DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings

Figures 1A, 1B, and 2 should be designated by a legend such as --Prior Art-- because only that which is old is illustrated.  See MPEP § 608.02(g).  Corrected drawings in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. The replacement sheet(s) should be labeled “Replacement Sheet” in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any portion of the drawing figures. If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Specification

The disclosure is objected to because of the following informalities:  
The specification does not include a brief summary of the invention as per 37 CFR 1.73.  If a summary has been intentionally omitted, Applicant is requested to make a statement confirming this on the record.  See also MPEP § 608.01(d).
Appropriate correction is required.  The above is not intended as an exhaustive list of errors in the specification.  Applicant’s cooperation is requested in correcting any other errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more.
Claim 1 recites a method that includes identifying a set of variables; generating a profile by tracking counts of memory write operations to the variables and corresponding timestamps; detecting a trigger condition by monitoring a pattern of memory accesses to the variables and detecting a deviation of the pattern from the profile; and generating a notification indicating an attack status.  The detection of the deviation of the monitored pattern from the generated profile can be performed by taking a difference (subtraction) and comparison to a threshold (as per Claim 2).  The subtraction is a basic arithmetic operation, which is a mathematical concept, and the comparison can be performed mentally.  Mental processes and mathematical concepts are two of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2).  Abstract ideas are judicial exceptions as per MPEP § 2106.04(I).  See also Alice Corporation Pty. Ltd. v. CLS Bank, International, et al, 573 U.S. 208, 110 USPQ2d 1976 (2014).
This judicial exception is not integrated into a practical application because the claim does not recite a clear use or further action with respect to the detection of the trigger condition.  Although the claim recites generating a notification indicating an attack status, this is merely insignificant post-solution activity as per MPEP § 2106.05(g) without then using that notification to perform some further mitigating action, for example.  The steps of identifying the variables, tracking the counts of write operations and timestamps, and monitoring the pattern of memory accesses amount to simple data gathering, which is also insignificant extra-solution activity as per MPEP § 2106.05(g).  There is nothing that would result in a particular transformation, as per MPEP § 2106.05(c), nor does the claim require the use of the abstract ideas in conjunction with a particular machine or manufacture, as per MPEP § 2106.05(b).  The recitation that the method is computer-implemented constitutes nothing more than mere instruction to implement the abstract idea on a computer. See MPEP § 2106.05(f).  The recitations of the computer program and memory only recite a field of use or technological environment for the abstract idea as per MPEP § 2106.05(h).  There are no additional elements that apply or use the abstract ideas in a meaningful way beyond merely linking the use of the judicial exceptions to a particular technological environment.  Therefore, the claim is not directed to a practical application of the abstract ideas.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exceptions for similar reasons as detailed above with respect to the question of a practical application of the judicial exceptions.  To the extent that the step of generating a notification may include sending the notification over a network, and to the extent that various tracking and monitoring steps may include retrieving data from memory, these have been recognized by the courts as well-understood, routine, and conventional functions.  See MPEP § 2106.05(d)(II), citing Symantec, TLI, OIP Techs., buySAFE, and Versata.  Therefore, the claim as a whole, whether the steps are considered individually or as an ordered combination, is not directed to significantly more than the abstract ideas.
Claim 11 is directed to a device that includes a memory and processor and having functionality corresponding to the method of Claim 1, and recites abstract ideas for similar reasons as detailed above.  The recitations of the memory and processor are at a generic level and constitute nothing more than mere instructions to implement the abstract idea on a computer.  See MPEP § 2106.05(f).  Therefore, the device claim is not directed to significantly more than the abstract ideas.
Dependent Claims 2-10 and 12-20 only recite further details of what data is monitored or tracked, which only further describe the data input to the abstract step of data comparison, and/or providing further description of the technological environment in which the abstract idea is to be practiced.  These are abstract for the same reasons as the independent claims and do not add significantly more to the abstract ideas recited in the independent claims.
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1-20 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above.  Therefore, based on the above analysis, the claimed inventions are not directed to patent eligible subject matter.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “the variable” in line 5; however, the claim previously recited plural variables, and it is not clear to which of the plural variables this limitation is intended to refer.  This ambiguity renders the claim indefinite.
Claim 2 recites that “a count… deviates from a frequency” in lines 2-3.  This appears to require a comparison of two values having different units, which is generally unclear.
Claim 3 recites “an expected time of write access” in line 3.  It is not clear whose or what’s expectation this is based on.  The term “expected” is subjective, and neither the specification nor claims appears to provide a clear standard of comparison to determine the expected time.  See MPEP § 2173.05(b).
Claim 5 recites “the variable” in line 2.  It is not clear to which of the plural variables this limitation is intended to refer.  The claim further recites “the related shadow memory value” in line 5.  There is insufficient antecedent basis for this limitation in the claims.
Claim 6 recites “each heap allocated program variable” in lines 1-2.  There does not appear to be clear antecedent basis for this limitation in the claims.  The claim further recites “the variable” in line 3.  It is not clear to which of the plural variables this limitation is intended to refer.
Claim 9 recites “memory accesses for writing to the variables in the set of program variables is checked” in lines 2-3.  It is not clear what the subject of the verb “is checked” is intended to be, as there does not appear to be a clear singular subject recited prior to the verb.
Claim 11 recites “the variable” in line 7; however, the claim previously recited plural variables, and it is not clear to which of the plural variables this limitation is intended to refer.  This ambiguity renders the claim indefinite.
Claim 12 recites that “a count… deviates from a frequency” in lines 2-3.  This appears to require a comparison of two values having different units, which is generally unclear.
Claim 13 recites “an expected time of write access” in lines 3-4.  It is not clear whose or what’s expectation this is based on.  The term “expected” is subjective, and neither the specification nor claims appears to provide a clear standard of comparison to determine the expected time.  See MPEP § 2173.05(b).
Claim 15 recites “the variable” in line 3.  It is not clear to which of the plural variables this limitation is intended to refer.  The claim further recites “the related shadow memory value” in line 6.  There is insufficient antecedent basis for this limitation in the claims.
Claim 16 recites “each heap allocated program variable” in line 2.  There does not appear to be clear antecedent basis for this limitation in the claims.  The claim further recites “the variable” in line 3.  It is not clear to which of the plural variables this limitation is intended to refer.
Claim 19 recites “memory accesses for writing to the variables in the set of program variables is checked” in lines 2-3.  It is not clear what the subject of the verb “is checked” is intended to be, as there does not appear to be a clear singular subject recited prior to the verb.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 7-13, and 17-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Som et al, US Patent Application Publication 2020/0257460.
In reference to Claim 1, Som discloses a method that includes identifying a set of program variables associated with a computer program and generating a profile of variable writes for the computer program based on tracking, for each variable in the set, a count of memory write operations to the respective variable and timestamps associated with the write operations (see paragraphs 0024 and 0076, access statistics store); detecting a trigger condition associated with the variables by monitoring a pattern of memory accesses to the variables and detecting a deviation of the pattern from the profile (see paragraphs 0024 and 0075, matching expected pattern; paragraph 0102, behavior evaluation); and in response to detecting the trigger condition, generating a notification of an attack (see paragraph 0103).
In reference to Claims 2 and 3, Som further discloses determining that a count of write operations in a time period deviates from a frequency indicated in the profile by more than a threshold amount or that write operations occur at times different from an expected time (see paragraph 0075).
In reference to Claims 7 and 8, Som further discloses identifying variables written to during initialization or configuration changes and setting the memory to read-only (see paragraph 0084, locking configuration).
In reference to Claims 9 and 10, Som further discloses a secure enclave and checking a memory access control policy checking a value or source (see paragraph 0114, rule sets, i.e. policy).

Claims 11-13 and 17-20 are directed to devices having functionality corresponding substantially to the methods of Claims 1-3 and 7-10, and are rejected by a similar rationale, mutatis mutandis.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-6 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Som in view of Burrows et al, US Patent Application Publication 2003/0126590.
In reference to Claims 4 and 5, Som discloses everything as detailed above with respect to Claim 1, but does not explicitly disclose using shadow memory.  However, Burrows discloses tracking information on write accesses by a computer program using shadow memory (see paragraphs 0034-0037, for example).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Som by including the use of shadow memory in order to allow the dynamic checking of variables (see Burrows, paragraph 0047).
In reference to Claim 6, Som discloses everything as detailed above with respect to Claim 1, but does not explicitly disclose identifying variables in a heap.  However, Burrows discloses identifying addresses allocated to a heap variable (paragraphs 0026-0027, for example).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Som by including the use of heap variables in order to allow the dynamic checking of variables (see Burrows, paragraph 0047).

Claims 14-16 are directed to devices having functionality corresponding substantially to the methods of Claims 4-6, and are rejected by a similar rationale, mutatis mutandis.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Aditham et al, US Patent 10678907, discloses detecting threats based on memory access patterns.
Prvulovic et al, US Patent 10810310, discloses a system that detects memory access pattern anomalies.
Basak et al, US Patent 11455392, discloses a method of detecting anomalous memory access patterns.
Costa et al, US Patent Application Publication 2009/0282393, discloses securing software by monitoring variables.
Roeder, US Patent Application Publication 2018/0232303, discloses monitoring deviations in a number of write operations to memory.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Zachary A. Davis/Primary Examiner, Art Unit 2492