DETAILED ACTION
This action is in response to the amendment filed 3/22/2022. Claims 9-28 are pending, with claims 9 and 11-20 having been amended and claims 21-28 newly added.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 3/22/2022 have been fully considered.
A) Applicant's arguments with respect to amended claims 9 and 18 that Schilling does not teach “access, by the monitor without suspending execution of the OS, the mapping information using a virtual address in the metadata, the virtual address related to invariant information comprising program code of the OS; receive, by the monitor, a physical address translated by the mapping information from the virtual address; and access, by the monitor, a memory location specified by the physical address to retrieve the invariant information of the OS from the physical memory independently of the OS” because Schilling teaches that extraction of the page tables is performed so that the page tables can be analyzed for malicious instructions have been fully considered but they are not persuasive.
Regarding A) Schilling teaches access, by the monitor without suspending execution of the OS, the mapping information using a virtual address in the metadata, the virtual address related to invariant information comprising program code of the OS (see Schilling figure 11 step 1102 and paragraph 0112 i.e. At step 1102, hypervisor control point 124 employs virtual machine measurement points 126 to collect virtual machine memory metadata from a guest virtual machine 104. The virtual machine memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the guest virtual machine 104); 
receive, by the monitor, a physical address translated by the mapping information from the virtual address (see Schilling paragraph 0108-0109 i.e. Virtual machine measurement points 126 may be configured to collect memory metadata from guest virtual machine 104, hypervisor 102, and/or physical hardware 1012. For example, virtual machine measurement points 126 may be configured to collect one or more memory pages from guest page tables 1004 and one or more memory pages from extended page tables 1008 and paragraph 0113); 
access, by the monitor, a memory location specified by the physical address to retrieve the invariant information of the OS from the physical memory independently of the OS (see Schilling figure 11 step 1104-1106, paragraph 0109 and paragraph 0113-0114 i.e. The hypervisor memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the hypervisor 102. The hypervisor memory is the same type of metadata as the virtual machine memory metadata from the guest virtual machine 104. For example, the hypervisor memory metadata comprises a memory page when the virtual machine memory metadata comprises a memory page. In one embodiment, virtual machine measurement points 126 may collect the hypervisor memory metadata from a random access memory of the hypervisor 102. At step 1106, hypervisor control point 124 compares the virtual machine memory metadata to the hypervisor memory metadata to determine whether the virtual machine memory metadata and the hypervisor memory metadata are the same and paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).
This clearly teaches the claim limitation. 
B) Applicant’s arguments with respect to the rejection(s) of amended claim 20 under 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made over Schilling et al (US 2017/0149801) in view of Tsirkin et al (US 2016/0291996).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 9, 11, 13-24 and 26-27 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Schilling et al (US 2017/0149801).
With respect to claim 9 Schilling teaches a non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to: 
execute a monitor separate from an operating system (OS) that uses mapping information in accessing data in a physical memory, wherein the mapping information maps virtual addresses to physical addresses of the physical memory (see Schilling paragraph 0024 i.e. Detection system 100 comprises hypervisor 102, one or more guest virtual machines 104, one or more virtual vault machines 106, one or more trusted measurement machines 108, virtualization manager 110, vault management console 112); 
receive, by the monitor from an agent, metadata indicating a storage location of the mapping information (see Schilling figure 10 and paragraph 0107-0109 i.e. In an embodiment, hypervisor control point 124 may employ hardware assisted paging using hypervisor 102 to monitor and capture guest page tables 1004. Guest page tables 1004 may provide the ability to monitor currently executing pages and their corresponding page frame number mapping RAM address. Hardware assisted paging may enable targeted RAM extraction and registry extraction for file metadata information. In an embodiment, virtual machine measurement points 126 may be configured to collect virtual machine operating characteristics memory metadata independent of the operating system of the guest virtual machine 104 and paragraph 0112. Guest page tables 1004 are configured to map process virtual memory 1002 to guest physical memory 1006. For example, guest page tables 1004 may provide a mapping between data in process virtual memory 1002 to the location of the corresponding data in guest physical memory 1006. Hypervisor 102 comprises extended page tables 1008. Extended page tables 1008 may be configured to map data in the memory of guest virtual machine 104 to host physical memory 1010 in physical hardware 1012); 
access, by the monitor without suspending execution of the OS, the mapping information using a virtual address in the metadata, the virtual address related to invariant information comprising program code of the OS (see Schilling figure 11 step 1102 and paragraph 0112 i.e. At step 1102, hypervisor control point 124 employs virtual machine measurement points 126 to collect virtual machine memory metadata from a guest virtual machine 104. The virtual machine memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the guest virtual machine 104); 
receive, by the monitor, a physical address translated by the mapping information from the virtual address (see Schilling paragraph 0113 i.e. At step 1104, hypervisor control points 124 employs virtual machine measurement point 126 to collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor 102 that is associated with the guest virtual machine 104); 
access, by the monitor, a memory location specified by the physical address to retrieve the invariant information of the OS from the physical memory independently of the OS (see Schilling figure 11 step 1104-1106 and paragraph 0113-0114 i.e. The hypervisor memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the hypervisor 102. The hypervisor memory is the same type of metadata as the virtual machine memory metadata from the guest virtual machine 104. For example, the hypervisor memory metadata comprises a memory page when the virtual machine memory metadata comprises a memory page. In one embodiment, virtual machine measurement points 126 may collect the hypervisor memory metadata from a random access memory of the hypervisor 102. At step 1106, hypervisor control point 124 compares the virtual machine memory metadata to the hypervisor memory metadata to determine whether the virtual machine memory metadata and the hypervisor memory metadata are the same); and
determining, by the monitor based on monitoring the invariant information of the OS, whether a security issue is present (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 11 Schilling teaches the non-transitory machine-readable storage medium of claim 7, wherein the metadata comprises a virtual memory map that indicates portions of a virtual address space that are assigned for respective uses by the OS, and wherein determining whether the security issue is present is further based on the virtual memory map (see Schilling 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 13 Schilling teaches the non-transitory machine-readable storage medium of claim 7, wherein the metadata comprises a page frame management data structure comprising information for page frames, wherein the invariant information monitored by the monitor comprises a page frame (see Schilling 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 14 Schilling teaches the non-transitory machine-readable storage medium of claim 7, wherein the instructions upon execution cause the system to: detect new executable code; and determine that an attack is occurring responsive to: detecting that the new executable code is corrupted based on the metadata, or detecting that the new executable code is within or outside of a specified virtual address region (see Schilling 0041 i.e. In another embodiment, virtual machine measurement points 126 may be configured to provide file management security. For example, virtual machine measurement points 126 may be configured to kill or terminate applications 122, for example, applications 122 with malicious instructions, based on known malware hashes. Alternatively, virtual machine measurement points 126 may be configured to capture any other data as would be appreciated by one of ordinary skill in the art upon viewing this disclosure).

With respect to claim 15 Schilling teaches the non-transitory machine-readable storage medium of claim 1, wherein determining whether the security issue is present comprises comparing a hash value of the invariant information at runtime of the OS to a baseline hash value of the invariant information (see Schilling 0041 i.e. In another embodiment, virtual machine measurement points 126 may be configured to provide file management security. For example, virtual machine measurement points 126 may be configured to kill or terminate applications 122, for example, applications 122 with malicious instructions, based on known malware hashes. Alternatively, virtual machine measurement points 126 may be configured to capture any other data as would be appreciated by one of ordinary skill in the art upon viewing this disclosure).

With respect to claim 16 Schilling teaches the non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to: use a process descriptor to verify an integrity of an OS process (see Schilling 0041 i.e. In another embodiment, virtual machine measurement points 126 may be configured to provide file management security. For example, virtual machine measurement points 126 may be configured to kill or terminate applications 122, for example, applications 122 with malicious instructions, based on known malware hashes. Alternatively, virtual machine measurement points 126 may be configured to capture any other data as would be appreciated by one of ordinary skill in the art upon viewing this disclosure).

With respect to claim 17 Schilling teaches the non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to: detect a hidden process by comparing entries of a first list that lists all processes with entries of a second list that lists scheduled processes (see Schilling 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 18 Schilling teaches a system comprising: 
a physical memory (see Schilling paragraph 0025 i.e. The memory may comprise read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM)); 
a first processor (see Schilling paragraph 0070 i.e. Hypervisor control points 124 may be implemented or executed on a core that is held separate from other cores that are available to guest virtual machine 104); 
a second processor (see Schilling paragraph 0072 i.e. Guest virtual machines 104 may be able to view and/or control all of the available cores (e.g. cores 402A-402D) or a subset of the available cores of CPU 402); 
an operating system (OS) executable on the first processor, the OS to use mapping information in accessing data in the physical memory, wherein the mapping information maps virtual addresses to physical addresses of the physical memory (see Schilling paragraph 0113 i.e. At step 1102, hypervisor control point 124 employs virtual machine measurement points 126 to collect virtual machine memory metadata from a guest virtual machine 104. The virtual machine memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the guest virtual machine 104. In one embodiment, virtual machine measurement points 126 may collect the virtual machine memory metadata from a random access memory of the guest machine 104); 
a monitor executable on the second processor that is different from the first processor to: 
receive, from an agent, metadata indicating a storage location of the mapping information (see Schilling figure 10 and paragraph 0107-0109 i.e. In an embodiment, hypervisor control point 124 may employ hardware assisted paging using hypervisor 102 to monitor and capture guest page tables 1004. Guest page tables 1004 may provide the ability to monitor currently executing pages and their corresponding page frame number mapping RAM address. Hardware assisted paging may enable targeted RAM extraction and registry extraction for file metadata information. In an embodiment, virtual machine measurement points 126 may be configured to collect virtual machine operating characteristics memory metadata independent of the operating system of the guest virtual machine 104 and paragraph 0112. Guest page tables 1004 are configured to map process virtual memory 1002 to guest physical memory 1006. For example, guest page tables 1004 may provide a mapping between data in process virtual memory 1002 to the location of the corresponding data in guest physical memory 1006. Hypervisor 102 comprises extended page tables 1008. Extended page tables 1008 may be configured to map data in the memory of guest virtual machine 104 to host physical memory 1010 in physical hardware 1012); 
access, without suspending execution of the OS, the mapping information using a virtual address in the metadata, the virtual address related to invariant information comprising program code of the OS (see Schilling figure 11 step 1102 and paragraph 0112 i.e. At step 1102, hypervisor control point 124 employs virtual machine measurement points 126 to collect virtual machine memory metadata from a guest virtual machine 104. The virtual machine memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the guest virtual machine 104); 
receive, at the monitor, a physical address translated by the mapping information from the virtual address (see Schilling paragraph 0113 i.e. At step 1104, hypervisor control points 124 employs virtual machine measurement point 126 to collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor 102 that is associated with the guest virtual machine 104); 
access a memory location specified by the physical address to retrieve the invariant information of the OS from the physical memory independently of the OS (see Schilling figure 11 step 1104-1106 and paragraph 0113-0114 i.e. The hypervisor memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the hypervisor 102. The hypervisor memory is the same type of metadata as the virtual machine memory metadata from the guest virtual machine 104. For example, the hypervisor memory metadata comprises a memory page when the virtual machine memory metadata comprises a memory page. In one embodiment, virtual machine measurement points 126 may collect the hypervisor memory metadata from a random access memory of the hypervisor 102. At step 1106, hypervisor control point 124 compares the virtual machine memory metadata to the hypervisor memory metadata to determine whether the virtual machine memory metadata and the hypervisor memory metadata are the same); and
determining, based on monitoring the invariant information of the OS, whether a security issue is present (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 19 Schilling teaches the system of claim 18, wherein the monitor is executable on the second processor to: receive, from an agent that is part of the OS, metadata indicating a memory location of the mapping information, access the memory location based on the metadata to retrieve the mapping information, and identify a physical address of the invariant information using the retrieved mapping information (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 21 Schilling teaches the non-transitory machine-readable storage medium of claim 9, wherein executing the monitor separately from the OS comprises executing the monitor on a first processor and executing the OS on a second processor (see Schilling paragraph 0070 i.e. Hypervisor control points 124 may be implemented or executed on a core that is held separate from other cores that are available to guest virtual machine 104 and paragraph 0072 i.e. Guest virtual machines 104 may be able to view and/or control all of the available cores (e.g. cores 402A-402D) or a subset of the available cores of CPU 402).

With respect to claim 22 Schilling teaches the non-transitory machine-readable storage medium of claim 9, wherein the OS includes a hypervisor, and the determining comprises determining whether the security issue is present with the hypervisor, and wherein the monitor is a non-hypervisor based monitor (see Schilling figure 10 and 11 and paragraph 0108 and paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 23 Schilling teaches the non-transitory machine-readable storage medium of claim 9, wherein the monitoring of the invariant information is performed without making a copy of the mapping information (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 24 Schilling teaches the non-transitory machine-readable storage medium of claim 9, wherein the instructions upon execution cause the system to: detect an attack of the mapping information (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

With respect to claim 26 Schilling teaches the non-transitory machine-readable storage medium of claim 9, wherein the agent is part of the OS (see Schilling paragraph 0111-0113).

With respect to claim 27 Schilling teaches the system of claim 18, wherein the monitor is executable on the second processor to: detect an attack of the mapping information (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are the different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Schilling et al (US 2017/0149801) in view of Han et al, “Myth and Truth about Hypervisor-Based Kernel Protector: The Reason Why You Need Shadow-Box” (listed on IDS 7/26/2019).
With respect to claim 10 Schilling teaches the non-transitory machine-readable storage medium of claim 9, but does not disclose wherein the access of the memory location comprises the monitor accessing the physical memory directly over an interconnect independently of the OS.
Han teaches wherein the access of the memory location comprises the monitor accessing the physical memory directly over an interconnect independently of the OS (see Han section 4.1.4 i.e. To implement monitoring procedures, we need to spawn control flows that are independent to the guest OS. Kernel threads could be used to create such control flows, but other kernel-level processes of the guest OS may intervene the threads. Instead, Light-box spawns OS independent control flows using the VMX preemption timer supported by CPU [11]. The VMX preemption timer can activate our monitoring logic periodically and give the control back to CPU after-hand. It is free from the guest’s intervention, being running in the host machine). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Schilling in view of Han to have used the VMX preemption timer supported by the CPU to spawn OS-independent control flows that are independent from the guest OS, since other kernel-level processes of the guest OS may intervene in the threads if the monitoring procedures are not independent of the guest OS (see Han section 4.1.4). Therefore one would have been motivated to have used the VMX preemption timer supported by the CPU to spawn OS-independent control flows that are independent from the guest OS.

With respect to claim 12 Schilling teaches the non-transitory machine-readable storage medium of claim 7, but does not disclose wherein the metadata comprises a virtual address of critical information of the OS or of static information of the OS, wherein the invariant information monitored by the monitor comprises the critical information or the static information.
Han teaches wherein the metadata comprises a virtual address of critical information of the OS or of static information of the OS, wherein the invariant information monitored by the monitor comprises the critical information or the static information (see section 4.2.1 Event-driven Access Mitigation i.e. Kernel objects including kernel codes, the system call table, the IDT table, and the hypercall table, reside in read-only kernel memory. The values of the objects are static, thus immutable at runtime. The codes and read-only data of LKMs also fall into the same category. Shadow-watcher protects those objects by using physical page locking. As well as the locking, Shadow-watcher also uses physical page hiding for keeping the important objects safe. When CPU or a DMA controller tries to access particular addresses, MMU and IOMMU translate given logical addresses to host physical addresses (HPA) using page tables shown in Figure 4. HPA may belong to a memory area allocated for static kernel objects, or a memory area used by the user or Shadow-box. Unintentionally or intentionally, HPA could also point to an unallocated memory area. Shadow-watcher sorts out those anomalies in memory accesses by re-setting proper access privileges in the pages tables).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Schilling in view of Han to have the kernel objects, including kernel code, the system call table, the IDT table, and the hypercall table, reside in read-only kernel memory with the values of the objects static and thus immutable at runtime, where Shadow-watcher protects those objects by using physical page locking and also uses physical page hiding to keep the important objects safe, such that when the CPU or a DMA controller tries to access particular addresses, the MMU and IOMMU translate the given logical addresses to host physical addresses (HPA) using page tables, and where the HPA may belong to the memory area allocated for static kernel objects or to a memory area used by the user or Shadow-box, proper access privileges are re-set in the page tables (see Han section 4.2.1). Therefore one would have been motivated to have the metadata comprise a virtual address of critical information of the OS or of static information of the OS, wherein the invariant information monitored by the monitor comprises the critical information or the static information, as a way to keep track of kernel code, the system call table, the IDT table, and the hypercall table residing in read-only kernel memory that are static and cannot be changed at runtime.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Schilling et al (US 2017/0149801) in view of Tsirkin et al (US 2016/0291996).
With respect to claim 20 Schilling teaches a method performed by a system comprising a hardware processor, comprising: 
accessing, by an operating system (OS) that includes a hypervisor, a physical memory using mapping information that maps virtual addresses to physical addresses of the physical memory (see Schilling paragraph 0107 i.e. In an embodiment, hypervisor control point 124 may employ virtual machine measurement points 126 to collect memory metadata in response a measurement request for virtual machine operating characteristics memory metadata. In an embodiment, hypervisor control point 124 may employ hardware assisted paging using hypervisor 102 to monitor and capture guest page tables 1004. Guest page tables 1004 may provide the ability to monitor currently executing pages and their corresponding page frame number mapping RAM address. Hardware assisted paging may enable targeted RAM extraction and registry extraction for file metadata information. In an embodiment, virtual machine measurement points 126 may be configured to collect virtual machine operating characteristics memory metadata independent of the operating system of the guest virtual machine 104); 
accessing, by a monitor using the mapping information, invariant information of the OS including the hypervisor without suspending execution of the OS (see Schilling paragraph 0113 i.e. At step 1104, hypervisor control points 124 employs virtual machine measurement point 126 to collect hypervisor memory metadata that corresponds with the virtual machine memory metadata from a hypervisor 102 that is associated with the guest virtual machine 104. The hypervisor memory metadata may comprise one or more memory pages, one or more memory page tables, information about currently executing memory pages or programs, and/or data from one or more memory locations in the hypervisor 102. The hypervisor memory is the same type of metadata as the virtual machine memory metadata from the guest virtual machine 104. For example, the hypervisor memory metadata comprises a memory page when the virtual machine memory metadata comprises a memory page. In one embodiment, virtual machine measurement points 126 may collect the hypervisor memory metadata from a random access memory of the hypervisor 102); and 
determining, by the monitor based on monitoring the invariant information of the OS including the hypervisor, whether a security issue is present (see Schilling paragraph 0117 i.e. hypervisor control point 124 proceeds to step 1114 when the virtual machine memory metadata and the hypervisor memory metadata are different. At step 1114, hypervisor control point 124 determines that the virtual machine memory metadata is compromised. At step 1116, hypervisor control point 124 triggers an alarm to notify a security administrator that the guest virtual machine 104 is compromised).
Schilling does not teach wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level. 
Tsirkin teaches wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level (see Tsirkin paragraph 0030 i.e. The hypervisor 108 provides multiple sets of page tables. In one example, the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges. The sets of page tables, referred to as “views,” define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access. A guest 122 is typically not given access to pages other than those associated with the GPA pages of the corresponding virtual machine 110. For example, a guest 122 is not given access to pages in host memory 106 that are mapped to hypervisor memory 124 or GPAs 118 of a different virtual machine. For example, virtual machine 110-1 has access to HPAs 120 that are mapped to GPAs 118-1, but not HPAs 120 that are mapped to GPAs 118-2. This is because GPAs 118-2 are associated with a different virtual machine 110-2 and paragraph 0045-0049).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Schilling in view of Tsirkin to have the hypervisor provide multiple sets of page tables, in which the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges, where the sets of page tables define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access, and in which a guest 122 is not given access to pages other than those associated with the GPA pages of the corresponding virtual machine, as a way to prevent the virtual machine from accessing another virtual machine's memory (see Tsirkin paragraph 0030 and 0045). Therefore one would have been motivated to detect an attack on the mapping information based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level.

With respect to claim 25 Schilling teaches the non-transitory machine-readable storage medium of claim 24, but does not disclose wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level or that the entry of the mapping information has a mode different from a predetermined mode.
Tsirkin teaches wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level or that the entry of the mapping information has a mode different from a predetermined mode (see Tsirkin paragraph 0030 i.e. The hypervisor 108 provides multiple sets of page tables. In one example, the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges. The sets of page tables, referred to as “views,” define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access. A guest 122 is typically not given access to pages other than those associated with the GPA pages of the corresponding virtual machine 110. For example, a guest 122 is not given access to pages in host memory 106 that are mapped to hypervisor memory 124 or GPAs 118 of a different virtual machine. For example, virtual machine 110-1 has access to HPAs 120 that are mapped to GPAs 118-1, but not HPAs 120 that are mapped to GPAs 118-2. This is because GPAs 118-2 are associated with a different virtual machine 110-2 and paragraph 0045-0049).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Schilling in view of Tsirkin to have the hypervisor provide multiple sets of page tables, in which the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges, where the sets of page tables define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access, and in which a guest 122 is not given access to pages other than those associated with the GPA pages of the corresponding virtual machine, as a way to prevent the virtual machine from accessing another virtual machine's memory (see Tsirkin paragraph 0030 and 0045). Therefore one would have been motivated to detect an attack on the mapping information based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level.

With respect to claim 28 Schilling teaches the system of claim 27, but does not disclose wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level or that the entry of the mapping information has a mode different from a predetermined mode. 
Tsirkin teaches wherein the detecting of the attack of the mapping information is based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level or that the entry of the mapping information has a mode different from a predetermined mode (see Tsirkin paragraph 0030 i.e. The hypervisor 108 provides multiple sets of page tables. In one example, the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges. The sets of page tables, referred to as “views,” define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access. A guest 122 is typically not given access to pages other than those associated with the GPA pages of the corresponding virtual machine 110. For example, a guest 122 is not given access to pages in host memory 106 that are mapped to hypervisor memory 124 or GPAs 118 of a different virtual machine. For example, virtual machine 110-1 has access to HPAs 120 that are mapped to GPAs 118-1, but not HPAs 120 that are mapped to GPAs 118-2. This is because GPAs 118-2 are associated with a different virtual machine 110-2 and paragraph 0045-0049).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Schilling in view of Tsirkin to have the hypervisor provide multiple sets of page tables, in which the sets of page tables define the same mapping from HPAs to GPAs but with different access privileges, where the sets of page tables define a virtual machine's privileges to the different pages in terms of execution access, write access, and read access, and in which a guest 122 is not given access to pages other than those associated with the GPA pages of the corresponding virtual machine, as a way to prevent the virtual machine from accessing another virtual machine's memory (see Tsirkin paragraph 0030 and 0045). Therefore one would have been motivated to detect an attack on the mapping information based on detecting that an entry of the mapping information has a privilege level different from a predetermined privilege level.
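As an added illustration of the monitor-side check discussed for claims 9, 25 and 28 (example code written for this page, not code from Schilling, Tsirkin, or the application under examination): a toy two-level page-table walk that translates a virtual address through the mapping information to a physical address, retrieves bytes of the guest's invariant program code from that physical memory without involving the guest OS, and flags any mapping entry whose privilege level (user/supervisor, writable and no-execute bits) differs from the predetermined policy for kernel text. The in-process physical memory, the table layout, the sample addresses and the policy are all constructed assumptions; only the entry flag bit positions follow the x86-64 layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy two-level page table with 4 KiB pages and 512 entries per table.
 * Entry flag bits follow the x86-64 layout (P, R/W, U/S, NX); the walk is
 * otherwise simplified and "physical memory" is a constructed in-process
 * array, so this runs stand-alone and is not any real OS's code. */
#define PAGE_SHIFT      12
#define PAGE_SIZE       (1ULL << PAGE_SHIFT)
#define PHYS_MEM_PAGES  16

#define PTE_PRESENT     (1ULL << 0)
#define PTE_RW          (1ULL << 1)   /* writable */
#define PTE_USER        (1ULL << 2)   /* accessible from user mode */
#define PTE_NX          (1ULL << 63)  /* no-execute */
#define PTE_ADDR_MASK   0x000FFFFFFFFFF000ULL

static _Alignas(8) uint8_t phys_mem[PHYS_MEM_PAGES * PAGE_SIZE];

/* Constructed layout (assumption): page 0 holds the page directory, page 1
 * the page table, pages 2..5 hold the guest's "kernel text". */
#define PD_PHYS     (0 * PAGE_SIZE)
#define PT_PHYS     (1 * PAGE_SIZE)
#define KTEXT_PHYS  (2 * PAGE_SIZE)
#define KTEXT_VIRT  0x00600000ULL   /* sample kernel-text virtual base */
#define KTEXT_PAGES 4

/* Predetermined privilege/mode for kernel text: present, supervisor-only,
 * read-only, executable. A leaf entry whose masked bits differ is flagged. */
struct pte_policy { uint64_t mask; uint64_t value; };
static const struct pte_policy KTEXT_POLICY = {
    PTE_PRESENT | PTE_RW | PTE_USER | PTE_NX, PTE_PRESENT
};

static uint64_t *table_at(uint64_t phys) { return (uint64_t *)(phys_mem + phys); }

/* Translate vaddr through the tables rooted at pd_phys. Returns the physical
 * address, or UINT64_MAX when no mapping is present; the leaf entry is
 * handed back through leaf_out so its privilege bits can be inspected. */
uint64_t translate(uint64_t pd_phys, uint64_t vaddr, uint64_t *leaf_out) {
    uint64_t pde = table_at(pd_phys)[(vaddr >> 21) & 0x1FF];
    if (!(pde & PTE_PRESENT)) return UINT64_MAX;
    uint64_t pte = table_at(pde & PTE_ADDR_MASK)[(vaddr >> 12) & 0x1FF];
    if (!(pte & PTE_PRESENT)) return UINT64_MAX;
    if (leaf_out) *leaf_out = pte;
    return (pte & PTE_ADDR_MASK) | (vaddr & (PAGE_SIZE - 1));
}

/* Read one byte of guest memory by virtual address, the way a monitor
 * retrieves invariant OS code from physical memory independently of the guest. */
int read_guest_byte(uint64_t pd_phys, uint64_t vaddr) {
    uint64_t pa = translate(pd_phys, vaddr, NULL);
    if (pa == UINT64_MAX || pa >= sizeof phys_mem) return -1;
    return phys_mem[pa];
}

/* Audit npages starting at vaddr: count pages whose leaf entry is missing
 * or whose privilege/mode bits differ from the predetermined policy. */
int audit_range(uint64_t pd_phys, uint64_t vaddr, size_t npages, struct pte_policy pol) {
    int violations = 0;
    for (size_t i = 0; i < npages; i++) {
        uint64_t pte = 0;
        if (translate(pd_phys, vaddr + i * PAGE_SIZE, &pte) == UINT64_MAX ||
            (pte & pol.mask) != pol.value)
            violations++;
    }
    return violations;
}

/* Build the constructed sample: a clean, policy-conforming kernel-text mapping. */
void build_sample(void) {
    memset(phys_mem, 0, sizeof phys_mem);
    table_at(PD_PHYS)[(KTEXT_VIRT >> 21) & 0x1FF] = PT_PHYS | PTE_PRESENT | PTE_RW;
    for (size_t i = 0; i < KTEXT_PAGES; i++) {
        uint64_t pa = KTEXT_PHYS + i * PAGE_SIZE;
        table_at(PT_PHYS)[((KTEXT_VIRT >> 12) & 0x1FF) + i] = pa | PTE_PRESENT;
        memset(phys_mem + pa, 0x90 + (int)i, PAGE_SIZE); /* stand-in "code" bytes */
    }
}

int scenario_clean(void) {
    build_sample();
    return audit_range(PD_PHYS, KTEXT_VIRT, KTEXT_PAGES, KTEXT_POLICY);
}

/* Same tables after the third kernel-text entry has been changed to be
 * writable and user-accessible: its privilege level no longer matches. */
int scenario_altered(void) {
    build_sample();
    table_at(PT_PHYS)[((KTEXT_VIRT >> 12) & 0x1FF) + 2] |= PTE_RW | PTE_USER;
    return audit_range(PD_PHYS, KTEXT_VIRT, KTEXT_PAGES, KTEXT_POLICY);
}

int main(void) {
    printf("clean mapping:   %d violation(s)\n", scenario_clean());
    printf("altered mapping: %d violation(s)\n", scenario_altered());
    return 0;
}
```

Compile with `cc -std=c11 pte_audit.c` (file name assumed). A monitor on real hardware would take the page-table root from the collected metadata rather than a fixed constant, walk all four levels with large-page handling, and keep one policy per memory region (text, read-only data, stacks); the comparison of masked entry bits against a predetermined value is the part the claims recite and is unchanged by that scaling.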

Prior Art Not Used in Rejection
Serebrin et al (US 2010/0223447) titled “Translate and Verify Instruction for a Processor” teaches translating a virtual address and verifying whether or not the translation attributes in the page table entry match the specified translation attributes, and faulting the first instruction both responsive to failing to locate a translation for the virtual address and responsive to locating a translation for the virtual address in the page table entry but with the translation attributes in the entry failing to match the specified translation attributes.
Probert et al (US 2016/0092678) titled “Protecting Application Secrets from Operating System Attacks” teaches a proxy kernel acting as a transparent interface between isolated user mode applications and the operating system during the provision of resource management and system services.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492