DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Office Action is in response to the application filed on 09/16/2020. Claims 1-20 are examined.

Drawings
The drawings are objected to because Figure 6A should be labeled “600” (see para 0092) and 6B should be labeled “650” (see para 0096).
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being Anticipated by Strogov (U.S. 20190286821).

Regarding claim 1,
Strogov discloses: A method comprising: generating a call stack classification scheme ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack); detecting a call stack during deployment of an application ([0029] detect whenever processes 102 have been launched on the system 100 [0022] Each user process 102 may be associated with a user application (i.e., the user process 102 may be part of the user application, or be considered an instance of the user application itself)); using the call stack classification scheme ([0031] stack-based classification) during runtime of the application ([0031] The execution stack 114 (also referred to as a call stack) is a data structure used by the operating system 105 to store and manage data values related to the execution state of the thread), classifying the detected call stack as one of an authorized call stack or an unauthorized call stack to yield a classification ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)); and applying a security policy based on the classification ([0004] processes may be considered suspicious and are monitored by security systems (e.g., they are blocked, place on a blacklist, etc.)).

Regarding claim 2,
Strogov discloses: The method of claim 1, wherein the call stack classification scheme comprises: a whitelist of authorized call stacks accessible by the application ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 3,
Strogov discloses: The method of claim 1, wherein the call stack classification scheme comprises: a classifier trained using a machine learning technique ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack) for identifying detected call stacks as one of authorized or unauthorized call stacks (([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)).

Regarding claim 4,
Strogov discloses: The method of claim 3, wherein training the classifier comprises: using a list of previously known authorized call stacks and a list of previously known unauthorized call stacks to train the classifier ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 5,
Strogov discloses: The method of claim 4, wherein the classifier is trained to output a score for the detected call stack during the runtime of the application ([0028] configured to probabilistically identify user processes and threads that may be malicious based on their execution state; [0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Regarding claim 6, 
Strogov discloses: The method of claim 5, wherein classifying the detected call stack further comprises: comparing the score to a threshold ([0032] the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold); and classifying the call stack ([0032] indication 113 generated by the ML engine 104 may be a classification of the execution stack; [0031] The execution stack 114 (also referred to as a call stack)) as the authorized call stack if the score is greater than the threshold ([0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Regarding claim 7, 
Strogov discloses: The method of claim 3, wherein the classifier is trained to output the classification ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack) of the call stack ([0031] The execution stack 114 (also referred to as a call stack) detected during the runtime ([0028] In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees) as one of the authorized call stack or the unauthorized call stack ([0032] corresponding to an enumerated set of values encompassing “malicious” or “safe” states).

Regarding claim 8,
Strogov discloses: A system comprising: one or more memories ([0042] the computer system 20 includes a system memory 22) having computer-readable instruction stored therein; and one or more processors ([0042] the computer system 20 includes a central processing unit (CPU) 21) configured to execute the computer-readable instructions to ([0042] The processor 21 may execute one or more computer-executable code implementing the techniques of the present disclosure): generate a call stack classification scheme ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack); detect a call stack during deployment of an application ([0029] detect whenever processes 102 have been launched on the system 100 [0022]); use the call stack classification scheme ([0031] stack-based classification) during runtime of the application ([0031] The execution stack 114 (also referred to as a call stack) is a data structure used by the operating system 105 to store and manage data values related to the execution state of the thread), classify the detected call stack as one of an authorized call stack or an unauthorized call stack to yield a classification ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)); and apply a security policy based on the classification ([0004] processes may be considered suspicious and are monitored by security systems (e.g., they are blocked, place on a blacklist, etc.)).

Regarding claim 9,
Strogov discloses: The system of claim 8, wherein the call stack classification scheme comprises: a whitelist of authorized call stacks accessible by the application ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 10,
Strogov discloses: The system of claim 8, wherein the call stack classification scheme comprises: a classifier trained using a machine learning technique ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack) for identifying detected call stacks as one of authorized or unauthorized call stacks (([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)).

Regarding claim 11,
Strogov discloses: The system of claim 10, wherein the one or more processors are configured to execute the computer-readable instructions to train the classifier using a list of previously known authorized call stacks and a list of previously known unauthorized call stacks ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 12,
Strogov discloses: The system of claim 11, wherein the classifier is trained to output a score for the detected call stack during the runtime of the application ([0028] configured to probabilistically identify user processes and threads that may be malicious based on their execution state; [0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Regarding claim 13, 
Strogov discloses: The system of claim 12, wherein the one or more processors are configured to execute the computer-readable instructions to: compare the score to a threshold ([0032] the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold); and classify the call stack ([0032] indication 113 generated by the ML engine 104 may be a classification of the execution stack; [0031] The execution stack 114 (also referred to as a call stack)) as the authorized call stack if the score is greater than the threshold ([0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Regarding claim 14, 
Strogov discloses: The system of claim 10, wherein the classifier is trained to output the classification ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack) of the call stack ([0031] The execution stack 114 (also referred to as a call stack) detected during the runtime ([0028] In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees) as one of the authorized call stack or the unauthorized call stack ([0032] corresponding to an enumerated set of values encompassing “malicious” or “safe” states).

Regarding claim 15,
Strogov discloses: One or more non-transitory computer-readable storage media ([0047] As used herein, a computer readable storage medium is not to be construed as being transitory signals per se) comprising computer-readable instructions which, when executed by one or more processors of a security system, cause the security system to ([0046] Aspects of the present disclosure may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure): generate a call stack classification scheme ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack); detect a call stack during deployment of an application ([0029] detect whenever processes 102 have been launched on the system 100 [0022]); use the call stack classification scheme ([0031] stack-based classification) during runtime of the application ([0031] The execution stack 114 (also referred to as a call stack) is a data structure used by the operating system 105 to store and manage data values related to the execution state of the thread), classify the detected call stack as one of an authorized call stack or an unauthorized call stack to yield a classification ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)); and apply a security policy based on the classification ([0004] processes may be considered suspicious and are monitored by security systems (e.g., they are blocked, place on a blacklist, etc.)).

Regarding claim 16,
Strogov discloses: The one or more non-transitory computer-readable storage media of claim 15, wherein the call stack classification scheme comprises: a whitelist of authorized call stacks accessible by the application ([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 17,
Strogov discloses: The one or more non-transitory computer-readable storage media of claim 15, wherein the call stack classification scheme comprises: a classifier trained using a machine learning technique ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state. In one aspect, the ML engine 104 may be configured to perform an ensemble learning method for classifying the execution state and behavior of monitored user processes by using a plurality of decision trees (constructed at training time) that output a classification that is the mode of the classes output by the individual trees); [0031] The execution stack 114 (also referred to as a call stack) for identifying detected call stacks as one of authorized or unauthorized call stacks (([0032] the indication 113 generated by the ML engine 104 may be a classification of the execution stack 114 corresponding to an enumerated set of values encompassing “malicious” or “safe” states; [0031] The execution stack 114 (also referred to as a call stack)).

Regarding claim 18,
Strogov discloses: The one or more non-transitory computer-readable storage media of claim 17, wherein execution of the computer-readable instructions by the one or more processors further cause the security system to train the classifier using a list of previously known authorized call stacks and a list of previously known unauthorized call stacks to train the classifier ([0028] the ML engine 104 may include a heuristics database or one or more models trained on previous execution stacks and configured to probabilistically identify user processes and threads that may be malicious based on their execution state); [0031] The execution stack 114 (also referred to as a call stack).

Regarding claim 19,
Strogov discloses: The one or more non-transitory computer-readable storage media of claim 18, wherein the classifier is trained to output a score for the detected call stack during the runtime of the application ([0028] configured to probabilistically identify user processes and threads that may be malicious based on their execution state; [0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Regarding claim 20, 
Strogov discloses: The one or more non-transitory computer-readable storage media of claim 19, wherein execution of the computer-readable instructions by the one or more processors further cause the security system to: compare the score to a threshold ([0032] the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold); and classify the call stack ([0032] indication 113 generated by the ML engine 104 may be a classification of the execution stack; [0031] The execution stack 114 (also referred to as a call stack)) as the authorized call stack if the score is greater than the threshold ([0032] In an aspect, the indication 113 generated by the ML engine 104 may represent a probabilistic estimate of the danger of this thread. For example, the indication 113 may be a probability value ranging from 0 to 1, or any range of floating point numbers with a decision threshold).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
Anderson 2017-4-26 (US 20180314843) teaches classifying runtime stacks for security purposes.
Strogov 2018-9-17 (US 20200204589) teaches classifying call stack traces and whitelisting safe applications.
Strogov 2019-3-15 (US 20190286821) teaches classifying call stacks.
Chan 2013-12-17 (US 20140310714) teaches classification of stack segments.
Nitsan 2015-4-30 (US 20180089004) teaches classification of application events using call stacks.
Chan 2017-5-5 (US 20170322877) teaches classifying call stacks segments.
YOU 2018-12-29 (CN 109766698) teaches data protection using call stack features.



Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571) 272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436
/AMIE C. LIN/Primary Examiner, Art Unit 2436