Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21, 24-28, 34, 37-41, 47, 50-54, 60, and 63-67, are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4 of U.S. Patent No. 11,042,638. Although the claims at issue are not identical, they are not patentably distinct from each other because instant claim groups (21 and 24-28, 34 and 37-31, 47 and 50-54, and 60 and 63-67) overlap with claims 1-4 of the ‘638 patent.
Claims 22, 23, 35, 36, 48, 49, 61 and 62 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11,042,638  in view of “Choi” (US 2019/0012459). While claim 1 of the ‘638 patent discloses respective claims 21, 34, 47, and 60, claim 1 fails to disclose “wherein the operations do not comprise behavioral analysis to determine the execution of malware” (claims 22, 35, 48, and 61) or “to determine the execution of the malicious target process” (claims 23, 36, 49, and 62). However, Choi discloses performing a frequency analysis in order to detect malware execution (¶0022). Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify claim 1 of the ‘638 patent to perform a frequency analysis instead of a behavioral analysis to detect the execution of malware or a malicious process as taught by Choi, in order to detect malware that typically evades routine prevention systems that are based on behavioral detections, thus increasing the ability of the ‘638 patent to detect hidden malware. 
Claims 29, 42, 55, and 68 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11,042,638  in view of “Valencia” (US 2016/0253498). While claim 1 of the ‘638 patent discloses respective claims 21, 34, 47, and 60, claim 1 fails to disclose “wherein the determination comprises a binary prediction”. However, Valencia discloses performing a binary classification of data/behaviors (¶0057). Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify claim 1 of the ‘638 patent to perform a frequency analysis instead of a behavioral analysis to perform a binary prediction, as taught by Valencia, in order to detect implement classification modeling to better predict which types of data are representative of malware.
Claims 30, 32, 43, 45, 56, 58, 69, and 71 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11,042,638  in view of “Harrison” (US 2017/0235951). While claim 1 of the ‘638 patent discloses respective claims 21, 34, 47, and 60, claim 1 fails to disclose “wherein the malicious target process comprises a file input/output (I/O) process” and “wherein the malicious target process comprises a virtualization process”. However, Harrison discloses a malware process being file behavior (I/O) (¶0128, “As shown in step 506, the method 500 may include analyzing the file … This may also or instead include behavioral analysis…”) and a malware process being virtualized (¶0127, “As shown in step 504, the method 500 may include transmitting the file to a secure virtual machine hosted by a hypervisor for the virtual machine”). Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify claim 1 of the ‘638 patent to detect a malicious file based on behavioral analysis and based on being scanned within a virtual machine, as taught by Harrison, in order to more accurately detect malicious files while containing the malicious file within a secured environment.
Claims 31, 44, 57, and 70 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11,042,638 in view of “Glew” (US 2019/0108332). While claim 1 of the ‘638 patent discloses respective claims 21, 34, 47, and 60, claim 1 fails to disclose “wherein the malicious target process comprises a network input/output (I/O) process”. However, Glew teaches monitoring network input/output operations to determine whether a software process is malicious (¶0120; ¶0258). Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify claim 1 of the ‘638 patent to detect a malicious process based on network input/output operations, as taught by Glew, in order to utilizing monitoring of network traffic to generate another detection point for malicious processes thereby increasing the accuracy of detecting the malicious processes as they operate.
Claims 33, 46, 59, and 72 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11,042,638  in view of “Kindlund” (US 9565202). While claim 1 of the ‘638 patent discloses respective claims 21, 34, 47, and 60, claim 1 fails to disclose “wherein the malicious target process comprises data exfiltration”. However, Kindlund teaches monitoring network output to detect data exfiltration attacks caused by a malicious process (Abstract; Fig. 2). Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify claim 1 of the ‘638 patent to detect a malicious process that carries out data exfiltration, as taught by Kindlund, in order to utilize an active detection system that prevents data from being exfiltrated while still detecting the process that attempted to exfiltrate it.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491