DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This action is in response to the communications and remarks filed on 7/6/2022. Claims 1-8 are presently pending for examination.

Response to Arguments
Applicant's arguments, see pages 4-8, filed 7/6/2022, regarding the 102 and 103 rejections of Claims 1-8, have been fully considered and are persuasive. However, a new ground of rejection has been made in view of Schilling et al., (US 20180004938 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-2 and 4-8 are rejected under 35 U.S.C. 103 as being unpatentable over Nainar et al., (US 20170302663 A1) hereinafter referred to as Nainar in view of Schilling et al., (US 20180004938 A1) hereinafter referred to as Schilling.
Regarding Claim 1, Nainar discloses A system comprising: a first computing device comprising instructions executable by a hardware processor to: create, responsive to detecting a second computing device [Abstract, a device in a network receives a network registration request from a particular node – “particular node” is the “second computing device”] 
initially attempting to connect to a network, [Abstract, The network registration request comprises information about the particular node – the “network registration request” is the attempt to connect to a network] 
an unpopulated baseline profile for the second computing device; [paragraph 0035, For example, in various embodiments, registration request 302 may include any or all of the following…Traffic Profile] [paragraph 0047, to detect anomalies (e.g., by comparing traffic profile information or other behavioral information regarding node F stored in the block chain to an observed behavior of node F)]
Nainar does not explicitly teach populate the baseline profile with initial processes running on the second computing device and initial system calls made by the initial processes during an initial operation time period of the second computing device, wherein the initial system calls comprise initial programmatic requests of services from a kernel of an operating system executing on the second computing device; monitor, during a subsequent operation time period of the second computing device, subsequent processes running on the second computing device and subsequent system calls made by the subsequent processes, wherein the subsequent system calls comprise subsequent programmatic requests of services from the kernel of the operating system executing on the second computing device; and detect an attack on the second computing device based on a comparison of the subsequent processes and the subsequent system calls to the populated baseline profile.
Schilling teaches populate the baseline profile with initial processes running on the second computing device and initial system calls made by the initial processes during an initial operation time period of the second computing device, wherein the initial system calls comprise initial programmatic requests of services from a kernel of an operating system executing on the second computing device; [paragraph 0052, Target profiles may comprise known configurations for guest virtual machines 104. Known configurations may comprise known healthy configuration and/or known compromised configurations. A target profile may aid in the detection of obfuscated malicious instructions. Malicious instructions may disguise themselves as legitimate applications 122 on a guest virtual machine 104 when executed. A target profile may comprise application execution information to compare with the execution of an application 122 in a trusted environment. Examples of application execution information include, but are not limited to, an operating system environment has, file encryption algorithms, file names, process trees or lists, memory maps, kernel modules, API hooks, file change or modification time information, metadata, system calls/returns, memory footprints, SPU usage, central processing unit (CPU) usage, and network usage. Profiling tool 142 may be configured to perform a comparative analysis using the target profile to determine whether a guest virtual machine 104 is compromised by obfuscated malicious instructions – the “target profiles” are the “baseline profiles” which can be populated with “system calls/return” as well as “kernel modules”]
monitor, during a subsequent operation time period of the second computing device, subsequent processes running on the second computing device and subsequent system calls made by the subsequent processes, wherein the subsequent system calls comprise subsequent programmatic requests of services from the kernel of the operating system executing on the second computing device; and detect an attack on the second computing device based on a comparison of the subsequent processes and the subsequent system calls to the populated baseline profile. [paragraph 0052, Target profiles may comprise known configurations for guest virtual machines 104. Known configurations may comprise known healthy configuration and/or known compromised configurations. A target profile may aid in the detection of obfuscated malicious instructions. Malicious instructions may disguise themselves as legitimate applications 122 on a guest virtual machine 104 when executed. A target profile may comprise application execution information to compare with the execution of an application 122 in a trusted environment. Examples of application execution information include, but are not limited to, an operating system environment has, file encryption algorithms, file names, process trees or lists, memory maps, kernel modules, API hooks, file change or modification time information, metadata, system calls/returns, memory footprints, SPU usage, central processing unit (CPU) usage, and network usage. Profiling tool 142 may be configured to perform a comparative analysis using the target profile to determine whether a guest virtual machine 104 is compromised by obfuscated malicious instructions – the “profiling tool” analyzes the profiles to determine whether a machine has been compromised] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Schilling with the disclosure of Nainar. The motivation or suggestion would have been for “detecting malicious instructions on a virtual machine.” (paragraph 0002)
Regarding Claim 2, Nainar does not explicitly teach wherein the instructions executable to detect the attack include instructions executable to detect the attack by identifying the subsequent processes and the subsequent system calls do not match a portion of the initial processes and the initial system calls.
Schilling teaches wherein the instructions executable to detect the attack include instructions executable to detect the attack by identifying the subsequent processes and the subsequent system calls do not match a portion of the initial processes and the initial system calls. [paragraph 0052, Target profiles may comprise known configurations for guest virtual machines 104. Known configurations may comprise known healthy configuration and/or known compromised configurations. A target profile may aid in the detection of obfuscated malicious instructions. Malicious instructions may disguise themselves as legitimate applications 122 on a guest virtual machine 104 when executed. A target profile may comprise application execution information to compare with the execution of an application 122 in a trusted environment. Examples of application execution information include, but are not limited to, an operating system environment has, file encryption algorithms, file names, process trees or lists, memory maps, kernel modules, API hooks, file change or modification time information, metadata, system calls/returns, memory footprints, SPU usage, central processing unit (CPU) usage, and network usage. Profiling tool 142 may be configured to perform a comparative analysis using the target profile to determine whether a guest virtual machine 104 is compromised by obfuscated malicious instructions – the “profiling tool” analyzes the profiles to determine whether a machine has been compromised] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Schilling with the disclosure of Nainar. The motivation or suggestion would have been for “detecting malicious instructions on a virtual machine.” (paragraph 0002)
Regarding Claim 4, Nainar discloses wherein the instructions executable to monitor the subsequent processes and the subsequent system calls include instructions to monitor the subsequent processes and the subsequent system calls from a log file periodically received from the second computing device. [Figure 3A, the transactions in a block of a blockchain can be considered as log files]
Regarding Claim 5, Nainar discloses including the instructions executable to assign a public-private key pair to the unpopulated baseline profile. [paragraph 0048, server 150b may also digitally sign the update using a private key, allowing any validators to verify that the update was indeed sent by server 150b using the corresponding public key of server 150b]
Regarding Claim 6, Nainar discloses including the instructions executable to detect that the log file is tampered with when the log file fails authentication. [paragraph 0051, the validator may determine that there is a mismatch between the reported domain and the existing information in the block chain regarding the node. In particular, based on the block chain, the validator may determine that node F is attempting to register with a domain that differs from the domain previously reported by the manufacturer in the block chain]
Regarding Claim 7, Nainar discloses including the instructions executable to detect the second computing device initially attempting to connect to the network when the second computing device is connected to the network for a first time. [Abstract, a device in a network receives a network registration request from a particular node – “particular node” is the “second computing device”] [Abstract, The network registration request comprises information about the particular node – the “network registration request” is the attempt to connect to a network]
Regarding Claim 8, Nainar discloses including the instructions executable to transmit, responsive to detecting the second computing device initially attempting to connect to the network, an agent to the second computing device to generate log files of the initial processes, the initial system calls, the subsequent processes, and the subsequent system calls. [paragraph 0055, update the block chain to indicate the observed behavior of node F. For example, edge node 1 may monitor the traffic profile of node F (e.g., when node F sends data, the size of the sent data, the destination of the sent data, etc.). In turn, edge node 1 may initiate a block chain update 602 that includes the observed traffic profile of node F]

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Nainar in view of Schilling, as applied to Claim 1 above, and further in view of Neumann (US 9654485 B1) hereinafter referred to as Neumann.
Regarding Claim 3, the combination of Nainar and Schilling does not explicitly teach wherein the instructions executable to detect the attack include instructions executable to detect the attack by identifying a duration of the subsequent processes and the subsequent system calls do not match a duration of a portion of the initial processes and the initial system calls.
Neumann teaches wherein the instructions executable to detect the attack include instructions executable to detect the attack by identifying a duration of the subsequent processes and the subsequent system calls do not match a duration of a portion of the initial processes and the initial system calls. [Column 15, lines 36-40, The behavioral pattern of each correlation profile 120 may include any combination of behavioral characteristics that may be related to one another, such as those behavioral characteristics that occur during or close to the same time frame]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Neumann with the disclosure of Nainar. The motivation or suggestion would have been for the security monitoring system to use a number of factors in arriving at relevance of the behavioral characteristics to one another so as to form a behavioral fragment. (Column 2, lines 38-41)
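As an added illustration of the claimed technique (example code written for this page, not code from the application or from the Nainar, Schilling or Neumann references), the following Python sketch populates a baseline profile from an initial period's processes and system calls, flags subsequent processes and calls that do not match it (Claims 1-2), flags duration deviations (Claim 3), and checks a periodically received log file for tampering (Claims 5-6). The log format, process names, durations and the use of an HMAC tag as a stand-in for the key-pair signature are assumptions.

```python
import hmac
import hashlib
import json
from collections import defaultdict

# Constructed sample log lines: (process, syscall, duration_ms).
# Names and values are assumptions for illustration only.
INITIAL_LOG = [
    ("sshd", "read", 2), ("sshd", "write", 3), ("sshd", "accept", 5),
    ("cron", "execve", 4), ("cron", "wait4", 20),
]
SUBSEQUENT_LOG = [
    ("sshd", "read", 2), ("sshd", "accept", 6),
    ("cron", "wait4", 400),   # duration far outside the baseline (Claim 3)
    ("sshd", "ptrace", 1),    # syscall never seen for sshd in baseline (Claim 2)
    ("miner", "socket", 3),   # process absent from the baseline (Claim 2)
]


def build_baseline(entries):
    """Populate the initially empty baseline: per-process syscall set and
    the longest observed duration of each (process, syscall) pair."""
    calls = defaultdict(set)
    max_ms = {}
    for proc, call, ms in entries:
        calls[proc].add(call)
        max_ms[(proc, call)] = max(ms, max_ms.get((proc, call), 0))
    return {"calls": dict(calls), "max_ms": max_ms}


def detect(baseline, entries, slack=2.0):
    """Compare the subsequent period against the populated baseline.
    `slack` is an assumed tolerance factor on duration."""
    findings = []
    for proc, call, ms in entries:
        if proc not in baseline["calls"]:
            findings.append(("unknown_process", proc, call))
        elif call not in baseline["calls"][proc]:
            findings.append(("unknown_syscall", proc, call))
        elif ms > slack * baseline["max_ms"][(proc, call)]:
            findings.append(("duration_anomaly", proc, call))
    return findings


def tag_log(entries, key):
    """Integrity tag over the serialized log file (HMAC stands in here for
    the private-key signature an agent would apply)."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def log_is_authentic(entries, tag, key):
    """Authentication failure means the received log file was tampered with."""
    return hmac.compare_digest(tag_log(entries, key), tag)
```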
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response. In the limited amount of non-production time, if the examiner's consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923. The examiner can normally be reached M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANDREW J STEINLE/Primary Examiner, Art Unit 2497