Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 19 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 19 and 20 recite the computer product of claim 16. However, claim 16 is a system claim that depends on claim 9. It is assumed that claims 19 and 20 are intended to depend on claim 17, which is a computer product claim. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 9-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claims 9-16 recite a system including computer program instructions, while claims 17-20 recite computer program product. The instructions and product are considered software, per se, which is not statutory. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 4-10, and 12-19 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chari et al. (US 2017/0308712, hereinafter referred to as “Chari”).

Regarding claim 1, Chari teaches a method of dynamically generating monitoring tools for software applications, the method comprising: 
inspecting, using static code analysis, a non-executable representation of the application to identify one or more points in an application for monitoring ([0068] Static analysis examines source code of an application without executing the application to identify possible sensitive data vulnerabilities within the static (i.e., non-running) source code.); and 
for each of the one or more points in the application: generating a monitoring program (abstract - Audit logs of monitored sensitive data activity events in the application are generated using the audit log statements at the audit log statement insertion points in the components of the application.); and 
inserting, into an executable representation of the application, the monitoring program at a location in the executable representation of the application that corresponds to the identified point in the application ([0080 [0080] The computer generates audit logs of monitored sensitive data activity events in the application using the audit log statements at the identified audit log statement insertion points in each software component of the application (step 618). The computer also performs a dynamic code analysis on the application to ensure that none of the sensitive data flows into the generated audit logs (step 620).).

Regarding claim 2, Chari teaches the method of claim 1 wherein inspecting, using static code analysis, a non-executable representation of the application includes inspecting source code for the application that is stored in a code repository ([0032] network storage; [0068] Static analysis examines source code of an application without executing the application to identify possible sensitive data vulnerabilities within the static (i.e., non-running) source code. Static analysis may include, for example, data flow analysis and taint analysis.).
Regarding claim 4, Chari teaches the method of claim 1 further comprising creating a monitoring program repository, wherein each monitoring program is associated with an identification of an application and a point within the application where the monitoring program should be determined ([0044] Locations of sensitive data 230 represent where sensitive data is located within application 220. Audit log manager 218 may identify locations of sensitive data 230 by utilizing, for example, labeled sensitive data 238.).

Regarding claim 5, Chari teaches the method of claim 4 further comprising creating an entry in the monitoring program repository for a generated monitoring program ([0044] Audit log statement insertion points 232 represent locations within application 220 where audit log manager is to insert an audit log statement for generating an audit log entry for a monitored sensitive data activity event in a component of application 220. Audit log manager 218 may generate audit log 234 from audit log entries generated by audit log statements inserted within application 220 at audit log statement insertion points 232.).

Regarding claim 6, Chari teaches the method of claim 1 further comprising: detecting, by a particular monitoring program, that the application is preparing to take an undesirable action; and preventing the application from taking the undesirable action ([0081] If the computer determines that the generated audit logs are not in compliance with the audit requirements, no output of step 624, then the computer performs an action step regarding non-compliance of the generated audit logs with the audit requirements (step 626).).

Regarding claim 7, Chari teaches the method of claim 1 wherein a particular monitoring program is configured to inspect data communications messages generated by the application prior to the application sending the data communications messages ([0081] If the computer determines that the generated audit logs are not in compliance with the audit requirements, no output of step 624, then the computer performs an action step regarding non-compliance of the generated audit logs with the audit requirements (step 626). One possible action step may be for the computer to notify a system administrator of the non-compliance for possible correction and mitigation of risk to the sensitive data.).

Regarding claim 8, Chari teaches the method of claim 1 wherein a particular monitoring program is configured to monitor for known exploitable conditions ([0067] Automatically generating audit logs for sensitive data activities or events, which are generated by a distributed application providing a regulated service via network, is a solution to a current problem. For example, companies utilize audit logs for monitoring security and compliance, as well as for forensic analysis. Illustrative embodiments automatically determine points or locations within an application where audit logs need to be generated to record sensitive data activity.).

Claims 9-10, and 12-16 are similar to claims 1-2 and 4-8, respectively, therefore are rejected under the same rationale. 

Claims 17-19 are similar to claims 1, 6 and 2, respectively, therefore are rejected under the same rationale.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 3 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Xia et al. (WO 2017049800, hereinafter referred to as “Xia”).

Regarding claim 3, Chari does not explicitly teach the method of claim 1 wherein inspecting, using static code analysis, a non-executable representation of the application includes inspecting an intermediate representation of the application as the application is being compiled. In an analogous art, Xia teaches inspecting, using static code analysis, a non-executable representation of the application includes inspecting an intermediate representation of the application as the application is being compiled (In step 402, the application code is decompiled to generate an intermediate code in a predetermined format. In this embodiment, the electronic device can then compile or decompile the acquired application code by static analysis means to generate an intermediate code of a predetermined format. Here, the intermediate code may be code represented by a predetermined programming language, such as application code represented by the Java language; or other code capable of representing the logical relationship of the data of the application code. The electronic device can compile or decompile the application code to convert to intermediate format code.). Before the effective date of the invention, one of ordinary skill in the art would have been motivated to enable the static code analysis to include inspecting an intermediate representation of the application as the application is being compiled as a way to detect loophole code in the application, therefore enabling detection of suspicious loophole code (Xia, abstract).

Allowable Subject Matter
Claim 20 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.
Regarding claim 20, the prior art of record does not teach the computer program product of claim 16 further comprising detecting anomalies associated with the application using one or more polygraphs.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. Sheridan et al., US 9792443 - An application source code is scanned to produce a representation of the application source code, start locations within the representation are determined, corresponding stop locations within the representation are determined, and a set of data impact locations within the representation are determined.
2. Jin et al., CN 107886000 -  software vulnerability detection system, software leak detection method by a static analysis technique.
3. Chang et al., CN 104573524 - a fuzzy-based test method for static detection, comprising a source code static analysis.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908. The examiner can normally be reached M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALINA BOUTAH
Primary Examiner
Art Unit 2442



/ALINA A BOUTAH/Primary Examiner, Art Unit 2442