DETAILED ACTION
	Claims 1-20 are presented on 01/19/2022 for examination on merits.  Claims 1, 8, and 15 are independent base claims. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would like the Applicant to submit two sets of claims: 
Set #1 as in a typical filing which includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 as an appendix to the Arguments/Remarks for a clean version of the claims which has all the markups removed for entry by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 11,263,307 B2 (hereinafter “USPAT 307”). 
Although the claims at issue are not identical, they are not patentably distinct from each other because they claim the same subject matter of detecting unused or no-op code to prevent code injection attacks.

	Regarding claim 1, USPAT 307 anticipates:
A system for detecting a code injection attack (USPAT 307, CLM. 1: a system for detecting a code injection attack) comprising: 
a processor; 
at least one non-transitory computer-readable memory communicatively coupled to the processor; and 
processing instructions for a computer program, the processing instructions encoded in the computer-readable memory, the processing instructions (USPAT 307, CLM. 1: processing instructions for a computer program, the processing instructions encoded in the computer-readable memory, the processing instructions), when executed by the processor, operable to perform operations comprising: 
scanning one or more sections of the computer-readable memory for computer instructions that do not define an operation (USPAT 307, CLM. 1: scanning one or more sections of the computer-readable memory for computer instructions comprising non-operational machine instructions that satisfy at least one pattern of the learned patterns of non-operational machine instructions); 
detecting a code injection attack based on the scanned one or more sections (USPAT 307, CLM. 1: detecting a code injection attack based on the scanned one or more sections); and 
mitigating the code injection attack by taking one or more defensive actions (USPAT 307, CLM. 1: mitigating the code injection attack by taking one or more defensive actions).

Independent claims 8 and 15 are rejected for the same reason as claim 1, because they each recite the same limitations as claim 1 in similar language.
Regarding dependent claims 2-7, 9-14, and 16-20 of the present application, they are obvious variants of the same subject matter as found in the reference application, and thereby rejected under the judicially created doctrine of obviousness-type double patenting.


Claim Objections
Claims 1-4, 8-11, and 15-18 are objected to because of the following informalities: 
Claim 1 recites “An system” at the beginning of the claim.  For formality reasons, it should have been “A system.”
Claims 1-4, 8-11, and 15-18 each recite a limitation for “computer instructions that do not define an operation” deficiently, because it appears that the claims mean to describe computer instructions that do not define any operation (i.e., no-op instructions) rather than a particular operation. 
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 12 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 12 and 19 each recite the limitation "the computer program" at the end of each claim.  There is insufficient antecedent basis for this limitation in the respective claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-4, 8-11, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Momot (US 20160328560 A1) in view of Thioux (US 9438623 B1; hereinafter “Thx”).

As per claim 1, Momot teaches a[n] system for detecting a code injection attack comprising: 
a processor (Momot, par. 0017: the processor); 
at least one non-transitory computer-readable memory communicatively coupled to the processor (Momot, par. 0039-0040: a system memory 822); and 
processing instructions for a computer program, the processing instructions encoded in the computer-readable memory, the processing instructions (Momot, par. 0021: execution of instructions), when executed by the processor, operable to perform operations comprising: 
scanning one or more sections of the computer-readable memory for computer instructions that do not define an operation (Momot, par. 0023 and 0025: the process scans memory to determine user-controlled contents. These contents, being user-controlled, may also be attacker-controlled, containing No-op code or involving a NOP slide; see also par. 0017 and par. 0025-0027); 
detecting a code injection attack based on the scanned one or more sections; and 
mitigating the code injection attack by taking one or more defensive actions (Momot, par. 0028 and 0034: an alert is generated at step 324 that indicates a possible NOP sled; par. 0036: the payload may be checked against tables of known attack vector code to attempt to find a match.).
While Momot discusses injection of malicious code associated with malicious code (par. 0017) and NOP code injected into process memory via heap spray (par. 0038), Momot does not explicitly disclose a step for detecting a code injection attack based on the scanned one or more sections.
In a related art, Thx teaches:
detecting a code injection attack based on the scanned one or more sections (Thx, col. 6, lines 10-14 and col. 3, lines 46-60: detect the presence of a heap spray attack by monitoring or observing unexpected or anomalous behaviors or activities, and, in response, determining that the object includes a heap spray attack … by pattern comparison; col. 7, lines 38-48: the new NOP sled pattern may be added to the blacklist of patterns; col. 20, lines 35-41).
Momot and Thx are analogous art, because they are in a similar field of endeavor in improving the detection of malware exploiting no-op code in memory.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Momot with the teachings of Thx that a code injection attack may be detected based on the scanned sections of memory that contain unexpected non-operational code.  The rationale for this combination is to use a known technique to improve a similar system concerning the detection of heap spray attacks or the like. For this combination, the motivation would have been to improve the level of security by analysis of scanned memory sections.

As per claim 2, the references as combined above teach the system of claim 1 wherein detecting a code injection attack based on the scanned one or more sections comprises: 
determining a number of computer instructions that do not define an operation in the scanned one or more sections (Momot, par. 0030-0031: a NOP sled detection process 350; par. 0022-0023: static analysis of NOP sled); and 
determining whether the number of computer instructions that do not define an operation exceeds a no-ops threshold (Momot, par. 0033-0034: The detection frequency threshold for purposes of NOP sled detection, which means a threshold to measure the number of no-ops instructions. If a frequency found at step 364 is greater than the detection frequency threshold, then control branches from step 366 to step 368 to generate a NOP sled alert).

As per claim 3, the references as combined above teach the system of claim 1 wherein detecting a code injection attack based on the scanned one or more sections comprises: 
determining a number of computer instructions that do not define an operation in the scanned one or more sections (Momot, par. 0025-0026: a number of proximal addresses are valid … involving a NOP slide, which are a number of computer instructions that do not define an operation); 
determining a total number of computer instructions in the scanned one or more sections (Momot, par. 0022: 76% of the total offsets within the code sample [are] NOP); and 
determining whether the determined number of computer instructions that do not define an operation in the scanned one or more sections exceeds a threshold percentage of the determined total number of computer instructions in the scanned one or more sections (Momot, par. 0033-0034: If a frequency found at step 364 is greater than the detection frequency threshold, then control branches from step 366 to step 368 to generate a NOP sled alert).

As per claim 4, the references as combined above teach the system of claim 1 wherein detecting a code injection attack based on the scanned one or more sections comprises: 
determining a spatial locality metric for the computer instructions that do not define an operation in the scanned one or more sections (Momot, par. 0023: the process scans memory to determine user-controlled contents. These contents, being user-controlled, may also be attacker-controlled; see par. 0002-0003: A NOP sled typically contains a long series); and 
determining whether the spatial locality metric exceeds a spatial locality threshold (Momot, par. 0033-0034: a detection frequency threshold for purposes of NOP sled detection.  Here Momot discloses using the detection frequency threshold for determining a NOP sled which is a long series of NOP, i.e., the spatial locality metric of NOP; see par. 0002-0003).
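
The three tests mapped to claims 2-4 above (an absolute no-op count, a percentage of all instructions, and a spatial locality metric) can be sketched as follows. This is an added example, not code from the application, Momot, or Thioux; it assumes x86 where only the one-byte NOP 0x90 is counted and each byte is treated as one instruction, takes the longest contiguous run as the locality metric, and uses hypothetical names and threshold values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP 0x90u /* assumption: only the one-byte x86 NOP is counted */
struct nop_stats { size_t total, nops, longest_run; };
/* Hypothetical thresholds; the office action cites no values. */
struct nop_policy { size_t max_nops; unsigned max_percent; size_t max_run; };
enum { FLAG_COUNT = 1, FLAG_PERCENT = 2, FLAG_LOCALITY = 4 };

/* One pass over a section; each byte is treated as one instruction. */
struct nop_stats scan_section(const uint8_t *buf, size_t len)
{
    struct nop_stats s = { len, 0, 0 };
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == X86_NOP) ? run + 1 : 0;  /* reset on any non-NOP */
        s.nops += (run != 0);
        if (run > s.longest_run) s.longest_run = run;
    }
    return s;
}

/* Returns a bitmask of the tests that exceeded their threshold. */
int evaluate(struct nop_stats s, struct nop_policy p)
{
    int flags = 0;
    if (s.nops > p.max_nops) flags |= FLAG_COUNT;              /* claim 2 style */
    if (s.nops * 100 > (size_t)p.max_percent * s.total) flags |= FLAG_PERCENT; /* claim 3 */
    if (s.longest_run > p.max_run) flags |= FLAG_LOCALITY;     /* claim 4 style */
    return flags;
}

static const struct nop_policy POLICY = { 32, 50, 16 };

/* Constructed sample: 48 NOPs then 16 filler bytes (0xCC), 64 bytes total. */
int demo_sled_flags(void)
{
    uint8_t buf[64];
    memset(buf, 0xCC, sizeof buf);
    memset(buf, X86_NOP, 48);
    return evaluate(scan_section(buf, sizeof buf), POLICY);
}

/* Constructed sample: 512 bytes with a lone NOP every 8th byte (padding-like). */
int demo_scattered_flags(void)
{
    uint8_t buf[512] = { 0 };
    for (size_t i = 0; i < sizeof buf; i += 8)
        buf[i] = X86_NOP;
    return evaluate(scan_section(buf, sizeof buf), POLICY);
}

int main(void)
{
    printf("sled=%d scattered=%d\n", demo_sled_flags(), demo_scattered_flags());
    return 0;
}
```

On the constructed inputs, the sled-like buffer exceeds all three thresholds, while the padding-like buffer exceeds only the absolute count, which is why a raw count on its own tends to flag large benign sections.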

Regarding claims 8-11, and 15-18, they recite similar limitations to those in claims 1-4, respectively. Therefore, claims 8-11, and 15-18 are rejected for the same reasons as set forth in the rejections of claims 1-4 above.

Claims 5-6, 12-13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Momot and Thioux, as applied to claim 1, and further in view of Badishi (US 9904792 B1).

As per claim 5, the references of Momot and Thx as combined above teach the system of claim 1 but do not explicitly disclose mitigating the code injection attack by terminating execution of the computer program after analysis of NOP sled. This aspect of the claim is identified as a further difference.
In a related art, Badishi teaches:
wherein mitigating the code injection attack comprises terminating execution of the computer program (Badishi, col. 6, lines 14-18: mitigate the effects of an attack, including, … terminating the process responsible for the access attempt, creating a memory dump … [after] detect[ing] NOP-sleds and … rais[ing] an alert that a heap-spray attack may be in progress; see col. 5, lines 59-63).
Badishi is analogous art to the claimed invention in a similar field of endeavor in improving the detection and prevention of heap‐spray attacks.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Momot-Thx system with Badishi’s teaching that execution of the computer program that has potentially harmful no-op codes can be terminated for mitigating the code injection attack.  For this combination, the motivation would have been to improve the level of security by mitigating the code injection attack.

As per claim 6, the references as combined above teach the system of claim 1, but do not explicitly disclose mitigating the code injection attack comprises isolating one or more portions of the scanned one or more sections. This aspect of the claim is identified as a further difference.
In a related art, Badishi teaches:
wherein mitigating the code injection attack comprises isolating one or more portions of the scanned one or more sections (Badishi, col. 6, lines 52-57: memory regions containing data are marked as non-executable, and this restriction is enforced by the computer processor).
Badishi is analogous art to the claimed invention in a similar field of endeavor in improving the detection and prevention of heap‐spray attacks.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Momot-Thx system with Badishi’s technique of marking memory regions as non-executable for mitigating the code injection attacks.  For this combination, the motivation would have been to improve the level of security by making the malicious code non-executable.

Regarding claims 12-13 and 19, they recite similar limitations to claims 5-6 and thus receive the same rejections as above.

Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Momot and Thioux, as applied to claim 1, and further in view of US 20160004861 A1 by Momot (hereinafter M-4861).

As per claim 7, the references of Momot and Thx as combined above teach the system of claim 1, but do not explicitly disclose a Hidden Markov Model to be used for detecting the code injection attack.  This aspect of the claim is identified as a further difference.
In a related art, M-4861 teaches:
wherein detecting the code injection attack comprises applying a Hidden Markov Model (HMM) (M-4861, par. 0019: a hidden Markov model of the heap spray).
M-4861 is the same inventive entity as the Momot reference for improving the detection and prevention of heap‐spray attacks.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Momot-Thx system to include a Hidden Markov Model for malware detection.  For this combination, the motivation would have been to improve the level of security with a known model.
Regarding claims 14 and 20, they recite similar limitations to claim 7 and thus receive the same rejection as that in claim 7 above.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
12/13/2022