesco: see above & FIG. 17 / E-68 & Col. 12 Line 31 – 34, Col. 20 Line 21 – 23 / Line 27 – 28 and Col. 2 Line 30 – 34: 
(4) in addition to above (1 - 3), Telesco also provides a malware detection with effective exit condition rule – for example, to enable checking (i.e. monitoring) computer system incoming events for unauthorized access before the data can make its way too deep into the computer where it can cause more serious problems to the entire computer system – i.e. effectively managing and terminating the current unauthorized access request as needed (Telesco: Col. 12 Line 31 – 34) and as such, upon exiting from the detection of an unauthorized access (i.e. the compromised security state), the system can continue the simple version of state machine to continuously monitor new access requests for security protection (Telesco: Col. 20 Line 21 – 23); and   
(5) Furthermore, Telesco also teaches providing a time-based event as another type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of the computing system and resource management (e.g. a process insufficiency to freeze the computing system and resource management or to activate the BIOS in the booting of the computer device and device configuration before the unauthorized data can make its way too deep into the computer device (i.e. completely exiting and terminating the current process) (Telesco: Col. 12 Line 31 – 33)) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state to continuously monitor the incoming system events by the simple version of state machine with an improved security (or security protection: see above) (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34)); besides,
(6) Additionally, Telesco (Col. 12 Line 30 – 43) teaches a particular type of computing object such as a computer I/O device input from an unauthorized user constitutes a type of computing object (Note: this is consistent with the disclosure of the instant specification SPEC [0184]: a computing object as a process or a peripheral (I/O) device such as a mouse, a keyboard or a USB device), which can be associated with a security threat event (a malware event) so as to activate the BIOS in the booting of the computer device and device configuration before the unauthorized data can make its way too deep into the computer device (i.e. completely exiting and terminating the current process) (Telesco: Col. 12 Line 31 – 33) in order to stop malware attacks immediately as soon as possible and thus being construed as a timing-sensitive malware event w.r.t. one type of time-based exit conditions especially when in view of monitoring the health of the computing system, which is also qualified as one type of watchdog time-out events by ordinary skills in the art (Telesco: FIG. 17 / E-68) to allow dynamically adapt to varying levels of security threats (Telesco: Col. 12 Line 40 – 43 & FIG. 17 / E-68) as needed; (the following has been deleted by Applicant on 6/24/2022)


(7) regarding the newly added claim element: the initial state having a shared scope to prevent multiple threads from launching in response to multiple occurrences of an initial event in the sequence of events, Examiner notes:
(a) a specific-purpose function must be associated with a particular thread for executing a predetermined functionality in a system, and 
(b) a new arriving message can be construed as one type of an initial event (as recited in the claim) to be handled by Telesco’s simple event handler of the state machine directed to security protection and accordingly, a series of multiple occurrences of new incoming messages can be construed as multiple occurrences of an initial event in the sequence of events, as recited in the claim and accordingly, 
(c) Telesco teaches during such a situation, an integral system security function would be invoked to filter and review the received data for unauthorized access (Telesco: Col 20 Line 31 – 37), and such an integral system security function operates as a centralized controlling for the entire computer system by providing (sharing) a system-scope level of security function processing  (Telesco: Col 19 Line 50 – 55 / Line 61 – 67).  Therefore, the particular thread for executing a predetermined functionality of the system such as the integral system security function is indeed an independent centralized (single) system-scope level thread for executing the corresponding integral system security function to filter and review for unauthorized access for an entirety rather than utilizing multiple threads for each of the new incoming messages so as to effectively provide a simple event handler (w.r.t. a simplified state machine) (Telesco: Col. 20 Line 21 – 26) – this matches the recited claim language such as having a shared scope to prevent multiple threads from launching by the system; and
Furthermore, an additional evidence, enclosed in the record of PTO-892, can be used, as a reinforcement of a supplemental reference, to further support the rationale of rejection for the clarity purpose – for example, U.S. Patent 2015/0142988 (Wen: Abstract & Para [0015]: a series of redundant incoming packets (messages) can be construed as multiple occurrences of an initial event (w.r.t. initial state) in a sequence of events, and the finite state machine would not make a transition into a next state (associated with another thread) based on a shared scope of Wen’s event processing mechanism and thus prevent the launching of multiple threads so as to relieve (reduce) the computational load of the simplified state machine (Wen: Para [0015] / Last sentence)).   
        and further wherein the event handler is configured to respond to a terminal event in the sequence of events during the terminal state by identifying an instance of the malware on the endpoint (Telesco: see above);
        deploying the event handler as an event-based state machine for use by a local security agent executing on the endpoint in detection of malware (Telesco: see above & Col. 20 Line 30 – 37); 
        monitoring events on the endpoint with the event handler (Telesco: see above); 
        detecting the instance of the malware on the endpoint based upon an occurrence of the terminal event during the terminal states (Telesco: see above); and 
        in response to detecting the instance of the malware, initiating remediation of  the instance of the malware on the endpoint (Telesco: see above & Figure 20 / E-6 and Col. 20 Line 40 – 44: sending an alert message (security alarm) to the system and users).  

As per claim 2 – 3, Telesco teaches wherein the one or more computing devices includes the endpoint (Telesco: see above & Col. 2 Line 41 – 48: using a finite state machine automata to monitor and trace a sequence of events associated with (anomaly) malware on a target terminal (endpoint) device in a local or remote networking environment).  

As per claim 5, Telesco teaches monitoring events on the endpoint with the event handler (Telesco: see above and Col. 17 Line 66 – 67).  

As per claim 6, Telesco teaches wherein the second one of the sequence of events is the terminal event (Telesco: see above).  

As per claim(s) 7 – 8, 11 and 22, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.   

As per claim 9, Telesco teaches wherein at least one of the sequence of events includes a multi-parameter event (Telesco: see above and Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data and etc. in a local or remote networking environment).  

As per claim 10, Telesco teaches wherein the first one of the sequence of events is an initial one of the sequence of events (Telesco: see above and Figure 17 / E-69 & E-70 and Col. 12 Line 35 – 43: designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different type of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations are depending on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different type of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance).  

As per claim 16, Telesco teaches wherein the exit condition includes a time limit for detection of the malware (Telesco: see above and Col. 18 Line 44 – 48: a TIMEOUT event).  

As per claim 17, Telesco teaches wherein the event handler includes a plurality of exit conditions that return the event handler to the first state (Telesco: see above & FIG. 17 / E-68 & Col. 12 Line 31 – 34, Col. 20 Line 21 – 23 / Line 27 – 28 and Col. 2 Line 30 – 34: 
(a) Telesco teaches providing a malware detection with effective exit condition rule – for example, to enable checking (i.e. monitoring) computer system incoming events for unauthorized access before the data can make its way too deep into the computer where it can cause more serious problems to the entire computer system – i.e. effectively managing and terminating the current unauthorized access request as needed (Telesco: Col. 12 Line 31 – 34) and as such, upon exiting from the detection of an unauthorized access (i.e. the compromised security state), the system can continue the simple version of state machine to effectively enable continuous monitoring of new access requests for security protection (Telesco: Col. 20 Line 21 – 23) and 
(b) Telesco teaches providing a time-based event as one type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency to freeze the control and resource management) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state so as to continue monitoring the incoming system events (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34) and (b) returning back to an INIT / IDLE state designated as a new started instance waiting for a new incoming security event is a cyclic nature of a usage of a state machine so as to continue monitoring the incoming system events).  

As per claim 18, Telesco teaches wherein the sequence of events includes at least one event from a computing object selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device (Telesco: see above & Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data and etc. in a local or remote networking environment).  

As per claim 19, Telesco teaches wherein the sequence of events includes at least one event from a network address selected from a group consisting of a uniform resource locator (URL), an internet protocol (IP) address, and a domain name (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: at least validating the network source address and checking unauthorized data access).  

As per claim 20, Telesco teaches wherein the sequence of events includes at least one event from a peripheral device selected from a group including at least one of a universal serial bus (USB) memory, a network interface card, a camera, a printer, a mouse and a keyboard (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: (e.g.) a network interface card). 

As per claim 27, Telesco teaches wherein the state machine is implemented as a thread that is woken up to update a current state in response to an event and applies a local rule to determine whether to transition to another state in response to the event (Telesco: see above & Figure 17 / E-86, E-72 & E-73: a thread (FIG. 17 / E-86) of multi-tasking is implemented to update a state (FIG. 17 / E-73) of secure communications based upon a system security event (FIG. 17 / E-72) – e.g. an unauthorized event). 

          As per claim 29 & 34, the claims contain(s) similar limitations to claim 1 and thus is rejected with the same rationale.

(The following has been deleted by Applicant on 6/24/2022)






As per claim 37, Telesco teaches sleeping the event-based state machine while monitoring for a next event; and waking the event-based state machine to update one of the plurality of states upon detecting the next event (Telesco: see above & Col. 20 Line 21 – 26: providing an event-driven simplified state machine for a network intrusion management system to analyze a sequence of states / events on a target device – as such, the sleeping and the waking of the event-based state machine to update one of the plurality of states upon detecting the next event are merely a part of the functional elements accordingly).


Claims 13 (& 12), 14 and 21 (PART – I / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Telesco et al. (U.S. Patent 7,249,381), in view of Brenzinski et al. (U.S. Patent 9,225,730).  

As per claim 13, Brenzinski (& Telesco) teaches identifying the sequence of events includes traversing an event graph among a sequence of causal events in reverse chronological order to a root cause of the malware (Brenzinski: Col. 4 Line 52 – 67 and Col. 11 Line 57 – 64: (a) a sequence of state graph can be traversed to identify anomalous activity included in the state graph starting from a start vertex and the graph can be traversed either by a depth-first or a breadth-first manner and (b) the traversal can be performed based on a time-stamp attribute such that the traversal is in accordance with a desired timely chronological order).  
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Brenzinski within the system of Telesco because (a) Telesco teaches providing a malware (e.g. network intrusion) management system that designates a sequence of events (w.r.t. a target device) which includes malicious activities monitored and analyzed by a sequence of states / events (see above), and (b) Brenzinski teaches effectively providing a sequence of state graph which can be traversed to identify anomalous activity included in the state graph starting from a start vertex (a root cause) and the graph can be traversed either by a depth-first or a breadth-first manner for analysis (see above). 

As per claim 12, Brenzinski (& Telesco) teaches providing a scripting language for configuring the event handler (Brenzinski: Col. 8 Line 1 – 4: using a Java-script). See the same rationale of combination applied herein as above in rejecting the claim 13.

As per claim 14, Brenzinski (& Telesco) teaches providing the event handler includes creating the sequence of events based on a forward traversal of the event graph (Brenzinski: see above & Col. 11 Line 57 – 60: forward traversing the state graph). 

As per claim 21, Brenzinski (& Telesco) teaches wherein the sequence of events includes at least one file operation selected from a group consisting of a read, a write, an open, a move, a copy and a delete (Brenzinski: Col. 3 Line 15 – 16: (e.g.) accessing (reading) a password file). See the same rationale of combination applied herein as above in rejecting the claim 13.

Claims 35 – 36 (PART – I / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Telesco et al. (U.S. Patent 7,249,381), in view of Wen et al. (U.S. Patent 2015/0142988).  

As per claim 36, Wen (& Telesco) teaches storing a current one of the plurality of states; and retrieving an additional state of the plurality of states from a remote threat management facility when the state machine transitions from the current one of the plurality of states based upon the occurrence of a corresponding one of the sequence of events (Wen: Abstract & Para [0015]: (a) during a receipt of multiple redundant incoming packets (messages), retrieving state information from a remote node to enable the local node to determine whether to make a transition into a next state based on an effective event processing mechanism so as to relieve (reduce) the computational load of a simplified state machine (Wen: Para [0015] / Last sentence) and wherein (b) a series of redundant incoming packets (messages) can be construed as multiple occurrences of an initial event (w.r.t. initial state) in a sequence of events (Wen: Para [0015] / Last sentence)) || (Telesco: see above & Col. 20 Line 21 – 26: providing an event-driven simplified finite state machine for a network intrusion management system to analyze a sequence of states / events on a target device).
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Wen within the system of Telesco because (a) Telesco teaches providing a simplified finite state machine for a network intrusion management system to analyze a sequence of states / events on a target device (Telesco: see above & Col. 20 Line 21 – 26), and (b) Wen teaches providing an improved event processing mechanism by effectively retrieving state information from a remote node to enable the local node to determine whether to make a transition into a next state based on an effective event processing mechanism so as to relieve (reduce) the computational load of an event-driven simplified state machine during a receipt of multiple redundant incoming packets (messages) (see above). 

As per claim(s) 35, the claims contain(s) similar limitations to claim(s) 36 and thus is/are rejected with the same rationale.


---------------------------------------------------------------------------------------------------------------------
Claims 1 – 11, 16 – 20, 22 – 24, 27, 29, 34 & 37 are rejected under 35 U.S.C. 103 as being unpatentable over Lei et al. (NPL - MeadDroid: Detecting Monetary Theft Attacks in Android by DVM Monitoring), in view of Telesco et al. (U.S. Patent 7,249,381).  

As per claim 1, 4, 23 and 24 (PART – II / 2), Lei teaches a computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
identifying a sequence of events associated with malware on an endpoint (Lei: Abstract, Figure 2 & Sec. 1 / 4th Para, Sec. 2.2 and Sec. 2.3: Lei teaches constructing and deploying a light-weight finite state machine (FSM) (Sec. 1 / 4th Para / Line 24 – 28) on a smart-phone device for real-time detection on malware attacks (e.g. monetary theft attacks) using information obtained from event data such as monitoring the API calls and tracking the user inputs); 
configuring an event handler for use with the endpoint as a state machine, the state machine comprising a plurality of states arranged sequentially from an initial state to a terminal state, each one of the plurality of states corresponding to a monitoring state for one of the sequence of events associated with the malware, and each one of the plurality of states configured to monitor for an occurrence of the one of the sequence of events (Lei: Abstract, Figure 2 & Sec. 1 / 4th Para, Sec. 2.2 and Sec. 2.3: the FSM (Figure 2) includes an initial state “1” along with a plurality of states arranged sequentially from an initial state to a terminal state (i.e. transitioning between states of the FSM) corresponding to a monitoring state for monetary theft attacks w.r.t. the event data such as sending APIs (application interface call) or calling SMS (short message service)), 
wherein each one of the plurality of states is further configured to respond to the occurrence of the one of the sequence of events by transitioning to a next sequential one of the plurality of states where the event handler monitors for a next sequential one of the sequence of events associated with the malware and to respond to an exit condition by returning to the initial state (Lei: see above & Figure 2: by the nature of finite state machine (FSM), the exit condition is default to the initial state such that the system can continue the light-weight state machine to continuously monitor new incoming API call (or SMS service) for security protection after reaching a conclusive state), the initial state having a shared scope to prevent multiple threads from launching in response to multiple occurrences of an initial event in the sequence of events (Lei: see above: 
please also refer to the rejections of 35 USC § 101 (Prong One) & PART I / 2 – including, an additional evidence, enclosed in the record of PTO-892, can be used, as a reinforcement of a supplemental reference, to further support the rationale of rejection for the clarity purpose – for example, U.S. Patent 2015/0142988 (Wen: Abstract & Para [0015]: a series of redundant incoming packets (messages) can be construed as multiple occurrences of an initial event (w.r.t. initial state) in a sequence of events, and the finite state machine would not make a transition into a next state (associated with another thread) based on a shared scope of Wen’s event processing mechanism and thus prevent the launching of multiple threads so as to relieve (reduce) the computational load of the simplified state machine (Wen: Para [0015] / Last sentence).   
However, Lei does not disclose expressly wherein the exit condition for at least one of the plurality of states includes a time-based exit condition that resets the state machine after a predetermined amount of time selected according to a type of computing object.
Telesco (& Lei) teaches wherein the exit condition for at least one of the plurality of states includes a time-based exit condition that resets the state machine after a predetermined amount of time  (deleted by Applicant on 6/24/2022) (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 21 – 44, Col. 2 Line 30 – 34, Col. 20 Line 21 – 44, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67, Col. 18 Line 60 – Col. 19 Line 48 and Col. 2 Line 41 – 48: (a) providing a simple version of state machine with an event handler (Telesco: Col. 20 Line 21 – 26) for detecting a malware attack (unauthorized access) to a computing system (i.e. endpoint) when it is triggered (invoked) by a new received message (i.e. event data) from a malicious entity and (b) further utilizing a time-based event as another type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of the computing system and resource management (e.g. a process insufficiency to freeze the computing system and resource management) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state to continuously monitor the incoming system events; and besides,
(a) Telesco provides a malware detection with effective exit condition rule – for example, to enable checking (i.e. monitoring) computer system incoming events for unauthorized access before the data can make its way too deep into the computer where it can cause more serious problems to the entire computer system – i.e. effectively managing and terminating the current unauthorized access request as needed (Telesco: Col. 12 Line 31 – 34) and as such, upon exiting from the detection of an unauthorized access (i.e. the compromised security state), the system can continue the simple version of state machine to continuously monitor new access requests for security protection (Telesco: Col. 20 Line 21 – 23); and   
(b) Telesco also teaches providing a time-based event as another type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of the computing system and resource management (e.g. a process insufficiency to freeze the computing system and resource management or to activate the BIOS in the booting of the computer device and device configuration before the unauthorized data can make its way too deep into the computer device (i.e. completely exiting and terminating the current process) (Telesco: Col. 12 Line 31 – 33)) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state to continuously monitor the incoming system events by the simple version of state machine with an improved security (or security protection: see above) (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34)); and
(c) Furthermore, Telesco (Col. 12 Line 30 – 43) teaches a particular type of computing object such as a computer I/O device input from an unauthorized user constitutes a type of computing object (Note: this is consistent with the disclosure of the instant specification SPEC [0184]: a computing object as a process or a peripheral (I/O) device such as a mouse, a keyboard or a USB device), which can be associated with a security threat event (a malware event) so as to activate the BIOS in the booting of the computer device and device configuration before the unauthorized data can make its way too deep into the computer device (i.e. completely exiting and terminating the current process) (Telesco: Col. 12 Line 31 – 33) in order to stop malware attacks immediately as soon as possible and thus being construed as a timing-sensitive malware event w.r.t. one type of time-based exit conditions especially when in view of monitoring the health of the computing system, which is also qualified as one type of watchdog time-out events by ordinary skills in the art (Telesco: FIG. 17 / E-68) to allow dynamically adapt to varying levels of security threats (Telesco: Col. 12 Line 40 – 43 & FIG. 17 / E-68) as needed; (the following has been deleted by Applicant on 6/24/2022)


           It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Telesco within the system of Lei because (a) Lei teaches constructing and deploying a light-weight finite state machine (FSM) on a smart-phone computing device for real-time detection on malware attacks (e.g. monetary theft attacks) using information from event data such as monitoring the API calls and tracking the user inputs (see above) and (b) Telesco provides implementing a simple version of state machine with an event handler to establish an improved security for detecting a malware attack (unauthorized access) and further utilizing a time-based event as another type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency to freeze the computing system and resource management) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state to continuously monitor the incoming system events by the simple version of state machine with an improved security (or security protection: see above). 
and further wherein the event handler is configured to respond to a terminal event in the sequence of events during the terminal state by identifying an instance of the malware on the endpoint (Lei: see above); 
deploying the event handler as an event-based state machine for use by a local security agent executing on the endpoint in detection of malware (Lei: see above); 
monitoring events on the endpoint with the event handler (Lei: see above); 
detecting the instance of the malware on the endpoint based upon an occurrence of the terminal event during the terminal states (Lei: see above & Sec. 2.3: (e.g.) a detection of the sending frequency of API calls (or SMS services) too high); and 
in response to detecting the instance of the malware, initiating remediation of  the instance of the malware on the endpoint (Lei: see above & Sec. 2.3: sending an alert message (security alarm) to the user).  
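
Added illustration (not part of the Office Action, the application, or the cited references): a minimal Python sketch of the kind of event handler recited in claim 1, with sequential states, a time-based exit chosen per computing-object type, and one shared tracker per scope so that repeated initial events do not launch further instances. The event names, timeout values and the per-process scope key are assumptions made for this sketch.

```python
"""Event-sequence state machine for endpoint detection (illustrative sketch)."""
from dataclasses import dataclass

# Constructed signature: ordered event types, initial event first, terminal last.
SEQUENCE = ("file_open", "file_write", "process_start")

# Assumed time limits (seconds) per computing-object type for the time-based exit.
TIMEOUTS = {"process": 5.0, "data_file": 30.0, "peripheral": 2.0}


@dataclass
class Tracker:
    index: int       # position in the sequence of the next expected event
    deadline: float  # after this time the tracker resets to the initial state


class EventHandler:
    def __init__(self, sequence=SEQUENCE, timeouts=TIMEOUTS, default_timeout=10.0):
        if len(sequence) < 2:
            raise ValueError("sequence needs an initial and a terminal event")
        self.sequence = tuple(sequence)
        self.timeouts = dict(timeouts)
        self.default_timeout = default_timeout
        self.trackers = {}    # scope key -> Tracker; a missing key is the initial state
        self.detections = []  # (timestamp, scope key) for each completed sequence
        self.resets = 0       # number of time-based exits taken

    def _deadline(self, ts, object_type):
        # The time limit depends on the type of object that produced the event.
        return ts + self.timeouts.get(object_type, self.default_timeout)

    def on_event(self, ts, scope, event_type, object_type):
        tracker = self.trackers.get(scope)
        # Time-based exit condition: an expired tracker returns to the initial state.
        if tracker is not None and ts > tracker.deadline:
            del self.trackers[scope]
            self.resets += 1
            tracker = None
        if tracker is None:
            if event_type != self.sequence[0]:
                return "ignored"
            self.trackers[scope] = Tracker(1, self._deadline(ts, object_type))
            return "started"
        if event_type == self.sequence[tracker.index]:
            tracker.index += 1
            if tracker.index == len(self.sequence):
                # Terminal event seen in the terminal state: report and reset.
                del self.trackers[scope]
                self.detections.append((ts, scope))
                return "detected"
            tracker.deadline = self._deadline(ts, object_type)
            return "advanced"
        if event_type == self.sequence[0]:
            # Shared scope: a repeated initial event reuses the existing tracker.
            return "duplicate_initial"
        return "ignored"


# Constructed sample events: (timestamp, scope key, event type, object type).
SAMPLE_EVENTS = [
    (0.0, "pid-101", "file_open", "data_file"),
    (1.0, "pid-101", "file_open", "data_file"),
    (2.0, "pid-101", "file_write", "data_file"),
    (3.0, "pid-101", "process_start", "process"),
    (10.0, "pid-202", "file_open", "process"),
    (20.0, "pid-202", "file_write", "process"),  # arrives after the 5 s limit
]


def run_sample(events=SAMPLE_EVENTS):
    handler = EventHandler()
    outcomes = [handler.on_event(*event) for event in events]
    return outcomes, handler


if __name__ == "__main__":
    results, state = run_sample()
    for event, outcome in zip(SAMPLE_EVENTS, results):
        print(event, "->", outcome)
    print("detections:", state.detections, "resets:", state.resets)
```
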

As per claim 2 – 3, Lei as modified teaches wherein the one or more computing devices includes the endpoint (Lei: see above & Sec. 2.1) || (Telesco: see above & Col. 2 Line 41 – 48: using a finite state machine automata to monitor and trace a sequence of events associated with (anomaly) malware on a target terminal (endpoint) device in a local or remote networking environment).  

As per claim 5, Lei as modified teaches monitoring events on the endpoint with the event handler (Lei: see above) || (Telesco: see above and Col. 17 Line 66 – 67).  

As per claim 6, Lei as modified teaches wherein the second one of the sequence of events is the terminal event (Lei: see above) || (Telesco: see above).  

As per claim(s) 7 – 8, 11 and 22, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.   

As per claim 9, Lei as modified teaches wherein at least one of the sequence of events includes a multi-parameter event (Lei: see above: e.g. API call parameters) || (Telesco: see above and Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data and etc. in a local or remote networking environment).  

As per claim 10, Lei as modified teaches wherein the first one of the sequence of events is an initial one of the sequence of events (Lei: see above) || (Telesco: see above and Figure 17 / E-69 & E-70 and Col. 12 Line 35 – 43: designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different type of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations are depending on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different type of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance).  

As per claim 16, Lei as modified teaches wherein the exit condition includes a time limit for detection of the malware (Telesco: see above and Col. 18 Line 44 – 48: a TIMEOUT event).  

As per claim 17, Lei as modified teaches wherein the event handler includes a plurality of exit conditions that return the event handler to the first state (Lei: see above) || (Telesco: see above: (a) Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34: Telesco teaches providing a time-based event as one type of exit conditions w.r.t. the state machine such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency to freeze the control and resource management) that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state so as to continue monitoring the incoming system events (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34) and (b) returning back to an INIT / IDLE state designated as a new started instance waiting for a new incoming security event is a cyclic nature of a usage of a state machine so as to continue monitoring the incoming system events).  

As per claim 18, Lei as modified teaches wherein the sequence of events includes at least one event from a computing object selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device (Lei: see above) || (Telesco: see above & Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data and etc. in a local or remote networking environment).  

As per claim 19, Lei as modified teaches wherein the sequence of events includes at least one event from a network address selected from a group consisting of a uniform resource locator (URL), an internet protocol (IP) address, and a domain name (Lei: see above: e.g. a SMS message received over a network) || (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: at least validating the network source address and checking unauthorized data access).  

As per claim 20, Lei as modified teaches wherein the sequence of events includes at least one event from a peripheral device selected from a group including at least one of a universal serial bus (USB) memory, a network interface card, a camera, a printer, a mouse and a keyboard (Lei: see above) || (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: (e.g.) a network interface card). 

As per claim 27, Lei as modified teaches wherein the state machine is implemented as a thread that is woken up to update a current state in response to an event and applies a local rule to determine whether to transition to another state in response to the event (Lei: Figure 2 & Page 83 / 2nd Para / Line 1 – 6: the FSM of figure 2 is implemented as a part of thread management of a multi-tasking system) || (Telesco: see above & Figure 17 / E-86, E-72 & E-73: a thread (FIG. 17 / E-86) of multi-tasking is implemented to update a state (FIG. 17 / E-73) of secure communications based upon a system security event (FIG. 17 / E-72) – e.g. an unauthorized event). 

As per claim 29 & 34, the claims contain(s) similar limitations to claim 1 and thus is rejected with the same rationale.

As per claim 30 – 33, (The following has been deleted by Applicant on 6/24/2022)






As per claim 37, Lei as modified teaches sleeping the event-based state machine while monitoring for a next event; and waking the event-based state machine to update one of the plurality of states upon detecting the next event (Telesco: see above & Col. 20 Line 21 – 26: providing an event-driven simplified state machine for a network intrusion management system to analyze a sequence of states / events on a target device – as such, the sleeping and the waking of the event-based state machine to update one of the plurality of states upon detecting the next event are merely a part of the functional elements accordingly) || (Lei: see above).

Claims 13 (& 12), 14 & 21 (PART – II / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Lei et al. (NPL - MeadDroid: Detecting Monetary Theft Attacks in Android by DVM Monitoring), in view of Telesco et al. (U.S. Patent 7,249,381), and in view of Brenzinski et al. (U.S. Patent 9,225,730).  

As per claim 13, Brenzinski (& Lei as modified) teaches identifying the sequence of events includes traversing an event graph among a sequence of causal events in reverse chronological order to a root cause of the malware (Brenzinski: Col. 4 Line 52 – 67 and Col. 11 Line 57 – 64: (a) a sequence of state graph can be traversed to identify anomalous activity included in the state graph starting from a start vertex and the graph can be traversed either by a depth-first or a breadth-first manner and (b) the traversal can be performed based on a time-stamp attribute such that the traversal is in accordance with a desired timely chronological order).  
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Brenzinski within the system of Lei because (a) Lei teaches constructing and deploying a light-weight finite state machine (FSM) on a smart-phone computing device for real-time detection on malware attacks (e.g. monetary theft attacks) using information from event data such as monitoring the API calls and tracking the user inputs (see above), and (b) Brenzinski teaches effectively providing a sequence of state graph which can be traversed to identify anomalous activity included in the state graph starting from a start vertex (a root cause) and the graph can be traversed either by a depth-first or a breadth-first manner for analysis (see above). 

As per claim 12, Brenzinski (& Lei as modified) teaches providing a scripting language for configuring the event handler (Brenzinski: Col. 8 Line 1 – 4: using a Java-script). See the same rationale of combination applied herein as above in rejecting the claim 13.

As per claim 14, Brenzinski (& Lei as modified) teaches providing the event handler includes creating the sequence of events based on a forward traversal of the event graph (Brenzinski: see above & Col. 11 Line 57 – 60: forward traversing the state graph). 

As per claim 21, Brenzinski (& Lei as modified) teaches wherein the sequence of events includes at least one file operation selected from a group consisting of a read, a write, an open, a move, a copy and a delete (Brenzinski: Col. 3 Line 15 – 16: (e.g.) accessing (reading) a password file). See the same rationale of combination applied herein as above in rejecting the claim 13.

Claims 25 – 26 & 28 (PART – I / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Telesco et al. (U.S. Patent 7,249,381), in view of Ogg et al. (U.S. Patent 7,490,065).  

As per claim 25, Ogg (& Telesco) teaches wherein state information for the state machine is retained across a restart of the computing device (Ogg: Figure 6 & Col. 25 Line 9 – 12 Line 18 – 25 and Col. 7 Line 60 – 62: utilizes a finite state machine to manage, monitor and prevent access to secure resource by unauthorized malware (or malicious users) – e.g. authentication (logon/logoff), session management, access control and etc. and allowing for atomic state transitions to retain state information across rebooting w/o losing the crucial security information (Ogg: Col. 25 Line 18 – 25)) || (Telesco: see above).
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Ogg within the system of Telesco because (a) Telesco teaches providing a malware (e.g. network intrusion) management system that designates a sequence of events (w.r.t. a target device) which includes malicious activities monitored and analyzed by a sequence of states / events (see above), and (b) Ogg teaches effectively utilizes a finite state machine to manage, monitor and prevent access to secure resource by unauthorized malware (or malicious users) – e.g. authentication (logon/logoff), session management, access control and etc. and allowing for atomic state transitions to retain state information across rebooting w/o losing the crucial security information (see above). 

As per claim 26, Ogg (& Telesco) teaches wherein the endpoint provides event sequence information to a remote threat management facility and receives state updates from the remote threat management facility (Ogg: see above (finite state machine) & Col. 4 Line 66 – Col. 5 Line 4, Col. 25 Line 9 – 12 and Col. 34 Line 38 – 61: (a) an authentication server constitutes a remote threat management facility, as recited (b) a client device sends logon credential information such as a set of user ID / password to the server that constitutes event sequence information and (c) the authentication server (as a remote threat management facility) validate the submitted information from the active client device and determine whether the active user has an appropriate role as an authorized user to access the secure information and enable the client device to update, at least, the state information (e.g. an authentication state of either authentication pass or failure) that constitutes associated state update information) || (Telesco: see above).  See the same rationale of combination applied herein as above in rejecting the claim 25.

As per claim 28, Ogg (& Telesco) teaches wherein the event handler incrementally performs event analysis by transitioning to a next state without storing a corresponding state event (Ogg: see above (finite state machine) & Col. 25 Line 18 – 25: there are two types of state information being managed by the security system: a persistent state that utilized a non-volatile memory to store the state information into a NVRAM that can be retained during the restart or rebooting (see Claim 25); otherwise, a current state information is managed w/o using the NVRAM to store and maintain the corresponding state / event information persistently). 

Claims 25 – 26 & 28 (PART – II / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Lei et al. (NPL - MeadDroid: Detecting Monetary Theft Attacks in Android by DVM Monitoring), in view of Telesco et al. (U.S. Patent 7,249,381), and in view of Ogg et al. (U.S. Patent 7,490,065).  

As per claim 25, Ogg (& Lei as modified) teaches wherein state information for the state machine is retained across a restart of the computing device (Ogg: Figure 6 & Col. 25 Line 9 – 12 Line 18 – 25 and Col. 7 Line 60 – 62: utilizes a finite state machine to manage, monitor and prevent access to secure resource by unauthorized malware (or malicious users) – e.g. authentication (logon/logoff), session management, access control and etc. and allowing for atomic state transitions to retain state information across rebooting w/o losing the crucial security information (Ogg: Col. 25 Line 18 – 25)) || (Telesco: see above).
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Ogg within the system of Lei because (a) Lei teaches constructing and deploying a light-weight finite state machine (FSM) on a smart-phone computing device for real-time detection on malware attacks (e.g. monetary theft attacks) using information from event data such as monitoring the API calls and tracking the user inputs (see above), and (b) Ogg teaches effectively utilizes a finite state machine to manage, monitor and prevent access to secure resource by unauthorized malware (or malicious users) – e.g. authentication (logon/logoff), session management, access control and etc. and allowing for atomic state transitions to retain state information across rebooting w/o losing the crucial security information (see above). 

As per claim 26, Ogg (& Lei as modified) teaches wherein the endpoint provides event sequence information to a remote threat management facility and receives state updates from the remote threat management facility (Ogg: see above (finite state machine) & Col. 4 Line 66 – Col. 5 Line 4, Col. 25 Line 9 – 12 and Col. 34 Line 38 – 61: (a) an authentication server constitutes a remote threat management facility, as recited (b) a client device sends logon credential information such as a set of user ID / password to the server that constitutes event sequence information and (c) the authentication server (as a remote threat management facility) validate the submitted information from the active client device and determine whether the active user has an appropriate role as an authorized user to access the secure information and enable the client device to update, at least, the state information (e.g. an authentication state of either authentication pass or failure) that constitutes associated state update information) || (Telesco: see above).  See the same rationale of combination applied herein as above in rejecting the claim 25.

As per claim 28, Ogg (& Lei as modified) teaches wherein the event handler incrementally performs event analysis by transitioning to a next state without storing a corresponding state event (Ogg: see above (finite state machine) & Col. 25 Line 18 – 25: there are two types of state information being managed by the security system: a persistent state that utilized a non-volatile memory to store the state information into a NVRAM that can be retained during the restart or rebooting (see Claim 25); otherwise, a current state information is managed w/o using the NVRAM to store and maintain the corresponding state / event information persistently). 

Claims 35 – 36 (PART – II / 2) are rejected under 35 U.S.C. 103 as being unpatentable over Lei et al. (NPL - MeadDroid: Detecting Monetary Theft Attacks in Android by DVM Monitoring), in view of Telesco et al. (U.S. Patent 7,249,381), and in view of Wen et al. (U.S. Patent 2015/0142988).  

As per claim 36, Wen (& Lei) teaches storing a current one of the plurality of states; and retrieving an additional state of the plurality of states from a remote threat management facility when the state machine transitions from the current one of the plurality of states based upon the occurrence of a corresponding one of the sequence of events (Wen: Abstract & Para [0015]: (a) during a receipt of multiple redundant incoming packets (messages), retrieving state information from a remote node to enable the local node to determine whether to make a transition into a next state based on an effective event processing mechanism so as to relieve (reduce) the computational load of a simplified state machine (Wen: Para [0015] / Last sentence) and wherein (b) a series of redundant incoming packets (messages) can be construed as multiple occurrences of an initial event (w.r.t. initial state) in a sequence of events (Wen: Para [0015] / Last sentence)) || (Lei: see above & Col. 20 Line 21 – 26: constructing and deploying a light-weight finite state machine (FSM) on a smart-phone computing device for real-time detection on malware attacks using information from event data by tracking the user inputs (see above).
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Wen within the system of Lei because (a) Lei teaches constructing and deploying a light-weight finite state machine (FSM) on a smart-phone computing device for real-time detection on malware attacks using information from event data by tracking the user inputs, and (b) Wen teaches providing an improved event processing mechanism by effectively retrieving state information from a remote node to enable the local node to determine whether to make a transition into a next state based on an effective event processing mechanism so as to relieve (reduce) the computational load of an event-driven simplified state machine during a receipt of multiple redundant incoming packets (messages) (see above). 

As per claim(s) 35, the claims contain(s) similar limitations to claim(s) 36 and thus is/are rejected with the same rationale.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2209 – 2022
---------------------------------------------------