DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gangadharan et al. (U.S. Patent Application Publication No. 20200120111), in view of Bahrenburg et al. (U.S. Patent Application Publication No. 20200007529 A1), hereinafter Bahrenburg, and further in view of G Rao et al. (U.S. Patent Application Publication No. 20210342742 A1), hereinafter G Rao.

Regarding claim 1, Gangadharan discloses An apparatus (Par. [0057], The disclosed methods, apparatus and articles of manufacture improve the efficiency of using a computing device by employing a disclosed monitoring agent to detect threats and prevent attacks at the data link layer) comprising:
a memory configured to store (Par. [0023], In some examples, the entirety of and/or a portion of the malicious applications reference system 210 is cached in a memory of the endpoint device 204 for faster access and/or offline access by the monitoring agent 202. For example, a subset of entries from the malicious applications reference system 210 may be selected for local caching in a memory of the endpoint device 204 based on most relevancy to applications likely to be executed in the endpoint device 204. For example, if the endpoint device 204 is a tablet computer, it may cache entries from the malicious applications reference system 210 corresponding to mobile apps, whereas if the endpoint device 204 is a server, it may cache entries from the malicious applications reference system 210 corresponding to server programs, database applications, etc. In yet other examples, the malicious applications reference system 210 database is fully implemented and stored in the endpoint device 204.): 
a first list of applications comprising a first application (Par. [0019-0022] disclose an application reference system 210 containing application of different trust levels. For example, Par. [0020], Privilege levels define whether processes (i.e. first list) can access system-level information); and 
a second list of applications comprising a second application (Par. [0020], Privilege levels define whether processes (i.e. second list) can access … only user-level information), wherein:
each computer system of the set of computer systems located on a network (Par. [0015], In FIG. 1, the firewall 104 monitors communications exchanged between the endpoint device 102 and other devices connected via a network 106 such as the Internet.); and a communication log comprising information identifying communications that have occurred over the network (Par. [0023], For example, the malicious applications reference system 210 may be implemented using a network-accessible cloud-based server that stores characteristics and metadata about malicious sources such as malicious applications, programs, websites, network communications, and/or processes.); and 
a hardware processor communicatively coupled to the memory (Par. [0050], The processor 712 of the illustrated example is in communication with a main memory including a volatile memory 714 and a non-volatile memory 716 via a bus 718), the hardware processor configured to: 
determine that the second application transmitted a communication destined for the first application (Par. [0044], The example connection detector 404 analyzes the data link layer (Layer 2) communication (block 504) to determine whether it is a request for a connection to the endpoint device 204 (FIGS. 2 and 3) at the data link layer (Layer 2). For example, the connection detector 404 monitors communications at the data link layer (Layer 2) from applications (e.g., the Application-5 208 of FIG. 2 and/or applications on the external computer 302 and/or the local endpoint device 304 of FIG. 3) to detect requests to establish data link layer (Layer 2) connections in the endpoint device 204. To detect such connection requests, the example connection detector 404 may employ the dynamic tracer 410 and/or the raw socket interface monitor 412 using techniques described above. For example, the connection detector 404 may employ the dynamic tracer 410 by using one or more operating system APIs to monitor communications from ones of the processes 402 (FIG. 4) that issue file open requests to a particular file (e.g., file open requests to a /dev/bpf0 character file using bpf, etc.) which allows connection via the data link layer (Layer 2).); 
determine, based at least in part on the communications identified in the communication log, that a probability that the communication destined for the first application is malicious is greater than a threshold (Par. [0022], In some examples, a confirmation of a malicious source can be logged in the malicious applications reference system 210 when a threshold number of endpoint devices report erroneous or undesired operating conditions attributable to the malicious source. For example, when a program attempts an unauthorized access to a secure area in an endpoint device, the endpoint device reports the attempted access to the malicious applications reference system 210. The malicious applications reference system 210 can log the reporting and monitor for similar reporting from the same or other endpoint devices. In this manner, when a threshold number of reporting are logged, a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source.); and 57520572ATTORNEY DOCKETPATENT APPLICATION 015444.1706 31 of 40 
in response to determining that the probability that the communication destined for the first application is malicious is greater than the threshold (Par. [0046], If the threat monitor 406 determines at block 508 that the communication is a threat), prevent the communication destined for the first application from reaching the computer system of the first application (Par. [0046], the example threat manager 408 manages the threat (block 510) by generating a notification to prompt a user (e.g., a network administrator) about the threat and/or blocking the communication).
Gangadharan discloses an apparatus configured to receive a communication from a second application to a first application and determine that the probability that the communication destined for the first application is malicious is greater than a threshold based on a communication log. Gangadharan fails to disclose determining if the first application and the second application are assigned different trust levels before checking a communication log. 
However, Bahrenburg teaches determining that a second application sends a communication destined for a first application (Par. [0067]).
Bahrenburg further teaches determine that the first application and the second application are assigned to different trust levels of the set of trust levels (Par. [0087], In some implementations, the directory service verifies that the requesting tenant (i.e. second application) and/or target tenant (i.e. first application) are members of the trust group identified in the system request at 358. More particularly, the directory service may ascertain, from the system request, the identity of the trust group to which the tenant request was directed and verify that the target tenant trusts the requesting tenant or the trust group to which the requesting tenant belongs. For example, the directory service may verify that the requesting tenant is a member of the trust group identified in the tenant request using the registry. As described above, the directory service may access the group membership information associated with the trust group and apply the group membership information to determine whether requesting tenant is a member of the trust group.); and 
in response to determining that the first application and the second application are assigned to different trust levels (Par. [0088], More particularly, the intermediate system may apply a set of permissions associated with the requesting tenant and/or the target tenant, maintained in the registry, to determine whether the requesting tenant is permitted to access the data or application. The set of permissions may be retrieved by looking up an identifier of the target tenant and/or an identifier of the requesting tenant.), and prior to the communication destined for the first application reaching the computer system of the first application (Fig. 3B, Block 360 comes prior to block 368): 
Gangadharan and Bahrenburg are analogous references to the claimed invention as they both pertain to an apparatus configured to receive a request for communication between applications and determine if the communication is malicious or not. Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gangadharan by determining if the first and second applications belong to the same trust level (trust group) and performing actions in response to the determination as taught by Bahrenburg. Such modifications allow securing networks involving enterprise networks, multi-tenant systems by allowing communication between applications that belong to a given trust group established by the system (Bahrenburg, Par. [0021]).
The combination of Gangadharan and Bahrenburg teaches a memory storing a list of applications, but fails to expressly disclose the applications are stored as first and second lists where the lists are assigned a first and second trust level respectively. 
However, G Rao teaches a memory configured to store, a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches wherein: each application of the first list of applications is assigned to a first trust level of a set of trust levels, the assignment of the application to the first trust level indicating that a probability that the application is malicious is less than a lower threshold (Par. [0059], If it is determined at 458 that the application 150 is not positioned between the lower trust threshold value and the upper trust threshold value, it is determined that the application is above the upper trust threshold and hence that the application 150 is categorized as safe for publication at 464.); 
each application of the second list of applications is assigned to a second trust level of the set of trust levels, the assignment of the application to the second trust level indicating that a probability that the application is malicious is greater than the lower threshold (Par. [0059], If it is determined at 452 that the position of the application 150 on the scoring 1400 scale 134 is not below the lower trust threshold value, it is further determined at 458 if the application 150 is positioned between the lower trust threshold value and the upper trust threshold value. If yes, then the application 150 is categorized as potentially vulnerable at 460 and a communication with the results 142 and suggestions for improvement of the application 150 under the tenets is transmitted at 462.); and 
each application of the first list of applications and the second list of applications belongs to a set of applications (Par. [0049], The method begins at 402 wherein the application files 152 of the application 150 to be scored and tested are received.), wherein each application of the set of applications is installed on a computer system of a set of computer systems (Par. [0045], The application trust score obtained above from Eq. (1) is indicative of the extent to which the application 150 can be trusted when installed in a user's device), 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan and Bahrenburg by sorting applications into separate lists as taught by G Rao. Such modifications allow better management of a large number of applications by classifying them into trust groups, such as in enterprise networks.

Regarding claim 2, the combination of Gangadharan, Bahrenburg and G Rao teaches the apparatus of claim 1, 
Gangadharan further discloses the memory is further configured to store a third list of applications (Note: Gangadharan discloses a first list of applications and a second list of applications (Par. [0020]), therefore, it would be obvious to modify Gangadharan to have a third list of applications. Such modification will provide the predictable outcome of further separating applications into lists and verifying communication requests based on trust levels.),
in response to determining that the probability that the communication destined for the first application is malicious is greater than the threshold (Par. [0046], If the threat monitor 406 determines at block 508 that the communication is a threat),
Gangadharan discloses determining that a communication is malicious and taking actions based on the determination such as preventing the communication. Gangadharan fails to disclose the applications are stored as separate lists based on different trust levels and changing application trust levels based on the determination of maliciousness. 
However, G Rao teaches a memory configured to store, a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches wherein: for each application of the second list of applications, the assignment of the application to the second trust level indicates that the probability that the application is malicious is between the lower threshold and an upper threshold (Par. [0059], If it is determined at 452 that the position of the application 150 on the scoring 1400 scale 134 is not below the lower trust threshold value, it is further determined at 458 if the application 150 is positioned between the lower trust threshold value and the upper trust threshold value. If yes, then the application 150 is categorized as potentially vulnerable at 460 and a communication with the results 142 and suggestions for improvement of the application 150 under the tenets is transmitted at 462.); 
wherein each application of the third list of applications is assigned to a third trust level of the set of trust levels, the assignment of the application to the third trust level indicating that a probability that the application is malicious is greater than the upper threshold (Par. [0059], At 452, it is determined if the position of the application 150 on the scoring scale 134 is below the lower trust threshold value. If it is determined at 452 that the position of the application 150 on the scoring scale 134 is below the lower trust threshold value, the application 150 is categorized as vulnerable at 454); and 
the processor is further configured to: 
move the second application from the second list to the third list; and 
move the first application from the first list to the second list (Par. [0061], While the feedback 146 includes the reviewer's change to the overall categorization of the application 150 from one of the vulnerable, potentially vulnerable and safe to another categorization, it can be appreciated that such categorization is based on the upper and lower trust threshold values. These trust thresholds values depend on the severities of the corresponding rulesets implemented by the scoring system 100 for the application 150. Therefore, a change to the categorization of the application 150 results in corresponding changes to the severity thresholds of the rulesets. The feed forward neural network 362 is configured to identify new severity values for individual rulesets based on the training data 148 which includes the historical data 350.).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan, G Rao and Bahrenburg in claim 1 by moving applications from one trust level to another. Such modification helps secure networks, since the security state of applications can change and it is important to reflect that in the trust level.

Regarding claim 3, the combination of Gangadharan, Bahrenburg and G Rao teaches the apparatus of claim 1, 
Gangadharan further discloses wherein:
 a malicious application is at least one of: 
an application that is infected with malware (Par. [0022], Different criteria may be used to determine whether the program should be characterized as malicious. An example criterion is whether the origination of the program or the developer of the program is known to produce malicious programs. Another example criterion is whether the program spreads across the Internet 212 with a speed characteristic of virus-like infection and/or using delivery vehicles known to spread malicious activities (e.g., emails, email attachments, uniform resource locators (URLs), etc.). When the program is tagged or stored in a record of the malicious applications reference system 210 as a malicious source); and 
an application that is instructed to perform tasks by another application that is infected by malware; and 
a malicious communication is a communication comprising at least one of: 
malware; and 
a phishing attempt (Par. [0015], Examples disclosed herein implement an intrusion prevention mechanism that detects threats operating at the data link layer (Layer 2). Such threats may be intentional attempts at bypassing host firewall rules by operating at the data link layer and/or may be unintentional consequences of poorly written/executed programs that perform harmful operations at the data link layer.).

Regarding claim 4, the combination of Gangadharan, G Rao and Bahrenburg teaches the apparatus of claim 1,
The combination teaches determining if the first and second application are assigned different trust levels, but fails to teach determining if the first and second application are assigned the same trust level and taking action based on the determination. 
However, Bahrenburg further teaches wherein the hardware processor is further configured to: 
determine that a third application of the set of applications transmitted a communication destined for a fourth application of the set of applications (Par. [0067], The tenant request may include an identifier of the requesting tenant, an identifier of the trust group to which the tenant request is directed, and an indication of data or an application to which the requesting tenant requests access. For example, the indication of data may take the form of an Application Programming Interface (API) call.); 
determine that both the third application and the fourth application are assigned to a given trust level of the set of trust levels (Par. [0087], in some implementations, the directory service verifies that the requesting tenant and/or target tenant are members of the trust group identified in the system request at 358. More particularly, the directory service may ascertain, from the system request, the identity of the trust group to which the tenant request was directed and verify that the target tenant trusts the requesting tenant or the trust group to which the requesting tenant belongs); and 
in response to determining that both the third application and the fourth application are assigned to the given trust level, allow the communication destined for the fourth application to reach the computer system of the fourth application (Par. [0093], After determining that the tenant request has been successfully authenticated and that the requesting tenant is authorized to access data of the target tenant as requested in the tenant request, the target tenant may fulfill the tenant request by transmitting the requested data or a token at 368.).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combined teaching of Gangadharan, G Rao and Bahrenburg in claim 1 by allowing communication of applications with the same trust level as taught by Bahrenburg. Such modifications allow securing networks involving enterprise networks, multi-tenant systems by allowing communication between applications that belong to a given trust group established by the system (Bahrenburg, Par. [0021]).

Regarding claim 5, the combination of Gangadharan, Bahrenburg and G Rao teaches the apparatus of claim 1, 
Gangadharan further discloses wherein: 
the memory is further configured to store: 
a third list of applications, and a fourth list of applications (Note: Gangadharan discloses a first list of applications and a second list of applications (Par. [0020]), therefore, it would be obvious to modify Gangadharan to have a third and fourth list of applications. Such modification will provide the predictable outcome of verifying a connection request based on trust levels.).
the hardware processor is further configured to: 
determine that the third application transmitted a communication destined for the first application (Par. [0044], The example connection detector 404 analyzes the data link layer (Layer 2) communication (block 504) to determine whether it is a request for a connection to the endpoint device 204 (FIGS. 2 and 3) at the data link layer (Layer 2). For example, the connection detector 404 monitors communications at the data link layer (Layer 2) from applications (e.g., the Application-5 208 of FIG. 2 and/or applications on the external computer 302 and/or the local endpoint device 304 of FIG. 3) to detect requests to establish data link layer (Layer 2) connections in the endpoint device 204. To detect such connection requests, the example connection detector 404 may employ the dynamic tracer 410 and/or the raw socket interface monitor 412 using techniques described above. For example, the connection detector 404 may employ the dynamic tracer 410 by using one or more operating system APIs to monitor communications from ones of the processes 402 (FIG. 4) that issue file open requests to a particular file (e.g., file open requests to a /dev/bpf0 character file using bpf, etc.) which allows connection via the data link layer (Layer 2).);
 determine that the third application is listed in the fourth list of applications (Par. [0033], The monitoring agent 202 is provided with the example threat monitor 406 to check privilege levels and/or trust levels of applications); and 
in response to determining that the third application is listed in the fourth list of applications (Par. [0045], For example, the threat monitor 406 checks privilege levels and/or trust levels of an application corresponding to the communication, and/or checks whether the application is known to be suspicious or malicious, as described above in connection with FIG. 2. In some examples, the threat monitor 406 additionally or alternatively checks whether the application is identified as a whitelisted application and/or is identified in an administrator policy as being allowed to connect at the data link layer (Layer 2)): 
allow the communication transmitted by the third application and destined for the first application to reach the computer system of the first application (Par. [0046], Otherwise, if the threat monitor determines at block 508 that the communication is not a threat, the example threat manager 408 allows the communication (block 512).); 
generate an alert associated with the communication transmitted by the third application and destined for the first application (Par. [0022], The example malicious applications reference system 210 may be implemented by a computing security entity such as a company or independent organization that monitors and tracks malicious activities reported (i.e. generate an alert) by endpoint devices across a network such as the Internet 212.); and 
store, in the communication log, information indicating that the third application transmitted the communication destined for the first application (Par. [0022], The malicious applications reference system 210 can log the reporting and monitor for similar reportings from the same or other endpoint devices. In this manner, when a threshold number of reportings are logged, a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source.).
The combination of Gangadharan and Bahrenburg teaches a memory storing a list of applications, but fails to expressly disclose the applications are stored as first and second lists where the lists are assigned a first and second trust level respectively. 
However, G Rao teaches a memory configured to store, a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches for each application of the second list of applications, the assignment of the application to the second trust level indicates that the probability that the application is malicious is between the lower threshold and an upper threshold (Par. [0059], If it is determined at 452 that the position of the application 150 on the scoring 1400 scale 134 is not below the lower trust threshold value, it is further determined at 458 if the application 150 is positioned between the lower trust threshold value and the upper trust threshold value. If yes, then the application 150 is categorized as potentially vulnerable at 460 and a communication with the results 142 and suggestions for improvement of the application 150 under the tenets is transmitted at 462.); 
wherein each application of the third list of applications is assigned to a third trust level of the set of trust levels, the assignment of the application to the third trust level indicating that a probability that the application is malicious is greater than the upper threshold (Par. [0059], At 452, it is determined if the position of the application 150 on the scoring scale 134 is below the lower trust threshold value. If it is determined at 452 that the position of the application 150 on the scoring scale 134 is below the lower trust threshold value, the application 150 is categorized as vulnerable at 454); and 
wherein each application of the fourth list of applications has not yet been assigned to any of the first trust level, the second trust level, and the third trust level (G Rao teaches three categories (i.e. lists) of applications (Par. [0059]), based on trust levels. Therefore it would be obvious to add any number of categories to monitor communications based on trust levels. Such modification would be an obvious variation of the teaching of G Rao and will result in a predictable outcome of fine tuning the monitoring of communications between applications); 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan and Bahrenburg by sorting applications into separate lists. Such modifications allow better management of a large number of applications by classifying them into trust groups, such as in enterprise networks.

Regarding claim 6, the combination of Gangadharan, Bahrenburg and G Rao teaches the apparatus of claim 5, 
Gangadharan further discloses wherein the hardware processor is further configured to: 
receive information indicating that the communication transmitted by the third application and destined for the first application was not malicious (Par. [0046], A corresponding one of the processes 402 that issued the communication is allowed by the threat manager 408 to continue (block 514) because it did not present a threat (i.e. not malicious). After managing the threat at block 510 or after the process 402 continues at block 514, the example process of FIG. 5 ends.) and store the information in the communication log (Par. [0022], The malicious applications reference system 210 can log the reporting and monitor for similar reportings from the same or other endpoint devices. In this manner, when a threshold number of reportings are logged, a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source.); 
determine, based at least in part on the communications identified in the communication log (Par. [0022], a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source), that a probability that the third application is malicious is less than the lower threshold (Par. [0046], Otherwise, if the threat monitor determines at block 508 that the communication is not a threat, the example threat manager 408 allows the communication (block 512). A corresponding one of the processes 402 that issued the communication is allowed by the threat manager 408 to continue (block 514) because it did not present a threat); and 
Gangadharan discloses determining that a communication is not malicious and taking actions based on the determination such as allowing the communication. Gangadharan fails to disclose changing trust levels of applications in response to the determination.
However, G Rao teaches a memory configured to store, a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches in response to determining that the probability that the third application is malicious is less than the lower threshold, move the third application from the fourth list to the first list (Par. [0061], While the feedback 146 includes the reviewer's change to the overall categorization of the application 150 from one of the vulnerable, potentially vulnerable and safe to another categorization, it can be appreciated that such categorization is based on the upper and lower trust threshold values. These trust thresholds values depend on the severities of the corresponding rulesets implemented by the scoring system 100 for the application 150. Therefore, a change to the categorization of the application 150 results in corresponding changes to the severity thresholds of the rulesets. The feed forward neural network 362 is configured to identify new severity values for individual rulesets based on the training data 148 which includes the historical data 350.).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan, G Rao and Bahrenburg in claim 5 by moving applications from one trust level to another. Such modification helps secure networks, since the security state of applications can change and it is important to reflect that in the trust level.

Regarding claim 7, the combination of Gangadharan, G Rao and Bahrenburg teaches the apparatus of claim 1, 
Gangadharan in the combination discloses using a communication log to determine if a communication is malicious. The combination fails to teach using neural networks.
However, G Rao further teaches wherein determining that the probability that the communication destined for the first application is malicious is greater than the threshold comprises applying a recurrent neural network (Par. [0047], The automatic adjuster 306 includes ML components such as a feed forward neural network 362 that is trained via supervised training on historical data 350 to automatically adjust one or more of the priority of the criteria, the severity of the associated rulesets and the lower and upper trust threshold values based on the feedback 146. The historical data 350 can include the categorizations produced by the scoring system 100 for the previously-scored applications and the corresponding categorizations provided by the reviewer for the previously-scored applications.).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combined teaching of Gangadharan and G Rao in claim 1 by applying neural networks to adjust threshold levels for applications and consequently determine if a communication between applications is malicious or not. Such modification will provide the benefit of self-learning and high processing capacity of neural networks to dynamically update applications' trust levels and determine their maliciousness.

Regarding claim 8, Gangadharan discloses A method (Par. [0057], The disclosed methods, apparatus and articles of manufacture improve the efficiency of using a computing device by employing a disclosed monitoring agent to detect threats and prevent attacks at the data link layer) comprising: 
determining that a second application transmitted a communication destined for a first application (Par. [0044], The example connection detector 404 analyzes the data link layer (Layer 2) communication (block 504) to determine whether it is a request for a connection to the endpoint device 204 (FIGS. 2 and 3) at the data link layer (Layer 2). For example, the connection detector 404 monitors communications at the data link layer (Layer 2) from applications (e.g., the Application-5 208 of FIG. 2 and/or applications on the external computer 302 and/or the local endpoint device 304 of FIG. 3) to detect requests to establish data link layer (Layer 2) connections in the endpoint device 204. To detect such connection requests, the example connection detector 404 may employ the dynamic tracer 410 and/or the raw socket interface monitor 412 using techniques described above. For example, the connection detector 404 may employ the dynamic tracer 410 by using one or more operating system APIs to monitor communications from ones of the processes 402 (FIG. 4) that issue file open requests to a particular file (e.g., file open requests to a /dev/bpf0 character file using bpf, etc.) which allows connection via the data link layer (Layer 2).);
determining, based at least in part on communications identified in a communication log, that a probability that the communication destined for the first application is malicious is greater than a threshold (Par. [0022], In some examples, a confirmation of a malicious source can be logged in the malicious applications reference system 210 when a threshold number of endpoint devices report erroneous or undesired operating conditions attributable to the malicious source. For example, when a program attempts an unauthorized access to a secure area in an endpoint device, the endpoint device reports the attempted access to the malicious applications reference system 210. The malicious applications reference system 210 can log the reporting and monitor for similar reporting from the same or other endpoint devices. In this manner, when a threshold number of reporting are logged, a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source.); and 
57520572 ATTORNEY DOCKET PATENT APPLICATION 015444.1706
in response to determining that the probability that the communication destined for the first application is malicious is greater than the threshold (Par. [0046], If the threat monitor 406 determines at block 508 that the communication is a threat), prevent the communication destined for the first application from reaching the computer system on which the first application is installed (Par. [0046], the example threat manager 408 manages the threat (block 510) by generating a notification to prompt a user (e.g., a network administrator) about the threat and/or blocking the communication.); and 
Gangadharan discloses a method comprising receiving a communication from a second application to a first application and determining that the probability that the communication destined for the first application is malicious is greater than a threshold based on a communication log. Gangadharan fails to disclose determining if the first application and the second application are assigned different trust levels before checking a communication log. 
However, Bahrenburg teaches determining that a second application sends a communication destined for a first application (Par. [0067]).
Bahrenburg further teaches determining that the first application and the second application are assigned to different trust levels of the set of trust levels (Par. [0087], In some implementations, the directory service verifies that the requesting tenant (i.e. second application) and/or target tenant (i.e. first application) are members of the trust group identified in the system request at 358. More particularly, the directory service may ascertain, from the system request, the identity of the trust group to which the tenant request was directed and verify that the target tenant trusts the requesting tenant or the trust group to which the requesting tenant belongs. For example, the directory service may verify that the requesting tenant is a member of the trust group identified in the tenant request using the registry. As described above, the directory service may access the group membership information associated with the trust group and apply the group membership information to determine whether requesting tenant is a member of the trust group.); and 
in response to determining that the first application and the second application are assigned to different trust levels (Par. [0088], More particularly, the intermediate system may apply a set of permissions associated with the requesting tenant and/or the target tenant, maintained in the registry, to determine whether the requesting tenant is permitted to access the data or application. The set of permissions may be retrieved by looking up an identifier of the target tenant and/or an identifier of the requesting tenant.), and prior to the communication destined for the first application reaching the computer system of the first application (Fig. 3B, Block 360 comes prior to block 368): 
Gangadharan and Bahrenburg are analogous references to the claimed invention as they both pertain to an apparatus configured to receive a request for communication between applications and determine if the communication is malicious or not. Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gangadharan by determining if the first and second applications belong to the same trust level (trust group) and performing actions in response to the determination as taught by Bahrenburg. Such modifications allow securing networks, including enterprise networks and multi-tenant systems, by allowing communication between applications that belong to a given trust group established by the system (Bahrenburg, Par. [0021]).
The combination of Gangadharan and Bahrenburg teaches a first and second application, but fails to explicitly teach the first and second applications are assigned a first and second trust level indicating the probability of maliciousness.
However, G Rao teaches a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches wherein: each application of the first list of applications is assigned to a first trust level of a set of trust levels, the assignment of the application to the first trust level indicating that a probability that the application is malicious is less than a lower threshold (Par. [0059], If it is determined at 458 that the application 150 is not positioned between the lower trust threshold value and the upper trust threshold value, it is determined that the application is above the upper trust threshold and hence that the application 150 is categorized as safe for publication at 464. ); 
each application of the second list of applications is assigned to a second trust level of the set of trust levels, the assignment of the application to the second trust level indicating that a probability that the application is malicious is greater than the lower threshold (Par. [0059], If it is determined at 452 that the position of the application 150 on the scoring scale 134 is not below the lower trust threshold value, it is further determined at 458 if the application 150 is positioned between the lower trust threshold value and the upper trust threshold value. If yes, then the application 150 is categorized as potentially vulnerable at 460 and a communication with the results 142 and suggestions for improvement of the application 150 under the tenets is transmitted at 462.); and 
each application of the first list of applications and the second list of applications belongs to a set of applications (Par. [0049], The method begins at 402 wherein the application files 152 of the application 150 to be scored and tested are received.), wherein each application of the set of applications is installed on a computer system of a set of computer systems (Par. [0045], The application trust score obtained above from Eq. (1) is indicative of the extent to which the application 150 can be trusted when installed in a user's device), 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan and Bahrenburg by sorting applications into separate lists as taught by G Rao. Such modification allows better management of a large number of applications by classifying them into trust groups, such as in enterprise networks.
Regarding claim 15, Gangadharan discloses A system (Par. [0020], A dynamic application testing and scoring system) comprising: 
a first computer system on which a first application is installed, the first computer system located on a network (Par. [0015], In FIG. 1, the firewall 104 monitors communications exchanged between the endpoint device 102 and other devices connected via a network 106 such as the Internet. The firewall 104 protects against malicious, unwanted, and/or unauthorized communications corresponding to Application-1 108 and Application-2 110.); 
a second computer system on which a second application is installed, the second computer system located on the network (Par. [0015], In FIG. 1, the firewall 104 monitors communications exchanged between the endpoint device 102 and other devices connected via a network 106 such as the Internet. The firewall 104 protects against malicious, unwanted, and/or unauthorized communications corresponding to Application-1 108 and Application-2 110.); 
a memory configured to store (Par. [0023], In some examples, the entirety of and/or a portion of the malicious applications reference system 210 is cached in a memory of the endpoint device 204 for faster access and/or offline access by the monitoring agent 202. For example, a subset of entries from the malicious applications reference system 210 may be selected for local caching in a memory of the endpoint device 204 based on most relevancy to applications likely to be executed in the endpoint device 204. For example, if the endpoint device 204 is a tablet computer, it may cache entries from the malicious applications reference system 210 corresponding to mobile apps, whereas if the endpoint device 204 is a server, it may cache entries from the malicious applications reference system 210 corresponding to server programs, database applications, etc. In yet other examples, the malicious applications reference system 210 database is fully implemented and stored in the endpoint device 204.): 

a first list of applications comprising a first application (Par. [0019-0022] disclose an application reference system 210 containing application of different trust levels. For example, Par. [0020], Privilege levels define whether processes (i.e. first list) can access system-level information); and 
a second list of applications comprising a second application (Par. [0020], Privilege levels define whether processes (i.e. second list) can access … only user-level information), wherein: 
each computer system of the set of computer systems located on a network (Par. [0015], In FIG. 1, the firewall 104 monitors communications exchanged between the endpoint device 102 and other devices connected via a network 106 such as the Internet.); and 
a communication log comprising information identifying communications that have occurred over the network (Par. [0023], For example, the malicious applications reference system 210 may be implemented using a network-accessible cloud-based server that stores characteristics and metadata about malicious sources such as malicious applications, programs, websites, network communications, and/or processes.); and 
a hardware processor communicatively coupled to the memory (Par. [0050], The processor 712 of the illustrated example is in communication with a main memory including a volatile memory 714 and a non-volatile memory 716 via a bus 718), the hardware processor configured to: 
determine that the second application transmitted a communication destined for the first application (Par. [0044], The example connection detector 404 analyzes the data link layer (Layer 2) communication (block 504) to determine whether it is a request for a connection to the endpoint device 204 (FIGS. 2 and 3) at the data link layer (Layer 2). For example, the connection detector 404 monitors communications at the data link layer (Layer 2) from applications (e.g., the Application-5 208 of FIG. 2 and/or applications on the external computer 302 and/or the local endpoint device 304 of FIG. 3) to detect requests to establish data link layer (Layer 2) connections in the endpoint device 204. To detect such connection requests, the example connection detector 404 may employ the dynamic tracer 410 and/or the raw socket interface monitor 412 using techniques described above. For example, the connection detector 404 may employ the dynamic tracer 410 by using one or more operating system APIs to monitor communications from ones of the processes 402 (FIG. 4) that issue file open requests to a particular file (e.g., file open requests to a /dev/bpf0 character file using bpf, etc.) which allows connection via the data link layer (Layer 2).); 
determine, based at least in part on the communications identified in the communication log, that a probability that the communication destined for the first application is malicious is greater than a threshold (Par. [0022], In some examples, a confirmation of a malicious source can be logged in the malicious applications reference system 210 when a threshold number of endpoint devices report erroneous or undesired operating conditions attributable to the malicious source. For example, when a program attempts an unauthorized access to a secure area in an endpoint device, the endpoint device reports the attempted access to the malicious applications reference system 210. The malicious applications reference system 210 can log the reporting and monitor for similar reporting from the same or other endpoint devices. In this manner, when a threshold number of reporting are logged, a ML process and/or a person (e.g., an administrator) can inspect the program responsible for the logged unauthorized access attempts to determine whether the program is actually a malicious source.); and 
in response to determining that the probability that the communication destined for the first application is malicious is greater than the threshold (Par. [0046], If the threat monitor 406 determines at block 508 that the communication is a threat), prevent the communication destined for the first application from reaching the computer system of the first application (Par. [0046], the example threat manager 408 manages the threat (block 510) by generating a notification to prompt a user (e.g., a network administrator) about the threat and/or blocking the communication.)
Gangadharan discloses an apparatus configured to receive a communication from a second application to a first application and determine that the probability that the communication destined for the first application is malicious is greater than a threshold based on a communication log. Gangadharan fails to disclose determining if the first application and the second application are assigned different trust levels before checking a communication log. 
However, Bahrenburg teaches determining that a second application sends a communication destined for a first application (Par. [0067]).
Bahrenburg further teaches determine that the first application and the second application are assigned to different trust levels of the set of trust levels (Par. [0087], In some implementations, the directory service verifies that the requesting tenant (i.e. second application) and/or target tenant (i.e. first application) are members of the trust group identified in the system request at 358. More particularly, the directory service may ascertain, from the system request, the identity of the trust group to which the tenant request was directed and verify that the target tenant trusts the requesting tenant or the trust group to which the requesting tenant belongs. For example, the directory service may verify that the requesting tenant is a member of the trust group identified in the tenant request using the registry. As described above, the directory service may access the group membership information associated with the trust group and apply the group membership information to determine whether requesting tenant is a member of the trust group.); and 
in response to determining that the first application and the second application are assigned to different trust levels (Par. [0088], More particularly, the intermediate system may apply a set of permissions associated with the requesting tenant and/or the target tenant, maintained in the registry, to determine whether the requesting tenant is permitted to access the data or application. The set of permissions may be retrieved by looking up an identifier of the target tenant and/or an identifier of the requesting tenant.), and prior to the communication destined for the first application reaching the computer system of the first application (Fig. 3B, Block 360 comes prior to block 368): 
Gangadharan and Bahrenburg are analogous references to the claimed invention as they both pertain to an apparatus configured to receive a request for communication between applications and determine if the communication is malicious or not. Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gangadharan by determining if the first and second applications belong to the same trust level (trust group) and performing actions in response to the determination as taught by Bahrenburg. Such modifications allow securing networks, including enterprise networks and multi-tenant systems, by allowing communication between applications that belong to a given trust group established by the system (Bahrenburg, Par. [0021]).
The combination of Gangadharan and Bahrenburg teaches a memory storing a list of applications, but fails to expressly disclose the applications are stored as first and second lists where the lists are assigned a first and second trust level respectively. 
However, G Rao teaches a memory configured to store, a first list of applications and a second list of applications (Par. [0116]).
G Rao further teaches wherein: each application of the first list of applications is assigned to a first trust level of a set of trust levels, the assignment of the application to the first trust level indicating that a probability that the application is malicious is less than a lower threshold (Par. [0059], If it is determined at 458 that the application 150 is not positioned between the lower trust threshold value and the upper trust threshold value, it is determined that the application is above the upper trust threshold and hence that the application 150 is categorized as safe for publication at 464. ); 
each application of the second list of applications is assigned to a second trust level of the set of trust levels, the assignment of the application to the second trust level indicating that a probability that the application is malicious is greater than the lower threshold (Par. [0059], If it is determined at 452 that the position of the application 150 on the scoring scale 134 is not below the lower trust threshold value, it is further determined at 458 if the application 150 is positioned between the lower trust threshold value and the upper trust threshold value. If yes, then the application 150 is categorized as potentially vulnerable at 460 and a communication with the results 142 and suggestions for improvement of the application 150 under the tenets is transmitted at 462.); and 
each application of the first list of applications and the second list of applications belongs to a set of applications (Par. [0049], The method begins at 402 wherein the application files 152 of the application 150 to be scored and tested are received.), wherein each application of the set of applications is installed on a computer system of a set of computer systems (Par. [0045], The application trust score obtained above from Eq. (1) is indicative of the extent to which the application 150 can be trusted when installed in a user's device), 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the combination of Gangadharan and Bahrenburg by sorting applications into separate lists as taught by G Rao. Such modification allows better management of a large number of applications by classifying them into trust groups, such as in enterprise networks.

Method claim 9 is related to the method using the apparatus as claimed in apparatus claim 2. Therefore, method claim 9 is rejected for the same reason of obviousness as claim 2 above.

Method claim 10 is related to the method using the apparatus as claimed in apparatus claim 3. Therefore, method claim 10 is rejected for the same reason of obviousness as claim 3 above.

Method claim 11 is related to the method using the apparatus as claimed in apparatus claim 4. Therefore, method claim 11 is rejected for the same reason of obviousness as claim 4 above.

Method claim 12 is related to the method using the apparatus as claimed in apparatus claim 5. Therefore, method claim 12 is rejected for the same reason of obviousness as claim 5 above.

Method claim 13 is related to the method using the apparatus as claimed in apparatus claim 6. Therefore, method claim 13 is rejected for the same reason of obviousness as claim 6 above.

Method claim 14 is related to the method using the apparatus as claimed in apparatus claim 7. Therefore, method claim 14 is rejected for the same reason of obviousness as claim 7 above.

System claim 16 is related to the system using the apparatus as claimed in apparatus claim 2. Therefore, system claim 16 is rejected for the same reason of obviousness as claim 2 above.

System claim 17 is related to the system using the apparatus as claimed in apparatus claim 3. Therefore, system claim 17 is rejected for the same reason of obviousness as claim 3 above.

System claim 18 is related to the system using the apparatus as claimed in apparatus claim 4. Therefore, system claim 18 is rejected for the same reason of obviousness as claim 4 above.

System claim 19 is related to the system using the apparatus as claimed in apparatus claim 5. Therefore, system claim 19 is rejected for the same reason of obviousness as claim 5 above.

System claim 20 is related to the system using the apparatus as claimed in apparatus claim 6. Therefore, system claim 20 is rejected for the same reason of obviousness as claim 6 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Samadani (U.S. Patent Application Publication No. 20180131705 A1) teaches a method of receiving network activity data and associating subsequent network traffic data with malicious activity based on previous data.
Yadav (U.S. Patent Application Publication No. 20160359695 A1) teaches a method of receiving network data and identifying anomalies using dynamic modeling. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 7:30 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 2496

/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496