Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
This action is in response to original filings made on 2/22/2021. Claims 1-20 are pending.
Specification (Abstract)
Applicant is reminded of the proper language and format for an abstract of the disclosure. Legal language, such as, but not limited to, “embodiments”, should be avoided.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1, 8 and 15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,984,098 (’098 hereinafter). Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the following:
(17/182104) A system, comprising: a processor configured to: monitor a process executed on a computing device; detect an unauthorized change in a cached initial token value associated with the process, wherein the cached initial token value is checked for changes in response to a trigger event; and perform an action based on a policy in response to the unauthorized change in the cached initial token value associated with the process, wherein the policy comprises a whitelisted set of processes, and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action; and a memory coupled to the processor and configured to provide the processor with instructions;
maps to (’098) monitor a process executed on a computing device; detect an unauthorized change in a token value associated with the process, wherein the token value corresponds to an identifier of the process, and wherein the detecting of the unauthorized change in the token value comprises to: cache an initial token value associated with the process; and check for token value changes in response to a trigger event, comprising to: compare the cached initial token value with another token value associated with another process; and in response to a determination that the cached initial token value matches the other token value, determine that the token value has changed; and perform an action based on a policy in response to the unauthorized change in the token value associated with the process, wherein the policy comprises a whitelisted set of processes, and wherein the performing of the action comprises to: compare the process with one or more processes of the whitelisted set of processes; and in response to a determination that the process matches the one or more processes, omit performing the action; and a memory coupled to the processor and configured to provide the processor with instructions.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over AISSI et al. (US Patent Publication No. 2014/0331279 and AISSI hereinafter) in view of Chen et al. (US Patent Publication No. 2015/0220455 and Chen hereinafter).

As to claims 1, 8 and 15, AISSI teaches a system, comprising: 
a processor configured to: monitor a process executed on a computing device (i.e., …teaches in par. 0195 the following: “the process 1100 may detect an event related to a change in state of the memory allocated for the application”); 
and perform an action based on a policy in response to the unauthorized change in the cached initial token value associated with the process (i.e., …teaches in par. 0196 the following: “the process 1100 may use the security policy to select an action to perform in response to the detected event. The security policy may indicate actions for a security service to provide for managing memory for an application. For example, a security policy (e.g., the security policy 702) may indicate actions, such as modifying the memory according to memory management actions to prevent a potential unauthorized access to the memory. In particular, the security policy (e.g., the security policy 702) may indicate criteria (e.g., different states or conditions) when the security service and corresponding actions should be performed.”), 
and a memory coupled to the processor and configured to provide the processor with instructions (figure 2 of AISSI teaches memory and processor). 

AISSI does not expressly teach:
detect an unauthorized change in a cached initial token value associated with the process, 
wherein the cached initial token value is checked for changes in response to a trigger event; 
wherein the policy comprises a whitelisted set of processes, 
and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action. 
In this instance the examiner notes the teachings of prior art reference Chen. 
With regards to applicant’s claim limitation element of, “detect an unauthorized change in a cached initial token value associated with the process”, Chen teaches in par. 0082 the following: “an attacker may attempt to modify the cred structure 220 to modify the privilege of malicious programs, applications, processes, and/or the like by modifying the uid and the gid values 240.”.
With regards to applicant’s claim limitation element of, “wherein the cached initial token value is checked for changes in response to a trigger event”, Chen teaches in par. 0081 the following: “the entry for `const struct cred` in the task_struct 210 points to the corresponding entry in the cred structure 220. The uid and gid values 240 in the cred structure define the privilege level of the running application (or user process) associated with that task_struct. For example, a uid value of 0 allows the application or process to gain root (Administrative) privilege of the system.”.
With regards to applicant’s claim limitation element of, “wherein the policy comprises a whitelisted set of processes”, Chen teaches in par. 0099 the following: “running processes in relation to whether the running process is allowed to run with administrator privileges or not or whether they are on a whitelist or a black list regarding gaining this administrator privilege.”. 
With regards to applicant’s claim limitation element of, “and wherein the performing of the action comprises to compare the process with one or more processes of the whitelisted set of processes to determine whether to perform the action”, Chen teaches in par. 0099 the following: “running processes in relation to whether the running process is allowed to run with administrator privileges or not or whether they are on a whitelist or a black list regarding gaining this administrator privilege.”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise process id tracking. One would have been motivated to do so to provide a simple and effective means to further determine system intrusion, wherein the process id tracking helps identify questionable processes to make it easier to ensure system integrity.
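To make the claimed mechanism concrete, the following is an added simulation of the claim 1 limitations as they are mapped above (cache an initial token value per process, re-check it on a trigger event, treat a token that now matches another process's token as an unauthorized change, and apply a whitelist policy before acting). It is not code from this office action, from the ’098 patent, or from AISSI or Chen; the process names, token strings, trigger-event names, and the kill/alert/none policy are constructed assumptions for illustration.

```python
"""Token-change monitor simulation (added example; not the patent's or a cited reference's code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

# Trigger events named in dependent claims 2, 9 and 16; other events do not cause a check.
TRIGGER_EVENTS = {"process_create", "thread_create", "registry_op", "file_op"}


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    token: str            # constructed opaque token identifier (stands in for a cred/uid or access token)
    kernel: bool = False  # True if this token carries kernel-level privilege


class TokenMonitor:
    """Caches each monitored process's initial token and re-checks it on trigger events."""

    def __init__(self, whitelist: Set[str]) -> None:
        self.whitelist = frozenset(whitelist)          # policy: whitelisted process names
        self._initial: Dict[int, str] = {}             # pid -> cached initial token value
        self._reported: Set[Tuple[int, str]] = set()   # (pid, token) pairs already acted on

    def monitor(self, proc: Process) -> None:
        # Cache the initial token the first time a process is seen; never overwrite it.
        self._initial.setdefault(proc.pid, proc.token)

    def on_event(self, event: str, table: Dict[int, Process]) -> List[dict]:
        """Re-check every cached token against the current process table; return findings."""
        if event not in TRIGGER_EVENTS:
            return []
        findings = []
        for pid, initial in self._initial.items():
            proc = table.get(pid)
            if proc is None or proc.token == initial:
                continue  # process gone, or token unchanged
            if (pid, proc.token) in self._reported:
                continue  # already acted on this particular change
            self._reported.add((pid, proc.token))
            # ’098-style check: does the new token value match some other process's token?
            donors = [p for p in table.values() if p.pid != pid and p.token == proc.token]
            findings.append(self._apply_policy(proc, initial, donors, event))
        return findings

    def _apply_policy(self, proc: Process, initial: str, donors: List[Process], event: str) -> dict:
        if proc.name in self.whitelist:
            action = "none"   # whitelisted process: omit performing the action
        elif any(d.kernel for d in donors):
            action = "kill"   # token now matches a kernel-privileged process (claims 4/11/18 scenario)
        else:
            action = "alert"  # any other unauthorized change: generate an alert (claims 7/14)
        return {
            "pid": proc.pid, "name": proc.name, "initial": initial, "current": proc.token,
            "donor_pids": [d.pid for d in donors], "trigger": event, "action": action,
        }


def run_scenario() -> List[dict]:
    """Constructed process table and event sequence; returns the monitor's findings in order."""
    table = {
        4: Process(4, "system", "tok-system", kernel=True),
        100: Process(100, "shell", "tok-user-a"),
        200: Process(200, "backup-agent", "tok-user-b"),
        300: Process(300, "updater", "tok-user-c"),
    }
    mon = TokenMonitor(whitelist={"backup-agent"})
    for p in table.values():
        mon.monitor(p)

    findings: List[dict] = []
    findings += mon.on_event("file_op", table)  # nothing has changed yet: no findings

    # Constructed changes: the shell's token now equals the kernel-privileged system token,
    # and the whitelisted backup agent's token now equals the updater's token.
    table[100] = replace(table[100], token="tok-system")
    table[200] = replace(table[200], token="tok-user-c")
    findings += mon.on_event("process_create", table)

    # The updater's token changes to a value held by no other process.
    table[300] = replace(table[300], token="tok-new")
    findings += mon.on_event("network_op", table)   # not a trigger event: no check performed
    findings += mon.on_event("registry_op", table)
    return findings


if __name__ == "__main__":
    for f in run_scenario():
        print(f"pid {f['pid']} ({f['name']}): {f['initial']} -> {f['current']} "
              f"donors={f['donor_pids']} on {f['trigger']} => {f['action']}")
```

Running the scenario yields three findings: the shell (pid 100) is killed because its token now matches the kernel-privileged system process, the backup agent (pid 200) is detected but no action is performed because it is on the whitelist, and the updater (pid 300) produces an alert because its token changed without matching any other process. The `network_op` event causes no check, which is the point of gating the comparison on trigger events rather than polling continuously.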

As to claims 2, 9 and 16, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring, specifically AISSI teaches a system of claim 1, wherein the trigger event includes a new process creation, a thread creation, a registry operation, a file operation, or any combination thereof (i.e., …teaches in par. 0195 the following: “To provide a secure environment and protect sensitive data, the memory management services 340 may detect the change in state in order to identify an attempt to access or modify storage of sensitive data for the application.”).

As to claims 3, 10 and 17, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring; however, AISSI does not expressly teach the system of claim 1, wherein the processor is further configured to: detect an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device.
In this instance the examiner notes the teachings of prior art reference Chen.
Chen teaches in par. 0081 the following: “the entry for `const struct cred` in the task_struct 210 points to the corresponding entry in the cred structure 220. The uid and gid values 240 in the cred structure define the privilege level of the running application (or user process) associated with that task_struct. For example, a uid value of 0 allows the application or process to gain root (Administrative) privilege of the system.”. Chen teaches in par. 0082 the following: “an attacker may attempt to modify the cred structure 220 to modify the privilege of malicious programs, applications, processes, and/or the like by modifying the uid and the gid values 240.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise process id tracking. One would have been motivated to do so to provide a simple and effective means to further determine system intrusion, wherein the process id tracking helps identify questionable processes to make it easier to ensure system integrity.

As to claims 4, 11 and 18, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring; however, AISSI does not expressly teach the system of claim 1, wherein the processor is further configured to: detect an attempt to change the cached initial token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.
In this instance the examiner notes the teachings of prior art reference Chen.
Chen teaches in par. 0081 the following: “the entry for `const struct cred` in the task_struct 210 points to the corresponding entry in the cred structure 220. The uid and gid values 240 in the cred structure define the privilege level of the running application (or user process) associated with that task_struct. For example, a uid value of 0 allows the application or process to gain root (Administrative) privilege of the system.”. Chen teaches in par. 0082 the following: “an attacker may attempt to modify the cred structure 220 to modify the privilege of malicious programs, applications, processes, and/or the like by modifying the uid and the gid values 240.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise process id tracking. One would have been motivated to do so to provide a simple and effective means to further determine system intrusion, wherein the process id tracking helps identify questionable processes to make it easier to ensure system integrity.

As to claims 5, 12 and 19, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring; however, AISSI does not expressly teach the system of claim 1, wherein the processor is further configured to: perform a protection action based on the policy in response to the unauthorized change in the cached initial token value associated with the process.
In this instance the examiner notes the teachings of prior art reference Chen.
Chen teaches in par. 0081 the following: “the entry for `const struct cred` in the task_struct 210 points to the corresponding entry in the cred structure 220. The uid and gid values 240 in the cred structure define the privilege level of the running application (or user process) associated with that task_struct. For example, a uid value of 0 allows the application or process to gain root (Administrative) privilege of the system.”. Chen teaches in par. 0082 the following: “an attacker may attempt to modify the cred structure 220 to modify the privilege of malicious programs, applications, processes, and/or the like by modifying the uid and the gid values 240.”. Chen teaches in par. 0125 the following: “a set of functions in Linux kernel that modifies the cred structure (e.g., commit_creds( ), copy_creds( ), override_creds( )/revert_creds( )), may be instrumented to invoke the SEA. According to various embodiments of the present disclosure, the SEA may verify whether the modification is legal (e.g., under a whitelist policy,”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise process id tracking. One would have been motivated to do so to provide a simple and effective means to further determine system intrusion, wherein the process id tracking helps identify questionable processes to make it easier to ensure system integrity.

As to claims 6, 13 and 20, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring; however, AISSI does not expressly teach the system of claim 1, wherein the processor is further configured to: kill the process based on the policy in response to the unauthorized change in the cached initial token value associated with the process.
In this instance the examiner notes the teachings of prior art reference Chen.
Chen teaches in par. 0113 the following: “a write attempt to the cred_struct. If the write attempt is not detected at operation 520, the write is disallowed at operation 560 and the process ends.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise process termination. One would have been motivated to do so to provide a simple and effective means to further secure a compromised system, wherein the process termination helps stop questionable processes to make it easier to restore system integrity.

As to claims 7 and 14, the system of AISSI and Chen as applied to claim 1 above teaches process monitoring; however, AISSI does not expressly teach the system of claim 1, wherein the processor is further configured to: generate an alert based on the policy in response to the unauthorized change in the cached initial token value associated with the process.
In this instance the examiner notes the teachings of prior art reference Chen.
Chen teaches in par. 0165 the following: “may alert the user of the electronic device of the malicious event.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of AISSI with the teachings of Chen by having their system comprise intrusion notification. One would have been motivated to do so to provide a simple and effective means to further determine system intrusion, wherein the intrusion notification will help identify questionable processes to make it easier to prevent further system compromise.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/Examiner, Art Unit 2497