Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/20/22 has been entered.
 

Claims 1-11, 24, 26, and 31-36 are pending. Claims 24 and 26 allowed. Claims 31-36 withdrawn, and Claims 1-11 rejected.  As amended, claims 31-36 are now directed to the examined invention and are thus no longer withdrawn.



Response to Arguments
Applicant’s arguments, in view of the present amendments, with respect to the previous 35 USC §112 rejection have been fully considered and are persuasive.  The rejection of claims 1-11 has been withdrawn. 


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 31, 33, and 34 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by USP Application Publication 2016/0342791 to Gonzalez et al., hereinafter Gonzalez.

As per claim 31, Gonzalez teaches sequence modeling a set of allowable computational activities (0052-0053 and 0087);
wirelessly receiving a signal emanating (0022) from a monitored device comprising hardware and running a software program, wherein the signal is representative of a set of actual computational activities during the running of the software program on the monitored device (0024 and 0034); and
comparing the set of actual computational activities to the set of the allowable computational activities (0034 and 0035);
wherein the sequence of modeling is representative of an expected normal execution of the software program running on the monitored device [reference data; 0034, 0051, and 0052]; and
wherein the sequence modeling defines the allowable computational activities during the expected normal [known good/normal/baseline] execution of the software program on the monitored device (0051 and 0052).


As per claim 33, Gonzalez teaches sequence modeling a set of allowable sequences of execution of blocks of program code [code running; 0052-0053 and 0087];
collecting training sequences of execution of blocks of program codes [trained on instruction order; 0087]; 
wirelessly receiving a signal emanating (0022) from a monitored device comprising hardware and running a software program, wherein the signal is representative of a set of actual execution of blocks of program code of the software program running on the monitored device (0024 and 0034); and
comparing the set of actual sequences of execution of blocks of program code to the set of the allowable sequences of execution of blocks of program code (0034, 0035, and 0087);
wherein the sequence of modeling is independent from analyses of the actual sequences of execution of blocks of program code [reference data; 0034, 0051, and 0052].
As per claim 34, Gonzalez teaches processing the signal to identify actual sequences of execution of blocks of program code of the software program running on the monitored device (0024 and 0034) by comparing portions of the signal representative of execution of blocks of program code to the training sequences of execution of blocks of program code (0034 and 0087).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 32, and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of USP Application Publication 2014/0324409 to Simhon et al., hereinafter Simhon.
As per claim 1, Gonzalez teaches receiving a signal from a monitored device [target device] comprising hardware and running a software program (0006); and
monitoring the signal representative of an actual execution [side-channel information] of the software program running on the monitored device based upon (0024 and 0034):
sequence modeling allowable sequences of hardware/software interaction events that is representative of an expected normal execution of the software program running on the monitored device [expected sequences, detects out of context; 0052-0053 and 0087]; and 
processing the signal representative of an actual execution of the software program running on the monitored device (0024) based upon:
the possible expected normal sequences of hardware/software interaction events of the expected normal execution of the software program running on the monitored device (0031 and 0034); and the software model (0034 and 0080).
Gonzalez is silent in explicitly teaching a probabilistic software model that accounts for all of the possible expected normal sequences of hardware/software interaction events and how likely each of the possible expected normal sequences of hardware/software is for the software program running on the monitored device.  On the other hand, these limitations are taught by Simhon as he uses a stochastic software model to determine how likely a process will cause an anomalous state (0049 and 0050).  Using the model and given the sequence of vectors detected on the monitored device, the system can determine with some probability if the device will terminate in a normal state or an anomalous state.  Gonzalez already uses input vectors as well to statistically characterize the response (0052).  Simhon also teaches creating a model for each state that an application is defined by (0051).  Thus, Simhon teaches the broad limitations of all possible expected normal sequences of hardware/software interaction events.  A sequence is characterized by some probability of being anomalous the sequence is likely to terminate in an unknown state.  Knowing this information would improve the robustness of anomaly detection in Gonzalez’ system.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.

As per claim 2, Gonzalez teaches the probabilistic software model defines the hardware/software interaction events that are possible during the expected normal execution of the program executions on the monitored device (0046 and 0047).
As per claim 3, Gonzalez teaches determining a probability that the monitored device is compromised (0036 and 0038).
As per claim 4, Gonzalez teaches determining the probability that the monitored device is compromised is based upon the monitoring of the signal representative of the actual execution of the software program running on the monitored device (0036).
As per claim 5, Gonzalez teaches determining the probability that the monitored device is compromised comprises applying signal processing to the received signal to compute the probability [confidence] that an anomalous event is uncovered within the actual execution of the program executions on the monitored device (0038 and 0041).
As per claim 6, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device [side channel info on app events]; and the expected normal execution of the software program running on the monitored device [reference data; 0034 and 0035].
As per claim 7, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device (0034); and both the expected normal execution of the software program running on the monitored device (0035 and 0087) and the expected normal execution of the set of hardware/software interaction events of the software program running on the monitored device (0046 and 0051).
As per claim 8, Gonzalez teaches performing spectral monitoring on the signal to identify a loop or program module of program code in the actual execution of the software program running on the monitored device (0028, 0031, and 0098).
As per claim 9, Gonzalez teaches determining code blocks [code segment] executed by the monitored device corresponding to the signal (0087); wherein at least one code block is selected from the group consisting of a loop and a program module [program segment/key instructions] of program code (0087).
As per claim 10, Gonzalez teaches the probabilistic software model comprises one or more of a control flow graph at basic code block granularity, instruction-level representation of the program [key instructions; 0087], and intermediate-representation of the program.

As per claim 11, Gonzalez teaches the expected normal set of hardware/software interaction events of the software program running on the monitored device is based upon a probabilistic hardware-software interaction model (0046 and 0051).
As per claim 32, the combined system of Gonzalez and Simhon teaches the sequence modeling accounts for how likely the allowable computational activities are for the software program running on the monitored device [Simhon: 0049 and 0050].

As per claim 36, Gonzalez teaches modeling with a software model possible sequences of hardware/software interaction events (0052-0053 and 0087);
wirelessly receiving a signal emanating (0022) from a monitored device comprising hardware and running a software program, wherein the signal is representative of actual sequences of hardware/software interaction events of the software program running on the monitored device (0024 and 0034); and
comparing the actual sequences of hardware/software interaction events to the possible sequences of hardware/software interaction events (0034 and 0035);
wherein the modeling with the software model is representative of an expected normal set of sequences of hardware/software interaction events of the software program running on the monitored device [reference data; 0034, 0051, and 0052].  Gonzalez is silent in explicitly teaching a probabilistic software model and how likely each of the possible sequences of hardware/software interaction is for the software program running on the monitored device.  On the other hand, these limitations are taught by Simhon as he uses a stochastic software model to determine how likely a process will cause an anomalous state (0049 and 0050).  Using the model and given the sequence of vectors detected on the monitored device, the system can determine with some probability if the device will terminate in a normal state or an anomalous state.  Gonzalez already uses input vectors as well to statistically characterize the response (0052).  A sequence is characterized by some probability of being anomalous the sequence is likely to terminate in an unknown state.  Knowing this information would improve the robustness of anomaly detection in Gonzalez’ system.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.

Claim 35 is rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of USP Application Publication 2016/0021121 to Cui et al., hereinafter Cui.

As per claim 35, Gonzalez is silent in explicitly teaching the processing of the signal further comprises estimating a duration of time the program execution has spent in each execution of blocks of program code.  Cui teaches this limitation as a means to determine how often segments of code are executed by a normal embedded device.  Knowing the baseline would allow a system like Gonzalez that uses an expected result of a device given certain inputs to identify anomalies.  If a given application running on a particular hardware executes a certain branch segment only 10% of the time but a probe is detecting that branch being executed 90% of the time, this would indicate an anomaly.  Knowing this information would improve the robustness of anomaly detection in Gonzalez’ system.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431