DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/24/22 has been entered.
 	Amended claims 1-4 and 6-20 as submitted on 6/24/22 were considered.  Applicant’s arguments were also considered, but are moot in view of new rejections made below in response to the amendments.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, and 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Pfleger de Aguiar et al (US 2020/0202008).
Claim 1:
	Repasi discloses: 
a data interface (paragraphs 13 and 78); 
a processor (paragraphs 13 and 78; The computing devices listed all have one or more data interfaces and processors as standard components as well as storage containing computing instructions executed by processors to carry out tasks); and 
a storage device storing instructions executable by the processor (paragraph 78; Computing devices) to: 
collect firmware and/or hardware information relating to the client system (paragraphs 22-23 and 93-94); 
transmit, via the data interface, data associated with the firmware and/or hardware information to an analysis device (paragraphs 93-94; Information related to the firmware of one or more hardware device of the client system are gathered and sent to analysis module 220 to determine if the firmware has been modified by malware).
Perform analysis of the client system to determine suspicious behavior indicative of implants in the client system (paragraphs 21 and 30; Scan firmware for malware).
Perform remediation for the implants in the client system (paragraphs 26 and 117; Repair firmware that had malware implant).

Repasi does not disclose the analysis device is a remote cloud-hosted service.  Repasi also does not disclose the analysis was done in real time and the analysis was of running system configuration and operation of the client system.  
However, Pfleger de Aguiar discloses the analysis device is a remote cloud-hosted service (paragraph 21) and the analysis was done in real time and the analysis was of running system configuration and operation of the client system (paragraphs 18-19, 21, 24-26, 32, 35, and 52).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Repasi’s invention using Pfleger de Aguiar’s teachings.  One skilled would have been motivated to do so as it allows for minimizing adverse impacts of attacks on industrial control systems by allowing for rapid detection of the attacks (Pfleger de Aguiar: paragraph 18).

Claim 3:
	Repasi further discloses wherein the firmware and/or hardware information includes data and/or configuration information from the processor and/or a chipset hardware of the client system, system firmware, management controllers, the storage device, a network card, a graphics card, and/or an internal or add-on device (paragraph 87).
Claim 6:
	Repasi further discloses wherein the instructions are further executable to review firmware binary images for predefined firmware implants based on indicators and/or markers of the predefined firmware implants, the indicators and/or markers of the predefined firmware implants including a signature within an image, network access, and/or firmware malicious components (paragraphs 95 and 97-99; Hash/checksum/pattern indicative of malware).

Claim 7:
	Repasi does not disclose, but Pfleger de Aguiar discloses wherein the instructions are further executable to analyze behavioral data relating to the client system using a heuristic model and to generate an alert responsive to detecting a behavior anomaly, the behavioral data including unexpected timing changes or interrupts (paragraphs 8, 20, 35, 46, and 49; Analyze behavior of executing PLC/client compared to historical data to find any anomalies.  This is heuristic modeling).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention to incorporate Pfleger de Aguiar’s teachings as discussed above.  One skilled would have done so as use of heuristic modeling/historical data analysis would allow increased chances of catching zero day malware which may not yet be well known.

Claim 8:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images with predefined binary images stored in a database (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware).


Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Pfleger de Aguiar et al (US 2020/0202008) in further view of Khoruzhenko (US 2020/0364340).
Claim 2:
	Repasi does not disclose, but Khoruzhenko discloses the client system further comprising a kernel driver, wherein the firmware and/or hardware information is collected by using the kernel driver (paragraphs 6 and 47).  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention so that the client system further comprises a kernel driver, wherein the firmware and/or hardware information is collected by using the kernel driver.  One skilled would have been motivated to do so as certain types of hardware require a kernel driver to read information from/about them (Khoruzhenko: paragraph 47).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Pfleger de Aguiar et al (US 2020/0202008) in further view of McDougal et al (US 2012/0330801).
Claim 4:
	Pfleger de Aguiar further discloses wherein transmitting the data associated with the firmware and/or hardware information comprises transmitting the data over a channel to the remote device (paragraph 21; Upload data for cloud analysis).
	Repasi and Pfleger de Aguiar do not disclose, but McDougal discloses the channel being an encrypted and authenticated channel (paragraph 3).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to utilize an encrypted and authenticated channel as taught by McDougal’s invention for uploading data for analysis in Repasi and Pfleger de Aguiar’s combination invention.  One of ordinary skill in the art would have been motivated to do so as it would prevent leak of sensitive information being analyzed to unauthorized parties.


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Pfleger de Aguiar et al (US 2020/0202008) in further view of York et al (US 2017/0048269).
Claim 9:
	Repasi further discloses wherein the instructions are further executable to update a report to indicate a detected threat to security of the client system (paragraphs 96 and 115).  Repasi does not disclose the report being a web-based interface, however, York discloses use of a web-based interface to report alerts (paragraph 137).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention to incorporate York’s invention so the report was given via a web-based interface.  The rationale for why one would have done so is that doing so is nothing more than simple substitution of one known element (i.e. type of alert delivery mechanism) for another (i.e. different type of alert mechanism) to obtain predictable results (see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).


Claims 10-11, 13-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Nachimuthu et al (US 2018/0150293) and further in view of Pfleger de Aguiar et al (US 2020/0202008).
Claim 10:
	Repasi discloses: 
a data interface (paragraphs 13 and 78); 
a processor (paragraphs 13 and 78; The computing devices listed all have one or more data interfaces and processors as standard components as well as storage containing computing instructions executed by processors to carry out tasks); and 
a storage device storing instructions executable by the processor (paragraph 78; Computing devices) to: 
receive, via the data interface, data associated with boot firmware and/or hardware information of a client system (paragraphs 21, 87, 94, 96, 103; Analysis module receives a copy of the received BIOS, which is boot firmware, and scans it for malware).
analyze received data to detect a security threat to the client system (paragraphs 21 and 30; Scan firmware for malware).
Perform remediation for the implants in the client system (paragraphs 26 and 117; Repair firmware that had malware implant).


Repasi does not disclose, but Nachimuthu discloses wherein the boot firmware is defined according to a Unified Extensible Firmware Interface (UEFI) (paragraphs 64 and 68).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Repasi’s invention using Nachimuthu’s teachings such that the boot firmware is defined according to UEFI as taught by Nachimuthu.  
The rationale for why it would be obvious to do so is that the boot firmware must be defined in accordance with some format and using UEFI is nothing more than simple substitution of one known element (i.e. undefined format for the boot firmware) for another (i.e. specific format for the firmware, where the format is UEFI) to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  Note also that UEFI is a standard format for firmware and standards are meant to be used, thus it would also be obvious to use UEFI to define the boot firmware because it’d be using a standard as intended.
Repasi does not disclose, but Pfleger de Aguiar discloses the security threat being suspicious behavior (paragraphs 18-19, 21, 24-26, 32, 35, and 52; Operation of a PLC or computer is analyzed against historical data to detect significant statistical changes in real time, which would indicate suspicious behavior/security threat).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s invention using Pfleger de Aguiar’s teachings.  One skilled would have been motivated to do so as it allows for minimizing adverse impacts of attacks on industrial control systems by allowing for rapid detection of the attacks (Pfleger de Aguiar: paragraph 18).

Claim 11:
Repasi further discloses wherein the instructions are further executable to generate an alert responsive to detecting a security threat to the client system (Repasi: paragraphs 96 and 115), and wherein the boot firmware and/or hardware information includes data and/or configuration information from the processor and/or a chipset hardware of the client system, system firmware, management controllers, the storage device, a network card, a graphics card, and/or an internal or add-on device (Repasi: paragraph 87).

Claim 13:
	As per claim 13, Repasi further discloses wherein the instructions are further executable to review firmware binary images for predefined firmware implants based on indicators and/or markers of the predefined firmware implants (paragraphs 95 and 97-99; Hash/checksum/pattern indicative of malware).

Claim 14:
As per claim 14, Repasi does not disclose, but Pfleger de Aguiar discloses wherein the instructions are further executable to analyze behavioral data relating to the client system using a heuristic model and to generate an alert responsive to detecting a behavior anomaly (paragraphs 8, 20, 35, 46, and 49; Analyze behavior of executing PLC/client compared to historical data to find any anomalies.  This is heuristic modeling).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Repasi’s modified invention to incorporate Pfleger de Aguiar’s teachings as discussed above.  One skilled would have done so as use of heuristic modeling/historical data analysis would allow increased chances of catching zero day malware which may not yet be well known.

Claim 16:
Claim 16 recites a combination of limitations that are found in claims 1 and 10 combined, thus the rejection of claims 1 and 10 combined, using the teachings of Repasi, Nachimuthu, and Pfleger de Aguiar, applies, mutatis mutandis, to claim 16.

Claim 17:
	The rejection of claim 11 applies, mutatis mutandis, to claim 17.
Claim 18:
	The rejection of claim 13 applies, mutatis mutandis, to claim 18.

Claim 19:
	The rejection of claim 14 applies, mutatis mutandis, to claim 19.

Claim 20:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images for predefined firmware implants based on indicators and/or markers of the firmware implants (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Nachimuthu et al (US 2018/0150293) and further in view of Pfleger de Aguiar et al (US 2020/0202008) in further view of McDougal et al (US 2012/0330801).
Claim 12:
	Pfleger de Aguiar further discloses wherein receiving the data associated with the boot firmware and/or hardware information comprises transmitting the data over a channel from the client system (paragraphs 21 and 87; Upload data for cloud analysis).
	Repasi, Nachimuthu, and Pfleger de Aguiar do not disclose, but McDougal discloses the channel being an encrypted and authenticated channel (paragraph 3).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to utilize an encrypted and authenticated channel as taught by McDougal’s invention for uploading data for analysis in Repasi’s modified invention.  One of ordinary skill in the art would have been motivated to do so as it would prevent leak of sensitive information being analyzed to unauthorized parties.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Repasi et al (US 2007/0277241) in view of Nachimuthu et al (US 2018/0150293) and further in view of Pfleger de Aguiar et al (US 2020/0202008) in further view of York et al (US 2017/0048269).
Claim 15:
	Repasi further discloses wherein the instructions are further executable to compare firmware binary images with predefined binary images stored in a database (paragraphs 95 and 97-98; Compare firmware being analyzed with whitelists and blacklists of firmware), and wherein the instructions are further executable to update a report to indicate a detected threat to security of the client system (paragraphs 96 and 115).  Repasi does not disclose the report being a web-based interface, however, York discloses use of a web-based interface to report alerts (paragraph 137).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify McDougal’s modified invention to incorporate York’s invention so the report was given via a web-based interface.  The rationale for why one would have done so is that doing so is nothing more than simple substitution of one known element (i.e. type of alert delivery mechanism) for another (i.e. different type of alert mechanism) to obtain predictable results (see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/           Primary Examiner, Art Unit 2495