DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	The Examiner acknowledges the applicant's submission of the amendment dated 8/10/22. 
   1.   REJECTIONS BASED ON PRIOR ART
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-8, 10-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kawatani (J.P. 2009-259078) in view of Sallam (US 20120254995 A1).

Regarding claim 1, Kawatani teaches a method of detecting unexpected behavior associated with a process, comprising: 
receiving a memory allocation request (a request from the program – pg. 2: “Description:” para. 6; outputs the executable program – pg. 3: para. 14-16), the memory allocation request indicating one or more memory segments to be allocated in memory of a computing system (detecting a buffer overflow that occurs when a program is executed by a computer, wherein the computer allocates a buffer memory area in a memory in response to a request from the program; An allocation step of allocating dummy memory areas to the addresses before and after adjacent to each other – pg. 2: “Description:” para. 6; predetermined function is called to allocate first dummy area, a buffer area and second dummy variable sequentially on the stack – pg. 3: para. 14-16); 
allocating the one or more memory segments in the memory based on the memory allocation request (allocates a buffer area in a memory in response to a request from the program – pg. 2; “Description;” para. 6; buffer variable allocated on the stack memory – pg. 3: para. 14-16); 
allocating one or more decoy memory segments in the memory based on the memory allocation request (allocating dummy memory areas to the addresses before and after the allocated buffer, adjacent to each other – pg. 2: “Description:” para. 6; first and second dummy variables allocated to the stack memory – pg. 3: para. 14-16; and   the present invention also provides a detection program for detecting a buffer overflow that occurs during execution of an application program executed by a computer, and allocates a buffer memory area in memory in response to a request from the application program to the computer. An allocation step of assigning dummy memory areas to addresses before and after the buffer memory area – middle of page 2); 
trapping an input/output (I/O) operation (CPU detects overflow and generates an interrupt/interrupt function called - pg. 3; para. 2; detected that the data in the dummy variable memory areas 61 and 63 has been updated (S24: YES), the debugging unit 14 generates an interrupt and calls an interrupt function – pg. 3: para. 19); 
detecting an unexpected behavior associated with the I/O operation based on determining that the I/O operation indicates that the I/O operation impacts at least one of the one or more decoy memory segments (CPU detects overflow and generates an interrupt/interrupt function called - pg. 3; para. 2; detected that the data in the dummy variable memory areas 61 and 63 has been updated (S24: YES), the debugging unit 14 generates an interrupt and calls an interrupt function – pg. 3: para. 19); and 
performing one or more actions based on the detection (by detecting this interrupt, the execution unit 13 (the program 34 being executed) detects the occurrence of a buffer overflow (S25); By executing the interrupt function, predetermined error processing (forcibly terminating the program / function being executed, collecting log information, etc.) is performed (i.e. one or more actions) – pg. 3: para. 19).  
However, the Kawatani reference does not explicitly teach trapping an input/output (I/O) operation prior to detecting an unexpected behavior associated with the I/O operation; and detecting the unexpected behavior associated with the I/O operation based on determining that the I/O operation indicates that the I/O operation impacts at least one of the one or more decoy memory segments before the decoy memory is updated.  (emphasis added)
	The Sallam reference teaches it is conventional to have trapping an input/output (I/O) operation prior to detecting an unexpected behavior associated with the I/O operation; and detecting the unexpected behavior associated with the I/O operation based on determining that the I/O operation indicates that the I/O operation impacts at least one of the one or more decoy memory segments before the decoy memory is updated.  (paragraph 219, where five such stages of execution of an instruction may include 1) fetching the instruction, 2) decoding of the instruction, 3) execution, 4) accessing a memory location for the results, and 5) writing a return value back to memory, register, or another location. In such an embodiment, execution stage to trigger 1012 may include the ability to trigger before or after any of the five stages. This provides a total of six different example triggering options--before fetching, after decoding (and thus before execution), after execution (and thus before accessing a memory location), after accessing a memory location (and thus before writing a return value), and after writing a return value. The ability to trap based upon the stage of execution may provide significant flexibility unavailable in other anti-malware systems)
It would have been obvious to a person of ordinary skill in the art before the claimed invention was effectively filed to modify the Kawatani reference to have wherein trapping an input/output (I/O) operation prior to detecting an unexpected behavior associated with the I/O operation; and detecting the unexpected behavior associated with the I/O operation based on determining that the I/O operation indicates that the I/O operation impacts at least one of the one or more decoy memory segments before the decoy memory is updated, as taught by the Sallam reference.
The suggestion/motivation for doing so would have been to provide significant flexibility unavailable in other anti-malware systems by trapping based upon any stage of execution.  (Sallam, paragraph 219)
Therefore it would have been obvious to combine the Kawatani and Sallam references for the benefits shown above to obtain the invention as specified in the claim.
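The distinction drawn above, between detecting that a decoy area has already been updated (Kawatani) and trapping the access before the decoy is updated (the combination with Sallam), can be shown with page-protected decoy regions. The following C example is added here for illustration and is not code from Kawatani, Sallam or the application; it assumes Linux `mmap`/`mprotect` semantics, and the names `guarded_alloc`, `guarded_write` and `decoys_untouched` are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* MAP_ANONYMOUS, sigsetjmp */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Layout: [leading decoy page][buffer pages][trailing decoy page]. Hypothetical names; Linux assumed. */
struct guarded {
    unsigned char *base;   /* start of mapping = leading decoy */
    unsigned char *buf;    /* usable buffer */
    size_t buf_len;        /* requested length rounded up to whole pages */
    size_t page;           /* size of each decoy */
};

static sigjmp_buf trap_env;
static volatile sig_atomic_t trap_armed;
static void *volatile fault_addr;

/* Runs before the faulting store completes, so the decoy is still unmodified. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)ctx;
    if (!trap_armed) { signal(sig, SIG_DFL); return; }  /* unrelated fault */
    fault_addr = si->si_addr;
    siglongjmp(trap_env, 1);
}

void guarded_free(struct guarded *g) { munmap(g->base, g->buf_len + 2 * g->page); }

int guarded_alloc(struct guarded *g, size_t len) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || len == 0) return -1;
    g->page = (size_t)ps;
    g->buf_len = (len + g->page - 1) / g->page * g->page;
    /* One request maps the buffer and both decoys, all inaccessible at first. */
    void *m = mmap(NULL, g->buf_len + 2 * g->page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    g->base = m; g->buf = g->base + g->page;
    if (mprotect(g->buf, g->buf_len, PROT_READ | PROT_WRITE) != 0) { guarded_free(g); return -1; }
    return 0;
}

/* Store v at buf[off]. Returns 0 if the store landed in the buffer, 1 if it was
   trapped in the leading decoy, 2 in the trailing decoy, -1 for any other fault. */
int guarded_write(struct guarded *g, ptrdiff_t off, unsigned char v) {
    struct sigaction sa, old;
    int result = 0;
    sa.sa_sigaction = on_segv; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(trap_env, 1) == 0) {
        trap_armed = 1;
        ((volatile unsigned char *)g->buf)[off] = v;
    } else {
        unsigned char *a = fault_addr, *tail = g->buf + g->buf_len;
        if (a >= g->base && a < g->buf) result = 1;
        else if (a >= tail && a < tail + g->page) result = 2;
        else result = -1;
    }
    trap_armed = 0;
    sigaction(SIGSEGV, &old, NULL);
    return result;
}

/* Briefly make both decoys readable and confirm they are still all zero. */
int decoys_untouched(struct guarded *g) {
    unsigned char *d[2] = { g->base, g->buf + g->buf_len };
    int clean = 1;
    for (int i = 0; i < 2; i++) {
        if (mprotect(d[i], g->page, PROT_READ) != 0) return -1;
        for (size_t j = 0; j < g->page; j++) if (d[i][j] != 0) clean = 0;
        mprotect(d[i], g->page, PROT_NONE);
    }
    return clean;
}

int main(void) {
    struct guarded g;
    if (guarded_alloc(&g, 100) != 0) return 1;
    printf("in-bounds=%d underrun=%d overrun=%d\n", guarded_write(&g, 0, 'A'),
           guarded_write(&g, -1, 'A'), guarded_write(&g, (ptrdiff_t)g.buf_len, 'A'));
    printf("decoys untouched=%d\n", decoys_untouched(&g));
    guarded_free(&g);
    return 0;
}
```

Because the buffer length is rounded up to whole pages, an overrun that stays inside the last buffer page is not trapped; only accesses that reach a decoy page are.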

	Regarding claims 10 and 16, claims 10 and 16 comprise the same or similar language as claim 1 and are, therefore, rejected for the same or similar reasons.  Note, regarding Claim 10, Kawatani teaches a memory comprising executable instructions; and a processor in data communication with the memory and configured to execute the instructions to cause the computer system to (a general-purpose computer system including at least a CPU, a memory, and an external storage device such as an HDD can be used. In this computer system, each function of the detection apparatus 1 is realized by the CPU executing a program loaded on the memory – pg. 3: para. 5).

Regarding claim 2, Kawatani teaches wherein the allocated one or more decoy memory segments are contiguous with respect to the allocated one or more memory segments (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 below; at least dummy segment(s) (61) being contiguous with buffer segment (62)).  

[Figure: Illustrated Fig. 6]



	Regarding claims 11 and 17, claims 11 and 17 comprise the same or similar limitations as claim 2 and are, therefore, rejected for the same or similar reasons.

Regarding claim 3, Kawatani teaches wherein the allocated one or more decoy memory segments are non-contiguous with respect to the allocated one or more memory segments (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (61) being non-contiguous with next/sequential buffer segment (62*)).  

Regarding claim 12, claim 12 comprises the same or similar limitations as claim 3 and is, therefore, rejected for the same or similar reasons.

Regarding claim 4, Kawatani teaches wherein the allocated one or more decoy memory segments are contiguous with respect to each other (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (63) being contiguous with sequential/next dummy segment (61*)).  

Regarding claim 5, Kawatani teaches wherein the allocated one or more decoy memory segments are not contiguous with respect to each other (the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described – pg. 3: para. 9; first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (61) being non-contiguous with dummy segment (63)).  

Regarding claim 6, Kawatani teaches wherein a starting address associated with the allocated one or more decoy memory segments is larger than a starting address associated with the allocated one or more memory segments (dummy segment 63 address larger than dummy segment 61 address (i.e. location within the buffer/stack - see Fig. 6 and illustrative Fig. 6 above)).

Regarding claim 7, Kawatani teaches further comprising: receiving a first indication of a computer security risk associated with the computer system (preprocessing unit 11 performs preprocessing before compiling a source program stored in advance in the program storage unit 15; compiling unit 12 reads the preprocessed source program output to the program storage unit; execution unit 13 executes the executable program and detects a buffer overflow – pg. 2: “Description;” para. 12-13; i.e. an overflow is a “computer security risk”); and 
prior to receiving the memory allocation request, enabling a decoy memory allocation mechanism for use in detecting unexpected behavior (The debugging unit 14 is a debugging function of the CPU (hardware) of the detection apparatus 1 and detects an error that occurs when an executable program (such as an application program) in the program storage unit 15 is executed; which generates an interrupt (i.e. before the program is executed) – pg. 3: para 1-2).  

Regarding claims 13 and 18, claims 13 and 18 comprise the same or similar limitations as claim 7 and are, therefore, rejected for the same or similar reasons.

Regarding claim 8, Kawatani teaches further comprising: receiving a second indication indicative of the computer security risk being resolved; and disabling the decoy memory allocation mechanism (By executing the interrupt function, predetermined error processing (forcibly terminating the program (i.e. an indication of termination)/ function being executed, collecting log information, etc.) is performed – pg. 3: para. 19; i.e. once interruption has been executed, the debugging mechanism is no longer needed/disabled until another overflow instance is detected/occurs).  

Regarding claims 14 and 19, claims 14 and 19 comprise the same or similar limitations as claim 8 and are, therefore, rejected for the same or similar reasons.

Claims 9, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Kawatani (J.P. 2009-259078) and Sallam (US 20120254995 A1) as shown in the rejections above, and in further view of Iwamura (J.P. 2006-053760).

Regarding claim 9, while Kawatani teaches detecting and preventing buffer/stack overflow and executing an interrupt function which may forcibly terminate the program/function being called, collect log information, etc. and Sallam teaches trapping an input/output (I/O) operation prior to detecting an unexpected behavior associated with the I/O operation (see rejections above), the combination of Kawatani and Sallam may not necessarily teach the overflow is part of a computer security attack and executing the interrupt function and performing the one or more actions comprises at least one of examining: a timing associated with the I/O operation; a payload of the I/O; and information that is read from or written to the one or more decoy memory segments based on the I/O operation.  
Iwamura teaches wherein: the unexpected behavior is a computer security attack (detection means for detecting the occurrence of a buffer overflow attack – Iwamura; pg. 3; para. 14) and performing the one or more actions comprises at least one of examining: a timing associated with the I/O operation; a payload of the I/O (as the analysis information to be provided, the information on the location of the buffer that was the target of the attack and information on the function that secured the buffer are extracted, and the function call history from the buffer allocation to the buffer overflow attack – Iwamura; pg. 3: para. 13; the analysis information may be provided to the developer and modifications may be made based on the analysis information (i.e. at least examination of data/information associated with a payload of the I/O) – Iwamura; pg. 4: paras. 11-14); and information that is read from or written to the one or more decoy memory segments based on the I/O operation. Note, the claim limitation comprises multiple alternatives, in which only a single alternative may be rejected. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kawatani and Sallam to have wherein overflows may occur beyond just mere computer/programming error (i.e. potential malicious code/attacks), and analysis/interpretation of the data/information associated with the attack, as taught by Iwamura.  The suggestion/motivation for doing so would have been to further detect/prevent buffer overflow attacks and provide additional information (to be examined) in order to clarify the cause of the attack and to more quickly perform countermeasures. (Iwamura; pg. 3: para. 12-13). Therefore, it would have been obvious to combine Kawatani, Sallam, and Iwamura for the benefits shown above to obtain the invention as specified in the claims.

Regarding claims 15 and 20, claims 14 and 20 comprise the same or similar limitations as claim 9 and are, therefore, rejected for the same or similar reasons.

   2. ARGUMENTS CONCERNING NON-PRIOR ART REJECTIONS/OBJECTIONS
Rejections - USC 112
	Applicant's arguments and amendments with respect to claim 6 have been considered and have overcome the Examiner’s prior rejections and thus are withdrawn.

   3.   ARGUMENTS CONCERNING PRIOR ART REJECTIONS
Rejections - USC 102/103
	Applicant's arguments and amendments (see pages 7-15 of the remarks) with respect to claims 1-8, 10-14, and 16-20 have been considered and are partially persuasive.  
Particularly, the Examiner notes the Applicant’s arguments I and II, see pages 7-10 of the remarks, with respect to the rejection(s) of claim(s) 1, 10, and 16 and their dependent claims have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Kawatani and Sallam references to teach the newly amended claim language as noted above.  
Further, Applicant's argument III (see pages 10-13) has been fully considered but is not persuasive. Applicant argues Kawatani does not disclose “wherein the allocated one or more decoy memory segments are non-contiguous with respect to the allocated one or more memory segments”; and does not disclose "the one or more memory segments in the memory [are allocated] based on [a] memory allocation request" and "the one or more decoy memory segments in the memory [are allocated] based on the memory allocation request".  The Kawatani reference (pg. 3: para. 9) teaches the allocation of a memory area on successive memory addresses among local variables and arguments; when the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described.  Kawatani further teaches (pg. 3: para. 15) that the first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack.  Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (61) being non-contiguous with next/sequential buffer segment (62*).  Further, the Kawatani reference (middle of page 2) teaches the present invention also provides a detection program for detecting a buffer overflow that occurs during execution of an application program executed by a computer, and allocates a buffer memory area in memory in response to a request from the application program to the computer. An allocation step of assigning dummy memory areas to addresses before and after the buffer memory area.  Thus, based on the citations above, the Kawatani reference teaches the limitation of “wherein the allocated one or more decoy memory segments are non-contiguous with respect to the allocated one or more memory segments” since at least dummy segment(s) (61) being non-contiguous with next/sequential buffer segment (62*) [see Fig. 6].  Further, the Examiner maintains that the allocation of both “the memory segments” and “the decoy memory segments” are based on a “single memory allocation request” as there is a detection program for detecting a buffer overflow that occurs during execution of an application program executed by a computer, and allocates a buffer memory area in memory in response to a request from the application program to the computer and allocates the dummy areas [i.e. a buffer overflow] based on the program allocating other areas for a memory request [which cause a buffer overflow].
Lastly, Applicant's argument IV (see pages 13-14) has been fully considered but is not persuasive. Applicant argues Kawatani does not disclose “wherein the allocated one or more decoy memory segments are contiguous with respect to each other”; and does not disclose "the one or more memory segments in the memory [are allocated] based on [a] memory allocation request" and "the one or more decoy memory segments in the memory [are allocated] based on the memory allocation request”.  The Kawatani reference (pg. 3: para. 9) teaches the allocation of a memory area on successive memory addresses among local variables and arguments; when the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described.  Kawatani further teaches the allocation of a memory area on successive memory addresses among local variables and arguments; When the buffer variable is detected, the preprocessing unit 11 describes (adds) the declaration of the dummy variable before and after the portion where the buffer variable of the variable declaration unit 22 is described (pg. 3: para. 9); and that the first dummy variable, the buffer variable, and the second dummy variable declared in S11 are sequentially allocated on the stack – pg. 3: para. 15; Note, the system is able to allocate more than one buffer/dummy memory area for additional/next functions, i.e. “successive” memory addresses allocated “sequentially” on the stack; i.e. the groupings of successive first dummy memory areas, buffer areas and second dummy areas are allocated sequentially on the stack - see Fig. 6 and illustrative Fig. 6 above; at least dummy segment(s) (63) being contiguous with sequential/next dummy segment (61*).
Further, the Kawatani reference (middle of page 2) teaches the present invention also provides a detection program for detecting a buffer overflow that occurs during execution of an application program executed by a computer, and allocates a buffer memory area in memory in response to a request from the application program to the computer. An allocation step of assigning dummy memory areas to addresses before and after the buffer memory area.  Thus, based on the citations above, the Kawatani reference teaches the limitation of “wherein the allocated one or more decoy memory segments are contiguous with respect to each other” since at least dummy segment(s) (63) being contiguous with sequential/next dummy segment (61*) [see Fig. 6 and illustrative Fig. 6 above].  Further, the Examiner maintains that the allocation of both “the memory segments” and “the decoy memory segments” are based on a “single memory allocation request” as there is a detection program for detecting a buffer overflow that occurs during execution of an application program executed by a computer, and allocates a buffer memory area in memory in response to a request from the application program to the computer and allocates the dummy areas [i.e. a buffer overflow] based on the program allocating other areas for a memory request [which cause a buffer overflow].    
	The Examiner notes the arguments pertaining to the USC 103 rejections (see pages 14-15) are commensurate in scope with the arguments above, and notes the responses above.  

   4.   RELEVANT ART CITED BY THE EXAMINER
	The following prior art made of record and not relied upon is cited to establish the level of skill in the applicant's art and those arts considered reasonably pertinent to applicant's disclosure.  See MPEP 707.05(c).
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. These references include:
Sallam (US 20120254999 A1), which teaches a method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine a criteria by which the attempted access will be trapped, trapping the attempted access if the criteria is met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device

   5.  CLOSING COMMENTS
	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
        a.   STATUS OF CLAIMS IN THE APPLICATION
	The following is a summary of the treatment and status of all claims in the application as recommended by M.P.E.P. § 707.07(i):
        a(1)  CLAIMS REJECTED IN THE APPLICATION
	Per the instant office action, claims 1-20 have received a second action on the merits and are subject of a second action final.
      b.   DIRECTION OF FUTURE CORRESPONDENCES 
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Prasith Thammavong, whose telephone number is (571) 270-1040. The examiner can normally be reached on Monday through Friday, 1-9:30 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arpan Savla can be reached on (571) 272-1077.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PRASITH THAMMAVONG/
Primary Examiner, Art Unit 2137