DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Amended claims 18-34 as submitted on 9/15/22 were considered.  Note new rejections made below in response to the amendments.  Any objections and/or rejections not repeated for record were withdrawn due to applicant’s amendments.

Response to Arguments
	Applicant’s remarks with respect to the IDS’s filed on 8/11/20 and 3/4/22 were considered.  Please note newly signed versions of these IDS’s in light of applicant’s remarks.
	Applicant’s arguments with respect to claim 1 that Dalcher does not teach the new limitation “detecting an operation … to determine whether the program is operated on the execution environment or the real environment” was considered but is not persuasive.  That the detecting an operation was done “to determine whether the program operated on the execution environment or the real environment” describes an intended use for the “detecting an operation” part of the limitation.  Intended uses do not have patentable weight.  Dalcher teaches “detecting an operation performed by the program” in several places (see at least paragraphs 25-26 where behavioral analysis module monitors operations of a plug-in).  Why the detecting was done does not patentably distinguish from Dalcher, especially since the claim does not make use of the determination of whether the program operated on the execution environment or the real environment.  As an alternative, as will be discussed below, newly discovered reference to Bryce, Jr. et al (US 6,253,224) also makes obvious “detecting an operation … to determine whether the program is operated on the execution environment or the real environment” and this alternative rejection will be made in light of applicant’s amendments.
	Applicant’s arguments for claims 26 and 34 are based on similarity of these claims to claim 1 and are also not persuasive for similar reasons discussed above for claim 1’s arguments.

Information Disclosure Statement
	The IDS filed on 8/24/22 was considered.
	In light of applicant’s remarks filed on 9/22/22, the IDS filed on 8/11/20 was considered once more.  Note that NPL 3 contains correction by the examiner to include printing date of the reference.  Applicant should make similar correction to their records in case the reference is listed in an IDS filed in any other application so as to avoid delays in getting the reference considered.
	In light of applicant’s remarks filed on 3/4/22, the IDS filed on 3/4/22 was considered once more.  Note that NPL 2 contains correction to the title by the examiner, which was made to match what is listed in the Japanese Office Action the reference was cited and discussed in.  Applicant should make similar correction to their records in case the reference is listed in an IDS filed in any other application so as to avoid delays in getting the reference considered.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 18-19, 21-27, and 29-34 is/are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Dalcher et al (US 2011/0145926) or, 
in the alternative, under 35 U.S.C. 103 as obvious over Dalcher et al (US 2011/0145926) in view of Brice, Jr. et al (US 6,253,224).


Claims 1, 26, and 34:
	As per claim 1, Dalcher discloses:
executing a program in an execution environment (paragraphs 22, 25-26, and 35-38; Browser or plug-in can be considered the claimed program and can be run in a sandboxed/virtual/execution environment),
detecting an operation performed by the program [to determine whether the program is operated on the execution environment or the real operating environment] (paragraphs 20, 22, 36, 82, 87, and 102; Behavioral analysis module monitors, analyzes, and logs execution of a plug-ins and other programs.  The part of the limitation that the detecting was done “to determine whether the program is operated on in the execution environment or the real operating environment” does not have patentable weight as it describes an intended use for the detecting), and
performing a reaction based on the operation being detected (paragraphs 22-26 and 35-38; Operations related to the program are intercepted and decisions are made as to whether they should be allowed to occur in the normal environment or isolated in the virtual environment.  Results of the program executing are also observed and logged),
wherein information associating the operation and the reaction is stored in a memory (paragraphs 26, 32, 59, and 100; Log what happened when the program executed in the virtualized/sandboxed environment).

Note that while it is discussed above that “to determine whether the program is operated on in the execution environment or the real operating environment” was not given patentable weight because that portion of the “detecting” limitation describes an intended use of the detecting step, in the alternative, it is noted that Brice also teaches “detecting an operation performed by the program to determined whether the program is operated on the execution environment or the real operating environment” (see col 15, line 64-col 16, line 50).  In the cited portion of Brice, his invention detects one or more operations performed by programs in a virtual/execution environment.  These operations are expected to be performed only in an encapsulated virtual machine.  His invention checks to see if any detected operation executes beyond the encapsulated virtual machine, meaning the operation also performs on the normal/real operating environment, outside the encapsulated virtual environment.
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Dalcher’s invention using Brice’s teachings such that the detecting an operating performed by the program was to determine whether the program is operated on the execution environment or the real operating environment.  One skilled would have been motivated to do so because it would allow one to check of the restrictions under which a program was set to execute in a virtual machine have been violated (Brice: col 16, lines 14-21).

The rejection of claim 1 applies, mutatis mutandis, to claims 26 and 34.

Claims 19 and 27:
	Dalcher further discloses wherein,
the operation comprises accessing an internal network (paragraphs 22-23, 35, 38, and 86), and
the reaction comprises virtually building the internal network (paragraphs 22-23, 35, 38, and 86).

Note when the sandboxed/virtual environment is built, it can be used to replicant the entire non-sandboxed environment.  This means any network connections would also be virtualized.

Claims 21 and 29:
	Dalcher further discloses wherein, 
the operation comprises accessing an I/O port (paragraph 21, 25, and 35), and
the reaction comprises concealing a specific I/O port (paragraphs 22-23, 25, 35-37, and 102-103; Intercepts browser I/O requests so that the program sees I/O operations as if they occurred in the normal operating environment rather than a sandboxed environment.  Thus, I/O operations using a specific I/O port is concealed from the program.  Additionally, an entire normal operating environment could be virtualized, so any I/O operation in the virtual environment would be concealed to the program).

Claims 22 and 30:
	Dalcher further discloses wherein: 
the execution environment is provided by a virtual machine configured to emulate a real operating environment and to analyze the program (paragraphs 35-38; Virtualization can be used to replicate the entire non-sandboxed operating environment),
the program is malware (paragraphs 3, 17-18, 87, and 101), and
the reaction comprises emulating the real operating environment (paragraphs 35-38, and 103).

Claims 23 and 31:
	Dalcher further discloses wherein:
the operation comprises accessing a folder (paragraphs 35-37; Windows registry is stored in a folder structure), and
the reaction comprises creating a folder structure in the virtual machine similar to a folder structure in the real operating environment (paragraphs 35-36 and 38).

Claims 24 and 32:
	Dalcher further discloses wherein:
the execution environment is provided by a virtual machine configured to emulate a real operating environment and to analyze the program (paragraphs 35-38),
the program is malware (paragraphs 3, 17-18, 87, and 101), and
the reaction comprises deceiving the program by emulating the real operating environment (paragraphs 35-38 and 103).

Claims 25 and 33:
	Dalcher further discloses storing the information associating the operation and the reaction in the memory (paragraph 32).



Claim(s) 20 and 28 is/are rejected under 35 U.S.C. 103 as being unpatentable Dalcher et al (US 2011/0145926) in view of Wang et al (“A Novel Flow Multiplication Attack against Tor”) or, 
in the alternative, under 35 U.S.C. 103 as obvious over Dalcher et al (US 2011/0145926) in view of Brice, Jr. et al (US 6,253,224) in further view of Wang et al (“A Novel Flow Multiplication Attack against Tor”).
Claims 20 and 28:
	Dalcher further discloses wherein, the operation comprises accessing an external network, and the reaction comprises allowing access to the external network (paragraphs 22-24, 26, 38, and 86).
	Dalcher does not disclose, but Wang discloses the access to the external network is via TOR (abstract).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Dalcher’s invention using Wang’s teachings so that access to the external network is via TOR.  The rationale for why it is obvious is that doing so is nothing more than simple substitution of one known element for another (i.e. one type of network accessing application for another) to achieve predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495