DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This is a Final Office Action in response to applicant’s amendment filed on May 12, 2022. At this time, claims 1 and 9 have been amended. Claim 21 has been added. No claim has been cancelled. Therefore, claims 1-21 are pending and addressed below.
Response to Amendment
2. As to Claims 1-21, Applicants’ amendment of independent Claims 1 and 9 with the newly added feature “...wherein the hardware controller is separate from the operating system” [Claims 1-21] has necessitated a new ground(s) of rejection in this Office action. Therefore, Applicants’ arguments filed on 05/12/2022 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 
Claims 1-4 and 9-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Diehl, US Pat. No. 2013/0333040, in view of Ayolasomyajula, US Pat. No. 20200042324.
Claims 1, 9. The combination of Diehl and Ayolasomyajula discloses a method (See [0010]; the kernel-level security agent loads before the operating system of the host computing device.) comprising: 
an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised, (See [0012]; the detection loop of the kernel-level security agent and security service cloud is enabled by an agent architecture designed in accordance with the principles of the well-known OODA-loop (i.e., observe-orient-detect-act-loop). Rather than using fixed signatures to make quick determinations and responses, the kernel-level security agent observes and analyzes all semantically-interesting events that occur on the host computing device. Upon determining an occurrence of such an interesting event (event associated with malicious code), the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code.) wherein the monitoring comprises the operating system agent scanning a data structure, (See [0042]; the situation model 118 of the kernel-level security agent 114 may comprise any one or more databases, files, tables, or other structures that track attributes, behaviors, and/or patterns of objects or processes of the computing device 102.) the process executes in a user space, (See Fig 2; element 204) and the data structure is part of an operating system kernel space; (See [0042]; the situation model 118 of the kernel-level security agent 114 may comprise any one or more databases, files, tables, or other structures that track attributes, behaviors, and/or patterns of objects or processes of the computing device 102. See also fig 2; kernel 202 and collection of data value by elements 218, module 122, manager 226 etc.)
and the hardware controller taking a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process. (See [0044] Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event.)
Diehl does not appear to explicitly disclose a hardware controller of the computer system listening for a heartbeat generated by the operating system agent, wherein the hardware controller is separate from the operating system agent; 
However, Ayolasomyajula discloses a hardware controller of the computer system listening for a heartbeat generated by the operating system agent, wherein the hardware controller is separate from the operating system agent; (See Ayolasomyajula, [0021]; proactive monitoring and reporting of access events associated with host devices, enabling real-time monitoring and reporting of access (i.e., heartbeat) and availability of host devices and/or their applications, while generating a cumulative audit trail (i.e., heartbeat) that assists datacenter administrators in managing unauthorized access to the host device, and allows for advanced heuristics to be performed. The systems and methods of the present disclosure may be enabled via a remote access controller device 308, Baseboard Management Controller (BMC), or other management controller that is located in the host device, that is configured with an out-of-band communication channel to a management system, and that may act as an “edge computing device” for server host ecosystem access monitoring that may be assisted by an operating system agent. See also [0037]; the service module agent 306a may operate to periodically perform a shared memory event scan 704 to detect access events identified by the application 306a in a memory that is shared with the service module agent 306a. In addition, in some embodiments, the application 306b may optionally provide an event notification communication 706 to the service module agent 306a when an access event occurs. As also discussed further below, when an event is detected via the shared memory event scan 704, or reported by the application 306a via event notification communications 706, the service module agent 306a provides an event notification communication 708 to the remote access controller 308.)
Diehl and Ayolasomyajula are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Diehl with the teaching of Ayolasomyajula to include a remote controller because it would have provided an improved host device access monitoring and reporting system. (See Ayolasomyajula, [0004])
2. The combination of Diehl and Ayolasomyajula discloses the method of claim 1, further comprising: an application registering the process with the operating system agent, wherein the operating system agent begins the monitoring of the process in response to the registration. (See [0024])
3. The combination of Diehl and Ayolasomyajula discloses the method of claim 2, wherein the registering comprises the application enabling heartbeat monitoring of the process by the operating system agent. (See [0043] see also [0012]; event being monitored)
4. The combination of Diehl and Ayolasomyajula discloses the method of claim 1, wherein the hardware controller taking the corrective action comprises at least one of the hardware controller initiating a reboot of the computer system, or the hardware controller communicating a security alert to a management server. (See [0028])
10. The combination of Diehl and Ayolasomyajula discloses the storage medium of claim 9, wherein the instructions, when executed by the machine, further cause the machine to: in response to a registration of the process with a heartbeat monitoring option, listen for a second heartbeat generated by the process; (See [0024]) and in response to a failure to detect the second heartbeat, communicate an alert to the hardware controller to cause the hardware controller to take corrective action. (See [0044])
11. The combination of Diehl and Ayolasomyajula discloses the storage medium of claim 9, wherein the instructions, when executed by the machine, further cause the machine to detect the memory state based on identification of a shared library object and a location of the shared library object. (See [0013], [0031])
12. The combination of Diehl and Ayolasomyajula discloses the storage medium of claim 9, wherein the instructions, when executed by the machine, further cause the machine to detect the memory state based on detection of an executable memory page associated with the process being a copy-on-write page. (See [0040])
13. The combination of Diehl and Ayolasomyajula discloses the storage medium of claim 12, wherein the instructions, when executed by the machine, further cause the machine to detect the memory state based on at least one status flag associated with the memory page. (See [0012])
14. The combination of Diehl and Ayolasomyajula discloses the storage medium of claim 9, wherein the instructions, when executed by the machine, further cause the machine to: identify a given shared library object associated with the process and a path associated with the given shared library object; (See [0013], [0031]) compare the given shared library object to a reference list of a plurality of approved shared library objects and file paths associated with the plurality of approved shared library objects; (See [0012]) and determine whether the memory state corresponding to the process being compromised by a security attack has been detected based on the comparison. (See [0012]; the detection loop of the kernel-level security agent and security service cloud is enabled by an agent architecture designed in accordance with the principles of the well-known OODA-loop (i.e., observe-orient-detect-act-loop). Rather than using fixed signatures to make quick determinations and responses, the kernel-level security agent observes and analyzes all semantically-interesting events that occur on the host computing device. Upon determining an occurrence of such an interesting event (event associated with malicious code), the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code.)
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Diehl, US Pat. No. 2013/0333040, in view of Ayolasomyajula, US Pat. No. 20200042324, in further view of Chou, US Pat. No. 5902352.
Claim 21. The combination of Diehl and Ayolasomyajula does not appear to explicitly disclose the method of claim 1, wherein the heartbeat comprises a repeating sequence of indications, the repeating sequence of indications follows a schedule, and an interruption of the repeating sequence of indications according to the schedule corresponds to the operating system agent not operating in an acceptable state.
However, Chou discloses wherein the heartbeat comprises a repeating sequence of indications, the repeating sequence of indications follows a schedule, and an interruption of the repeating sequence of indications according to the schedule corresponds to the operating system agent not operating in an acceptable state. (See Chou, fig 3 and figs 7A,7B, 7C; repeated event and interrupt)
Diehl, Ayolasomyajula and Chou are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Diehl and Ayolasomyajula with the teaching of Chou to include the interrupt because it would have allowed the system administration to know when unauthorized access occurred. 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


15. Diehl and Ayolasomyajula disclose a computer platform comprising: a baseboard management controller to: monitor a first heartbeat provided by a loadable operating system kernel extension; (See [0012]; the detection loop of the kernel-level security agent and security service cloud is enabled by an agent architecture designed in accordance with the principles of the well-known OODA-loop (i.e., observe-orient-detect-act-loop). Rather than using fixed signatures to make quick determinations and responses, the kernel-level security agent observes and analyzes all semantically-interesting events that occur on the host computing device. Upon determining an occurrence of such an interesting event (event associated with malicious code), the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code.) and in response to a detected interruption of the first heartbeat or a communication of a security alert from the operating system kernel module, initiate an action to address the security alert; (See [0012]; Upon determining an occurrence of such an interesting event (i.e., event associated with malicious code), the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code.)
a hardware processor other than the baseboard management controller; (See Fig 1; element 102) and a memory to store instructions corresponding to the operating system kernel extension, wherein the instructions, (See Diehl, storage 222) when executed by the hardware processor, cause the hardware processor to: listen for a second heartbeat generated by the process; scan a kernel memory space associated with the process to detect a memory state corresponding to an integrity of the process being compromised; (See [0042]; the situation model 118 of the kernel-level security agent 114 may comprise any one or more databases, files, tables, or other structures that track attributes, behaviors, and/or patterns of objects or processes of the computing device 102.) send the first heartbeat to the baseboard management controller; (See [0044] Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event.) and in response to at least one of a failure to detect the second heartbeat or the detection of the memory state, communicate the security alert to the baseboard management controller. (See [0044] Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event.)
16. Diehl discloses the computer platform of claim 15, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to use the memory scan to determine whether the process has been subjected to at least one of process hollowing or code injection. (See [0044] Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event.) 
17. Diehl discloses the computer platform of claim 15, wherein the process comprises one of a plurality of processes, and the instructions, when executed by the hardware processor, further cause the hardware processor to: listen for a plurality of heartbeats generated by the plurality of processes; (See [0028] and [0016], [0012]) and in response to a detected interruption of a given heartbeat of the plurality of heartbeats, communicate a security alert to the baseboard management controller. (See [0044] Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event.)
18. Diehl discloses the computer platform of claim 15, wherein: the instructions, when executed by the hardware processor, further cause the hardware processor to: determine a plurality shared library objects associated with the process and for each shared library object of the plurality of shared library objects, determine a file path of the shared library object; (See [0012]) communicate the plurality of shared library objects and the file paths to the baseboard management controller; (See [0012]) and the baseboard management controller to communicate the plurality of shared library objects and the file paths to the baseboard management controller to a remote management server. (See [0012] and [0018])
19. Diehl discloses the computer platform of claim 15, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to generate messages corresponding to the first heartbeat based on a predetermined seed or key shared with the baseboard management controller. (See [0028])
20. Diehl discloses the computer platform of claim 15, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to detect the memory state based on at least one of: a determination of an executable memory page associated with the process being a copy-on-write page; or detection of a shared library object associated with the process and a file path location of the shared library object. (See [0013], [0031]) 
Allowable Subject Matter
Claims 5 and 6 and 7 and 8 (together) are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Watkins, US 20190356562, title “CRM integrated chat with authorization management”.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Date: 2/3/2022
/JOSNEL JEUDY/Primary Examiner, Art Unit 2438