Prosecution Insights
Last updated: April 19, 2026
Application No. 17/161,497

KERNEL BASED EXPLOITATION DETECTION AND PREVENTION USING GRAMMATICALLY STRUCTURED RULES

Status: Final Rejection (§103)
Filed: Jan 28, 2021
Examiner: POPHAM, JEFFREY D
Art Unit: 2432
Tech Center: 2400 (Computer Networks)
Assignee: Malwarebytes Corporate Holdco Inc.
OA Round: 7 (Final)

Grant probability: 37% (At Risk)
Expected OA rounds: 8-9
Expected time to grant: 4y 9m
Grant probability with interview: 61%

Examiner Intelligence

Career allow rate: 37% (175 granted / 469 resolved), -20.7% vs TC avg
Interview lift: +23.8% (resolved cases with interview vs. without)
Average prosecution: 4y 9m
Currently pending: 31
Total applications: 500 (across all art units)

Statute-Specific Performance (career data from 469 resolved cases; difference shown against the Tech Center average estimate)

§101: 14.7% (-25.3% vs TC avg)
§103: 45.4% (+5.4% vs TC avg)
§102: 15.9% (-24.1% vs TC avg)
§112: 21.2% (-18.8% vs TC avg)

Office Action

§103
Remarks

Claims 1, 3-10, and 13-20 are pending. In view of the Appeal Brief filed on 8/4/2025, PROSECUTION IS HEREBY REOPENED. The rejections are clarified in order to be in better form for appeal. To avoid abandonment of the application, appellant must exercise one of the following two options: (1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or, (2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid. A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below: /Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 8/4/2025 have been fully considered but they are not persuasive with respect to the claimed invention being rendered obvious over Paithane as modified by Lopez-Chicheri. Applicant's arguments quote a claim limitation the previous rejection relied on Lopez-Chicheri for. The previous rejection did not accurately delineate the portions of the quoted claim limitation that were taught by Paithane versus Lopez-Chicheri and, while one may argue a person of ordinary skill would understand which reference was relied upon for the different portions of the claim limitations, the Examiner believes applicant may benefit from more clarity on the delineation for the claim limitation in question ("responsive to identifying the triggering action is an exploitation action and before execution of the exploitation action by the operating kernel, performing a prevention action to prevent execution of the exploitation action called by the operating kernel by stopping the operating kernel from executing the triggering action on the operating kernel").

With respect to Applicant's arguments regarding Paithane, as previously stated in the interview and the last office action, as well as the previous office action, an operating virtual kernel is an operating kernel. Indeed, Applicant has already been informed that "the primary reference hooks and executes API calls in kernel mode". The hooking occurs in the kernel, as seen, for example, in figures 2, 4, and 5, showing interpreters (that are described in the cited portions of the specification as including hooking/instrumentation), hooks, hook framework, instrumentation framework, and the like, within the kernel. Paithane clearly discloses the argued limitation in Paithane's disclosure of a triggering action, such as anomalous API call, out of order API call, specified API call, other non-API calls, activities, acquiring of information based thereon, characteristics, features, objects, metadata, state information, etc., as examples, from hooks, instrumentation, hook framework, instrumentation framework, etc., in kernel, for example. Nothing within the claims prohibits the operating kernel from being the kernel of a guest OS.

With respect to Applicant's allegations regarding Lopez-Chicheri, Lopez-Chicheri clearly discloses preventing of a call, which, in the combination (or, as discussed below, at least some embodiments of Lopez-Chicheri), are calls for kernel execution. As but one example, column 8, lines 16-34, discusses blocking and preventing calls. When viewed in combination with the primary reference, Paithane, that already discloses that the calls are kernel calls, it is clear that the combination, as a whole, discloses the claimed invention. With respect to Applicant's allegation that "Paithane does not remedy this deficiency of Lopez-Chicheri, nor does the Office Action allege that it does" on page 11 of the Appeal Brief, it is once again noted that Paithane is cited as disclosing "performing a prevention action to prevent execution of the exploitation action called by the operating kernel" as noted in the rejections. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

With respect to Applicant's allegations regarding the combination, it is noted that the claims do not prohibit the kernel from operating in a sandbox, for example. Adding stopping calls from being executed by the kernel within this environment still adds stopping calls from being executed by the kernel, even if the environment is virtual. Moreover, it is noted that Paithane discloses that the host OS may be monitored, in addition to the guest OSes (e.g., column 12, lines 17-21). Therefore, Paithane actually includes disclosure of a host OS being monitored as well as the guest OSes.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-6, 10, 13-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Paithane (U.S. Patent 10,033,747) in view of Lopez-Chicheri (U.S. Patent 9,754,105).
Regarding Claim 1, Paithane discloses a method for preventing exploitation of a computer processor, the method comprising:

Receiving, from a monitoring module executing on an operating kernel, a triggering action on the operating kernel that includes an execution call by the operating kernel, the triggering action received before execution of the triggering action on the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures; triggering action, such as anomalous API call, out of order API call, specified API call, other non-API calls, activities, acquiring of information based thereon, characteristics, features, objects, metadata, state information, etc., as examples, from hooks, instrumentation, hook framework, instrumentation framework, etc., in kernel, for example. Moreover, it is noted that Paithane discloses that the host OS may be monitored, in addition to the guest OSes (e.g., column 12, lines 17-21). Therefore, Paithane includes disclosure of a host OS being monitored as well as the guest OSes);

Responsive to receiving the triggering action and before executing the triggering action, accessing an evidence set comprising information describing execution of the triggering action and a plurality of related actions corresponding to the triggering action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures; triggering action, such as anomalous API call, out of order API call, specified API call, other non-API calls, activities, acquiring of information based thereon, characteristics, features, objects, metadata, state information, etc., as examples);

Generating, using the evidence set for the triggering action and before executing the triggering action on the operating kernel, an execution hierarchy defining hierarchical relationships between the triggering action and the plurality of related actions (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 8, lines 45-60; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, line 1 to Column 17, line 30; Column 17, line 51 to Column 18, line 27; and associated figures; calling hierarchy, sequence of calls, call stack, call trace, etc., as examples);

Accessing a rule list comprising a plurality of grammatically structured rules configured to identify whether the triggering action is an exploitation action for the operating kernel when applied to the execution hierarchy for the triggering action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; any rules, such as de-obfuscation rules, white lists, black lists, abnormal calls, specified calls, call sequences, verifying call hierarchies, etc., as examples);

Identifying the triggering action is an exploitation action for the operating kernel by applying each grammatically structured rule in the accessed rule list to the execution hierarchy (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; identifying malicious action/activity, for example, by applying the above, for example); and

Responsive to identifying the triggering action is an exploitation action and before execution of the exploitation action by the operating kernel, performing a prevention action to prevent execution of the exploitation action called by the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; report/alert when malicious, for example);

But may not explicitly disclose stopping the operating kernel from executing the triggering action on the operating kernel.

Lopez-Chicheri, however, discloses that the prevention action comprises stopping the operating kernel from executing the triggering action on the operating kernel (Exemplary Citations: for example, Abstract, Column 2, lines 44-49; Column 3, line 57 to Column 4, line 5; Column 4, lines 25-67; Column 5, line 58 to Column 6, line 45; Column 7, line 56 to Column 10, line 11; and associated figures; determining if calls, requesting applications, etc., exhibit malicious behavior/parameters, and then allowing or denying requested call based on the above, and terminating the application if malicious as well, for example. It is noted that Paithane already discloses that the triggering actions are from the kernel and for the kernel to execute. Moreover, Lopez-Chicheri also discloses stopping the kernel from executing API calls, such as API calls to kernel32.dll (e.g., Kernel32.dll CreateProcessW API), for example).

It would have been obvious to one of ordinary skill in the art at the time of applicant's invention, which is before any effective filing date of the claimed invention, to incorporate the exploitation prevention techniques of Lopez-Chicheri into the attack detection system of Paithane in order to allow the system to stop malicious actions from ever being executed, to provide for termination of malicious applications, allow the system to detect malicious actions regardless of the data or patterns involved, to beneficially detect malicious characteristics by analyzing a memory address associated with an API call and determining if the memory location lacks execute access, and/or to increase security in the system.

Regarding Claim 19, Claim 19 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.

Regarding Claim 20, Claim 20 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.
Regarding Claim 4, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that performing the prevention action to prevent execution of the exploitation action by the operating kernel further comprises:

Generating a notification indicating the triggering action is the exploitation action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; report/alert when malicious, for example); and

Displaying the notification on a display of a system comprising the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; report/alert when malicious, for example).

Regarding Claim 5, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that performing the prevention action to prevent execution of the exploitation action by the operating kernel further comprises:

Transmitting, to a security management server, a report that both indicates the triggering action is the exploitation action and comprises the evidence set and the execution hierarchy for the triggering action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; report/alert when malicious, for example).

Regarding Claim 6, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that applying each grammatically structured rule further comprises:

For each grammatically structured rule in the rule list (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; if a certain action is found, it may be suspicious/malicious, if the action is malicious, an attack is detected, etc., for example):

Accessing a conditional statement in the grammatically structured rule configured to identify one or more exploitation actions in the execution hierarchy (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; if a certain action is found, it may be suspicious/malicious, if the action is malicious, an attack is detected, etc., for example); and

Evaluating the conditional statement against the execution hierarchy to determine whether one or more actions in the execution hierarchy are exploitation actions (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; if a certain action is found, it may be suspicious/malicious, if the action is malicious, an attack is detected, etc., for example);

Wherein the conditional statement is indicated by its location within a grammatical structure of the grammatically structured rule (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; if a certain action is found, it may be suspicious/malicious, if the action is malicious, an attack is detected, etc., for example).

Regarding Claim 10, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that the rule list is configured to identify a plurality of exploitation actions (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures); and each grammatically structured rule of the rule list is configured to identify one or more exploitation actions of the plurality of exploitation actions in the rule list (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures).
Regarding Claim 13, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses identifying an application class for the triggering action and wherein only grammatically structured rules corresponding to the application class are applied to the triggering action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; choosing configuration based on application type, interpreter type, object type, script type, or the like, as examples); and Lopez-Chicheri discloses identifying an application class for the triggering action and wherein only grammatically structured rules corresponding to the application class are applied to the triggering action (Exemplary Citations: for example, Column 5, lines 29-47, all citations above, and associated figures; application profiles and/or group profiles identifying what is to be analyzed, for example).

Regarding Claim 14, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses monitoring, in real time, a plurality of execution calls by the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures); and responsive to an execution call of the plurality of execution calls having a verification call type, defining the execution call as the triggering action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures; triggering actions described above are to be verified and, thus, have a verification call type, for example).

Regarding Claim 15, Paithane as modified by Lopez-Chicheri discloses the method of claim 14; in addition, Paithane discloses executing one or more actions corresponding to one or more of the plurality of execution calls by the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures); storing the one or more actions in a datastore (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures; storing information about calls, for example); and wherein accessing the evidence set for the triggering action comprises accessing one or more of the stored actions in the datastore as the plurality of related actions (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures; accessing information about calls, for example).

Regarding Claim 17, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that accessing the evidence set further comprises reading one or more execution images from a datastore (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures).

Regarding Claim 18, Paithane as modified by Lopez-Chicheri discloses the method of claim 1; in addition, Paithane discloses that the evidence set comprises information for previously terminated actions executed by the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 9, lines 31-47; Column 10, lines 7-32; Column 11, line 21 to Column 12, line 6; Column 12, line 17 to Column 13, line 10; Column 14, line 63 to Column 15, line 32; Column 16, lines 1-50; Column 17, lines 1-30; Column 17, line 51 to Column 18, line 27; and associated figures).

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Lopez-Chicheri and Sridhara (U.S. Patent Application Publication 2016/0337390).

Regarding Claim 3, Paithane as modified by Lopez-Chicheri does not explicitly disclose that performing the prevention action to prevent execution of the exploitation action by the operating kernel further comprises migrating one or more files associated with the triggering action into a quarantine such that the triggering action cannot be executed by the operating kernel.
Sridhara, however, discloses that performing the prevention action to prevent execution of the exploitation action by the operating kernel further comprises migrating one or more files associated with the triggering action into a quarantine such that the triggering action cannot be executed by the operating kernel (Exemplary Citations: for example, Abstract, Paragraph 39 and associated figures). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the real-time whitelisting and malicious response techniques of Sridhara into the attack detection system of Paithane as modified by Lopez-Chicheri in order to allow the system to quarantine malicious entities, allow for whitelist updating, and/or to increase security in the system. Regarding Claim 12, Paithane as modified by Lopez-Chicheri discloses the method of claim 1, in addition, Paithane discloses identifying the triggering action is not exploitation action for the operating kernel by applying each grammatically structured rule in the accessed rule list to the execution hierarchy (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; identifying non-malicious action/activity, for example, by applying the above, for example); and A future execution call for the triggering action by the operating kernel (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to 
Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; another call, for example); and Lopez-Chicheri discloses that the rule list is not applied to the triggering action after the future execution call (Exemplary Citations: for example, Abstract, Column 2, lines 44-49; Column 3, line 57 to Column 4, line 5; Column 4, lines 25-67; Column 5, line 58 to Column 6, line 45; Column 7, line 56 to Column 10, line 11; and associated figures; execution of requested action denied and application terminated, for example); But does not explicitly disclose responsive to determining the triggering action is not the exploitation action, adding the triggering action to an action white list comprising a plurality of benign actions previously identified as not being the exploitation action. Sridhara, however, discloses responsive to determining the triggering action is not an exploitation action, adding the triggering action to an action white list comprising a plurality of benign actions previously identified as not being an exploitation action (Exemplary Citations: for example, Paragraphs 4, 5, 25-27, 39, 126, and associated figures; adding activity to whitelist, for example); and Wherein the rule list is not applied to the triggering action after a future execution call for the triggering action by the operating kernel (Exemplary Citations: for example, Paragraphs 4, 5, 25-27, 39, 126, and associated figures). 
It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the real-time whitelisting and malicious response techniques of Sridhara into the attack detection system of Paithane as modified by Lopez-Chicheri in order to allow the system to quarantine malicious entities, allow for whitelist updating, and/or to increase security in the system.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Lopez-Chicheri and Fulp (U.S. Patent Application Publication 2006/0248580).

Regarding Claim 7, Paithane as modified by Lopez-Chicheri discloses the method of claim 1, in addition, Paithane discloses that performing the prevention action to prevent execution of the exploitation action by the operating kernel further comprises: Accessing an action statement in a grammatically structured rule in the rule list that determined the triggering action was the exploitation action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; each rule designates what occurs when the rule is triggered, for example); Applying the action statement as the prevention action (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures); and Wherein the action statement is indicated by its location within a grammatical structure of the grammatically structured rule (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 26; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures; all rules are structured such that the computer can determine what each portion of the rule is, so that the action will be distinctly set apart from the rest (e.g., conditionals for the rule), for example).

Fulp also discloses that the action statement is indicated by its location within a grammatical structure of the grammatically structured rule (Exemplary Citations: for example, Figures 5A, 5B, 6B, 7B, and associated written description; Tables 1, 2, and associated written description; action column, for example).

It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention to incorporate the action column of Fulp into the attack detection system of Paithane as modified by Lopez-Chicheri in order to provide an explicit action/response/countermeasure column within a rule table, to allow any entity to easily determine what the action/response/countermeasure for every rule is, to allow the system to re-order rules so as to optimize the rules and security processing, and/or to increase security in the system.

Claims 8, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Lopez-Chicheri and Yoo (U.S. Patent Application Publication 2012/0047366).

Regarding Claim 8, Paithane as modified by Lopez-Chicheri does not explicitly disclose receiving a rule list from a security management server configured to generate the grammatically structured rules in the rule list. Yoo, however, discloses receiving a rule list from a security management server configured to generate the grammatically structured rules in the rule list (Exemplary Citations: for example, Paragraphs 48-50, 54-58, 106-116, 119-121, 126, 192, and associated figures; server sending encrypted update data (e.g., firewall updates, antivirus updates, etc.) to device, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the updating techniques of Yoo into the attack detection system of Paithane as modified by Lopez-Chicheri in order to ensure that security updates are encrypted, to provide additional defense against malicious entities, and/or to increase security in the system.

Regarding Claim 9, Paithane as modified by Lopez-Chicheri does not explicitly disclose responsive to a security management server generating one or more additional grammatically structured rules configured to identify one or more additional exploitation actions, receiving an updated rule list from the security management server comprising the one or more additional rules. Yoo, however, discloses responsive to a security management server generating one or more additional grammatically structured rules configured to identify one or more additional exploitation actions, receiving an updated rule list from the security management server comprising the one or more additional rules (Exemplary Citations: for example, Paragraphs 48-50, 54-58, 106-116, 119-121, 126, 192, and associated figures). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the updating techniques of Yoo into the attack detection system of Paithane as modified by Lopez-Chicheri in order to ensure that security updates are encrypted, to provide additional defense against malicious entities, and/or to increase security in the system.

Regarding Claim 16, Paithane as modified by Lopez-Chicheri discloses the method of claim 1, in addition, Paithane discloses that the rule list is a binary file representing the plurality of grammatically structured rules (Exemplary Citations: for example, Column 2, line 42 to Column 5, line 27; Column 5, line 63 to Column 6, line 7; Column 6, line 55 to Column 7, line 15; Column 8, lines 45-60; Column 10, line 7 to Column 13, line 10; Column 13, line 30 to Column 14, line 16; Column 14, line 63 to Column 15, line 32; Column 15, line 51 to Column 17, line 30; Column 17, line 51 to Column 18, line 53; and associated figures); But does not explicitly disclose that the binary file is an encrypted binary file. Yoo, however, discloses that the rule list is an encrypted binary file representing the plurality of grammatically structured rules (Exemplary Citations: for example, Paragraphs 48-50, 54-58, 106-116, 119-121, 126, 192, and associated figures). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the updating techniques of Yoo into the attack detection system of Paithane as modified by Lopez-Chicheri in order to ensure that security updates are encrypted, to provide additional defense against malicious entities, and/or to increase security in the system.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.

For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Jeffrey D. Popham/ Primary Examiner, Art Unit 2432
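The mechanism the rejected claims describe can be read off the office action above: a rule list of grammatically structured rules, where the action statement is identified by its position in the rule rather than by a label (claim 7), and an action whitelist of calls already judged benign so that the rule list is not applied again when the kernel sees the same call later (claim 1). The Python below is an added illustration of that mechanism written for this page; it is not code from the application, from Malwarebytes, or from any of the cited references (Paithane, Lopez-Chicheri, Sridhara, Fulp, Yoo). The `on ... where ... then ...` grammar, the field names, the two rules and the sample kernel events are all assumptions made for the example.

```python
"""Toy illustration of a rule-driven exploitation detector with an action whitelist.

Rule grammar assumed for this example (not taken from the application):
    on <event> [where <field>=<value> [and <field>=<value> ...]] then <action>
The action statement is whatever follows the 'then' keyword, so it is located by its
position in the rule's structure rather than by a separate label.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    event: str
    conditions: tuple  # ((field, value), ...); all must hold for the rule to fire
    action: str        # the action statement, applied as the prevention action


_RULE_RE = re.compile(r"\s*on\s+(\w+)(?:\s+where\s+(.+?))?\s+then\s+(\w+)\s*")


def parse_rule(text: str) -> Rule:
    """Parse one rule; raise ValueError if it does not fit the grammar."""
    m = _RULE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"rule does not match grammar: {text!r}")
    event, where, action = m.groups()
    conditions = []
    if where:
        for clause in re.split(r"\s+and\s+", where):
            key, sep, value = clause.partition("=")
            if not sep or not key.strip() or not value.strip():
                raise ValueError(f"bad condition {clause!r} in rule {text!r}")
            conditions.append((key.strip(), value.strip()))
    return Rule(event, tuple(conditions), action)


def rule_matches(rule: Rule, call: dict) -> bool:
    """A rule fires when the event name and every where-condition match the call."""
    return call.get("event") == rule.event and all(
        call.get(k) == v for k, v in rule.conditions)


@dataclass
class Detector:
    rules: list
    whitelist: set = field(default_factory=set)  # keys of calls already judged benign
    rule_evaluations: int = 0                    # how often the rule list was applied

    @staticmethod
    def key(call: dict) -> tuple:
        # The full attribute set is the identity of the triggering action.
        return tuple(sorted(call.items()))

    def on_call(self, call: dict) -> tuple:
        """Return (action, source) for one execution call reported by the kernel."""
        k = self.key(call)
        if k in self.whitelist:
            return ("allow", "whitelist")    # rule list is not applied on this future call
        self.rule_evaluations += 1
        for rule in self.rules:
            if rule_matches(rule, call):
                return (rule.action, "rule")  # prevention action taken from the action statement
        self.whitelist.add(k)                 # benign: remember it so rules are skipped next time
        return ("allow", "rule_list")


# Constructed sample rule list (assumed for this example, not from any cited reference).
RULES = [
    "on open_process where target=lsass.exe and caller=winword.exe then terminate",
    "on create_remote_thread where target_is_self=false then deny",
]

if __name__ == "__main__":
    det = Detector([parse_rule(r) for r in RULES])
    # Constructed kernel events: a benign call seen twice, then two exploit-like calls.
    events = [
        {"event": "open_process", "caller": "explorer.exe", "target": "notepad.exe"},
        {"event": "open_process", "caller": "explorer.exe", "target": "notepad.exe"},
        {"event": "open_process", "caller": "winword.exe", "target": "lsass.exe"},
        {"event": "create_remote_thread", "caller": "winword.exe", "target_is_self": "false"},
    ]
    for ev in events:
        print(ev["event"], ev["caller"], "->", det.on_call(ev))
    print("rule list applied", det.rule_evaluations, "times for", len(events), "calls")
```

Two practical caveats. The whitelist key is the complete attribute set of the call, so a repeat with any attribute changed is re-evaluated against the rules; if the key were only the event name, a benign first call would blind the detector to a later malicious one with the same event. And a whitelisted entry stays allowed even after the rule list is replaced (the updated-rule-list scenario of claim 9), so a real engine has to clear or re-validate the whitelist when new rules arrive; the office action does not say how the application handles that, and this example does not either.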

Prosecution Timeline

Jan 28, 2021
Application Filed
Apr 29, 2021
Non-Final Rejection — §103
Jul 27, 2021
Examiner Interview Summary
Jul 27, 2021
Applicant Interview (Telephonic)
Aug 04, 2021
Response Filed
Aug 09, 2021
Final Rejection — §103
Nov 10, 2021
Notice of Allowance
May 09, 2022
Response after Non-Final Action
May 10, 2022
Response after Non-Final Action
May 10, 2022
Response after Non-Final Action
May 16, 2022
Response after Non-Final Action
May 18, 2022
Response after Non-Final Action
May 24, 2022
Response after Non-Final Action
May 24, 2022
Response after Non-Final Action
Jun 03, 2022
Response after Non-Final Action
Jun 07, 2022
Response after Non-Final Action
Jul 07, 2022
Response after Non-Final Action
Jul 22, 2022
Response after Non-Final Action
Jan 06, 2023
Non-Final Rejection — §103
Apr 25, 2023
Examiner Interview Summary
Apr 25, 2023
Applicant Interview (Telephonic)
Aug 02, 2023
Response after Non-Final Action
Aug 02, 2023
Response Filed
Nov 08, 2023
Response Filed
Feb 28, 2024
Final Rejection — §103
Aug 06, 2024
Response after Non-Final Action
Aug 06, 2024
Request for Continued Examination
Aug 08, 2024
Non-Final Rejection — §103
Nov 13, 2024
Response Filed
Nov 13, 2024
Response after Non-Final Action
Nov 27, 2024
Final Rejection — §103
Apr 03, 2025
Response after Non-Final Action
Apr 03, 2025
Notice of Allowance
Apr 17, 2025
Applicant Interview (Telephonic)
Aug 04, 2025
Response after Non-Final Action
Aug 10, 2025
Response after Non-Final Action
Mar 13, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12481750
A METHOD OF PROCESSING TRANSACTIONS FROM AN UNTRUSTED SOURCE
2y 5m to grant Granted Nov 25, 2025
Patent 12425407
Identity And Access Management Using A Decentralized Gateway Computing System
2y 5m to grant Granted Sep 23, 2025
Patent 12380240
PROTECTING SENSITIVE DATA IN DOCUMENTS
2y 5m to grant Granted Aug 05, 2025
Patent 12326934
DETECTING SUSPICIOUS ACTIVATION OF AN APPLICATION IN A COMPUTER DEVICE
2y 5m to grant Granted Jun 10, 2025
Patent 12235936
SYSTEM AND METHOD FOR AUTOMATIC DIGITAL COPY FOR PHYSICAL MEDIA PURCHASE
2y 5m to grant Granted Feb 25, 2025
Based on the 5 most recent grants.


Prosecution Projections

8-9
Expected OA Rounds
37%
Grant Probability
61%
With Interview (+23.8%)
4y 9m
Median Time to Grant
High
PTA Risk
Based on 469 resolved cases by this examiner. Grant probability derived from career allow rate.
