Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/7/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 3, 9 and 15 are objected to because of the following informalities:  
Regarding claims 3, 9 and 15, “…at first time…” should read “…at a first time…”

Appropriate correction is required.

Specification
The abstract of the disclosure is objected to because:
The abstract repeats information given in the title.
It should avoid using phrases which can be implied, i.e. “Disclosed herein…” Correction is required.  See MPEP § 608.01(b).
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The disclosure is objected to because of the following informalities:
[0010] “…at first time…” should read “…at a first time…”
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7-10 and 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hollander et al. (US Patent No. 6,412,071 B1) in view of Jianming, F., et al., "Malware Behavior Capturing Based on Taint Propagation and Stack Backtracing," 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, 2011, pp. 328-335, doi: 10.1109/TrustCom.2011.43, and Bianchi, A. “Blacksheep: A Tool for Kernel Rootkit Detection, Based on Physical Memory Crowdsourced Analysis”. University of Illinois at Chicago. 13 Dec. 2012. Web. 28 Sept. 2022. (https://hdl.handle.net/10027/9493), hereinafter Hollander, Jianming and Bianchi.

	Regarding claim 1, Hollander discloses a method for protecting against unauthorized memory dump modification, the method comprising: 
producing a memory dump of a computing device; (Hollander, 191)
identifying a current kernel function used for producing the memory dump (Hollander, 192)
in response to determining that the current kernel function is not authorized to produce the memory dump (Hollander, 196). 
Hollander is directed to detecting and preventing unauthorized attempts to gain enhanced privileges within a computing environment. The difference between the invention of the present disclosure and the prior art is Hollander does not explicitly disclose producing a memory dump, determining that the produced memory dump has been modified, analyzing a call tree to identify an original kernel function authorized to produce memory dumps, and calling the original kernel function to produce an authentic memory dump. 
However, it is noted, producing a memory dump is achieved through a privileged system call. Therefore, Hollander’s teaching of detecting a call routine is analogous to detecting system call to produce a memory dump. Furthermore, the mere presence of a memory dump in Bianchi remedies any potential deficiency of Hollander.
Bianchi teaches producing a memory dump of a computing device; (Bianchi, S-1.1.1 Pg. 2 “We propose a novel technique for detecting kernel rootkits, based on the analysis of physical memory dumps (and, if necessary, the swap area) of a running operating system.”)
determining that the produced memory dump has been modified; (Bianchi, Ch. 6.2.2 Pg. 79-80 “Any difference classified as “added outside”, “changed from inside to outside”, … is considered as suspicious since it is likely that it has been caused by a rootkit infecting m_verify”)
and calling the original kernel function to produce an authentic memory dump.  (Bianchi, Ch. 6 Pg. 70 “Trained analysis works on two sets of memory dumps: a training set, assumed to be non-infected, and a set of memory dumps [acquired] from machines to be checked.”)
Bianchi is directed to detecting rootkits by analyzing memory dumps. Bianchi does not explicitly teach analyzing memory dumps in response to the calling of a memory dump, determining if the calling was authorized or analyzing a call tree to identify an original kernel function authorized to produce memory dumps. However, the teaching of analyzing and comparing memory dumps is pertinent to the invention of the present disclosure. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hollander to incorporate the teachings of Bianchi to include producing a memory dump of a computing device; determining that the produced memory dump has been modified; and calling the original kernel function to produce an authentic memory dump. Such modifications would be motivated to automate the rootkit detection process. Bianchi,  S-1.1.1 Pg. 4.

Jianming teaches analyzing a call tree to identify an original kernel function authorized to produce memory dumps. (Jianming, S-III(B) Pg. 331, “Through resolving the stack structure, we can get the address of application’s original function calling by analyzing every stack frame… If user-level application uses standard Win32 API, a function falling in the address space of Kernel32.dll can be seen as original calling location of system calls.”)
Jianming is directed to capturing malware behavior based on a connection between system call and its module using taint propagation and stack backtracing. Jianming does not explicitly teach executing the original kernel function to produce a memory dump after it is identified. Instead, Jianming teaches terminating the stack backtracing procedure when encountering a suspicious module. However, the stack backtracing procedure is analogous to the analyzing of a call tree. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify  the combination of  Hollander and Bianchi to incorporate the teachings of Jianming to include analyzing a call tree to identify an original kernel function authorized to produce memory dumps. Such modification(s) would be motivated to determine which module the operation belongs to, and only record operations belonging to this module. Jianming, S-III(B) Pg. 331.

	Regarding claim 2, Hollander in view of Jianming and Bianchi discloses the method of claim 1 as set forth above, wherein determining that the current kernel function is not authorized to produce the memory dump comprises determining that an entry, in a dispatch table, that points to a kernel function for memory dumping has been modified.  (Bianchi, Ch. 6.2.1 Pg. 78 “Kernel entry points” and “SSDT”; Ch. 6.2.2 Pg. 80 “Any difference classified as “added outside”, “changed from inside to outside”, … is considered as suspicious since it is likely that it has been caused by a rootkit infecting m_verify”)

	Regarding claim 3, discloses Hollander in view of Jianming and Bianchi discloses the method of claim 2 as set forth above, wherein determining that the entry has been modified comprises determining that an address associated with a system call number in the dispatch table at first time does not match an address associated with the system call number at a second time.  (Bianchi, Ch. 6.2.2 Pg. 79 “changed from inside to a new module—The pointer in m verify points to a different location than in m reference. In both memory dumps it points inside a kernel module, but the module pointed in m verify is different from that pointed in m reference.”) 

	Regarding claim 4, Hollander in view of Jianming and Bianchi discloses the method of claim 1 as set forth above, wherein determining that the current kernel function is not authorized to produce the memory dump is based on determining that an address of the current kernel function is not in an operating system kernel range of the computing device.  (Bianchi, 6.2.2 Pg. 79 “changed from inside to outside—The pointer in m verify points to different locations than in m reference. In m reference it points to a kernel module, whereas in m_verify it points to a location outside any kernel module”; Pg. 80 “changed from outside to outside – different—The pointer in m verify points to a different location than in m reference. In both memory dumps it points outside any kernel module.)

	Regarding claim 5, Hollander in view of Jianming and Bianchi disclose the method of claim 1 as set forth above, wherein analyzing the call tree to identify the original kernel function comprises determining an offset indicating the original kernel function based on contents of an entry in the call tree.  (Jianming, S-III(B) Pg. 331, “Through resolving the stack structure, we can get the address of application’s original function calling by analyzing every stack frame… If user-level application uses standard Win32 API, a function falling in the address space of Kernel32.dll can be seen as original calling location of system calls.”)
It is noted, an offset may include the address itself, or may be easily calculated given the starting address of the application. The starting address of the application is already known at this point of the monitoring procedure taught by Jianming et al., see S-III(B) Pg. 330, Step 12b.


	Claims 7-11 and 13-17 are substantially similar to that of 1-5. Therefore, claims 7-11 and 13-17 are rejected on similar grounds as claims 1-5 over Hollander in view of Hunt and Bianchi.

Claims 6, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hollander in view of Jianming and Bianchi as applied to claim 1 above, and further in view of Mahapatra, C., and Selvakumar, S., "An online cross view difference and behavior based kernel rootkit detector." ACM SIGSOFT Software Engineering Notes 36.4 (2011): 1-9, hereinafter Mahapatra.

	Regarding claim 6, Hollander in view of Jianming and Bianchi discloses the method of claim 1 as set forth above, wherein determining that the current kernel function is not authorized to produce the memory dump further comprises comparing an on-disk kernel image of the computing device with an in-memory kernel image of the computing device; (Bianchi, S-2.1.5 Pg. 16 “For this reason, a possible rootkit detection method is to check if all critical components of an operating system are in their expected state.”; Pg. 17 “… the image in memory of a kernel module should be equal to the content of the file from which it is loaded.”)

Mahapatra teaches identifying modified kernel fragments used to produce the memory dump based on the comparison; and determining that the modified kernel fragments are caused by malware. (Mahapatra, S-4.1 Pg. 3 “The control module retrieves a snapshot of list of processes running and drivers loaded into the system from the Task Manager running in user mode. A comparison between snapshot of list of processes and drivers in user mode and KeRTD Process and Driver List helps to find out the hidden processes and hidden drivers which are thereafter blocked thus preventing further attacks.”)
Mahapatra is directed to detecting kernel rootkits based on cross view difference and behvaior. The system call monitor taught by Mahapatra is pertinent to the invention of the present disclosure. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hollander in view of Jianming and Bianchi to incorporate the teachings of Mahapatra to include identifying modified kernel fragments used to produce the memory dump based on the comparison; and determining that the modified kernel fragments are caused by malware. Such modifications would be motivated to detect hidden processes and drivers running in the system as rootkit. Mahapatra S-4.1 Pg. 3

	Claims 12 and 18 are substantially similar to that of 6. Therefore, claims 12 and 18 are rejected on similar grounds as claim 6 over Hollander in view of Bianchi, Jianming and Mahapatra.
	

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Jung (US Patent No. 10,628,586 B1) – Regarding detecting malware via scanning for dynamically generated function pointers in memory.
Zhang (US 2018/0114018 A1) – Regarding malware detection and classification based on semantic analysis of memory dumps of malware.
Hunt et al. (US Patent No. 9,609,005 B2) – Regarding a cross-view detection engine for detecting malware behavior.
Ring et al. (US 2005/0204205 A1) – Regarding detection of an operating system exploitation such as a rootkit install.
Korkin, Igor, and Ivan Nesterov. "Applying memory forensics to rootkit detection." arXiv preprint arXiv:1506.04129 (2015). – Regarding a memory forensic system. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-7:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.N.G./Examiner, Art Unit 2496                                                                                                                                                                                                        /JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496