DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application No. 17/205,230 filed on 03/18/2021.
Claims 1-20 have been examined and are pending in this application.
Priority
Acknowledgment is made of Applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d) to parent Application No. KR10-2020-0034208, filed on 03/20/2020.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 03/18/2020,is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
	
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 9-10 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Caragea (US 2017/0289109).
Regarding claim 9, Caragea teaches a malware detection method performed by a computer apparatus comprising processing circuitry, the malware detection method comprising: 
acquiring, by the processing circuitry, a memory map of the computer apparatus under control of a client program executed on the computer apparatus (Caragea: Para. [0008], receiving a content of a target memory page of a client system of the plurality of client systems, Para. [0022], a page represents the smallest unit of virtual memory that can be individually mapped to a physical memory of a host system. Para. [0008], In one example, a connection request may come from an application executing within guest VM 32, for instance a browser, and may indicate an intention to initiate an encrypted communication session, such as a TLS session, SSH session, VPN session, etc. As such, the connection request may comprise a handshake message (e.g., ClientHello) to server 13. In another example, the detected handshake message comprises a message from server 13 (e.g., a ServerHello), transmitted in response to a ClientHello received from client system 12.. Para. [0058], Para. [0059], In a step 508, introspection engine 40 may obtain an optimized memory snapshot of guest VM 32. A memory snapshot comprises a copy of the contents of a set of memory pages used by the respective VM.); and 
transmitting, by the processing circuitry, the memory map to a server that provides a service to the computer apparatus through the client program (Caragea: Para. [0008], receiving a content of a target memory page of a client system of the plurality of client systems,).
Regarding claim 10, Caragea teaches the malware detection method of claim 9, further comprising: transmitting, by the processing circuitry, information to the server, the information indicating a client environment in which the client program operates (Caragea: Para. [0070], To account for this ambiguity, some embodiments of introspection engine 40 maintain a global list of currently active sessions, each entry of the list comprising information such as a session ID, a source internet protocol (IP) address, source port number, destination IP address, destination port number, and a timestamp of a ServerHello message of the respective session.).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1, 6-8, 11-13, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Caragea (US 2017/0289109) in view of Lagar-Cavilla et al. (US 2013/0019306; Hereinafter “Lagar”).
Regarding claim 1, Caragea teaches a malware detection method performed by a computer apparatus including processing circuitry, the malware detection method comprising: 
collecting, by the processing circuitry, a plurality of memory maps from a plurality of client devices, a client program being installed in each of the plurality of client devices (Caragea: Para. [0008], receiving a content of a target memory page of a client system of the plurality of client systems, Para. [0022], a page represents the smallest unit of virtual memory that can be individually mapped to a physical memory of a host system. Para. [0008], In one example, a connection request may come from an application executing within guest VM 32, for instance a browser, and may indicate an intention to initiate an encrypted communication session, such as a TLS session, SSH session, VPN session, etc. As such, the connection request may comprise a handshake message (e.g., ClientHello) to server 13. In another example, the detected handshake message comprises a message from server 13 (e.g., a ServerHello), transmitted in response to a ClientHello received from client system 12. Para. [0058], Para. [0059], In a step 508, introspection engine 40 may obtain an optimized memory snapshot of guest VM 32. A memory snapshot comprises a copy of the contents of a set of memory pages used by the respective VM.).
Caragea does not explicitly teach analyzing, by the processing circuitry, a plurality of memory addresses of the plurality of memory maps to obtain an analysis result; and determining, by the processing circuitry, whether malware is present in one of the plurality of client devices based on the analysis result.
In an analogous art, Lagar teaches wherein analyzing, by the processing circuitry, a plurality of memory addresses of the plurality of memory maps to obtain an analysis result (Lagar: Para. [0012], and analysis logic on the remote server for determining security properties of the received memory pages, generating a feedback rule, and transmitting the feedback rule to the host domain on the mobile device. Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection.); and 
determining, by the processing circuitry, whether malware is present in one of the plurality of client devices based on the analysis result (Lagar: Para. [0012], and analysis logic on the remote server for determining security properties of the received memory pages, generating a feedback rule, and transmitting the feedback rule to the host domain on the mobile device. Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Lagar with the system and method of Caragea to include wherein analyzing, by the processing circuitry, a plurality of memory addresses of the plurality of memory maps to obtain an analysis result; and determining, by the processing circuitry, whether malware is present in one of the plurality of client devices based on the analysis result because this functionality provides extending novel security services via remote server to mobile devices thereby enhancing security (Lagar: Para. [0057]).
Regarding claim 6, Caragea, in combination with Lagar, teaches the malware detection method of claim 1, wherein the collecting comprises collecting the plurality of memory maps in response to the client program being executed in each of the plurality of client devices (Caragea: Para. [0008], receiving a content of a target memory page of a client system of the plurality of client systems, Para. [0022], a page represents the smallest unit of virtual memory that can be individually mapped to a physical memory of a host system. Para. [0008], In one example, a connection request may come from an application executing within guest VM 32, for instance a browser, and may indicate an intention to initiate an encrypted communication session, such as a TLS session, SSH session, VPN session, etc. As such, the connection request may comprise a handshake message (e.g., ClientHello) to server 13. In another example, the detected handshake message comprises a message from server 13 (e.g., a ServerHello), transmitted in response to a ClientHello received from client system 12. Para. [0058], Para. [0059], In a step 508, introspection engine 40 may obtain an optimized memory snapshot of guest VM 32. A memory snapshot comprises a copy of the contents of a set of memory pages used by the respective VM.).
Regarding claim 7, Caragea, in combination with Lagar, teaches the malware detection method of claim 1, wherein the plurality of memory addresses comprise at least a portion of memory addresses selected based on at least one of a status or a right of a corresponding memory address from among the plurality of memory addresses (Caragea: Para. [0039], Exemplary events detected by introspection engine 40 include, for instance, a processor exception and/or interrupt, an attempt to execute a particular function of guest OS 34, a change of processor privilege (e.g., a system call), an attempt to access (read from, write to, and/or execute from) a particular memory location, etc. Introspection engine 40 may be further configured to determine memory addresses of various software components executing within guest VM 32, as further described below. Para. [0040], Para. [0045], Such mappings allow potentially any software object executing at the processor privilege level of hypervisor 30 to manage memory pages belonging to software objects executing within various VMs running on client system 12. In particular, memory introspection engine 40 may thus enumerate, read, write, and control access to physical memory pages used by any process executing within guest VM 32.).
Regarding claim 8, Caragea, in combination with Lagar, teaches the malware detection method of claim 1, further comprising: restricting, by the processing circuitry, the one of the plurality of client devices in response to determining the malware is present in the one of the plurality of client devices (Lagar: Para. [0012], Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection. Para. [0050], The remote scanner then summarizes all of that information, including required regions within memory pages, and transmits this summary as a feedback rule or a determination of infection to the host agent. The host agent then provides the additional data back to the remote server or acts accordingly with an alert or a more drastic measure such as halting the process. [halting a process meets the restricting limitation]).
Regarding claim 11, Caragea teaches the malware detection method of claim 9. Caragea does not explicitly teach wherein the server is configured to determine whether malware is present in one of a plurality of client devices based on a result of analyzing a plurality of memory addresses of a plurality of memory maps collected from the plurality of client devices. 
In an analogous art, Lagar teaches wherein the server is configured to determine whether malware is present in one of a plurality of client devices based on a result of analyzing a plurality of memory addresses of a plurality of memory maps collected from the plurality of client devices (Lagar: Para. [0012], and analysis logic on the remote server for determining security properties of the received memory pages, generating a feedback rule, and transmitting the feedback rule to the host domain on the mobile device. Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Lagar with the system and method of Caragea to include wherein the server is configured to determine whether malware is present in one of a plurality of client devices based on a result of analyzing a plurality of memory addresses of a plurality of memory maps collected from the plurality of client devices because this functionality provides extending novel security services via remote server to mobile devices thereby enhancing security (Lagar: Para. [0057]).
Regarding claim 12, Claim 12 is rejected under the same rational as claim 1.
Regarding claim 13, Claim 13 is rejected under the same rational as claim 1.
Regarding claim 16, Claim 16 is rejected under the same rational as claim 8.
Regarding claim 18, Caragea teaches the malware detection method of claim 9.  Caragea does not explicitly teach further comprising: restricting, by the processing circuitry, an operation of the client program in response to receiving a signal from the server.  
In an analogous art, Lagar teaches further comprising: restricting, by the processing circuitry, an operation of the client program in response to receiving a signal from the server (Lagar: Para. [0012], Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection. Para. [0050], The remote scanner then summarizes all of that information, including required regions within memory pages, and transmits this summary as a feedback rule or a determination of infection to the host agent. The host agent then provides the additional data back to the remote server or acts accordingly with an alert or a more drastic measure such as halting the process. [halting a process meets the restricting limitation])
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Lagar with the system and method of Caragea to include further comprising: restricting, by the processing circuitry, an operation of the client program in response to receiving a signal from the server because this functionality provides extending novel security services via remote server to mobile devices thereby enhancing security (Lagar: Para. [0057]).

Claim(s) 2-4 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Caragea (US 2017/0289109) in view of Lagar-Cavilla et al. (US 2013/0019306; Hereinafter “Lagar”) in view of Tamir et al. (US 2016/0328561; Hereinafter “Tamir”).
Regarding claim 2, Caragea, in combination with Lagar, teaches the malware detection method of claim 1, wherein the analyzing comprises: classifying the plurality of memory maps for each of a plurality of client environments (Lagar: Para. [0049], Scanning logic on the remote server determines either a presence of malware, or a possibility of malware, and correlates the received memory page with its own database to determine what type of feedback to provide to the host agent.). 
Caragea, in combination with Lagar, does not explicitly teach counting a number of appearances for each of the plurality of memory addresses for each of the plurality of client environments.  
In an analogous art, Tamir teaches counting a number of appearances for each of the plurality of memory addresses for each of the plurality of client environments (Tamir: Fig. 5, Para. [0092], wherein monitoring a first set of hardware counters of the computer system over a second time period comprises: monitoring a number of transitions of memory addresses corresponding to at least one of the first set of hardware counters during the second time period. Para. [0097], Para. [0106], monitor a number of transitions of memory addresses corresponding to a first set of hardware counters of the computer system over a first time period, producing first fingerprint data for each of one or more operating system processes; monitor a number of transitions of memory addresses corresponding to the first set of hardware counters of the computer system over a second time period in a secure environment not controlled by the operating system of the computer system, producing first runtime data for each of one or more operating system processes; compare the first runtime data for each of the one or more operating system processes with the first fingerprint data for the corresponding operating system process; and indicate whether the first runtime data for any of the one or more operating system processes shows anomalies with the first fingerprint data for the corresponding operating system process.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Tamir with the system and method of Caragea and Lagar to include counting a number of appearances for each of the plurality of memory addresses for each of the plurality of client environments because this functionality provides detection of abnormalities related to a count of memory address transitions (Tamir: Para. [0057]).
Regarding claim 3, Caragea, in combination with Lagar, teaches the malware detection method of claim 1. Caragea, in combination with Lagar, does not explicitly teach wherein the analyzing comprises: counting a number of appearances for each of the plurality of memory addresses; and verifying one of the plurality of memory maps including a memory address of which the number of appearances is less than or equal to a number of times. 
In an analogous art, Tamir teaches wherein the analyzing comprises: counting a number of appearances for each of the plurality of memory addresses (Tamir: Fig. 5, Para. [0092], wherein monitoring a first set of hardware counters of the computer system over a second time period comprises: monitoring a number of transitions of memory addresses corresponding to at least one of the first set of hardware counters during the second time period. Para. [0097], Para. [0106], monitor a number of transitions of memory addresses corresponding to a first set of hardware counters of the computer system over a first time period, producing first fingerprint data for each of one or more operating system processes; monitor a number of transitions of memory addresses corresponding to the first set of hardware counters of the computer system over a second time period in a secure environment not controlled by the operating system of the computer system, producing first runtime data for each of one or more operating system processes; compare the first runtime data for each of the one or more operating system processes with the first fingerprint data for the corresponding operating system process; and indicate whether the first runtime data for any of the one or more operating system processes shows anomalies with the first fingerprint data for the corresponding operating system process.); and 
verifying one of the plurality of memory maps including a memory address of which the number of appearances is less than or equal to a number of times (Tamir: Para. [0053], In contrast, the solutions described herein rely on specifically-designed samples (e.g., interrupts that are generated when counters reach a predetermined threshold value, such as every millionth count) and the specific addresses of the instructions where the corresponding events were generated. Memory maps (i.e., mappings of which processes had accesses to a specific memory location over time) are known to OS and thus allow easy selection of counters generated by specific processes. By analyzing the address distribution's specific patterns, one can build a behavioral model (also referred to herein as a “fingerprint”) of a process and later match wherever actual behavior matches said model.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Tamir with the system and method of Caragea and Lagar to include wherein the analyzing comprises: counting a number of appearances for each of the plurality of memory addresses; and verifying one of the plurality of memory maps including a memory address of which the number of appearances is less than or equal to a number of times because this functionality provides detection of abnormalities related to a count of memory address transitions (Tamir: Para. [0057]).
Regarding claim 4, Caragea, in combination with Lagar and Tamir, teaches the malware detection method of claim 3, wherein the determining comprises determining that the malware is present in the one of the plurality of client devices from which the one of the plurality of memory maps is collected (Lagar: Para. [0012], and analysis logic on the remote server for determining security properties of the received memory pages, generating a feedback rule, and transmitting the feedback rule to the host domain on the mobile device. Para. [0057], The security services provided by various remote servers are not limited to virus or malware detection.).
Regarding claim 14, Claim 14 is rejected under the same rational as both claims 2 and 3.
Regarding claim 15, Claim 15 is rejected under the same rational as claim 4.

Claim(s) 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Caragea (US 2017/0289109) in view of Lagar-Cavilla et al. (US 2013/0019306; Hereinafter “Lagar”) in view of Boutnaru et al. (US 2021/0390182; Hereinafter “Boutnaru”).
Regarding claim 17, Caragea, in combination with Lagar, teaches the malware detection method of claim 8. Caragea, in combination with Lagar, does not explicitly teach wherein the restricting comprises causing the one of the plurality of client devices to reinstall the client program.  
In an analogous art, Boutnaru teaches wherein the restricting comprises causing the one of the plurality of client devices to reinstall the client program (Boutnaru: Para. [0037], In the event that a discrepancy is determined, a determination is made that the application has been compromised or corrupted and an appropriate remedial action is automatically performed. For instance, the compute instance on which the application may be automatically restarted, and the original image file may be automatically reinstalled.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Boutnaru with the system and method of Caragea and Lagar to include wherein the restricting comprises causing the one of the plurality of client devices to reinstall the client program because this functionality provides automatic remedial action by removing compromised applications (Boutnaru: Para. [0037]).
Regarding claim 19, Claim 19 is rejected under the same rational as claim 17.
Regarding claim 20, Claim 20 is rejected under the same rational as claim 17.
Allowable Subject Matter
Regarding Claim 5, Claim 5 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an Examiner’s statement of reasons for allowance:
The closest prior art, as previously recited, includes Caragea (US 2017/0289109) in view of Lagar-Cavilla et al. (US 2013/0019306; Hereinafter “Lagar”) in view of Tamir et al. (US 2016/0328561; Hereinafter “Tamir”). However, none of Caragea, Lagar, nor Tamir, teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in claim 5. For example, none of the cited prior art teaches or suggest the steps of “wherein the number of times is set based on a total number of the plurality of client devices and the number of appearances.” As a result, the claims are indicated as allowable over the cited prior art.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached at (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437