Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
	This action is in response to the communication filed on 4/12/2021.
 Claims 1-20 are examined and rejected. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s) as explained below. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-14 of U.S. Patent 11,030,302. Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is covered by the U.S. Patent 11,030,302.
This is a non-statutory double patenting rejection. The assignee of the application and the patent is the same.
Exemplary claim 1 with the substantive differences / simliarities between the conflicting claim 1 identified in bold is outlined below in the following comparison table.

Claim Comparison Table   
Instant Application
17,228,258
US Patent 
11,030,302
1. A system for determining a trust level of a process associated with a call operation, comprising: a processor; and memory storing instructions that, when executed by the processor, causes the system to perform a set of operations, the set of operations comprising: 
receiving a call operation associated with a process, the process to be evaluated for a trust level; 
determining whether the process is known by a security service, when it is determined that the process is known, determining the trust level for the process and when the process is trusted based on the trust level for the process, allowing the known process to execute the call operation; 
when it is determined that the process is unknown, determining whether the call operation is known by the security service; 
when it is determined that the call operation is known, evaluating the trust level of the call operation and when the called operation is trusted based on the trust level of the call operation, trusting the unknown process and executing the call operation; 
when it is determined that the call operation is unknown, not trusting the process and not executing the call operation.
1. A system comprising: at least one processor; and memory storing instructions that, when executed by the at least one processor, causes the system to perform a set of operation, the set of operations comprising: 
monitoring at least one application programming interface (API) associated with performing one or more file finding functions; 
intercepting a call operation directed to the at least one API, wherein the call operation is associated with a process attempting to perform at least one of the one or more file finding functions; 
determining a trust level for the process; wherein determining the trust level for the process comprises: 
accessing a process data store to compare one or more attributes of the process to information for a set of known processes to determine whether the process is an unknown process; 
accessing a call operation data store to compare one or more attributes of the call operation to information for a set of known call operation attributes to determine whether the call operation is untrusted; and 
determining the trust level for the process based at least in part on the determination whether the process is an unknown process and the determination whether the call operation is untrusted; 
evaluating the determined trust level to determine whether the process is trusted or untrusted; 
based on determining the process is untrusted, presenting a prompt to a user to allow the call operation; 
responsive to a user indication to allow the call operation, allowing the call operation; and based on determining the process is untrusted and absent a user indication to allow the call operation, blocking the call operation directed to the at least one API from performing the at least one of the one or more file finding functions.





Claim 1 of the instant application is broader in all respects than conflicting claim  1 of Patent No. U.S. Patent 11,030,302.  It is clear that all the elements of claims 1, 8 and 15 of the instant application are to be found in the patent of claims 1, 6 and 10. The difference between the instant application claims 1, 8 and 15  and claims 1, 6 and 11 of patent claims lies in the fact that the patented claim includes more elements and is thus more specific. 
For example, both the inventions are directed towards – determining trust level of function / call’ in the instant application claim 1 recites “determining a trust level of a process associated with a call operation” similarly in the patent claim 1 the ‘determining a trust level for the process; wherein determining the trust level for the process comprises’. Thus, claim 1 of instant application is broader  and anticipated by claim 1 of Patent ‘302.
A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
This is non-statutory type double patenting rejection since the conflicting claims have been patented.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable by U.S. Publication 2016/0371484 to Mehta et al. (hereinafter known as “Mehta”) and in view of U.S. Publication 2017/0091428 to Johnson et al. (hereinafter known as “Johnson”).

As per claim 1 Mehta teaches, a system for determining a trust level of a process associated with a call operation, comprising: 
a processor; and memory storing instructions that, when executed by the processor (Mehta Fig 1 elements 110a, 110b and 110c teaches processor), causes the system to perform a set of operations, the set of operations comprising: 
receiving a call operation associated with a process, the process to be evaluated for a trust level (Mehta para 38 teaches analyzing API calls addressed to API’s and its functions. Examiner interprets analyzing API calls similar to function of intercepting call operation); 
determining whether the process is known by a security service, when it is determined that the process is known, determining the trust level for the process and when the process is trusted based on the trust level for the process, allowing the known process to execute the call operation (Mehta para 38 – 39 Fig 3 element 308 teaches analysis of API call by extraction of call metadata and further categorizing metadata into whitelist (allowed) or blacklist (blocked). Examiner notes that metadata analysis of process into whitelist or blacklist is similar to determining trust level of process, as whitelist trust level is high and blacklist trust level is low); 
when it is determined that the call operation is known, evaluating the trust level of the call operation and when the called operation is trusted based on the trust level of the call operation, trusting the unknown process and executing the call operation (Mehta para 36 and 38 teaches extraction of metadata of API call to determine if the API call is whitelist or blacklist. Further para 36 teaches – detection of known malicious process or untrusted applications, where known process is covered of claimed function); 
when it is determined that the call operation is unknown, not trusting the process and not executing the call operation (Mehta para 34 and 36 teaches analysis of API calls metadata to determine if API calls (trust level of process) is black listed (unknown) and blocked (untrusted).
Mehta does not teach however Johnson teaches, 
when it is determined that the process is unknown, determining whether the call operation is known by the security service (Johnson Fig 3 para 27-30).  
Mehta teaches analyzing API call, extracting metadata from API calls and determination of API call as allowed or blocked (Abstract and Fig 3). Mehta does not teach however Johnson teaches determining call operation as unknown by security service (Johnson Fig 3). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Mehta – Johnson before him or her, to combine, Mehta’s API call analysis with additional features of metadata analysis for determination of API call as allowed or blocked with Johnson’s teaching of where Johnson teaches determining call operation as unknown by security service. The suggestion/motivation for doing so would have been to prevent access by unauthorized API calls to unlicensed content (Johnson para 3-4). 
As per claim 2 combination of Mehta – Johnson teaches, the system of claim 1, wherein the call operation is that of an application programming interface (API) and an API hook is used to intercept the call operation (Mehta Fig 3 element 302 , para 36-37, where application calling API call is analyzed - (Johnson para 37 teaches analyzing of API calls with call stack).
As per claim 3 combination of Mehta – Johnson teaches, the system of claim 2, wherein the process comprises a process to find a file, the trust level evaluated for a file search operation that comprises a wildcard symbol (Johnson para 41 Fig 4 teaches API call and native code obfuscated by string code which is similar to function of wildcard character). 
Mehta teaches analyzing and intercepting API call by extracting metadata from API calls (Abstract and Fig 3). Mehta does not teach however Johnson teaches intercepting the call operation comprises analyzing a call stack associated with wildcard character (Johnson para 37 and 41). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Mehta – Johnson before him or her, to combine, Mehta’s API call analysis with additional features of metadata analysis with Johnson’s teaching of where API call comprises of analyzing a call stack with wild card character. The suggestion/motivation for doing so would have been to include analysis of call operation with multiple language programming (such as Java / C+).
As per claim 4 combination of Mehta – Johnson teaches, the system of claim 1, wherein determining whether the process is known by the security service comprises accessing a data store to compare attributes of the process to a set of attributes for known processes (Mehta Fig 3 element 308 and 310, para 36-37, where API call metadata is extracted and categorized into as whitelist or blacklist (known or unknown process).
As per claim 5 combination of Mehta – Johnson teaches, the system of claim 4, wherein the set of attributes for known processes comprises a list of historical data for known processes and comparing attributes comprises comparing a process name (Mehta para 21-22 teaches service name / process name), a process hash, or a process cryptographic signature to the historical data for known process.
As per claim 6 combination of Mehta – Johnson teaches, the system of claim 1, wherein determining whether the call operation is known by the security service comprises accessing a data store to compare attributes of a call stack for the call operation to a set of attributes for known call operations (Mehta para 38-39).
As per claim 7 combination of Mehta – Johnson teaches, the system of claim 6, wherein the set of attributes for known call operations comprises historical data for known call operation including a security certificate and comparing attributes comprises comparing a security certificate for the call operation to the historical data for known call operations (Johnson para 30 teaches certificate pinning (validation of certificate parameters for authentication) and motivation same as in claim 1 and 3).
Claims 8 and 15,
Claims 8 and 15 are rejected in accordance with claim 1.

Claims 9 and 16,
Claims 9 and 16 are rejected in accordance with claim 2.
Claim 10,
Claim 10 is rejected in accordance with claim 3.
Claims 11 and 17,
Claims 11 and 17 are rejected in accordance with claim 4.
Claims 12 and 18,
Claims 12 and 18 are rejected in accordance with claim 5.
Claims 13 and 19,
Claims 13 and 19 are rejected in accordance with claim 6.
Claims 14 and 20,
Claims 14 and 20 are rejected in accordance with claim 7.

Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pendergast et al US Patent 10,681,071 
Muttik et al US Patent 9,558,348
Draluk et al US Patent 9,009,856
Chinnathambi et al US Publication 2019/0312874 
Anton et al US Publication 2017/0048253 
Redberg et al US Publication 2015/0154418

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431