DETAILED ACTION
	This Office Action is in response to the Amendment filed on 09/06/2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 06/13/2022 have been fully considered but they are not persuasive. 
Regarding claim 1, on pages 8-9, Applicant argues that Bowers and Neystadt do not disclose the newly added limitation “...file tree structure permission settings...”.
In response, Examiner respectfully disagrees. Bowers discloses the integrity checking modules include rules to identify potential unauthorized creation, modification, deletion and/or access of a file as a potential threat to the integrity of a computing device (at least [0054].) As such, these rules correspond to the recited “file tree structure permission settings” because a compromised device model is determined based on these rules/settings. In other words, when a device model has settings/rules that match those of the rules of the integrity checking modules, then the device model is identified as compromised.
Bowers does not explicitly disclose the file tree structure permission settings information is from a plurality of known compromised devices.  
However, Neystadt discloses a concept in which permission settings information is populated from a plurality of known compromised devices ([0027]-[0029][0031] [0034], attacks from adversaries are populated from a plurality of unified threat management systems (UTMs).)
As such, contrary to the Applicant’s arguments, Bowers and Neystadt disclose all the limitations of claim 1 above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bowers et al. (US 2017/0147827 A1-hereinafter Bowers) and in view of Neystadt et al. (US 2008/0256622 A1-hereinafter Neystadt.)
Regarding claim 1, Bowers discloses a computer-implemented method of determining whether a computing device has been compromised, the method comprising: 
obtaining file tree structure information for the computing device, wherein the file tree structure information details at least a portion of a tree-based structure of folders and files in a memory on the computing device (at least [0033][0037][0041][0043]-[0047], i.e.: information for operating system is obtained, operating system details at least a portion of (system portion) folders and files stored on the communication device); 
determining from the file tree structure information that the computing device is compromised (at least [0047]-[0060][0078][0080], i.e.: from information for the operating system, the communication device is determined to be compromised), the determining including matching a permission setting on the computing device and a compromised permission setting in a compromised device model trained with a training set populated by file tree structure permission settings information (at least [0053]-[0055][0060]-[0061][0066], i.e.: device is defined as being compromised or altered, when a permission which should be set as inaccessible has been altered and set to accessible as heuristically trained by the rules of the integrity checking module); and 
based on the determination that the computing device has been compromised, taking an action (at least [0087], based on information that the communication device is compromised, corrective action is taken.)
	Bowers does not explicitly disclose the file tree structure permission settings information is populated by information from a plurality of known compromised devices;
	However, Neystadt discloses a concept in which permission settings information is populated from a plurality of known compromised devices (at least [0027]-[0029][0031][0034], detected URLs and/or IP addresses associated with attacks from adversaries are populated from a plurality of unified threat management systems (UTMs).)
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature disclosed by Neystadt into the method of Bowers to dynamically identify adversaries while reducing false positives.

Regarding claim 2, Bowers and Neystadt disclose the computer-implemented method of claim 1. Bowers also discloses file tree structure information includes permissions associated with folders and files in the portion of the tree-based structure (i.e.: [0035][0043], the information for the operating system includes user profiles that users access and permissions in the operating system.)

Regarding claim 3, Bowers and Neystadt disclose the computer-implemented method of claim 2. Bowers also discloses the determining includes identifying a match between a permission setting of a file or folder on the computing device and a compromised permission setting for that file or folder in a model (at least [0053], i.e.: when a user who is not authorized to access a file, accesses the file.)
Regarding claim 4, Bowers and Neystadt disclose the computer-implemented method of claim 2. Bowers also discloses the determining includes identifying a difference between a permission setting of a file or folder on the computing device and an expected permission setting for that file or folder prescribed by an uncompromised device model (at least [0053], when a user accesses a file, but the user is not authorized to access the file.)

Regarding claim 5, Bowers and Neystadt disclose the computer-implemented method of claim 2. Bowers also discloses the determining includes determining that a file or folder within a privileged memory space is accessible (at least [0041], i.e.: system portion is accessible.)

Regarding claim 6, Bowers and Neystadt disclose the computer-implemented method of claim 1. Bowers also discloses a model prescribes an expected tree-based structure of an uncompromised device and wherein the determining includes identifying a deviation between the portion of the tree-based structure and the expected tree-based structure (at least [0046]-[0078], i.e. information found during integrity checks is not consistent with previous checks.)

Regarding claim 7, Bowers and Neystadt disclose the computer-implemented method of claim 1. Bowers also discloses one or more models prescribe expected tree-based structures of compromised devices and wherein the determining includes matching the portion of the tree-based structure to one of the expected tree-based structures (at least [0046]-[0078], one or more parameters that are outside of predefined threshold are set as compromised. So, when an integrity check is performed, and the result matches that of a parameter that is outside of the predefined threshold, the communicating device is determined to be compromised.) 

Regarding claim 8, Bowers and Neystadt disclose the computer-implemented method of claim 1. Bowers also discloses wherein the portion of the tree-based structure excludes user-specific folders (at least figures 3, 4A & 4B, [0039]-[0041], system portion does not include user portion.)

Regarding claim 9, Bowers and Neystadt disclose the computer-implemented method of claim 1. Bowers also discloses the taking an action comprises at least one of sending a message to a remote device regarding the compromised computing device (at least [0087], output information identifying that the communicating device is compromised.)

Claim 10 is rejected for the same rationale as claim 1.  In addition, Bowers also discloses a processor, a memory, and a device analysis application (at least figures 1, 2 & 4B, [0019][0028], processor, memory, server and integrity checking module.)

Claim 11 is rejected for the same rationale as claim 2.
Claim 12 is rejected for the same rationale as claim 3.
Claim 13 is rejected for the same rationale as claim 4.
Claim 14 is rejected for the same rationale as claim 5. In addition, Bowers also discloses unprivileged space (at least figures 3 & 4A, user portion.)
Claim 15 is rejected for the same rationale as claim 6.
Claim 16 is rejected for the same rationale as claim 7.
Claim 17 is rejected for the same rationale as claim 8.
Claim 18 is rejected for the same rationale as claim 9.

Regarding claim 19, Bowers and Neystadt disclose the electronic device claimed in claim 10. Bowers also discloses the computing device comprises one of the computing device (at least figures 1 & 2, [0019]-[0020], communicating device.)

Claim 20 is rejected for the same rationale as claims 1 & 10 above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHY ANH TRAN VU whose telephone number is (571)270-7317. The examiner can normally be reached Monday-Friday 7 am-1 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PHY ANH T VU/Primary Examiner, Art Unit 2438