DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 10/5/2022 has been placed of record in the file.
Claims 42 and 52 have been amended.
The double patenting rejection remains of record.
The IDS filed 10/5/2022 and the IDS filed 10/10/2022 have been considered.
Claims 42-61 are pending.
The applicant’s arguments with respect to claims 42-61 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment
Claims have been amended to further define the use of the stateful model.  The amendment proves a change in scope to the independent claims as the independent claims now explicitly state applying a score to the stateful model based on the one or more identified behaviors.  However, none of the amended claims show a patentable distinction over the prior art as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	Claims 42-61 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara et al. (U.S. Patent Application Publication Number 2015/0286820), hereinafter referred to as Sridhara, in view of Schmidtler et al. (U.S. Patent Application Publication Number 2015/0033341), hereinafter referred to as Schmidtler.
Sridhara disclosed techniques for computing and using execution states in performing behavioral analysis.  In an analogous art, Schmidtler disclosed techniques for detecting threats based on feature vectors.  Both systems deal directly with modeling for malware detection.
Regarding claim 42, Sridhara discloses a computer-implemented method of performing a behavior-based analysis of an execution of a program in an operating system, the method comprising: monitoring, by a computer system, using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment (paragraph 69, behavior observer module configured to instrument APIs and monitor operations), wherein the monitoring comprises tracking user space operations and/or kernel space operations (paragraph 68, kernel space and user space); selecting at least one operation of interest from the one or more operations (paragraph 69, collect information pertaining to observed operations); generating, by the computer system, an event data for each of the at least one operation of interest, wherein the event data characterizes one or more events of the at least one operation of interest (paragraph 69, generate observations); filtering event data of interest from the event data for each of the at least one operation of interest, the filtering based on one or more predefined filtering rules (paragraph 69, filter collected information); normalizing the event data of interest into a logical data structure such that attributes of the event data of interest can accessed and analyzed (paragraph 61, generate behavior vectors); building, by the computer system, at least one stateful model of the execution of the program based on the normalized event data of interest, the at least one stateful model comprising a hierarchal structure of the at least one operation of interest performed by the execution of the program in the live environment (paragraph 84, classifier model includes data structures used to evaluate behavior), the at least one operation of interest linked by an event context, wherein the hierarchal structure comprises: the event context comprising: one or more objects derived from the one or more monitored operations (paragraph 87, subsystems, processes, and applications); one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object (paragraph 84, information structures for features or aspects of behavior); and one or more relationships identified among the one or more objects (paragraph 62, features used by specific software application or application-type); and attributes characterizing the one or more objects and the one or more relationships among the one or more objects (paragraph 84, features), wherein the attributes comprise at least a type of the at least one operation of interest and a source of the one or more events, wherein the type comprises an identifier of the at least one operation of interest that characterizes the one or more events, and wherein the source comprises an originating entity that performs the at least one operation of interest (paragraphs 70-75, different types of behavior to be monitored, and paragraph 84, list of components), wherein each of the one or more objects represent an entity related to the one or more monitored operations (paragraph 87, subsystems, processes, and applications associated with observations); analyzing, by the computer system, the event context in view of the at least one stateful model to identify one or more behaviors of the execution of the program related to the one or more events (paragraph 85, uses lean classifier model); and comparing the one or more identified behaviors to one or more pre-existing behaviors of a pre-existing stateful model (paragraph 88, applies behavior vectors to classifier modules), wherein the computer system comprises a processor and memory (paragraph 156, processors and memory).
Sridhara does not explicitly state applying a score to the stateful model based on the one or more identified behaviors, and comparing the score to a pre-existing score.  However, utilizing scores with classifier models was well known in the art as evidenced by Schmidtler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Sridhara by adding the ability for applying a score to the stateful model based on the one or more identified behaviors, and comparing the score to a pre-existing score as provided by Schmidtler (see paragraph 56, determines threat assessment score, and paragraph 57, compares threat assessment score with threshold value).  One of ordinary skill in the art would have recognized the benefit that using trained models would assist in detecting threats that have evolved and changed over time (see Schmidtler, paragraph 4).
Regarding claim 43, the combination of Sridhara and Schmidtler discloses updating, in real time, the at least one stateful model in response to one or more new events (Sridhara, paragraph 103, modify or regenerate lean classifier model).
Regarding claim 44, the combination of Sridhara and Schmidtler discloses outputting, via an output device of the computer system, a representation of the one or more identified behaviors of the execution of the program (Sridhara, paragraph 90, notifies observer module of analysis).
Regarding claim 45, the combination of Sridhara and Schmidtler discloses storing the one or more identified behaviors of the execution of the program in a behavioral profile database (Sridhara, paragraph 155, maintaining databases of behaviors).
Regarding claim 46, the combination of Sridhara and Schmidtler discloses wherein the computer system comprises a cloud-based computer system (Sridhara, paragraph 83, cloud service).
Regarding claim 47, the combination of Sridhara and Schmidtler discloses wherein the computer system comprises one or more functional components distributed over more than one computer (Sridhara, paragraph 98, mobile device in conjunction with network server).
Regarding claim 48, the combination of Sridhara and Schmidtler discloses wherein the live environment comprises one or more programs, including the program, operating concurrently and interactively for their intended uses (Sridhara, paragraph 91, real-time behavior analysis).
Regarding claim 49, the combination of Sridhara and Schmidtler discloses aggregating the one or more identified behaviors (Sridhara, paragraph 109, aggregate information over time).
Regarding claim 50, the combination of Sridhara and Schmidtler discloses wherein the one or more behaviors comprise a representation of a behavior pattern of the execution of the program (Sridhara, paragraph 93, behaviors compared to normal operation patterns).
Regarding claim 51, the combination of Sridhara and Schmidtler discloses analyzing the one or more behaviors to determine if the execution of the program comprises malware (Sridhara, paragraph 88, determines whether application is malicious).
Regarding claim 52, Sridhara discloses a system for performing a behavior-based analysis of an execution of a program in an operating system, the system comprising: one or more computer readable storage devices configured to store a plurality of computer executable instructions (paragraph 156, memory); and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions (paragraph 156, processors) in order to cause the system to: monitor, using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment (paragraph 69, behavior observer module configured to instrument APIs and monitor operations), wherein monitoring comprises tracking user space operations and/or kernel space operations (paragraph 68, kernel space and user space); select at least one operation of interest from the one or more operations (paragraph 69, collect information pertaining to observed operations); generate an event data for each of the at least one operation of interest, wherein the event data characterizes one or more events of the at least one operation of interest (paragraph 69, generate observations); filtering event data of interest from the event data for each of the at least one operation of interest, the filtering based on one or more predefined filtering rules (paragraph 69, filter collected information); normalize the event data of interest into a logical data structure such that attributes of the event data of interest can accessed and analyzed (paragraph 61, generate behavior vectors); build at least one stateful model of the execution of the program based on the normalized event data of interest, the at least one stateful model comprising a hierarchal structure of the at least one operation of interest performed by the execution of the program in the live environment (paragraph 84, classifier model includes data structures used to evaluate behavior), the at least one operation of interest linked by an event context, wherein the at least one stateful model comprises: the event context comprising: one or more objects derived from the one or more monitored operations (paragraph 87, subsystems, processes, and applications); one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object (paragraph 84, information structures for features or aspects of behavior); and one or more relationships identified among the one or more objects (paragraph 62, features used by specific software application or application-type); and attributes characterizing the one or more objects and the one or more relationships among the one or more objects (paragraph 84, features), wherein the attributes comprise at least a type of the at least one operation of interest and a source of the one or more events, wherein the type comprises an identifier of the at least one operation of interest that characterizes the one or more events, and wherein the source comprises an originating entity that performs the at least one operation of interest (paragraphs 70-75, different types of behavior to be monitored, and paragraph 84, list of components), wherein each of the one or more objects represent an entity related to the one or more monitored operations (paragraph 87, subsystems, processes, and applications associated with observations); analyze the event context in view of the at least one stateful model to identify one or more behaviors of the execution of the program related to the one or more events (paragraph 85, uses lean classifier model); and comparing the one or more identified behaviors to one or more pre-existing behaviors of a pre-existing stateful model (paragraph 88, applies behavior vectors to classifier modules).
Sridhara does not explicitly state applying a score to the stateful model based on the one or more identified behaviors, and comparing the score to a pre-existing score.  However, utilizing scores with classifier models was well known in the art as evidenced by Schmidtler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Sridhara by adding the ability for applying a score to the stateful model based on the one or more identified behaviors, and comparing the score to a pre-existing score as provided by Schmidtler (see paragraph 56, determines threat assessment score, and paragraph 57, compares threat assessment score with threshold value).  One of ordinary skill in the art would have recognized the benefit that using trained models would assist in detecting threats that have evolved and changed over time (see Schmidtler, paragraph 4).
Regarding claim 53, the combination of Sridhara and Schmidtler discloses wherein the system is further caused to update, in real time, the at least one stateful model in response to one or more new events (Sridhara, paragraph 103, modify or regenerate lean classifier model).
Regarding claim 54, the combination of Sridhara and Schmidtler discloses wherein the system is further caused to output, via an output device of the system, a representation of the one of more behaviors of the execution of the program (Sridhara, paragraph 90, notifies observer module of analysis).
Regarding claim 55, the combination of Sridhara and Schmidtler discloses wherein the system is further caused to store the one or more behaviors of the execution of the program in a behavioral profile database (Sridhara, paragraph 155, maintaining databases of behaviors).
Regarding claim 56, the combination of Sridhara and Schmidtler discloses wherein the system comprises a cloud-based computer system (Sridhara, paragraph 83, cloud service).
Regarding claim 57, the combination of Sridhara and Schmidtler discloses wherein the system comprises one or more functional components distributed over more than one computer (Sridhara, paragraph 98, mobile device in conjunction with network server).
Regarding claim 58, the combination of Sridhara and Schmidtler discloses wherein the live environment comprises one or more programs, including the program, operating concurrently and interactively for their intended uses (Sridhara, paragraph 91, real-time behavior analysis).
Regarding claim 59, the combination of Sridhara and Schmidtler discloses wherein the system is further caused to aggregate the one or more identified behaviors (Sridhara, paragraph 109, aggregate information over time).
Regarding claim 60, the combination of Sridhara and Schmidtler discloses wherein the one or more behaviors comprise a representation of a behavior pattern of the execution of the program (Sridhara, paragraph 93, behaviors compared to normal operation patterns).
Regarding claim 61, the combination of Sridhara and Schmidtler discloses wherein the system is further caused to analyze the one or more behaviors to determine if the execution of the program comprises malware (Sridhara, paragraph 88, determines whether application is malicious).

Conclusion
12.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493