Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the RCE filed by Applicant on 6/7/2022. Claim 21 has been added as new. Claims 1-21 are pending. This Office Action is non-final.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/7/2022 has been entered.
 
Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 10 and 19 have been considered but are moot because the new ground of rejection does not rely on the same combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4, 5, 10, 13, 14, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) in view of Zhao et al. (US 2012/0041901).

	As per claim 1, Ladnai teaches a system, comprising: a processor configured to (Ladnai, Paragraph 0146 recites “In general, the logical locations may be any corresponding locations of diagnostic interest that might be accessed or used by the computing objects within the computing environment, such as hardware/device interfaces, device drivers, a file system and/or directory, memory (e.g., RAM, cache, processor registers), operating system interfaces, application programming interfaces, network communication ports or interfaces, and any data sources of interest such as credential stores, system registries, system configuration files, and so forth.”):
	monitor an endpoint for malicious activity using an endpoint agent to perform behavioral threat protection by continuously monitoring activities on the endpoint to identify and analyze a set of [[real-time]] system events that are associated with a causality event chain, wherein the endpoint comprises a local device (Ladnai, Paragraph 0010 recites “In an aspect, a computer program product for detecting malware on an endpoint in an enterprise network may include computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment on the endpoint, selecting a set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the set of logical locations, creating an event graph based on the sequence of events, evaluating a security state of the endpoint based on the event graph, adjusting the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to the security state of the endpoint, and remediating the endpoint when the security state is compromised.”); 
	detect malicious activity associated with an application on the endpoint based on the causality event chain using the endpoint agent based on a set of rules, wherein the causality event chain is inspected to detect malicious activity based on a pattern of events as opposed to only inspecting each system event individually (Ladnai, Paragraph 0112 recites “As shown in step 406, the method 400 may include evaluating one or more events that occur on the endpoint. The evaluation of the one or more events may include the application of one or more security rules to determine whether the one or more events indicate or suggest a security event such as a security compromise event, a data exposure, a malware detection, or the like. Thus, the evaluation of the one or more events may lead to the detection of a security event. While illustrated as a separate step, this step 406 may be performed concurrently with or in sequence with the monitoring step 402 discussed above.”), 
	wherein the set of rules includes one or more updated detection rules provided as an update to the endpoint agent without requiring a binary or code update (Ladnai, Paragraph 0043 recites “In an embodiment, the definition files may be updated on a fixed periodic basis, on demand by the network and/or the client facility, as a result of an alert of a new malicious code or malicious application, or the like. In an embodiment, the definition files may be released as a supplemental file to an existing definition files to provide for rapid updating of the definition files.”), 
	in response to detecting malicious activity on the endpoint based on the causality event chain using the endpoint agent, perform a security response based on a security policy that includes the one or more updated detection rules provided as the update to the endpoint agent (Ladnai, Paragraph 0133 recites “As shown in step 418, the method 400 may include remediating one or more computing objects affected by the cause of the security event. Remediation may include deleting computing objects from the endpoint, or otherwise remediating the endpoint(s) using computer security techniques such as any described herein. In another aspect, the identification of the root cause may be used to create new detection rules capable of detecting a security event at a point in time (or causation) closer to the root cause within the event graph. Other remediation steps may include forwarding the event graph, or a filtered and pruned event graph, to a remote facility for analysis. This data may usefully provide a map for identifying sources of malware, or for ensuring thorough remediation by identifying all of the potentially compromised computing objects that should be examined after the compromise has been addressed.”);
	and a memory coupled to the processor and configured to provide the processor with instructions (Ladnai, Paragraph 0146 recites “In general, the logical locations may be any corresponding locations of diagnostic interest that might be accessed or used by the computing objects within the computing environment, such as hardware/device interfaces, device drivers, a file system and/or directory, memory (e.g., RAM, cache, processor registers), operating system interfaces, application programming interfaces, network communication ports or interfaces, and any data sources of interest such as credential stores, system registries, system configuration files, and so forth.”).
	Ladnai, however, fails to explicitly teach real-time events and wherein the set of rules are compiled into a lookup tree for pattern matching using the lookup tree to facilitate optimized detection logic.
	However, in an analogous art Zhao teaches real-time events and wherein the set of rules are compiled into a lookup tree for pattern matching using the lookup tree to facilitate optimized detection logic (Zhao, Paragraph 0011 recites “In another embodiment of the invention, a method for applying a pattern-identifying model to real-time data for knowledge pattern search and analysis from multiple learning agents is disclosed. This method comprises the steps of: receiving the real-time data in a system for knowledge pattern search and analysis; comparing the real-time data against the pattern-identifying model constructed from a context-concept-cluster (CCC) data analysis method using historical data, wherein the pattern-identifying model contains a lookup table with keys representing keywords of contexts, concepts, and/or clusters, and values representing relationship calculations between elements and contexts (EC matrix), contexts and concepts (CC matrix), concepts and sequences (SC matrix), or averages of SC matrix per cluster; identifying similarity patterns and prediction patterns based on the comparison between the real-time data and the lookup table of the pattern-identifying model; deriving an anomalousness score based on a concept projection calculation and/or a Gaussian distance to cluster calculation; performing a gains analysis by comparing prediction patterns with actual results; and displaying or visualizing the anomalousness score, the gains analysis, and/or other analysis on a display screen to inform a user some unusual, valuable, or anomalous information.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Zhao’s System And Method For Knowledge Pattern Search From Networked Agents And Managing Cyber Threats with Ladnai’s endpoint malware detection using an event graph, because using a lookup table would be an efficient way to identify patterns.
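The detection recited in claim 1 (a causality event chain inspected as a pattern of events, against rules compiled into a lookup tree, with the rules updatable as data rather than as a code update) is illustrated by the following Python example. It is added here for illustration only; it is not part of the Office Action, of Ladnai, or of Zhao. The rule format, the token classification, the event fields and the sample event stream are all constructed, and the lookup tree is a trie over event tokens, one possible form of the recited lookup tree rather than Zhao's lookup table.

```python
# Added example (not from the Office Action or any cited reference): rules are data,
# compiled into a lookup tree (a trie over normalised event tokens), and a causality
# event chain is matched against the tree so that a pattern of events fires even when
# every event in isolation looks benign. Rule format and sample events are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Token = Tuple[str, str]  # (event kind, coarse class of the event's target)
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")

@dataclass
class Event:
    kind: str    # "process_start" | "file_write" | "net_connect"
    actor: str   # image name of the acting process
    target: str  # child image, file path or remote address
    pid: int     # for process_start: pid of the new child
    ppid: int

@dataclass(eq=False)  # identity semantics: a node is a tree vertex, not a value
class Node:
    children: Dict[Token, "Node"] = field(default_factory=dict)
    rule_ids: List[str] = field(default_factory=list)  # rules that complete here

def compile_rules(rules: Dict[str, List[Token]]) -> Node:
    """Compile an id -> token-sequence map into a trie. Rules are plain data, so an
    updated rule set is compiled and swapped in without any change to agent code."""
    root = Node()
    for rule_id, tokens in rules.items():
        node = root
        for tok in tokens:
            node = node.children.setdefault(tok, Node())
        node.rule_ids.append(rule_id)
    return root

def classify(ev: Event) -> Token:
    """Project a raw event onto the coarse token space the rules are written in."""
    t = ev.target.lower()
    if ev.kind == "process_start":
        cls = "script_host" if t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS else "other"
    elif ev.kind == "file_write":
        cls = "startup_dir" if "\\startup\\" in t else "other"
    elif ev.kind == "net_connect":
        cls = "internal" if t.startswith(PRIVATE_PREFIXES) else "external"
    else:
        cls = "other"
    return (ev.kind, cls)

def causality_chain(events: List[Event], root_pid: int) -> List[Event]:
    """Keep, in observation order, the events caused by root_pid or its descendants."""
    lineage, chain = {root_pid}, []
    for ev in events:
        if ev.pid in lineage or ev.ppid in lineage:
            lineage.add(ev.pid)
            chain.append(ev)
    return chain

def match_chain(tree: Node, chain: List[Event]) -> List[str]:
    """Simulate the trie over the chain's tokens. Earlier states stay live, so a rule
    matches its tokens in order even when unrelated events interleave."""
    active: Set[Node] = {tree}
    hits: List[str] = []
    for tok in (classify(ev) for ev in chain):
        advanced = [n.children[tok] for n in active if tok in n.children]
        for n in advanced:
            for r in n.rule_ids:
                if r not in hits:
                    hits.append(r)
        active.update(advanced)
    return hits

def per_event_hits(tree: Node, events: List[Event]) -> List[str]:
    """Baseline that inspects each event on its own: multi-step rules never fire."""
    hits: List[str] = []
    for ev in events:
        for r in match_chain(tree, [ev]):
            if r not in hits:
                hits.append(r)
    return hits

def detect(rules: Dict[str, List[Token]], events: List[Event], root_pid: int) -> List[str]:
    return match_chain(compile_rules(rules), causality_chain(events, root_pid))

# Constructed rule sets; V2 is an "updated detection rule" delivered as data only.
RULES_V1 = {"R1-script-host-then-external-net":
                [("process_start", "script_host"), ("net_connect", "external")]}
RULES_V2 = {**RULES_V1, "R2-script-host-persists":
                [("process_start", "script_host"), ("file_write", "startup_dir")]}

# Constructed event stream: a document editor (pid 100) spawns a script host (pid 200)
# that writes to the Startup folder and connects out; pid 300 is unrelated noise.
SAMPLE_EVENTS = [
    Event("process_start", "explorer.exe", r"C:\Office\winword.exe", 100, 1),
    Event("file_write", "winword.exe", r"C:\Users\a\Documents\report.docx", 100, 1),
    Event("process_start", "winword.exe", r"C:\Windows\System32\powershell.exe", 200, 100),
    Event("net_connect", "chrome.exe", "203.0.113.5", 300, 1),
    Event("file_write", "powershell.exe", r"C:\Users\a\Start Menu\Programs\Startup\p.lnk", 200, 100),
    Event("net_connect", "powershell.exe", "198.51.100.7", 200, 100),
]
```

Calling `detect(RULES_V1, SAMPLE_EVENTS, 100)` fires only R1, while `detect(RULES_V2, SAMPLE_EVENTS, 100)` fires R2 as well after nothing but a data change; `per_event_hits(compile_rules(RULES_V2), SAMPLE_EVENTS)` returns nothing, since no single event completes a multi-step rule. The unrelated browser connection (pid 300) is excluded by the causality filter before matching, which is what keeps the pattern specific to one chain.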

	As per claim 4, Ladnai in combination with Zhao teaches the system of claim 1. Ladnai further teaches wherein the processor is further configured to: detect an attempt by the application to take an action that would violate the set of rules, and report the attempt to a user of the endpoint (Ladnai, Paragraph 0161 recites “Numerous remediation techniques are known in the art and may be usefully employed to remediate an endpoint, or one or more computing objects on an endpoint, as contemplated herein. This may for example include quarantining or isolating the endpoint to prevent interactions with other devices on a network. This may also or instead include deploying malware removal tools to the endpoint, or launching a malware removal tool that is already on the endpoint, to remove malware that has been detected. This may also include intermediate steps such as terminating processes, deleting logs, clearing caches, or any other steps or combination of steps suitable for removing malicious software from the endpoint and/or restoring the endpoint to an uninfected state. This may include notifying an administrator or user.”).

	As per claim 5, Ladnai in combination with Zhao teaches the system of claim 1. Ladnai further teaches wherein the processor is further configured to: detect an attempt by the application to take an action that would violate the set of rules, and report the attempt to a remote server (Ladnai, Paragraph 0161 recites “Numerous remediation techniques are known in the art and may be usefully employed to remediate an endpoint, or one or more computing objects on an endpoint, as contemplated herein. This may for example include quarantining or isolating the endpoint to prevent interactions with other devices on a network. This may also or instead include deploying malware removal tools to the endpoint, or launching a malware removal tool that is already on the endpoint, to remove malware that has been detected. This may also include intermediate steps such as terminating processes, deleting logs, clearing caches, or any other steps or combination of steps suitable for removing malicious software from the endpoint and/or restoring the endpoint to an uninfected state. This may include notifying an administrator or user.”).

Regarding claims 10 and 19, claims 10 and 19 are directed to a method and a computer program product, respectively, associated with the system of claim 1. Claims 10 and 19 are of similar scope to claim 1 and are therefore rejected under the same rationale.

	Regarding claim 13, claim 13 is directed to a method associated with the system of claim 4. Claim 13 is similar in scope to claim 4 and is therefore rejected under the same rationale.

	Regarding claim 14, claim 14 is directed to a method associated with the system of claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under the same rationale.
	
	As per claim 20, Ladnai in combination with Zhao teaches the computer program product recited in claim 19. Ladnai further teaches detecting an attempt by the application to take an action that would violate the set of rules (Ladnai, Paragraph 0063 recites “However, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at a secondary location 108 that is not a part of the enterprise facility 102, the mobile client facility may be required to request network interactions through the threat management facility 100, where contacting the threat management facility 100 may be performed prior to any other network action. In embodiments, the client facility's 144 endpoint computer security facility 152 may manage actions in unprotected network environments such as when the client facility (e.g., client 144F) is in a secondary location 108 or connecting wirelessly to a non-enterprise facility 102 wireless Internet connection, where the endpoint computer security facility 152 may dictate what actions are allowed, blocked, modified, or the like. For instance, if the client facility's 144 endpoint computer security facility 152 is unable to establish a secured connection to the threat management facility 100, the endpoint computer security facility 152 may inform the user of such, and recommend that the connection not be made. In the instance when the user chooses to connect despite the recommendation, the endpoint computer security facility 152 may perform specific actions during or after the unprotected connection is made, including running scans during the connection period, running scans after the connection is terminated, storing interactions for subsequent threat and policy evaluation, contacting the threat management facility 100 upon first instance of a secured connection for further actions and or scanning, restricting access to network and local resources, or the like. In embodiments, the endpoint computer security facility 152 may perform specific actions to remediate possible threat incursions or policy violations during or after the unprotected connection.”),
	wherein the set of rules includes one or more updated detection rules (Ladnai, Paragraph 0043 recites “In an embodiment, the definition files may be updated on a fixed periodic basis, on demand by the network and/or the client facility, as a result of an alert of a new malicious code or malicious application, or the like. In an embodiment, the definition files may be released as a supplemental file to an existing definition files to provide for rapid updating of the definition files.”).


Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) and Zhao et al. (US 2012/0041901) and in further view of Deerman et al. (US 2014/0245374).

	As per claim 2, Ladnai in combination with Zhao teaches the system of claim 1. Ladnai further teaches wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules (Ladnai, Paragraph 0063 recites “However, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at a secondary location 108 that is not a part of the enterprise facility 102, the mobile client facility may be required to request network interactions through the threat management facility 100, where contacting the threat management facility 100 may be performed prior to any other network action. In embodiments, the client facility's 144 endpoint computer security facility 152 may manage actions in unprotected network environments such as when the client facility (e.g., client 144F) is in a secondary location 108 or connecting wirelessly to a non-enterprise facility 102 wireless Internet connection, where the endpoint computer security facility 152 may dictate what actions are allowed, blocked, modified, or the like. For instance, if the client facility's 144 endpoint computer security facility 152 is unable to establish a secured connection to the threat management facility 100, the endpoint computer security facility 152 may inform the user of such, and recommend that the connection not be made. In the instance when the user chooses to connect despite the recommendation, the endpoint computer security facility 152 may perform specific actions during or after the unprotected connection is made, including running scans during the connection period, running scans after the connection is terminated, storing interactions for subsequent threat and policy evaluation, contacting the threat management facility 100 upon first instance of a secured connection for further actions and or scanning, restricting access to network and local resources, or the like. In embodiments, the endpoint computer security facility 152 may perform specific actions to remediate possible threat incursions or policy violations during or after the unprotected connection.”).
Ladnai, however, fails to teach wherein the lookup tree is implemented as a Rete tree that is compiled to provide optimized detection logic based on an optimized decision tree.
However, in an analogous art Deerman teaches wherein the lookup tree is implemented as a Rete tree that is compiled to provide optimized detection logic based on an optimized decision tree (Deerman, Paragraph 0094 recites “In yet a further aspect of the invention, a method for identifying an anomalous behavior in a network of host computing elements is disclosed comprising the steps of providing 1-n network sensors in a computer network and in data communication therewith, each network sensor configured to output a sensor notification upon the satisfaction of a predetermined set of network data conditions, outputting the 1-n sensor notifications to 1-n Rete net-based rule engines configured to execute one or more Rete algorithms configured for the deterministic detection of anomalous behavior in the network based on the notifications, executing the one or more Rete algorithms, and, outputting an alarm signal upon the detection of the anomalous behavior.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Deerman’s Device And Method For Detection Of Anomalous Behavior In A Computer Network with Ladnai’s endpoint malware detection using an event graph, because the use of a Rete algorithm will efficiently apply many rules or patterns to many objects.

Regarding claim 11, claim 11 is directed to a method associated with the system of claim 2. Claim 11 is of similar scope to claim 2 and is therefore rejected under the same rationale.


Claims 3, 9, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) and Zhao et al. (US 2012/0041901) and in further view of Mahaffey et al. (US 9,740,852).

	As per claim 3, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules, and wherein the set of rules comprises a whitelisted set of behaviors observed at a remote server during emulation of a sample in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation.
	However, in an analogous art Mahaffey teaches wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules, and wherein the set of rules comprises a whitelisted set of behaviors observed at a remote server during emulation of a sample in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation (Mahaffey, Col. 24 Lines 48-57 recites “In an embodiment, server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run. In an embodiment, the virtual or physical device is instrumented so that it reports behavioral data for the data object. In an embodiment, the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151. For example, a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance.” Col. 25 Lines 12-21 recites “Aside from capabilities of a data object, it may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application. In an embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Mahaffey’s System and method for assessing an application to be installed on a mobile communications device with Ladnai’s endpoint malware detection using an event graph because the use of an emulation in a virtual environment is safer than using a normal system with potentially malicious data. 

	As per claim 9, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein a remote server is configured to evaluate the application at least in part by executing the application in a virtualized environment, and wherein endpoint agent is configured to implement, at the endpoint, a set of rules restricting behaviors of an application.
	However, in an analogous art Mahaffey teaches wherein a remote server is configured to evaluate the application at least in part by executing the application in a virtualized environment, and wherein endpoint agent is configured to implement, at the endpoint, a set of rules restricting behaviors of an application (Mahaffey, Col. 24 Lines 48-57 recites “In an embodiment, server 151 runs a data object in a virtual (e.g., simulated or emulated) or physical device and analyzes the behavior of the data object when run. In an embodiment, the virtual or physical device is instrumented so that it reports behavioral data for the data object. In an embodiment, the virtual or physical device's network traffic, calls, and SMS messages are analyzed by server 151. For example, a virtual device may be configured to always report a specific location via its location APIs that are unlikely to occur in any real world circumstance.” Col. 25 Lines 12-21 recites “Aside from capabilities of a data object, it may be important for server 151 to gather metrics relating to a data object's effect of running on a device or its usage of capabilities on a device. For example, overuse of network data, email, or SMS messaging may be considered abusive or indicative of a malicious or exploited application. In an embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data it has available to it to produce metric data that characterizes a data object.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Mahaffey’s System and method for assessing an application to be installed on a mobile communications device with Ladnai’s endpoint malware detection using an event graph because the use of an emulation in a virtual environment is safer than using a normal system with potentially malicious data. 

	Regarding claim 12, claim 12 is directed to a method associated with the system of claim 3. Claim 12 is similar in scope to claim 3 and is therefore rejected under the same rationale.
	Regarding claim 18, claim 18 is directed to a method associated with the system of claim 9. Claim 18 is similar in scope to claim 9 and is therefore rejected under the same rationale.
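Claims 3 and 9 describe a set of rules that is a whitelist of behaviors observed at a remote server while emulating a sample, enforced by the endpoint agent so that an attempt by the application to take an action outside that whitelist constitutes a rule violation. The following Python example illustrates that two-sided arrangement; it is added here for illustration only and is not part of the Office Action, of Ladnai, or of Mahaffey. The behavior categories, the normalisation applied before comparison, the sample identifiers and the recorded behaviors are all constructed.

```python
# Added example (not from the Office Action or the cited Mahaffey reference): the rule
# set is an allowlist of behaviours a server observed while emulating a sample, pushed
# to the endpoint, which treats any other behaviour by that sample as a violation.
# Behaviour records, sample ids and the normalisation rules are constructed here.
import json
from typing import Dict, List, Set, Tuple

Behavior = Tuple[str, str]  # (category, normalised target)

def normalise(category: str, target: str) -> Behavior:
    """Strip instance-specific detail so a baseline captured in the sandbox still
    matches on a real device: user-profile directory name and host-name case."""
    if category == "file":
        parts = target.lower().replace("/", "\\").split("\\")
        if len(parts) > 2 and parts[1] == "users":  # c:\users\<name>\... -> c:\users\*\...
            parts[2] = "*"
        return (category, "\\".join(parts))
    if category == "net":
        return (category, target.lower())            # host:port, host case-insensitive
    return (category, target)                        # e.g. API names, kept verbatim

def build_allowlist(sandbox_runs: Dict[str, List[List[Behavior]]]) -> Dict[str, List[List[str]]]:
    """Server side: union the behaviours seen across all emulation runs of each sample.
    Returns a JSON-friendly structure, i.e. the rules that are pushed to endpoints."""
    allow: Dict[str, List[List[str]]] = {}
    for sample_id, runs in sandbox_runs.items():
        seen: Set[Behavior] = set()
        for run in runs:
            seen.update(normalise(c, t) for c, t in run)
        allow[sample_id] = sorted([c, t] for c, t in seen)
    return allow

def load_rules(blob: str) -> Dict[str, Set[Behavior]]:
    """Endpoint side: parse the pushed allowlist into per-sample behaviour sets."""
    return {sid: {(c, t) for c, t in pairs} for sid, pairs in json.loads(blob).items()}

def check_attempt(rules: Dict[str, Set[Behavior]], sample_id: str, category: str, target: str) -> str:
    """Verdict for one attempted action: 'allowed', 'violation', or 'no_baseline' when
    the server never emulated this sample, so this rule cannot judge it either way."""
    baseline = rules.get(sample_id)
    if baseline is None:
        return "no_baseline"
    return "allowed" if normalise(category, target) in baseline else "violation"

def enforce(rules: Dict[str, Set[Behavior]],
            attempts: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return every attempt that is not allowed, tagged with its verdict."""
    out = []
    for sample_id, category, target in attempts:
        verdict = check_attempt(rules, sample_id, category, target)
        if verdict != "allowed":
            out.append((sample_id, category, target, verdict))
    return out

S1 = "sha256:CONSTRUCTED-SAMPLE-1"  # placeholder identifier, not a real hash
# Constructed: two emulation runs of the same sample observed on the server.
SANDBOX_RUNS = {S1: [
    [("file", r"C:\Users\sandbox\AppData\Local\Temp\work.dat"),
     ("net", "updates.example.com:443"), ("api", "RegOpenKeyExW")],
    [("file", r"C:\Users\sandbox\AppData\Local\Temp\work.dat"),
     ("net", "updates.example.com:443"), ("api", "RegOpenKeyExW"), ("api", "CreateFileW")],
]}
# Constructed: actions the same sample attempts on a real endpoint.
ENDPOINT_ATTEMPTS = [
    (S1, "file", r"C:\Users\alice\AppData\Local\Temp\work.dat"),  # allowed after normalisation
    (S1, "net", "UPDATES.example.com:443"),                        # allowed: host case only
    (S1, "net", "198.51.100.7:4444"),                              # violation
    (S1, "api", "CreateRemoteThread"),                             # violation
    ("sha256:CONSTRUCTED-SAMPLE-2", "file", r"C:\x.txt"),          # never emulated
]
RULES = load_rules(json.dumps(build_allowlist(SANDBOX_RUNS)))
```

`enforce(RULES, ENDPOINT_ATTEMPTS)` reports the two unobserved behaviours as violations and the unknown sample as having no baseline. The normalisation step is what makes such a whitelist usable: the sandbox user directory and the real user's directory would otherwise never match, and every file access would be flagged. The remaining limitation is coverage: behaviour the emulation never exercised (a code path gated on time, locale or user input) is absent from the whitelist and will surface on the endpoint as a violation, so the quality of the rule depends on how thoroughly the server exercised the sample.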

Claims 6, 7, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) and Zhao et al. (US 2012/0041901) and in further view of Kostyushko et al. (US 2020/0311268).

	As per claim 6, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein the processor is further configured to report the detected malicious activity to a remote server, wherein in response to receiving the report, the remote server performs an evaluation of a sample provided by the endpoint, wherein the sample is associated with the detected malicious activity.
	However, in an analogous art Kostyushko teaches wherein the processor is further configured to report the detected malicious activity to a remote server, wherein in response to receiving the report, the remote server performs an evaluation of a sample provided by the endpoint, wherein the sample is associated with the detected malicious activity (Kostyushko, Paragraph 0009 recites “According to one aspect of the disclosure, a system is provided for deep dynamic analysis of applications, the system comprising at least one processor configured to: by a deep dynamic analysis tool of a server in a safe isolated environment, launch a deep analysis process for determining whether a received sample of an application is a malware, the launching of the process including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parse dependencies of run-time linkages, hook system functions, create an initial application memory map with separate application and system code areas, transfer control back to the application code, and perform an on-sample-execution activity, obtain control of exception handler and monitor attempts to use the exception handler, by the registered exception handler, change an available area, log accesses, inspect exception reasons, and apply policies based on the exception reasons, analyze data related to the logged access and determine whether the application of the sample is a malware, and send, to the endpoint device, a final verdict indicating whether or not the application is a malware.” And Paragraph 0090 recites “The deep analysis tool 360 provides the analysis and malware detection for both single-threading applications and multi-threading applications. In one aspect, different approaches may be used for disguising the access control and analytical tools for single-threading and multi-threading applications.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kostyushko’s methods and systems for performing a dynamic analysis of applications for protecting devices from malwares with Ladnai’s endpoint malware detection using an event graph because the use of further analysis is a good way of ensuring that the data is in fact malicious. 

	As per claim 7, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein the set of rules restrict processes associated with a sample to behaviors observed during an execution of the sample in a virtualized environment.
	However, in an analogous art Kostyushko teaches wherein the set of rules restrict processes associated with a sample to behaviors observed during an execution of the sample in a virtualized environment (Kostyushko, Paragraph 0009 recites “According to one aspect of the disclosure, a system is provided for deep dynamic analysis of applications, the system comprising at least one processor configured to: by a deep dynamic analysis tool of a server in a safe isolated environment, launch a deep analysis process for determining whether a received sample of an application is a malware, the launching of the process including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parse dependencies of run-time linkages, hook system functions, create an initial application memory map with separate application and system code areas, transfer control back to the application code, and perform an on-sample-execution activity, obtain control of exception handler and monitor attempts to use the exception handler, by the registered exception handler, change an available area, log accesses, inspect exception reasons, and apply policies based on the exception reasons, analyze data related to the logged access and determine whether the application of the sample is a malware, and send, to the endpoint device, a final verdict indicating whether or not the application is a malware.” And Paragraph 0090 recites “The deep analysis tool 360 provides the analysis and malware detection for both single-threading applications and multi-threading applications. In one aspect, different approaches may be used for disguising the access control and analytical tools for single-threading and multi-threading applications. ”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kostyushko’s methods and systems for performing a dynamic analysis of applications for protecting devices from malwares with Ladnai’s endpoint malware detection using an event graph because the use of further analysis is a good way of ensuring that the data is in fact malicious. 

	Regarding claim 15, claim 15 is directed to a method associated with the system of claim 6. Claim 15 is similar in scope to claim 6 and is therefore rejected under the same rationale.

	Regarding claim 16, claim 16 is directed to a method associated with the system of claim 7. Claim 16 is similar in scope to claim 7 and is therefore rejected under the same rationale.


Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) and Zhao et al. (US 2012/0041901) and in further view of Baset et al. (US 2018/0089437).

	As per claim 8, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein a remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated.

	However, in an analogous art, Baset teaches wherein a remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated (Baset, Paragraph 0052 recites “Additionally or alternatively, the scanning component 302 can scan the server device 112 to determine one or more mobile applications stored on the server device 112 that satisfy other defined criterion related to, for example, an amount of time that a mobile application is stored on the server device 112, a determination that a change has occurred with respect to a mobile application (e.g., a mobile application is updated to a new version), an amount of time since a previous analysis of a mobile application is performed, a determination that a mobile application is not previously analyzed by the testing component 102, an indication that is provided via user input (e.g., a user desires a mobile application to be analyzed by the testing component 102), debugging reports for a mobile application, etc. For example, the testing component 102 can receive the mobile application from the server device 112 in response to a determination, based on a scan of the server device 112 by the scanning component 302, that an amount of time that the mobile application is stored on the server device 112 satisfies a defined criterion, that a change has occurred with respect to the mobile application (e.g., the mobile application is updated to a new version), that an amount of time since a previous analysis of the mobile application satisfies a defined criterion, that the mobile application is not previously analyzed by the testing component 102 at a previous instance in time, that an indication provided by user input indicates to analyze the mobile application, that a debugging report for the mobile application satisfies a defined criterion, etc. It is to be appreciated that, in certain implementations, the mobile application received from the server device 112 can be received via a network (e.g., the network 114 or another network that includes one or more wireless networks and/or one or more wired networks).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Baset’s automated security testing for a mobile application or a backend server with Ladnai’s endpoint malware detection using an event graph, because scanning an updated application is a good way to ensure that applications are safe for use in an environment, since some changes could be malicious.

	Regarding claim 17, claim 17 is directed to a method corresponding to the system of claim 8. Claim 17 is similar in scope to claim 8 and is therefore rejected under a similar rationale.

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0300690) and Zhao et al. (US 2012/0041901) and in further view of Ohana et al. (US 2020/0073740).
	As per claim 21, Ladnai in combination with Zhao teaches the system of claim 1, but fails to teach wherein the processor is further configured to filter file system related events, process related events, network related events, and operating system (OS) private application programming interface (API) events based on a filtering policy to filter out events that are noisy and/or are not useful indicators for malware detection using causality event chains.
	However, in an analogous art, Ohana teaches wherein the processor is further configured to filter file system related events, process related events, network related events, and operating system (OS) private application programming interface (API) events based on a filtering policy to filter out events that are noisy and/or are not useful indicators for malware detection using causality event chains (Ohana, Paragraph 0176 recites “Filtering the maximum metric anomaly scores by removing maximum metric anomaly scores below a threshold. The threshold is selected to differentiate between score likely to be associated with an anomalous event and score likely to be associated with a non-anomalous event. The removed scores denote an association with non-anomalous events. The filtering may reduce the noise of the non-anomalous events and/or non-anomalous data-points.” While Ohana does not explicitly recite the exact events which the instant application deems to cause noise, Ohana effectively teaches the concept of filtering out non-anomalous events).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Ohana’s systems and methods for anomaly detection in a distributed computing system with Ladnai’s endpoint malware detection using an event graph, because eliminating non-anomalous events reduces the amount of computing power needed to isolate the malicious data.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439