DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Claims 14-32 are pending. Claims 1-13 have been canceled. Claims 14-32 are currently amended.
Applicant’s amendments to the claims will overcome each and every 101 rejection previously set forth in the Non-final Office Action mailed 07/22/2021.

Terminal Disclaimer
The terminal disclaimer filed on 10/20/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent No. 10,360,378 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 14-15, 20-21, 23-24 and 28-29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by DAI et al. (US Pub No. 2012/0159628).
Regarding independent claim 14, Dai discloses an analysis method for a computer system, comprising: storing, in a storage device, a plurality of process information associated with a plurality of processes on the computer system (Dai, Figure 3; page 2, paragraph 0023-0024; stores execution objects and execution operation of processes (paragraph 0021) when conducting a malicious behavior database; malicious detection apparatus); storing, in the storage device, a plurality of purpose information associated with a plurality of purposes of a plurality of harms to the computer system caused by the plurality of processes (Dai, Figure 3; pages 2-3, paragraphs 0023-0025; when conducting a malicious behavior database stores malicious behavior profiles of the processes; the processes being a process of the malware; coding of the malware behavior of purpose designated by code, e.g. Malware A has a malicious behavior A-1 “modify the internet explorer”, and so on); and storing, in the storage device, a plurality of relation information associated with a plurality of relations between the plurality of process information and the plurality of purpose information (Dai, Figure 3; page 2, paragraphs 0022-0024; stores link information (paragraph 0021) when conducting a malicious behavior database; Link Information, “The link information in the behavior profile 2 varies with different processes. 
Because different processes involve different execution information, the link information may be of any related execution information depending on practical conditions…”); acquiring, from a detection device, a list of processes operating on the computer system and detected by the detection device (Dai, page 1, paragraph 0006 and page 3, paragraphs 0031-0032; first process; “the malware detection apparatus 1 executes a plurality of programs simultaneously within a time period and each of the programs further comprises a plurality of processes”); selecting a process from the list of processes (Dai, page 3, paragraph 0032; “Because detection of a malware is accomplished through comparison of a single program to detect whether the individual program is a malware, the malware detection apparatus 1 must identify by which program a process is executed.”); determining, based on the plurality of relation information stored in the storage device, a purpose information associated with a process information associated with the selected process (Dai, page 1, paragraph 0006 and page 3, paragraph 0031; first behavior profile according to the first process; “Next, the processing unit 13 searches in the malicious behavior database 3 for a malicious behavior profile identical to the first behavior profile. As can be known from the malicious behavior database 3 of FIG. 3, the first behavior profile is identical to the malicious behavior profile whose code is A-1:1.”); and outputting a signal configured to display the determined purpose information on a display device (Dai, page 2, paragraph 0042; “When a program is determined to be a malware through comparison, the processing unit 13 further transmits a detection result to the output unit 15. The output unit 15 is further configured to generate an image or an audio signal to notify a user that a malware is detected. The output unit 15 may be a display, a loud speaker or some other device capable of presenting a detection result, …”).
Regarding claim 15, Dai teaches the method further comprising: storing, in the storage devices, a plurality of function information associated with a plurality of functions related to a plurality of influences of the plurality of processes on the computer system (Dai, pages 2-3, paragraphs 0023-0025; stores malicious behaviors of the malware), wherein the plurality of relation information includes a plurality of first relation information indicating a plurality of relations between the plurality of processes and the plurality of functions, and a plurality of second relation information indicating a plurality of relations between the plurality of function information and the plurality of result information (Dai, Figure 3, pages 2-3, paragraphs 0023-0025; malicious behavior A-1 with process A-1:1 and link information).
Regarding claim 20, Dai teaches the method further comprising: calculating a matching degree indicating how closely the process information associated with the detected process matches a matching rule (Dai, Figure 5, page 4, paragraphs 0033-0036; accumulated amount of malicious behavior through comparison of malicious behavior profiles).
Regarding claim 21, Dai discloses the method further comprising: storing, in the storage device, a plurality of another process information associated with a plurality of another processes on the computer system, the plurality of another processes configured to cause the plurality of results (Dai, Figure 4, page 3, paragraph 0028-0029; optional malicious behavior profiles), and storing, in the storage device, a plurality of another relation information associated with a plurality of relations between the plurality of another process information and the plurality of result information (Dai, Figures 3-4, page 3, paragraph 0028-0029 and page 2, paragraph 0023-0024).
Regarding independent claim 23, Dai discloses an analysis system, comprising: at least one memory; and at least one processor coupled to the at least one memory, wherein the at least one memory is configured to store: a plurality of process information associated with a plurality of processes on the computer system (Dai, Figure 3; page 2, paragraph 0023-0024; stores execution objects and execution operation of processes (paragraph 0021) when conducting a malicious behavior database; malicious detection apparatus); a plurality of purpose information associated with a plurality of purposes of a plurality of harms to the computer system caused by the plurality of processes (Dai, Figure 3; pages 2-3, paragraphs 0023-0025; when conducting a malicious behavior database stores malicious behavior profiles of the processes; the processes being a process of the malware; coding of the malware behavior of purpose designated by code, e.g. Malware A has a malicious behavior A-1 “modify the internet explorer”, and so on); and a plurality of relation information associated with a plurality of relations between the plurality of process information and the plurality of purpose information (Dai, Figure 3; page 2, paragraphs 0022-0024; stores link information (paragraph 0021) when conducting a malicious behavior database; Link Information, “The link information in the behavior profile 2 varies with different processes. 
Because different processes involve different execution information, the link information may be of any related execution information depending on practical conditions…”); the at least one processor is configured to: acquire, from a detection device, a list of processes operating on the computer system and detected by the detection device (Dai, page 1, paragraph 0006 and page 3, paragraphs 0031-0032; first process; “the malware detection apparatus 1 executes a plurality of programs simultaneously within a time period and each of the programs further comprises a plurality of processes”); select a process from the list of processes (Dai, page 3, paragraph 0032; “Because detection of a malware is accomplished through comparison of a single program to detect whether the individual program is a malware, the malware detection apparatus 1 must identify by which program a process is executed.”); determine, based on the plurality of relation information stored in the storage device, a purpose information associated with a process information associated with the selected process (Dai, page 1, paragraph 0006 and page 3, paragraph 0031; first behavior profile according to the first process; “Next, the processing unit 13 searches in the malicious behavior database 3 for a malicious behavior profile identical to the first behavior profile. As can be known from the malicious behavior database 3 of FIG. 3, the first behavior profile is identical to the malicious behavior profile whose code is A-1:1.”); and output a signal configured to display the determined purpose information on a display device (Dai, page 2, paragraph 0042; “When a program is determined to be a malware through comparison, the processing unit 13 further transmits a detection result to the output unit 15. The output unit 15 is further configured to generate an image or an audio signal to notify a user that a malware is detected. 
The output unit 15 may be a display, a loud speaker or some other device capable of presenting a detection result, …”).
Regarding claim 24, Dai teaches the device wherein the at least one memory is further configured to store: a plurality of function information associated with a plurality of functions related to a plurality of influences of the plurality of processes on the computer system (Dai, pages 2-3, paragraphs 0023-0025; stores malicious behaviors of the malware), wherein the plurality of relation information includes first relation information indicating a plurality of relations between the plurality of processes and the plurality of functions, and a plurality of second relation information indicating a plurality of relations between the plurality of function information and the plurality of result information (Dai, Figure 3, pages 2-3, paragraphs 0023-0025; malicious behavior A-1 with process A-1:1 and link information).
Regarding independent claim 28, Dai discloses a non-transitory computer-readable recording medium storing a program that, when executed by a computer, causes the computer to execute an analysis method, the non-transitory computer-readable recording medium further storing: a plurality of process information associated with a plurality of processes on the computer system (Dai, Figure 3; page 2, paragraph 0023-0024; stores execution objects and execution operation of processes (paragraph 0021) when conducting a malicious behavior database; malicious detection apparatus); a plurality of purpose information associated with a plurality of purposes of a plurality of harms to the computer system caused by the plurality of processes (Dai, Figure 3; pages 2-3, paragraphs 0023-0025; when conducting a malicious behavior database stores malicious behavior profiles of the processes; the processes being a process of the malware; coding of the malware behavior of purpose designated by code, e.g. Malware A has a malicious behavior A-1 “modify the internet explorer”, and so on); and a plurality of relation information associated with a plurality of relations between the plurality of process information and the plurality of purpose information (Dai, Figure 3; page 2, paragraphs 0022-0024; stores link information (paragraph 0021) when conducting a malicious behavior database; Link Information, “The link information in the behavior profile 2 varies with different processes. 
Because different processes involve different execution information, the link information may be of any related execution information depending on practical conditions…”), wherein the analysis method comprises: acquiring, from a detection device, a list of processes operating on the computer system and detected by the detection device (Dai, page 1, paragraph 0006 and page 3, paragraphs 0031-0032; first process; “the malware detection apparatus 1 executes a plurality of programs simultaneously within a time period and each of the programs further comprises a plurality of processes”); selecting a process from the list of processes (Dai, page 3, paragraph 0032; “Because detection of a malware is accomplished through comparison of a single program to detect whether the individual program is a malware, the malware detection apparatus 1 must identify by which program a process is executed.”); determining, based on the plurality of relation information stored in the storage device, a purpose information associated with a process information associated with the selected process (Dai, page 1, paragraph 0006 and page 3, paragraph 0031; first behavior profile according to the first process; “Next, the processing unit 13 searches in the malicious behavior database 3 for a malicious behavior profile identical to the first behavior profile. As can be known from the malicious behavior database 3 of FIG. 3, the first behavior profile is identical to the malicious behavior profile whose code is A-1:1.”); and outputting a signal configured to display the determined purpose information on a display device (Dai, page 2, paragraph 0042; “When a program is determined to be a malware through comparison, the processing unit 13 further transmits a detection result to the output unit 15. The output unit 15 is further configured to generate an image or an audio signal to notify a user that a malware is detected. 
The output unit 15 may be a display, a loud speaker or some other device capable of presenting a detection result, …”).
Regarding claim 29, Dai teaches the non-transitory computer-readable recording medium further storing: a plurality of function information associated with a plurality of functions related to a plurality of influences of the plurality of processes on the computer system (Dai, pages 2-3, paragraphs 0023-0025; stores malicious behaviors of the malware), wherein the plurality of relation information includes a plurality of first relation information indicating a plurality of relations between the plurality of processes and the plurality of functions, and a plurality of second relation information indicating a plurality of relations between the plurality of function information and the plurality of result information (Dai, Figure 3, pages 2-3, paragraphs 0023-0025; malicious behavior A-1 with process A-1:1 and link information).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 16-19, 25-27 and 30-32 are rejected under 35 U.S.C. 103 as being unpatentable over DAI et al. (US Pub No. 2012/0159628) in view of Anzai et al. (US Patent No. 7,748,041).
Regarding claim 16, Dai teaches each and every claim limitation of claim 15. 
Dai does not explicitly teach the method further comprising receiving a first input related to the plurality of result information; receiving a second input related to the plurality of function information; and receiving a third input related to the plurality of relation information.
Anzai teaches receiving a first input related to the plurality of result information; receiving a second input related to the plurality of function information; and receiving a third input related to the plurality of relation information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, functional requisites, components and correspondence).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 17, Dai teaches each and every claim limitation of claim 14. 
Dai does not explicitly teach the method further comprising receiving a first input related to the plurality of result information.
Anzai teaches receiving a first input related to the plurality of result information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, risk and assurance level).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 18, Dai teaches each and every claim limitation of claim 17. 
Dai does not explicitly teach the method further comprising receiving another input related to the plurality of relation information.
Anzai teaches receiving another input related to the plurality of relation information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters correspondence).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 19, Dai teaches each and every claim limitation of claim 14. 
Dai does not explicitly teach the method further comprising: wherein the signal is further configured to display, on a display device, process information associated with the detected process, the determined result information, and a relation information between the process information associated with the detected process and the determined result information.
Anzai teaches wherein the signal is further configured to display, on a display device, process information associated with the detected process, the determined result information, and a relation information between the process information associated with the detected process and the determined result information (Anzai, Figures 3A-11; column 15, line 56- column 16, line 13; output the screen).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 25, Dai teaches each and every claim limitation of claim 24. 
Dai does not explicitly teach the system wherein the at least one processor is configured to: receive a first input related to the plurality of result information; receive a second input related to the plurality of function information; and receive a third input related to the plurality of relation information.
Anzai teaches receive a first input related to the plurality of result information; receive a second input related to the plurality of function information; and receive a third input related to the plurality of relation information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, functional requisites, components and correspondence).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 26, Dai teaches each and every claim limitation of claim 23. 
Dai does not explicitly teach the system wherein the at least one processor is configured to receive a first input related to the plurality of result information.
Anzai teaches receive a first input related to the plurality of result information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, risk and assurance level).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 27, Dai teaches each and every claim limitation of claim 23. 
Dai does not explicitly teach the system wherein the signal is further configured to display, on a display device, process the process information associated with the selected process, the determined result information, and a relation information between the process information associated with the selected process and the determined result information.
Anzai teaches wherein the signal is further configured to display, on a display device, process the process information associated with the selected process, the determined result information, and a relation information between the process information associated with the selected process and the determined result information (Anzai, Figures 3A-11; column 15, line 56- column 16, line 13; output the screen).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 30, Dai teaches each and every claim limitation of claim 29. 
Dai does not explicitly teach the non-transitory computer-readable recording medium wherein the program causes the computer to: receive a first input related to the result information; receive a second input related to the function information; and receive a third input related to the relation information.
Anzai teaches receive a first input related to the plurality of result information; receive a second input related to the plurality of function information; and receive a third input related to the plurality of relation information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, functional requisites, components and correspondence).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 31, Dai teaches each and every claim limitation of claim 28. 
Dai does not explicitly teach the non-transitory computer-readable recording medium wherein the program causes the computer to: receive a first input related to the plurality of result information.
Anzai teaches receive a first input related to the plurality of result information (Anzai, Figures 3A-9; column 15, line 56- column 16, line 13; enters information of the threat, risk and assurance level).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).
Regarding claim 32, Dai teaches each and every claim limitation of claim 28. 
Dai does not explicitly teach the non-transitory computer-readable recording medium wherein the signal is further configured to display, on a display device, process the process information associated with the selected process, the determined result information, and a relation information between the process information associated with the selected process and the determined result information.
Anzai teaches wherein the signal is further configured to display, on a display device, process the process information associated with the selected process, the determined result information, and a relation information between the process information associated with the selected process and the determined result information (Anzai, Figures 3A-11; column 15, line 56- column 16, line 13; output the screen).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Anzai to support a security design and evaluation tool to output an assurance level of security for components to provide the advantage of a low cost and highly reliable system that provides the magnitude of risk and degree of assurance and adaptability of computer components (Anzai, column 2, lines 44-67).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over DAI et al. (US Pub No. 2012/0159628) in view of Kanoun et al. (US Patent No. 8,973,092).
Regarding claim 22, Dai teaches each and every claim limitation of claim 14. 
Dai does not explicitly teach the method further comprising: storing, in the storage device, a plurality of another result information associated with a plurality of another result, the plurality of another result being another harm to the computer system caused by the process, and storing the plurality of another relation information associated with a plurality of relations between the plurality of process information and the plurality of another result information.
Kanoun teaches further comprising: storing, in the storage device, a plurality of another result information associated with a plurality of another result, the plurality of another result being another harm to the computer system caused by the process, and storing the plurality of another relation information associated with a plurality of relations between the plurality of process information and the plurality of another result information (Kanoun, Figure 3, column 5, lines 1-65; different objectives (results) of the attack from level/step).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Dai with the teachings of Kanoun to use graphs based on attack models to show an attack's objectives and the steps/levels leading to the objectives, to provide the advantage that operators assess in real time the risk of an attack and the suitable responses to apply in response to the attack to protect an information system (Kanoun, column 1, lines 14-22).
Prior Art 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. McLarnon et al. (US Pub No. 2015/0121526).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAQUEAL D WADE whose telephone number is (571)270-0357.  The examiner can normally be reached on M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SHAQUEAL D WADE-WRIGHT/Primary Examiner, Art Unit 2437