Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Reasons for Allowance
2.	Claims 1-20 including all of the limitations of the base claim and any intervening claims are allowed.

Closest prior art:
U.S. Publication No. 20120324575 discloses on paragraph 0023 “In the method, a method of detecting the unwanted process is implemented using any one selected from among a method of detecting, as an unwanted process, an process running under a name identical to that of an operating system when the unwanted process is running, a method of simultaneously tracking actions of a network and a process when an unwanted process is running, and then detecting actions of the unwanted process using a combination of scenarios, a method of detecting checksums and then detecting an unwanted process running while being parasitic on a normal process, a method of tracking a parent process and a child process generated thereby in real time via process tracking, and then eliminating an initially generated unwanted process and detecting a child process which is generated by the initially generated unwanted process and is running under a name of another process of the operating system, and a method of detecting an unwanted process, which is running by injecting code into a normal process, using a hooking detection and restoration technique.” Paragraph 0026 “Another embodiment of the invention provides a system for detecting and blocking unwanted programs in real time based on process behavior analysis, the system having a plurality of user terminals and a security server individually connected to the user terminals over a network, wherein each of the user terminals comprises an action monitoring module for monitoring actions of a process, a process tracking and Process Identification (PID) detection module for tracking actions of a process, abnormal actions of which have been detected, and detecting Process Identification (PID) of the process, a scenario blocking module for combining lists of actions taken by a relevant process for a given time period and blocking the relevant process when the actions match those of a composite scenario, a checksum blocking module for blocking a relevant process when a checksum of an execution program thereof matches a previously obtained checksum, a hooking detection and restoration module for, when an unwanted program is operating by injecting code into another process so as to conceal itself, detecting the unwanted program and restoring an original program, and an exceptional process database (DB) for examining a relevant process for an exception to action-based monitoring and then processing the relevant process as the exception to action-based monitoring; and the security server comprises an analysis module for analyzing statistical information received from the user terminals, a security measure module for collecting information about abnormal actions occurring in the user terminals and blocking of unwanted programs in the user terminals, thus taking security measures, and an overall DB for storing information about blocking conditions, occurrence of abnormal actions on each of the user terminals, and unwanted programs.”

U.S. Publication No. 20090328129 discloses on paragraph 0009 “It has been discovered that the aforementioned challenges are resolved by an approach that uses policies to determine which parental privileges are inherited by the parent's child processes. A parent software process initializes a child software process, such as by executing the child process. The parent process is associated with a first set of privileges. The inheritance policies are retrieved that correspond to the parent process. A second set of privileges is identified based on the retrieved inheritance policies, and this second set of privileges is applied to the child software process.” Paragraph 0031 “Using the example listings shown in registry 410, if a parent process has a parent process identifier of "system.exe" and it is executing (e.g., spawning, forking, etc.) a new child process, then processing would first load any default policies (see step 405 above) and would then compare process listings from registry 410 to the process identifier "system.exe". In this case, the first entry would match ("sys*.exe") but none of the other entries shown in registry 410 would match so only policy 411 (the default policy) and policy 412 would be retrieved. Likewise, if the parent process identifier is "systadmin.exe", then this process identifier would cause the retrieval of default policy 411, policy 412 (because "systadmin.exe" matches with "sys*.exe"), policy 413 (because "systadmin.exe" also matches with "sysad*.exe"), and policy 414 (because "systadmin.exe" matches specific process identifier "systadmin.exe").”

U.S. Publication No. 20170329968 discloses on paragraph 0033 “Data characterizing file operations associated with a process can, in some cases, be useful for detecting suspicious process behavior and/or for forensic investigation. Such data may include data representing file operations performed by the process and/or data representing file operations through which the process was invoked. In some embodiments, data representing file operations performed by a process include data representing types of file operations performed by the process, data representing pathnames of files accessed by the process, data identifying child processes created by the process (e.g., a pathname of a file corresponding to a child process, and/or an MD5 hash value for the child process), etc. Data representing file operations through which a process was invoked may include data identifying a parent process that invoked the instant process (e.g., a pathname of a file corresponding to the parent process, and/or an MD5 hash value for the file), data representing a command (e.g., a command entered into a command-line terminal or shell) that initiated the process, data representing a pathname of a file corresponding to the process, etc. (A file “corresponding to” a process may include a file that contains instructions executed by the process, a file that is otherwise accessed to initiate execution of the process, etc.).”

The following is an Examiner’s Statement of Reasons for Allowance:
Claims 1-20 are allowable because the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest or render obvious the claimed limitations as argued by the applicant, which the examiner considers persuasive as set forth above.
Although the prior art discloses analyzing received computer data by receiving a first set of computer data that includes instructions executable by a processor before the first set of computer data is received by an intended destination and allowing the first received set of computer data to be sent to the intended destination based on the identification that the set of actions correspond to the known good actions and based on identifying that the state identifiers correspond to the normal program code operation, no one or two references anticipate or obviously suggest creating a child process by the processor based on execution of instructions of a parent process such that a set of actions performed by the execution of the child process are observed by the processor and then executing the instructions included in the first set of computer data based on the creation of the child process and the observations by the processor, wherein the execution of the instructions of the first set of computer data results in the set of actions being performed by the processor.
Thereafter executing the instructions of the parent process to compare the set of actions of the first set of computer data with known good actions of known good program code and comparing state identifiers associated with normal program code operation relative to those of the first set of computer data in order to identify as a result of the comparison that the set of actions correspond to the known good actions of the known good program code.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GARY S GRACIA/Primary Examiner, Art Unit 2499