DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/31/2019.
Status of claims in the instant application:
Claims 1-16 are pending.
Information Disclosure Statement
No Information Disclosure Statement (IDS) has been filed by the Applicant. Applicant is reminded that per MPEP § 2001, "Duty of Disclosure, Candor, and Good Faith," Applicant has the responsibility to disclose information material to patentability. It is noted that:
(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is cancelled or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a claim that is cancelled or withdrawn from consideration need not be submitted if the information is not material to the patentability of any claim remaining under consideration in the application. There is no duty to submit information which is not material to the patentability of any existing claim. The duty to disclose all information known to be material to patentability is deemed to be satisfied if all information known to be material to patentability of any claim issued in a patent was cited by the Office or submitted to the Office in the manner prescribed by §§ 1.97(b)-(d) and 1.98. However, no patent will be granted on an application in connection with which fraud on the Office was practiced or attempted or the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine:
(1) Prior art cited in search reports of a foreign patent office in a counterpart application, and
(2) The closest information over which individuals associated with the filing or prosecution of a patent application believe any pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office.
(c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section are:
(1) Each inventor named in the application;
(2) Each attorney or agent who prepares or prosecutes the application; and
(3) Every other person who is substantively involved in the preparation or prosecution of the application and who is associated with the inventor, the applicant, an assignee, or anyone to whom there is an obligation to assign the application.
(d) Individuals other than the attorney, agent or inventor may comply with this section by disclosing information to the attorney, agent, or inventor.
(e) In any continuation-in-part application, the duty under this section includes the duty to disclose to the Office all information known to the person to be material to patentability, as defined in paragraph (b) of this section, which became available between the filing date of the prior application and the national or PCT international filing date of the continuation-in-part application.
Drawings
Drawings filed on 12/31/2019 have been inspected, and they are in compliance with MPEP 608.02.
Specification
Specification filed on 12/31/2019 has been inspected, and it is in compliance with MPEP 608.01.
Claim Eligibility and Abstract Idea
Examiner has considered the claims for their eligibility requirements and whether they recite any abstract idea. Based on the 2019 Revised Patent Subject Matter Eligibility Guidance, Examiner considers the claims of the instant application to be directed to eligible subject matter (a process, machine, manufacture, or composition of matter, or any new and useful improvement thereof) and finds that they do not recite any abstract idea that can be grouped into one of the three abstract idea groupings (i.e., mathematical concepts, certain methods of organizing human activity, and mental processes).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No.: US 11240262 B1 to Aziz et al. (hereinafter “Aziz”) in view of Pub. No.: US 20170061126 A1 to HOOKS (hereinafter “HOOKS”).
Regarding Claim 1. Aziz discloses a method (Aziz, Abstract: … Computerized techniques to determine and verify maliciousness of an object by a security logic engine are described. A method features receiving information pertaining to a first set of events associated with a first object (first information) from an endpoint and information pertaining to a second set of events associated with a second object (second information) from an analysis system …) comprising:
maintaining, by a network security platform protecting a private network (Aziz, col.5,ln.37-67: The combined system, using the interoperation of endpoint(s) and an MDS to coordinate the detection and/or verification of malware, and, in some cases, prediction of malware threats to a network so as to mitigate or prevent data theft, operational compromise, and cyber-attack effects … FIG. 1 is a block diagram of a network environment 100 that may be advantageously used with one or more embodiments described herein. The network environment 100 may be organized as a plurality of networks, such as a public network 110 and/or a private network 120 (e.g., an organization or enterprise network) …), information regarding a static analysis threshold and a mapping of each of a plurality of behaviors to corresponding weighting factors (Aziz, col.12,ln.32-67: … The scoring logic 370 may correlate one or more characteristics and monitored behaviors (features) with a weight of maliciousness. The weight of maliciousness reflects experiential knowledge of the respective features (characteristics or monitored behaviors) and their correlations with those of known malware and benign objects … The classifying engine 380 may be configured to use the scoring information provided by scoring logic 370 to classify the object as malicious, suspicious, or benign. In one embodiment, when the score is above a first threshold, the heuristic engine 335 may generate an alert that the object is malicious. When the score is greater than a second threshold but lower than the first threshold, the object may be provided for further analysis to the static analysis logic and/or the dynamic analysis logic for further analysis …), wherein the network security platform includes an endpoint security solution (Aziz, col.7,ln.21-64;col.13,ln.20-41; FIG. 2: … The agent 250 is an executable software component configured to monitor the behavior of the applications 265 and/or operating system 240. 
The agent 250 may be configured to monitor (via monitoring logic 255), and store metadata (e.g., state information, memory accesses, process names, time stamp, etc.) associated with content executed at the endpoint device and/or behaviors (sometimes referred to as “events”) that may be associated with processing activity …  the indicators may include identification of observed features, including characteristics and behaviors. The indicators thus generated may be provided to the security logic engine 400 for further enhancement (e.g., with additional indication of features) using results provided by endpoint devices 200 …), wherein the static analysis threshold specifies a threshold for a particular process to be considered malicious when compared to a particular score assigned to the particular process as a result of performing static file analysis on one or more files associated with the particular process (Aziz, col.10,ln.54-67;col.12,ln.56-67: … The heuristics engine 335 may include scoring logic to correlate one or more characteristics of potential malware with a score of maliciousness, the score indicating the level of suspiciousness and/or maliciousness of the object. In one embodiment, when the score is above a first threshold, the heuristic engine 335 may generate an alert that the object is malicious. When the score is greater than a second threshold but lower than the first threshold, the object may be provided to the static analysis logic and/or the dynamic analysis logic for further analysis. 
When the score is less than the second threshold, the threat detection system may determine no further analysis is needed (e.g., the object is benign)  …), and wherein the weighting factors are indicative of a significance of the corresponding behavior of the plurality of behaviors to an inference of malicious intent (Aziz, col.12,ln.11-31: … The scoring logic 370 may correlate one or more characteristics and monitored behaviors (features) with a weight of maliciousness. The weight of maliciousness reflects experiential knowledge of the respective features (characteristics or monitored behaviors) and their correlations with those of known malware and benign objects. For example, during processing, the dynamic analysis logic 340 may monitor several behaviors of an object processed in the one or more virtual machine(s) 360, where, during processing, the object (i) executes a program, (ii) the program identifies personally identifiable data (e.g., login information, plain-text stored passwords, credit information), (iii) the program generates and encrypts the data in a new file, (iv) the program executes a network call, and (v) sends the encrypted data via the network connection to a remote server (exfiltrates the data). Each individual event may generate an independent score, weighted by the scoring logic 370, the weight based on experiential knowledge as to the maliciousness of each associated event …);
However, Aziz does not explicitly teach the following limitation. HOOKS, from the same or a similar field of endeavor, teaches:
“responsive to an attempt to execute a process on an endpoint device and prior to permitting execution of the process on the endpoint device, generating a static analysis score by performing, by the endpoint security solution running on the endpoint device, a static file analysis on one or more files associated with the process (HOOKS, Para [0054, 0065], FIG. 4: … Prior to launching a process in a client computer 202, prelaunch analysis may be performed on the associated executable file in operation 402. As a file is being loaded for execution (but before the process is actually allowed to run), a risk score for the file shall be evaluated. If the risk score exceeds a launch risk threshold that a particular organization has established, then a process blocking action shall be performed to prevent the file from executing. Some examples of information that could be used to formulate a risk score for an executable file prior to execution include results of static file analysis, prevalence of the executable file in the environment and through explicit prior knowledge. …);”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of HOOKS into the teachings of Aziz, because HOOKS discloses that the "manner in which an executable file is constructed can provide valuable evidence as to its purpose. For example, it is common for malware files to be packed in a way that obfuscates the contents of the file. Static analysis on each executable file identifies anomalous file content and the results of this analysis may be reflected in the risk score for that file and Automated support facility 102 may periodically provide agent components 116 with intelligence feed information, e.g., blacklist and whitelist information. The file's risk score may reflect the manner in which the executable is rated on these lists (HOOKS, Para [0066-0068])".
Aziz further discloses:
“when the static analysis score meets or exceeds the static analysis threshold, then treating the process as malicious and blocking execution of the process (Aziz, col.10,ln.8-67;col.2,ln.51-67; Claim 8: … The static analysis logic 320 may receive the network traffic to then extract the objects and related metadata, or may receive the objects and related metadata from the network interface(s) 310 already extracted. The term “object” generally refers to a collection of data, whether in transit (e.g., over a network) or at rest (e.g., stored), often having a logical structure or organization that enables it to be classified for purposes of analysis. The static analysis logic 320 may provide the objects to the indicator scanner 330 to identify if the objects match known indicators of malware. The term “indicator” (or “signature”) designates a set of characteristics and/or behaviors exhibited by one or more malware that may or may not be unique to the malware. Thus, a match of the signature may indicate to some level of probability that an object constitutes malware … The heuristics engine 335 may be adapted to perform comparisons of an object under analysis against one or more pre-stored (e.g., pre-configured and/or predetermined) attack patterns stored in memory (not shown). The heuristics engine 335 may also be adapted to identify deviations in messaging practices set forth in applicable communication protocols (e.g., HTTP, TCP, etc.) exhibited by the traffic packets containing the object, since these deviations are often characteristic of malware. A match of an identifier may indicate, to some level of probability, often well less than 100%, that an object constitutes malware. The identifiers may represent identified characteristics (features) of the potential malware. 
The heuristics engine 335 may include scoring logic to correlate one or more characteristics of potential malware with a score of maliciousness, the score indicating the level of suspiciousness and/or maliciousness of the object. In one embodiment, when the score is above a first threshold, the heuristic engine 335 may generate an alert that the object is malicious … Aspects of the invention reside in the interoperation of a network endpoint and a network connected malware detection system for the detection and/or verification of malware threats to mitigate or prevent data theft, operational compromise and other cyber-attack effects …);
when the static analysis score is less than the static analysis threshold, then obtaining a dynamic analysis score for the process (Aziz, col.10,ln.37-67;col.11,ln.1-26;col.12,ln.11-31: …When the score is greater than a second threshold but lower than the first threshold, the object may be provided to the static analysis logic and/or the dynamic analysis logic for further analysis … For dynamic analysis, the static analysis engine 320 may provide the object to the scheduler 350 … The scoring logic 370 generates a score used in a decision of maliciousness by the classification engine 380. The score may be a probability value (expressed in any of various ways such as, for example, a numerical value or percent) or other indicator (quantitative or qualitative) of security risk or so-called threat level. The determination of the score of the object processed by the malware detection system 300 may be based on a correlation of each of the features identified by the static analysis logic 320 and dynamic analysis logic 340 …); and
treating the process as malicious and causing execution of the process to be blocked based on a function of the static analysis score and the dynamic analysis score (Aziz, col.22,ln.33-47; claim 16: … if the security logic engine does not receive additional features and the object is determined to be malicious, the security logic engine generates and issues a report to a security administrator detailing the cyber-attack in step 840 and the procedure proceeds to step 845 where it ends. In some embodiments, the security logic engine may also send messages to endpoints affected by the malicious object, or to endpoints found by the SLE to be at risk of cyber-attack by the malicious object, to notify the endpoint or, via screen display or other alert, of the attack and in some embodiments, to block and/or prevent processing of the object by the endpoint …).”
Regarding Claim 2. The combination of Aziz-HOOKS discloses the method of claim 1, Aziz further discloses, “wherein said obtaining a dynamic analysis score for the process comprises observing by the endpoint security solution one or more behaviors resulting from execution of the one or more files by the endpoint device and determining the corresponding weighting factors of the one or more observed behaviors based on the mapping (Aziz, col.12,ln.32-55: … The scoring logic 370 may correlate one or more characteristics and monitored behaviors (features) with a weight of maliciousness. The weight of maliciousness reflects experiential knowledge of the respective features (characteristics or monitored behaviors) and their correlations with those of known malware and benign objects. For example, during processing, the dynamic analysis logic 340 may monitor several behaviors of an object processed in the one or more virtual machine(s) 360, where, during processing, the object (i) executes a program, (ii) the program identifies personally identifiable data (e.g., login information, plain-text stored passwords, credit information), (iii) the program generates and encrypts the data in a new file, (iv) the program executes a network call, and (v) sends the encrypted data via the network connection to a remote server (exfiltrates the data). Each individual event may generate an independent score, weighted by the scoring logic 370, the weight based on experiential knowledge as to the maliciousness of each associated event. The individual scores or a combined score across these events may be provided to the classifying engine 380. Alternatively, in some embodiments, the generation of a combined score may be performed by the classifying engine 380, or the scoring logic 370 and classification engine 380 may be combined into a single engine …).”
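The two-stage decision recited in claims 1 and 2, shown as an added worked example. This is Python written for this page, not code from the application under examination, from Aziz, or from HOOKS. It models the platform-maintained configuration (a static analysis threshold and a behavior-to-weight mapping), a pre-launch static gate that blocks when the static score meets or exceeds the threshold, and otherwise a dynamic score built from the weighting factors of observed behaviors, with the final verdict taken from a function of both scores. The entropy and packer-marker heuristics, the integer 0-100 scale, every weight and threshold, the behavior names, and the sample files are assumptions constructed for illustration.

```python
"""Two-stage endpoint scoring: static-analysis gate, then weighted behavior scoring.

Added example for this office action; not code from the application, from Aziz
(US 11240262 B1) or from HOOKS (US 20170061126 A1). Heuristics, weights,
thresholds, behavior names and sample inputs are all assumptions.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Assumed configuration maintained by the network security platform (hypothetical values).
# Integer points are used so threshold comparisons never hit float rounding ties.
STATIC_THRESHOLD = 80      # static score at/above this: treat as malicious, block before launch
COMBINED_THRESHOLD = 70    # function of static + dynamic at/above this: block
BEHAVIOR_WEIGHTS: Dict[str, int] = {   # behavior -> weighting factor (significance to malicious intent)
    "reads_credential_store": 30,
    "encrypts_new_file": 25,
    "network_connect_remote": 20,
    "exfiltrates_data": 40,
    "creates_process": 5,
    "reads_file": 5,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_score(file_bytes: bytes, blacklist: FrozenSet[str] = frozenset()) -> int:
    """Pre-launch static file analysis on the file's bytes; returns a 0-100 score."""
    if hashlib.sha256(file_bytes).hexdigest() in blacklist:   # explicit prior knowledge
        return 100
    score = 0
    if shannon_entropy(file_bytes) > 7.0:   # assumed heuristic: packed/obfuscated content
        score += 50
    if b"UPX!" in file_bytes:               # assumed heuristic: packer marker present
        score += 30
    return min(score, 100)


def dynamic_score(observed: Iterable[str], weights: Dict[str, int] = BEHAVIOR_WEIGHTS) -> int:
    """Sum the weighting factors of behaviors observed at run time (by the endpoint
    agent or a sandbox). Behaviors absent from the mapping carry no weight."""
    return sum(weights.get(b, 0) for b in observed)


def combined_score(static: int, dynamic: int) -> int:
    """Function of both scores used for the final verdict (additive, clamped to 100)."""
    return min(static + dynamic, 100)


@dataclass(frozen=True)
class Verdict:
    action: str              # "block" or "allow"
    stage: str               # "static" (blocked at the gate) or "dynamic"
    static: int
    dynamic: Optional[int]   # None when the process never ran


def evaluate_process(file_bytes: bytes, observed_behaviors: Iterable[str],
                     blacklist: FrozenSet[str] = frozenset()) -> Verdict:
    """Gate on the static score first; only if it is below the threshold is the
    process allowed to run under observation and scored a second time."""
    s = static_score(file_bytes, blacklist)
    if s >= STATIC_THRESHOLD:
        return Verdict("block", "static", s, None)
    d = dynamic_score(observed_behaviors)
    if combined_score(s, d) >= COMBINED_THRESHOLD:
        return Verdict("block", "dynamic", s, d)
    return Verdict("allow", "dynamic", s, d)


# Constructed sample inputs (not real malware).
BENIGN_FILE = b"MZ" + b"hello world " * 20                 # low entropy, no marker
PACKED_FILE = b"MZ" + bytes(range(256)) * 8 + b"UPX!"     # high entropy + packer marker
HIGH_ENTROPY_FILE = b"MZ" + bytes(range(256)) * 8         # high entropy only
KNOWN_BAD_FILE = b"MZ" + b"dropper-stub-v1 " * 16
KNOWN_BAD_HASHES = frozenset({hashlib.sha256(KNOWN_BAD_FILE).hexdigest()})
# Mirrors the sequence Aziz uses as an example: find credentials, encrypt, connect, exfiltrate.
EXFIL_BEHAVIORS = ["creates_process", "reads_credential_store", "encrypts_new_file",
                   "network_connect_remote", "exfiltrates_data"]

if __name__ == "__main__":
    print(evaluate_process(BENIGN_FILE, ["creates_process", "reads_file"]))
    print(evaluate_process(PACKED_FILE, EXFIL_BEHAVIORS))
    print(evaluate_process(HIGH_ENTROPY_FILE, EXFIL_BEHAVIORS))
    print(evaluate_process(KNOWN_BAD_FILE, [], KNOWN_BAD_HASHES))
```

The packed sample is stopped at the static gate and its behaviors are never consulted; the high-entropy sample scores 50, falls below the static threshold, runs, and is then blocked because the weighted behaviors push the combined score over the second threshold. The same high-entropy file with only a file read observed stays below the combined threshold and is allowed, which is the point of weighting behaviors by their significance rather than counting them.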
Regarding Claim 3. The combination of Aziz-HOOKS discloses the method of claim 1, Aziz further discloses, “wherein the network security platform includes a cloud-based security service in which a sandbox service resides and wherein said obtaining a dynamic analysis score for the process comprises the endpoint security solution requesting analysis of the one or more files by the sandbox service (Aziz; col.13,ln.51-67;col.5,ln.12-36: … the SLE may direct an endpoint configured with one or more versions of Firefox running over Windows 10 to run the same object using a closely monitored and/or sandboxed (or otherwise protected) process to detect suspicious behaviors … As noted previously, the reporting logic 390 may be configured to generate an alert for transmission external to the malware detection system 300 (e.g., to one or more other endpoint devices 200, to the security logic engine 400, and/or to a central manager). The reporting logic 390 is configured to provide reports via the network interface(s) 310. The security logic engine 400, when external to the MDS 300, e.g., may be configured to perform a management function or a separate management system may be provided, depending on the embodiment, e.g., to distribute the reports to other MDS within the private network, as well as to nodes within a malware detection services and/or equipment supplier network (e.g., supplier cloud infrastructure) for verification of the indicators and subsequent distribution to other malware detection system and/or among other customer networks …).”
Regarding Claim 4. The combination of Aziz-HOOKS discloses the method of claim 1, Aziz further discloses, “wherein when the static file analysis comprises a machine-learning based static file analysis (Aziz; col.18,ln.11-67: … FIG. 5 represents an exemplary flowchart of a computerized method 700 for operating a cyber-attack detection system. The method 700 starts at step 705 and proceeds to step 710 wherein an endpoint (e.g., a user-operated laptop) begins processing an object … If the endpoint identifies features of the object that may be indicative of malware in step 720, the object analyzed may be suspicious. Features may be determined to be indicative of malware, and thus suspicious by the endpoint employing heuristics, black lists (or white lists), or by correlation with features of known malicious and benign objects based on experiential knowledge and machine learning …  In step 730 the MDS may conduct an analysis of the suspicious object. In some embodiments, the MDS may conduct an analysis of the suspicious object using a static and/or dynamic analysis. The static analysis may, in part, include an indicator scanner 330 and/or a heuristics engine 335 which may utilize statically identified characteristics of the suspicious object to determine if the object is malicious  …).”
Regarding Claim 5. The combination of Aziz-HOOKS discloses the method of claim 1, Aziz further discloses, “wherein the one or more observed behaviors are determined by the network security platform based on contextual information of the process (Aziz; col.7,ln.20-67: The agent 250 is an executable software component configured to monitor the behavior of the applications 265 and/or operating system 240. The agent 250 may be configured to monitor (via monitoring logic 255), and store metadata (e.g., state information, memory accesses, process names, time stamp, etc.) associated with content executed at the endpoint device and/or behaviors (sometimes referred to as “events”) that may be associated with processing activity. Events are behaviors of an object that are exhibited by processes executed by the endpoint and are monitored by the agent 250 during the normal operation of the endpoint. Examples of these events may include information associated with a newly created process (e.g., process identifier, time of creation, originating source for creation of the new process, etc.), information about the type and location of certain data structures, information associated with an access to certain restricted port or memory address, or the like. The agent 250 may also retrieve and communicate off the endpoint device 200 to a remote electronic device such as the SLE 400 context information such as the contents of the endpoint device's memory or hard drive. Moreover, the monitoring logic 255 may be configurable so as to enable or disable the monitoring of select behaviors, activities or processes. In some embodiments, the agent 250 may include an event processing and filtering logic 257, which, for example, applies heuristics, rules or other conditions to the monitored behaviors, to identify anomalous or unexpected behaviors and determine if the object is suspicious …).”
Regarding Claim 6. The combination of Aziz-HOOKS discloses the method of claim 5, Aziz further discloses, “wherein the contextual information includes any or a combination of a command line instruction to execute the process, a process execution chain of the process, a memory dump associated with the process (Aziz; col.7,ln.20-67: … The agent 250 may also retrieve and communicate off the endpoint device 200 to a remote electronic device such as the SLE 400 context information such as the contents of the endpoint device's memory or hard drive …), and a plurality of environment variables.”
Regarding Claim 7. The combination of Aziz-HOOKS discloses the method of claim 1, Aziz further discloses, “wherein when the process is determined to be malicious, the network security platform takes at least one or a plurality of actions (Aziz, col.2,ln.51-67 : Aspects of the invention reside in the interoperation of a network endpoint and a network connected malware detection system for the detection and/or verification of malware threats to mitigate or prevent data theft, operational compromise and other cyber-attack effects …).”
Regarding Claim 8. The combination of Aziz-HOOKS discloses the method of claim 7, Aziz further discloses, “wherein the plurality of actions include any or a combination of notifying a user associated with the process (Aziz; col.4,ln.47-67: … This enhanced determination of maliciousness may be used to evaluate or modify the risk represented by the malware to endpoints on the network. For example, a malicious object is determined to affect a greater set of applications, or versions of an application, included in the software profiles of the original and additional endpoints, and thereby represent a threat to a larger set of endpoints on the network running those software profiles. For example, an initial interoperation of a first endpoint and an MDS may indicate all versions of Office applications using Windows 8.1 are susceptible to a cyber-attack by an object. This may be reported to a network administrator. Subsequently, additional information received by the SLE from a second endpoint indicates that the same applications running on Windows 10 are also susceptible to the malicious object. Accordingly, the SLE may initiate an alert or report to the effect that the determination of maliciousness is verified and expanded to include the additional software profile information …), isolating the endpoint device associated with the process and quarantine the process.”
Regarding Claim 9. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
Regarding Claim 10. This claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 11. This claim contains all the same or similar limitations as claim 3, hence similarly rejected as claim 3.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 4, hence similarly rejected as claim 4.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 5, hence similarly rejected as claim 5.
Regarding Claim 14. This claim contains all the same or similar limitations as claim 6, hence similarly rejected as claim 6.
Regarding Claim 15. This claim contains all the same or similar limitations as claim 7, hence similarly rejected as claim 7.
Regarding Claim 16. This claim contains all the same or similar limitations as claim 8, hence similarly rejected as claim 8.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Furthermore, additional prior art has been provided in the attached PTOL-892 form.
	US 8726392 B1; McCorkendale et al.: McCorkendale discloses a computer-implemented method for combining static and dynamic code analysis may include 1) identifying executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data, 2) performing a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code, 3) using a result of the static analysis to tune a dynamic analysis to track the one or more objects identified during the static analysis, and 4) performing the dynamic analysis by, while the executable code is being executed, tracking the one or more objects identified during the static analysis to determine whether the executable code leaks sensitive data via the one or more objects. Various other methods, systems, and computer-readable media are also disclosed.
	US 20100125911 A1; Bhaskaran: Bhaskaran discloses a computer implemented method and system for ranking a user in an organization based on the user's information technology related activities and arriving at an end risk score used for determining the risk involved in activities performed by the user and for other purposes. Group risk ranking profiles and security policies for usage of the organization's resources are created. The user is associated with one or more group risk ranking profiles. A security client application tracks the user's activities. Points are assigned to the user's tracked activities based on each of the associated group risk ranking profiles. The assigned points are aggregated to generate a first risk score. The assigned points of the user's tracked activities are modified at different levels based on predefined rules. The modified points are aggregated to generate the end risk score which is used for compliance and governance purposes, optimizing resources, etc.
	US 20140359777 A1; Lam et al.: Lam discloses a mobile device management server and method for determining the security risk for deployed mobile devices. The mobile device management server receives risk measurements from mobile devices that are used to calculate a risk score based on rules. The risk score can also be adjusted by correlating the received risk measurements with past security breaches or typical usage measurements. The calculated risk score is compared to one or more thresholds to determine whether to take a protective action that is associated with exceeding a threshold.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached on 9AM-5PM EST, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434