Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  
Claim status: claims 1-20 are pending in this Office Action

Response to Arguments

Prior Art Rejection:
Regarding to claim 1:
 	Applicant's arguments to independent claims have been fully considered but they are deemed not persuasive. 
The applicant argues that the prior art does not teach determining one or more application-usage characteristics for devices in the set of two or more devices based at least in part on the first set of application-usage data.  The purpose of the step of “identifying a set of candidate devices” is to identify “a set of devices whose application-usage data suggests that a single application-control policy can add sufficient security to the devices while imposing a sufficiently low potential for productivity interference.” (Specification J [0028].)
In response to the argument, Wyatt teaches determining one or more application-usage characteristics for individual devices in the set of two or more devices based at least in part on the first set of application-usage data (Wyatt [0050] application data also includes behavioral data. Behavioral data includes information about how an application interacts with. [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects… server 151 can update bounds on a mobile communication device 101 by transmitting updated bound information to the device. In an embodiment, bounds may be particular to one or more data objects … identifying that data object … The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. [0246] Analysis server  … correlating the application objects … making assessments …   providing results from the application analysis to clients 1365 [0083] When the server receives behavioral data for a group of data objects it may analyze behavioral data from multiple devices and determine that only groups containing a particular data object will connect to the malicious server. Thus, only the data object that results in connecting to the malicious server will be considered malicious.)	
The applicant argues that in the Specification, the purpose of the step of “identifying a set of candidate devices” is to identify “a set of devices whose application-usage data suggests that a single application-control policy can add sufficient security to the devices while imposing a sufficiently low potential for productivity interference.” (Specification J [0028]). 
In response to applicant's argument that the reference fails to show certain features of applicant's invention, it is noted that the features upon which applicant relies ("of the step of “identifying a set of candidate devices” is to identify “a set of devices whose application-usage data suggests that a single application-control policy can add sufficient security to the devices while imposing a sufficiently low potential for productivity interference.") are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.
Wyatt teaches identifying a set of candidate devices from the set of two or more devices based at least in part on the one or more application-usage characteristics, wherein the set of candidate devices includes fewer devices than the set of two or more devices (Wyatt [0103] the network traffic information is gathered as behavioral data from mobile communication devices. [0083] devices running that operating system may transmit a list of applications installed on each device. [0106] applications that connect to a known malicious IRC server may be classified as a malicious bot, and applications that drain one or more devices' batteries may be flagged as battery drainers. Note: classified devices as malicious bot or battery drainers is identifying a set of candidate devices from the set of two or more devices; malicious/battery-drainers devices are obviously fewer than the total devices (malicious devices and battery-drainers devices) = wherein the set of candidate devices includes fewer devices than the set of two or more devices)

Regarding to claim 12:
	The applicant argues that the prior art does not teach wherein the one or more application-usage characteristics include at least one of a measure of distinct applications used by a particular device during a specified time period and a measure of variability of application usage by the particular device across a set of specified time periods.
In response to applicant's argument Wyatt teaches wherein the one or more application-usage characteristics include at least one of a measure of distinct applications used by a particular device during a specified time period and a measure of variability of application usage by the particular device across a set of specified time periods (Wyatt [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds … if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time)	

Regarding to claim 19:
The applicant argues that the prior art does not teach the measure of variability of application usage “is based on a number of applications used by the particular device in only a subset of the set of specified time periods.”
In response to applicant's argument Wyatt teaches wherein the measure of variability of application usage is based on a number of applications that the particular device used across the set of specified time periods  (Wyatt, [0003] hundreds of thousands of mobile applications. [0007] collects and stores … official application marketplaces and alternative application marketplace … comparisons and correlations are performed among the collected data in order to detect and warn users about pirated or maliciously modified applications. [0009] determining which application is legitimate when two or more applications look the same and claim to do the same thing … measuring … comparing the first mobile application program with the second mobile application program. [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds … if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time. [0201] Because a single application can cause significant problems with respect to battery life, network usage, or other limited resources … monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds … a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill … If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. Note: battery usage of an application affects the user's battery life and/or maintain connection for more than 50% of the time it is running and/or certain time and/or set thresholds is specified time period)	

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	
 	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1,148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre- AIA  35 U.S.C. 103(a) are summarized as follows: 	1. Determining the scope and contents of the prior art. 	2. Ascertaining the differences between the prior art and the claims at issue. 	3. Resolving the level of ordinary skill in the pertinent art. 	4. Considering objective evidence present in the application indicating obviousness or nonobviousness. 

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US20160337390), in view of Wyatt (US20120240236).

Regarding to claim 1:
Sridhara teaches A system for generating an application-control policy for deployment on one or more devices, comprising ([0070] to generate, update or refine classifiers. [0037] A classifier model may also include decision criteria):
one or more processors (fig. 1, 100. [0065] 100 may include a number of heterogeneous processors); and
memory comprising instructions that are executable by the one or more processors to perform operations comprising (fig 1, memory 112):
receiving a first set of application-usage data for a set of two or more devices (Sridhara; [0074] collect behavior information pertaining to the interactions … the activities. fig.4, 402 [0154] receive or gather a corpus of behavior data (e.g., from many computing devices), including a large number of device states, configurations and behavior, as well as information regarding whether a malicious behavior was detected.)
generating the application-control policy for the set of candidate devices based on a second set of application-usage data for the set of candidate devices and providing the application-control policy for deployment on the set of candidate devices (Sridhara; [0095] Each classifier model may also include decision criteria for monitoring. [0096]  receive a full classifier model from a network server, generate a lean classifier model in the computing device [0070] generate, update or refine classifiers or data/behavior models … The network server may send data/behavior models to the SOC 100. [0065] (SOC) 100 architecture that may be used in computing devices. [0173] The various embodiments may be implemented on a variety of computing devices  [0031] The terms “mobile computing device” … refer to any one or all of cellular telephones … personal electronic devices.).
Sridhara does not explicitly disclose determining one or more application-usage characteristics for devices in the set of two or more devices based at least in part on the first set of application-usage data. identifying a set of candidate devices from the set of two or more devices based at least in part on the one or more application-usage characteristics, wherein the set of candidate devices includes fewer devices than the set of two or more devices.
Wyatt teaches determining one or more application-usage characteristics for individual devices in the set of two or more devices based at least in part on the first set of application-usage data (Wyatt [0050] application data also includes behavioral data. Behavioral data includes information about how an application interacts with. [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects… server 151 can update bounds on a mobile communication device 101 by transmitting updated bound information to the device. In an embodiment, bounds may be particular to one or more data objects … identifying that data object … The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. [0246] Analysis server  … correlating the application objects … making assessments …   providing results from the application analysis to clients 1365 [0083] When the server receives behavioral data for a group of data objects it may analyze behavioral data from multiple devices and determine that only groups containing a particular data object will connect to the malicious server. Thus, only the data object that results in connecting to the malicious server will be considered malicious.)	
identifying a set of candidate devices from the set of two or more devices based at least in part on the one or more application-usage characteristics, wherein the set of candidate devices includes fewer devices than the set of two or more devices (Wyatt [0103] the network traffic information is gathered as behavioral data from mobile communication devices. [0083] devices running that operating system may transmit a list of applications installed on each device. [0106] applications that connect to a known malicious IRC server may be classified as a malicious bot, and applications that drain one or more devices' batteries may be flagged as battery drainers. Note: classified devices as malicious bot or battery drainers is identifying a set of candidate devices from the set of two or more devices; malicious/battery-drainers devices are obviously fewer than the total devices (malicious devices and battery-drainers devices) = wherein the set of candidate devices includes fewer devices than the set of two or more devices)
Wyatt also teaches generating the application-control policy for the set of candidate devices based on a second set of application-usage data for the set of candidate devices and providing the application-control policy for deployment on the set of candidate devices (Wyatt, [0208] assessment criteria as well as on a per application basis … generating a set of policy definitions and transmitting the policy definitions to one or more mobile communication devices 101. [0229] sever 151 makes configuration data, such as Snort.RTM. intrusion detection and prevention system rules, available for download via a web interface)
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Wyatt and apply them on the teachings of Sridhar to further implement determining one or more application-usage characteristics for devices in the set of two or more devices based at least in part on the first set of application-usage data. identifying a set of candidate devices from the set of two or more devices based at least in part on the one or more application-usage characteristics, wherein the set of candidate devices includes fewer devices than the set of two or more devices.  One would be motivated to do so because in order to improve better system and method when the server receives behavioral data for a group of data objects it may analyze behavioral data from multiple devices and determine that only groups containing a particular data object will connect to the malicious server. Thus, only the data object that results in connecting to the malicious server will be considered malicious (Wyatt, [0083]).

Regarding to claim 2:
The system of claim 1, wherein the first set of application-usage data include information sufficient to identify binaries with which users of the set of devices interacted (Sridhara [0074] collect behavior information pertaining to the interactions … the activities. fig.4, 402 [0154] receive or gather a corpus of behavior data (e.g., from many computing devices), including a large number of device states, configurations and behavior, as well as information regarding whether a malicious behavior was detected [0056] a binary classification of data/behaviors. That is, applying a behavior vector to boosted decision stump results in a binary answer (e.g., Yes or No …a "yes" answer (for "less than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions). [0074] the behavior observer … pertaining to the interactions).

Regarding to claim 3:
The system of claim 2, wherein determining the one or more application-usage characteristics for the one or more devices in the set of devices is done based on data associated with the binaries with which users of the one or more devices interacted (Sridhara [0074] collect behavior information pertaining to the interactions … the activities [0056] a binary classification of data/behaviors. That is, applying a behavior vector to boosted decision stump results in a binary answer (e.g., Yes or No …a "yes" answer (for "less than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions). [0074] the behavior observer … pertaining to the interactions).

Regarding to claim 4:
The system of claim 1, wherein the one or more application-usage characteristics include a measure of distinct applications used by a device during a specified time period (Sridhara [0074] collect behavior information pertaining to the interactions … the activities. [0056] a binary classification of data/behaviors …. results in a binary answer (e.g., Yes or No) …  "is the frequency of SMS transmissions less than x per minute," applying a value of "3" to the boosted decision stump will result in either a "yes" answer (for "less than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions. [0079] how much network traffic has been transmitted from or generated by the computing device (e.g., 20 KB/sec, etc.),).

Regarding to claim 5:
The system of claim 4, wherein identifying the set of candidate devices includes comparing a first measure of distinct applications used by a first device during the specified time period with a second measure of distinct applications used by a second device during the specified time period, wherein the set of two or more devices comprises the first device and the second (Wyatt [0077] when a data object is first installed on a mobile communication device, the device may gather and transmit the full amount of behavioral data available every day.[0079] transmits behavioral data for a data object's network connections … in a 24 hour period … When a new data object is installed on the device, the device reports the installation event and metadata associated with the data object to the server. If the server has already characterized the data object through behavioral data from other devices, the server may send bounds to the device specifying the typical behavior of the data object on other devices (e.g., uses less than 100 kilobytes of data per day, never sends SMS messages, never sends email) so that if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time. Also see [0077] transmit behavioral data based on the period of time since the data object has last changed. fig.7 step 701-729. [0073-0074] detects a change in a data object … server 151 identifies the second mobile communication device that server 151 knows also stores the data object as well as additional information for the data object (see [0079] e.g., uses less than 100 kilobytes of data per day) … analyzes this additional information with the previously received information from the first mobile communication device to render an assessment (block 727))
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Wyatt and apply them on the teachings of Sridhar to further implement wherein identifying the set of candidate devices includes comparing a first measure of distinct applications used by a first device during the specified time period with a second measure of distinct applications used by a second device during the specified time period, wherein the set of two or more devices comprises the first device and the second.  One would be motivated to do so because in order to improve better system and method when a new data object is installed on the device, the device reports the installation event every day, the server may send bounds to the device specifying the typical behavior of the data object on other devices (e.g., uses less than 100 kilobytes of data per day, never sends SMS messages, never sends email) so that if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time (Wyatt, [0079]).

Regarding to claim 6:
The system of claim 4, wherein the measure of distinct applications used during the specified time period is a number of distinct applications used during the specified time period (Sridhara; [0156] the binary questions/test conditions … the number of communications within a previous time interval. [0161] classify device behaviors as benign, suspicious or non-benign … into categories, sub-categories, groups, or sub-groups … the severity of risk or threat that a software application or behavior poses to. [0026] monitoring or analysis of software applications). 

Regarding to claim 7:
The system of claim 1, wherein the one or more application-usage characteristics include a measure of variability of application usage across a set of specified time periods (Sridhara; [0026] monitoring or analysis of software applications. [0156] the binary questions/test conditions … the frequency of communications, or the number of communications within a previous time interval … sent more than zero data transmissions (a low correlation) … sent more than 10 data transmissions (a medium correlation) … sent more than 100 data transmissions within the previous five minutes (which might have a high correlation))

Regarding to claim 8:
	The system of claim 7, wherein identifying the set of candidate devices includes comparing a first measure of variability of application usage across the set of specified time periods of a first device with a second measure of variability of application usage across the set of specified time periods of a second device, wherein the set of two or more devices comprises the first device and the second (Wyatt [0051] an assessment of the security of a device based upon the data stored (e.g., installed applications. [0077] when a data object is first installed on a mobile communication device, the device may gather and transmit the full amount of behavioral data available every day … weekly interval … monthly intervals)
[Rejection rational for claim 5 is applicable].

Regarding to claim 9:
The system of claim 7, wherein the measure of variability of application usage is determined by dividing a first number of applications used only during a first specified time period by a second number of applications used across each time period of the set of specified time periods, the first specified time period being in the set of specified time periods (Sridhara; [0004] classify the first monitored activity of the software application as one of benign, suspicious, and non-benign. [0006] classify a second monitored activity as one of benign, suspicious and non-benign [0010] classify benign, suspicious, and non-benign behaviors into categories, sub-categories, groups, or sub-groups. fig.4, 402-406. [0154] gather a corpus of behavior data (e.g., from many computing devices) … identify … behavior. Fig. 5, 502-504. [0161] classify device behaviors as benign, suspicious or non-benign … into categories, sub-categories, groups, or sub-groups. Note: classify applications/devices (associated application) into sub-categories, groups, or sub-groups wherein the classify devices use decision criteria (see [0037] A classifier model may also include decision criteria) is dividing a first number of applications by a second number of applications (see spec [0008] [0074] dividing a first number of applications. [0074] divide the set of devices into two or more groups). [0156] the binary questions/test conditions … the frequency of communications, or the number of communications within a previous time interval … sent more than zero data transmissions (a low correlation) … sent more than 10 data transmissions (a medium correlation) … sent more than 100 data transmissions within the previous five minutes (which might have a high correlation. Note: frequencies of 10/100 is specified time periods)

Regarding to claim 10:
The system of claim 1, wherein the second set of application-usage data for the set of candidate devices covers a second time period not identical to a first time period covered by the first set of application-usage data for the set of devices (Sridhara; [0156] the binary questions/test conditions … the frequency of communications, or the number of communications within a previous time interval … sent more than zero data transmissions (a low correlation) … sent more than 10 data transmissions (a medium correlation) … sent more than 100 data transmissions within the previous five minutes (which might have a high correlation)).

Regarding to claim 11:
The system of claim 1, wherein the memory further comprises instructions that are executable by the one or more processors to perform operations comprising: deploying the application-control policy to the set of candidate devices (Sridhara; [0070] collect behavioral, state, classification …  The network server may send data/behavior models to the SOC 100, which may receive and use data/behavior models to identify suspicious or performance-degrading mobile device behaviors, software applications, processes, etc) .

Regarding to claim 12: 
wherein the one or more application-usage characteristics include at least one of a measure of distinct applications used by a particular device during a specified time period and a measure of variability of application usage by the particular device across a set of specified time periods (Wyatt [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds … if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time)	

 [Rejection rational for claim 1 is applicable].

Regarding to claim 13: 
Sridhara teaches The computer-implemented method of claim 12, wherein the first set of application-usage data includes interaction data and wherein the interaction data includes application-usage data regarding execution of binaries with which a user of a device interacted while using the device and does not include application-usage data regarding execution of binaries with which the user of the device did not interact (Sridhara [0050] application data also includes behavioral data. Behavioral data includes information about how an application interacts with … processes or installed applications. [0099] an application calls an API to interact with … server 151 detects if the code is, or may possibly be, self-modifying. The capability of a data object to modify itself may signify that the data object is of higher risk than data objects that are more straightforward. While many instances of malware on PCs use self-modifying code … self-modification alone may not be sufficient to classify a data object as malicious. Note: self-modifying (malware) is does not include application-usage data regarding execution of binaries with which the user of the device did not interact) and wherein determining the one or more application-usage characteristics for the individual devices in the set of two or more devices is done based on the interaction data (Sridhara fig. 2A [0074] The behavior observer module 202 … collect behavior information pertaining to the interactions … the activities. [0079] The behavior extractor module 204 …retrieve the collected behavior information, and use this information to generate one or more behavior vectors. [0097] A locally generated lean classifier model … computing devices (e.g., mobile devices, etc.)  … determining whether a particular device behavior is non-benign)

[Rejection rational for claim 2 is applicable].

Regarding to claim 14: 
The computer-implemented method of claim 12, wherein the measure of variability of application usage is based on a number of applications that the particular device used across the set of specified time periods and wherein an application is used across the set of specified time periods if the application is used during each and every specified time period within the set of specified time periods (Wyatt, [0003] hundreds of thousands of mobile applications. [0007] collects and stores … official application marketplaces and alternative application marketplace … comparisons and correlations are performed among the collected data in order to detect and warn users about pirated or maliciously modified applications. [0009] determining which application is legitimate when two or more applications look the same and claim to do the same thing … measuring … comparing the first mobile application program with the second mobile application program. [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds … if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time. [0201] Because a single application can cause significant problems with respect to battery life, network usage, or other limited resources … monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds … a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill … If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. Note: battery usage of an application affects the user's battery life and/or maintain connection for more than 50% of the time it is running and/or certain time  and/or set thresholds is specified time period; 20/24 hours is the set of specified time periods)	

Regarding to claim 15: 
	The computer-implemented method of claim 12, wherein the measure of distinct applications comprises raw number of distinct applications used by the particular device during the specified time period (Wyatt, [0003-0004] hundreds of thousands of mobile applications … software inevitably leaves the device susceptible to vulnerabilities, malware, and other harmful software applications … harmful software applications. [0009] determining which application is legitimate when two or more applications look the same and claim to do the same thing … measuring … comparing the first mobile application program with the second mobile application program. [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds … if the data object deviates from these bounds, the mobile communication device will send the deviated behavioral data to the server. Such deviations may be useful in the case of a legitimate application that becomes exploited and begins exhibiting uncharacteristic behavior or in the case of a "time-bomb" application that only starts becoming malicious after a certain time [0201] Because a single application can cause significant problems with respect to battery life, network usage, or other limited resources … monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds … a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill … If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. Note: battery usage of an application affects the user's battery life and/or maintain connection for more than 50% of the time it is running and/or certain time  and/or set thresholds is specified time period)

Regarding to claim 16: 
 The computer-implemented method of claim 15, wherein identifying the set of candidate devices includes determining that a first device from the set of two or more devices is not part of the set of candidate devices by determining that the measure of distinct applications used by the first device during the specified time period does not meet a defined criteria (Wyatt, [0003-0004] hundreds of thousands of mobile applications … software inevitably leaves the device susceptible to vulnerabilities, malware, and other harmful software applications … harmful software applications [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. [0130] server 151 may analyze the data object …  known good, known bad, and unknown … confidence level to determine how to classify the data object. Note: set a bound is a defined criteria. Sridhara; [0004] classify the first monitored activity of the software application as one of benign, suspicious, and non-benign. [0095] Each classifier model may also include decision criteria for monitoring)

Regarding to claim 17: 
	The computer-implemented method of claim 12, wherein the measure of variability of application usage further based on a number of applications used by the particular device during only a subset of the set of specified time periods (Wyatt, [0009] determining which application is legitimate when two or more applications look the same and claim to do the same thing [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… bounds may be particular to one or more data objects. For example, a device may have a set of default bounds by which it will send behavioral data … The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. 0095] Each classifier model may also include decision criteria for monitoring. [0201] Because a single application can cause significant problems with respect to battery life, network usage, or other limited resources … monitors the network and battery usage of applications installed on the device and notifies the device's user when an application exceeds desirable limits. For example, the user may set thresholds … a user is notified when the device determines that an application will adversely affect the user's battery life or phone bill … If a user typically uses a phone for 20 hours before plugging it in and an application on the device reduces the estimated battery life to less than 20 hours, it's likely that the user will run out of battery. Also see [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… bounds may be particular to one or more data objects. For example, a device may have a set of default bounds by which it will send behavioral data … The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. Note: Note: 50% of the time it is running and/or reduces the estimated battery life to less than 20 hours is a subset of the set of specified time periods)	

Regarding to claim 18: 
The computer-implemented method of claim 12, wherein identifying the set of candidate devices includes determining that a first device from the set of two or more devices is not part of the set of candidate devices by determining that measure of variability of application usage by the first device across the set of specified time periods does not meet a defined criteria ((Wyatt, [0079] a mobile communication device may only transmit behavioral data if the data is outside of normal bounds. In an embodiment, the bounds are universal to all data objects. For example, a bound on network usage may be set so that mobile communication device transmits behavioral data for a data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24 hour period… a device may have a set of default bounds by which it will send behavioral data, but the server may transmit bounds for a particular data object, identifying that data object through identifying information such as a hash, cryptographic signer, package name, or filesystem location. The updated bounds may instruct the device to send more or less behavioral data than the default set of bounds. [0130] server 151 may analyze the data object …  known good, known bad, and unknown … confidence level to determine how to classify the data object. Note: set a bound is a defined criteria. Sridhara; [0004] classify the first monitored activity of the software application as one of benign, suspicious, and non-benign. [0095] Each classifier model may also include decision criteria for monitoring)

[Rejection rational for claim 8 is applicable].

Regarding to claim 19: 
[Rejection rational for claims 1, 5-8 and 12, 14 are applicable].

Regarding to claim 20: 
[Rejection rational for claims 2-3 is applicable].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEN DOAN whose telephone number is 571 272-4317.  The examiner can normally be reached on Monday-Thursday and biweekly Friday 9am-6pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on 571-272-7304(571)272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HIEN V DOAN/Examiner, Art Unit 2449    

/NORMIN ABEDIN/           Primary Examiner, Art Unit 2449