DETAILED ACTION
The applicant’s amendment filed on November 25, 2025 has been acknowledged. Claims 6, 7, 13 and 19 have been canceled. Claims 1-5, 8-12, 14-18 and 20-24, as amended, are currently pending and have been considered below.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4, 8, 9, 11, 14, 15, 17, 20, 23 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Georgescu (US 20170118242 A1) hereafter Georgescu, in view of Budhani et al. (US 2015/0264055 A1) hereafter Budhani, further in view of Repasi et al. (US 2008/0022378 A1) hereafter Repasi, further in view of Kuppusamy et al. (US 12,079,364 B2) hereafter Kuppusamy.
As per claim 1, Georgescu discloses a method, comprising:
obtaining, by at least one processing device, at least one processor-readable device behavior constraint that limits one or more behaviors of the at least one processing device (Georgescu; [0026], lines 3-9; “server 130 may use detection module 214 to detect potential malicious attacks against denial-of-service environment 100”. Detection module 214 may access information associated with monitored characteristics obtained by monitoring module 206 and determine whether one or more characteristics are indicative of a potential malicious attack against server 130. [0026] lines 14-21; discloses “detection module 214 is capable of discriminating normal traffic flow from distributed attacks against the system. As an example, detection module 214 may determine that at least one characteristic (e.g., processor load, memory usage, processing time) is above a particular threshold indicating a potential malicious attack. If detection module 214 detects that a particular threshold is exceeded, it may instruct server 130 to enter into a protection state”); wherein the at least one processing device comprises a processor coupled to a memory (Georgescu; [0026]; discloses that the server comprises one processing device which comprises a processor coupled to a memory and containing the instructions for carrying out the limitations);
monitoring at least one action performed by the at least one processing device (Georgescu; [0025], lines 6-15; “For example, monitoring module 206 may monitor one or more characteristic associated with processing load of server 130 such as average processor load, memory usage, hard disk drive usage, processing time, database load, number of sockets opened, and/or any other characteristic suitable for monitoring any component of denial-of-service protection environment 100. Monitoring module 206 may be any combination of software, hardware, and/or firmware capable of monitoring characteristics associated with denial-of-service protection environment 100”);
determining, by the at least one processing device, if the at least one monitored action of the at least one processing device violates the at least one processor-readable device behavior constraint to detect anomalous behavior of the at least one processing device (Georgescu; [0019], lines 13-24; “More specifically, in addition to providing various services to users, server 130 may also be configured to detect DDoS or DDgS attacks. In certain embodiments, server 130 may do this by monitoring processing load such as average processor load, memory usage, hard disk drive usage, database load, sockets opened, and/or any other suitable metric that may indicate processing load as suitable for a particular purpose. In such embodiments, server 130 may compare processing load to a baseline processing load threshold and determine that server 130 and/or any other suitable component of denial-of-service protection environment 100 may be under attack”);
initiating at least one automated action in response to a result of the determining, to address the anomalous behavior of the at least one processing device, wherein the method is performed by the at least one processing device (Georgescu; [0020], lines 1-7; “According to some embodiments, once a potential attack is detected, server 130 may be configured to enter into a protection state and take steps to filter out any traffic from a potentially malicious endpoint 110 that may be a part of a DDoS or DDgS attack. For example, after detection of a potential attack, server 130 may be configured to respond to all queued requests with an error message”);
wherein the at least one processing device comprises a processor coupled to a memory (Georgescu; [0022], lines 2-6; “Server 130 may include a processor 202, memory 204, monitoring module 206, behavior model 208, behavior module 210, request handling module 212, detection module 214, and error messages 216”).
While Georgescu discloses identifying IP addresses (Paragraph [0042]) and types of requests (Paragraph [0038]), it is not explicit wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device. While Georgescu discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this is by at least one software entity of an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Budhani, which like Georgescu talks about managing a Denial of Service Attack, teaches it is known wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device (Budhani paragraph [0044]; teaches that, like Georgescu, the data center includes security systems such as a firewall which act to block unwanted access from outside the data center. Paragraph [0047]; teaches that certain users can be identified and blocked, similar to what is shown in Georgescu. In addition to blocking the user, it can also block specific device types which are identified based on the requests. From this, the limit is one or more connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device. Specifically, they are outside or external connections from designated or identified device types which connect to the processing device and are blocked based on the device type. As shown in Paragraph [0065], this is done to thwart attacks such as denial of service attacks).
Georgescu and Budhani are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Budhani, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu, with constraints limiting connections of the at least one processing device with one or more external devices of a designated type that connect to the at least one processing device as taught by Budhani, for the purposes of managing attacks based on known device types.
While the combination discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this is by at least one software entity of an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Repasi, which like the combination talks about monitoring for malicious activity, teaches it is known to monitor by at least one software entity of an operating system of the at least one processing device and wherein the monitoring comprises the at least one software entity intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations and that the determination is by the operating system of the at least one processing device (Repasi Paragraph [0003]; teaches that, similar to the combination, the threat is considered to be malware, which includes threats such as malicious libraries, malicious active content and denial of service attacks. Paragraph [0008]; teaches that the kernel is the core part of the operating system responsible for resource allocation, low-level hardware interfaces, security, etc. Paragraph [0010]; establishes that the library is a file containing the executable code data which is loaded by a process or at run time. Paragraph [0103]; teaches that, like the combination, the processing device includes a processor and memory. Paragraph [0127]; teaches that the operating system is passed a request from a process. This is intercepted by a software entity, specifically the API interception module. The interception occurs prior to the execution, as the software can restrict or prevent the malicious code from loading at all. The operating system software determines if the code is malicious or not and, if it is determined to be malicious, it initiates an automated action by restricting the code. Since the combination already monitors for malicious code, it would have been obvious to handle the monitoring through the operating system to prevent the code from being run, as shown explicitly in Repasi).
Georgescu, Budhani and Repasi are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Repasi, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu and Budhani, with monitoring by at least one software entity of an operating system of the at least one processing device and with the determination being by the operating system of the at least one processing device as taught by Repasi, for the purposes of managing attacks based on detected malicious files.
While the combination discloses monitoring the at least one action performed by the operating system, it is not explicit that this is by an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and the combination further fails to explicitly disclose that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Kuppusamy, which like the combination talks about monitoring for malicious activity, teaches it is known for the kernel of the operating system of the at least one processing device to perform the monitoring and intercept one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and for the determining by the operating system kernel of the at least one processing device to be done prior to an execution of the one or more device operations (Kuppusamy Col. 3, lines 46-51; teaches that the kernel program is part of the operating system and manages input/output requests for the customer node, such as applications. Col. 13, lines 12-32; teaches that the kernel monitors operations and receives requests to perform operations. The kernel intercepts the request before it is executed. The kernel determines if the operation request is authorized or not and, if it is not authorized, the system blocks the operation. Since Kuppusamy establishes that it is known for the kernel to monitor the input and output operations of applications, it would have been obvious to intercept those requests and block any unauthorized requests prior to execution to ensure the system is protected).
Georgescu, Budhani, Repasi and Kuppusamy are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Kuppusamy, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu, Budhani and Repasi, with the kernel of the operating system of the at least one processing device performing the monitoring and intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and with the determining by the operating system kernel of the at least one processing device being done prior to an execution of the one or more device operations as taught by Kuppusamy, for the purposes of blocking unauthorized operations prior to execution.
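As an added illustration of the claim 1 steps as mapped above (a processor-readable constraint is obtained, requests to perform device operations are intercepted by a kernel-side entity and checked against the constraint before they execute, monitored load metrics are compared to thresholds, and an automated action is taken on a violation), the following Python sketch is not part of this Office action and is not code from Georgescu, Budhani, Repasi or Kuppusamy; every class, function, constraint value and metric name in it is a constructed assumption, and the "kernel" hook is simulated in user space.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# All names below are hypothetical; constraint values are constructed samples.


@dataclass
class BehaviorConstraint:
    """Processor-readable constraint that limits what the device may do."""
    allowed_address_types: Set[str]      # external comms only to these address types
    blocked_device_types: Set[str]       # connections from these device types are refused
    denied_command_types: Set[str]       # commands of these types may not execute
    load_thresholds: Dict[str, float]    # metric name -> maximum tolerated value


@dataclass
class OperationRequest:
    """A request to perform a device operation, seen before it executes."""
    kind: str                            # "external_comm" | "connection" | "command"
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


class KernelInterceptor:
    """Simulates a kernel-side software entity that intercepts each request
    prior to execution and evaluates it against the behavior constraint."""

    def __init__(self, constraint: BehaviorConstraint) -> None:
        self.constraint = constraint
        self.anomalies: List[Tuple[OperationRequest, str]] = []
        self.actions: List[str] = []

    def check(self, req: OperationRequest) -> Decision:
        c = self.constraint
        if req.kind == "external_comm":
            atype = req.attrs.get("address_type", "")
            if atype not in c.allowed_address_types:
                return Decision(False, f"address type {atype!r} not designated")
        elif req.kind == "connection":
            dtype = req.attrs.get("device_type", "")
            if dtype in c.blocked_device_types:
                return Decision(False, f"device type {dtype!r} is blocked")
        elif req.kind == "command":
            ctype = req.attrs.get("command_type", "")
            if ctype in c.denied_command_types:
                return Decision(False, f"command type {ctype!r} is denied")
        else:
            return Decision(False, f"unknown request kind {req.kind!r}")
        return Decision(True, "within constraint")

    def execute(self, req: OperationRequest, op: Callable[[], object]) -> Optional[object]:
        """The determination happens here, before `op` runs; a violating
        request is recorded as anomalous, denied, and never executed."""
        decision = self.check(req)
        if not decision.allowed:
            self.anomalies.append((req, decision.reason))
            self.actions.append(f"deny:{req.kind}")
            return None
        return op()


def detect_load_violations(metrics: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Threshold comparison over monitored load characteristics (cpu, memory, ...).
    Returns the names of metrics that exceed their threshold, sorted."""
    return sorted(m for m, v in metrics.items() if m in thresholds and v > thresholds[m])


def automated_response(violations: List[str]) -> List[str]:
    """Automated actions taken when the determination finds anomalous load."""
    if not violations:
        return []
    return ["generate_alert"] + [f"enter_protection_state:{m}" for m in violations]


if __name__ == "__main__":
    constraint = BehaviorConstraint(
        allowed_address_types={"private"},
        blocked_device_types={"unknown-iot"},
        denied_command_types={"raw-socket"},
        load_thresholds={"cpu_load": 0.85, "memory_usage": 0.90},
    )
    hook = KernelInterceptor(constraint)
    hook.execute(OperationRequest("command", {"command_type": "raw-socket"}), lambda: "ran")
    print(hook.actions)  # a denied command never reaches the operation body
    sample_metrics = {"cpu_load": 0.95, "memory_usage": 0.50}  # constructed sample
    print(automated_response(detect_load_violations(sample_metrics, constraint.load_thresholds)))
```

The two halves mirror the two monitoring styles the references are cited for: `KernelInterceptor.execute` makes the determination strictly before the operation runs (the Repasi/Kuppusamy interception point), while `detect_load_violations` is the threshold comparison over load characteristics attributed to Georgescu.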
As per claim 4, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1, Georgescu further discloses wherein the at least one processor-readable device behavior constraint comprises a constraint that limits external communications between the at least one processing device and at least one other device (Georgescu; [0039] lines 4-15 “More specifically, server 130 may use behavior module 210 to compare response characteristics of the second request to behavior model 208. If the response characteristics of the second request do not conform to response characteristics expected from endpoint 110 based at least in part upon behavior model 208, then endpoint 110 is deviating from behavior model 208. For example, behavior module 210 may determine that the response time for the second request from endpoint 110 was shorter than the response time associated with the particular error message 216, with the particular associated delay period found in behavior model 208”. [0040], lines 1-5 “If server 130 determines that the second request from the endpoint 110 deviates from behavior model 208, then server 130 may immediately block all traffic from that endpoint 110. This particular endpoint 110 may be a part of a distributed attack”).
As per claim 8, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1, Georgescu further discloses wherein the at least one automated action comprises one or more of: generating an alert, denying one or more network connections of the at least one processing device; preventing a performance of one or more actions of the at least one processing device; preventing communications on one or more ports of the at least one processing device; deactivating at least a portion of the at least one processing device (Georgescu; [0020]; lines 9-11 “If server 130 determines that a particular response deviates from the behavior model, server 130 may deny traffic from that particular endpoint 110. For example, server 130 may refuse all communication originating from an IP address associated with the particular endpoint 110”).
As per claim 9, Georgescu teaches an apparatus (Georgescu; [0063], lines 1-9; “Modifications, additions, or omissions may be made to the systems and apparatuses disclosed herein without departing from the scope of the invention. The components of the systems and apparatuses may be integrated or separated. Moreover, the operations of the systems and apparatuses may be performed by more, fewer, or other components. Additionally, operations of the systems and apparatuses may be performed using any suitable logic comprising software, hardware, and/or other logic”)
comprising: at least one processing device comprising a processor coupled to a memory (Georgescu; [0022], lines 2-6; “Server 130 may include a processor 202, memory 204, monitoring module 206, behavior model 208, behavior module 210, request handling module 212, detection module 214, and error messages 216”);
the at least one processing device being configured to implement the following steps: obtaining, by the at least one processing device, at least one processor-readable device behavior constraint that limits one or more behaviors of the at least one processing device (Georgescu; [0026], lines 3-9; “server 130 may use detection module 214 to detect potential malicious attacks against denial-of-service environment 100”. Detection module 214 may access information associated with monitored characteristics obtained by monitoring module 206 and determine whether one or more characteristics are indicative of a potential malicious attack against server 130. [0026] lines 14-21; discloses “detection module 214 is capable of discriminating normal traffic flow from distributed attacks against the system. As an example, detection module 214 may determine that at least one characteristic (e.g., processor load, memory usage, processing time) is above a particular threshold indicating a potential malicious attack. If detection module 214 detects that a particular threshold is exceeded, it may instruct server 130 to enter into a protection state”);
monitoring at least one action performed by the at least one processing device (Georgescu; [0025], lines 6-15; “For example, monitoring module 206 may monitor one or more characteristic associated with processing load of server 130 such as average processor load, memory usage, hard disk drive usage, processing time, database load, number of sockets opened, and/or any other characteristic suitable for monitoring any component of denial-of-service protection environment 100. Monitoring module 206 may be any combination of software, hardware, and/or firmware capable of monitoring characteristics associated with denial-of-service protection environment 100”);
determining, by the at least one processing device, if the at least one monitored action of the at least one processing device violates the at least one processor-readable device behavior constraint to detect anomalous behavior of the at least one processing device (Georgescu; [0019], lines 13-24; “More specifically, in addition to providing various services to users, server 130 may also be configured to detect DDoS or DDgS attacks. In certain embodiments, server 130 may do this by monitoring processing load such as average processor load, memory usage, hard disk drive usage, database load, sockets opened, and/or any other suitable metric that may indicate processing load as suitable for a particular purpose. In such embodiments, server 130 may compare processing load to a baseline processing load threshold and determine that server 130 and/or any other suitable component of denial-of-service protection environment 100 may be under attack”);
and initiating at least one automated action in response to a result of the determining, to address the anomalous behavior of the at least one processing device (Georgescu; [0020], lines 1-7; “According to some embodiments, once a potential attack is detected, server 130 may be configured to enter into a protection state and take steps to filter out any traffic from a potentially malicious endpoint 110 that may be a part of a DDoS or DDgS attack. For example, after detection of a potential attack, server 130 may be configured to respond to all queued requests with an error message”).
While Georgescu discloses identifying IP addresses (Paragraph [0042]) and types of requests (Paragraph [0038]), it is not explicit wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device. While Georgescu discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this is by at least one software entity of an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Budhani, which like Georgescu talks about managing a Denial of Service Attack, teaches it is known wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device (Budhani paragraph [0044]; teaches that, like Georgescu, the data center includes security systems such as a firewall which act to block unwanted access from outside the data center. Paragraph [0047]; teaches that certain users can be identified and blocked, similar to what is shown in Georgescu. In addition to blocking the user, it can also block specific device types which are identified based on the requests. From this, the limit is one or more connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device. Specifically, they are outside or external connections from designated or identified device types which connect to the processing device and are blocked based on the device type. As shown in Paragraph [0065], this is done to thwart attacks such as denial of service attacks).
Georgescu and Budhani are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Budhani, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu, with constraints limiting connections of the at least one processing device with one or more external devices of a designated type that connect to the at least one processing device as taught by Budhani, for the purposes of managing attacks based on known device types.
While the combination discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this is by at least one software entity of an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Repasi, which like the combination talks about monitoring for malicious activity, teaches it is known to monitor by at least one software entity of an operating system of the at least one processing device and wherein the monitoring comprises the at least one software entity intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations and that the determination is by the operating system of the at least one processing device (Repasi Paragraph [0003]; teaches that, similar to the combination, the threat is considered to be malware, which includes threats such as malicious libraries, malicious active content and denial of service attacks. Paragraph [0008]; teaches that the kernel is the core part of the operating system responsible for resource allocation, low-level hardware interfaces, security, etc. Paragraph [0010]; establishes that the library is a file containing the executable code data which is loaded by a process or at run time. Paragraph [0103]; teaches that, like the combination, the processing device includes a processor and memory. Paragraph [0127]; teaches that the operating system is passed a request from a process. This is intercepted by a software entity, specifically the API interception module. The interception occurs prior to the execution, as the software can restrict or prevent the malicious code from loading at all. The operating system software determines if the code is malicious or not and, if it is determined to be malicious, it initiates an automated action by restricting the code. Since the combination already monitors for malicious code, it would have been obvious to handle the monitoring through the operating system to prevent the code from being run, as shown explicitly in Repasi).
Georgescu, Budhani and Repasi are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Repasi, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu and Budhani, with monitoring by at least one software entity of an operating system of the at least one processing device and with the determination being by the operating system of the at least one processing device as taught by Repasi, for the purposes of managing attacks based on detected malicious files.
While the combination discloses monitoring the at least one action performed by the operating system, it is not explicit that this is by an operating system kernel of the at least one processing device and wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and the combination further fails to explicitly disclose that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Kuppusamy, which like the combination talks about monitoring for malicious activity, teaches it is known for the kernel of the operating system of the at least one processing device to perform the monitoring and intercept one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and for the determining by the operating system kernel of the at least one processing device to be done prior to an execution of the one or more device operations (Kuppusamy Col. 3, lines 46-51; teaches that the kernel program is part of the operating system and manages input/output requests for the customer node, such as applications. Col. 13, lines 12-32; teaches that the kernel monitors operations and receives requests to perform operations. The kernel intercepts the request before it is executed. The kernel determines if the operation request is authorized or not and, if it is not authorized, the system blocks the operation. Since Kuppusamy establishes that it is known for the kernel to monitor the input and output operations of applications, it would have been obvious to intercept those requests and block any unauthorized requests prior to execution to ensure the system is protected).
Georgescu, Budhani, Repasi and Kuppusamy are analogous art as they are in the similar field of endeavor.
Therefore, from this teaching of Kuppusamy, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu, Budhani and Repasi, with the kernel of the operating system of the at least one processing device performing the monitoring and intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and with the determining by the operating system kernel of the at least one processing device being done prior to an execution of the one or more device operations as taught by Kuppusamy, for the purposes of blocking unauthorized operations prior to execution.
As per claim 11, the rejection of claim 9 is incorporated. In addition, claim 11 recites limitations that are similar to the ones of the method claim 4. Therefore, claim 11 is rejected with the same rationale as applied against the method claim 4 above.
As per claim 14, the rejection of claim 9 is incorporated. In addition, claim 14 recites limitations that are similar to the ones of the method claim 8. Therefore, claim 14 is rejected with the same rationale as applied against the method claim 8 above.
As per claim 15, Georgescu teaches a non-transitory processor-readable storage medium having stored therein program code of one or more software programs (Georgescu; [0024], lines 1-12; “Memory 204 is generally operable to store data or instructions, such as a computer program, software, an application including one or more of logic, rules, algorithms, code, tables, etc. and/or other instructions capable of being executed by a processor. Examples of memory 204 include computer memory (for example, Random Access Memory (RAM) or Read Only Memory (ROM)), mass storage media (for example, a hard disk), removable storage media (for example, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or or any other volatile or non-volatile, non-transitory computer-readable and/or computer-executable memory devices that store information”);
wherein the program code when executed by at least one processing device causes the at least one processing device to perform the following steps (Georgescu; [0022], lines 1-10; “FIG. 2 is a block diagram illustrating an example embodiment of server 130 used in FIG. 1. Server 130 may include a processor 202, memory 204, monitoring module 206, behavior model 208, behavior module 210, request handling module 212, detection module 214, and error messages 216. In some embodiments, processor 202 executes instructions to provide some or all of the functionality described in this disclosure as being provided by server 130, and memory 204 stores the instructions executed by processor 202”);
obtaining, by the at least one processing device, at least one processor-readable device behavior constraint that limits one or more behaviors of the at least one processing device (Georgescu; [0026], lines 3-9; “server 130 may use detection module 214 to detect potential malicious attacks against denial-of-service environment 100”. Detection module 214 may access information associated with monitored characteristics obtained by monitoring module 206 and determine whether one or more characteristics are indicative of a potential malicious attack against server 130. [0026] lines 14-21; discloses “detection module 214 is capable of discriminating normal traffic flow from distributed attacks against the system. As an example, detection module 214 may determine that at least one characteristic (e.g., processor load, memory usage, processing time) is above a particular threshold indicating a potential malicious attack. If detection module 214 detects that a particular threshold is exceeded, it may instruct server 130 to enter into a protection state”);
monitoring at least one action performed by the at least one processing device (Georgescu; [0025], lines 6-15; “For example, monitoring module 206 may monitor one or more characteristic associated with processing load of server 130 such as average processor load, memory usage, hard disk drive usage, processing time, database load, number of sockets opened, and/or any other characteristic suitable for monitoring any component of denial-of-service protection environment 100. Monitoring module 206 may be any combination of software, hardware, and/or firmware capable of monitoring characteristics associated with denial-of-service protection environment 100”);
determining, by the at least one processing device, if the at least one monitored action of the at least one processing device violates the at least one processor-readable device behavior constraint to detect anomalous behavior of the at least one processing device (Georgescu; [0019], lines 13-24; “More specifically, in addition to providing various services to users, server 130 may also be configured to detect DDoS or DDgS attacks. In certain embodiments, server 130 may do this by monitoring processing load such as average processor load, memory usage, hard disk drive usage, database load, sockets opened, and/or any other suitable metric that may indicate processing load as suitable for a particular purpose. In such embodiments, server 130 may compare processing load to a baseline processing load threshold and determine that server 130 and/or any other suitable component of denial-of-service protection environment 100 may be under attack”);
and initiating at least one automated action in response to a result of the determining, to address the anomalous behavior of the at least one processing device (Georgescu; [0020], lines 1-7; “According to some embodiments, once a potential attack is detected, server 130 may be configured to enter into a protection state and take steps to filter out any traffic from a potentially malicious endpoint 110 that may be a part of a DDoS or DDgS attack. For example, after detection of a potential attack, server 130 may be configured to respond to all queued requests with an error message”).
While Georgescu discloses identifying IP addresses (Paragraph [0042]) and types of requests (Paragraph [0038]), it is not explicit wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device. While Georgescu discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this monitoring is performed by at least one software entity of an operating system kernel of the at least one processing device, wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, or that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Budhani, which like Georgescu talks about managing a Denial of Service Attack, teaches it is known wherein the at least one processor-readable device behavior constraint comprises a constraint that limits one or more of: internal communications within the at least one processing device; external communications of the at least one processing device to only one or more designated types of network addresses; connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device, and execution of one or more commands, of a designated type, executed by the at least one processing device (Budhani paragraph [0044]; teaches that, like Georgescu, the data center includes security systems such as a firewall which act to block unwanted access from outside the data center. Paragraph [0047]; teaches that certain users can be identified and blocked, similar to what is shown in Georgescu. In addition to blocking the user, it can also block specific device types which are identified based on the requests. From this, the limit is on one or more connections of the at least one processing device with one or more external devices of a designated device type that connect to the at least one processing device. Specifically, they are outside or external connections from designated or identified device types which connect to the processing device and are blocked based on the device type. As shown in Paragraph [0065]; this is done to thwart attacks such as denial of service attacks).
Georgescu and Budhani are analogous art as they are in a similar field of endeavor.
Therefore, from this teaching of Budhani, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu with constraints limiting connections of the at least one processing device with one or more external devices of a designated type that connect to the at least one processing device, as taught by Budhani, for the purpose of managing attacks based on known device types.
While the combination discloses monitoring the at least one action performed by the at least one processing device, it is not explicit that this monitoring is performed by at least one software entity of an operating system kernel of the at least one processing device, wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, or that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Repasi, which like the combination talks about monitoring for malicious activity, teaches it is known to monitor by at least one software entity of an operating system of the at least one processing device, wherein the monitoring comprises the at least one software entity intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and that the determination is by the operating system of the at least one processing device (Repasi Paragraph [0003]; teaches that, similar to the combination, the threat is considered to be malware, which includes threats such as malicious libraries, malicious active content and denial of service attacks. Paragraph [0008]; teaches that the kernel is the core part of the operating system responsible for resource allocation, low-level hardware interfaces, security, etc. Paragraph [0010]; establishes that the library is a file containing the executable code and data which is loaded by a process at run time. Paragraph [0103]; teaches that, like the combination, the processing device includes a processor and memory. Paragraph [0127]; teaches that the operating system is passed a request from a process. This is intercepted by a software entity, specifically the API interception module. The interception occurs prior to the execution, as the software can restrict or prevent the malicious code from loading at all. The operating system software determines if the code is malicious or not and, if it is determined to be malicious, it initiates an automated action by restricting the code. Since the combination already monitors for malicious code, it would have been obvious to handle the monitoring through the operating system to prevent the code from being run, as shown explicitly in Repasi).
Georgescu, Budhani and Repasi are analogous art as they are in a similar field of endeavor.
Therefore, from this teaching of Repasi, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu and Budhani with monitoring by at least one software entity of an operating system of the at least one processing device, and with the determination being made by the operating system of the at least one processing device, as taught by Repasi, for the purpose of managing attacks based on detected malicious files.
While the combination discloses monitoring the at least one action performed by the operating system, it is not explicit that this is performed by an operating system kernel of the at least one processing device, wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations; the combination further fails to explicitly disclose that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations.
Kuppusamy, which like the combination talks about monitoring for malicious activity, teaches it is known for the kernel of the operating system of the at least one processing device to perform the monitoring and intercept one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and for the determining by the operating system kernel of the at least one processing device to be done prior to an execution of the one or more device operations (Kuppusamy Col. 3, lines 46-51; teaches that the kernel program is part of the operating system and manages input/output requests for the customer node, such as from applications. Col. 13, lines 12-32; teaches that the kernel monitors operations and receives requests to perform operations. The kernel intercepts the request before it is executed. The kernel determines if the operation request is authorized or not and, if it is not authorized, the system blocks the operation. Since Kuppusamy establishes that it is known for the kernel to monitor the input and output operations of applications, it would have been obvious to intercept those requests and block any unauthorized requests prior to execution to ensure the system is protected).
Georgescu, Budhani, Repasi and Kuppusamy are analogous art as they are in a similar field of endeavor.
Therefore, from this teaching of Kuppusamy, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method provided by Georgescu, Budhani and Repasi such that the kernel of the operating system of the at least one processing device performs the monitoring and intercepts one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations, and such that the determining by the operating system kernel of the at least one processing device is done prior to an execution of the one or more device operations, as taught by Kuppusamy, for the purpose of blocking unauthorized operations prior to execution.
As per claim 17, the rejection of claim 15 is incorporated. In addition, claim 17 recites limitations that are similar to the ones of the apparatus claim 11. Therefore, claim 17 is rejected with the same rationale as applied against the apparatus claim 11 above.
As per claim 20, the rejection of claim 15 is incorporated. In addition, claim 20 recites limitations that are similar to the ones of the apparatus claim 14. Therefore, claim 20 is rejected with the same rationale as applied against the apparatus claim 14 above.
As per claim 23, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1. Kuppusamy further teaches wherein the one or more requests to execute one or more device operations are intercepted by a command interception driver of the operating system kernel of the at least one processing device (Kuppusamy Col. 3, lines 46-51; teaches that the kernel program is part of the operating system and manages input/output requests for the customer node, such as from applications. Col. 13, lines 12-32; teaches that the kernel monitors operations and receives requests to perform operations. The kernel intercepts the request before it is executed. The kernel determines if the operation request is authorized or not and, if it is not authorized, the system blocks the operation).
As per claim 24, the rejection of claim 9 is incorporated. In addition, claim 24 recites limitations that are similar to the ones of the method of claim 23. Therefore, claim 24 is rejected with the same rationale as applied against the method of claim 23 above.
Claim(s) 2, 5, 12, 18, 21 and 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Georgescu (US 20170118242 A1) hereafter Georgescu, in view of Budhani et al. (US 2015/0264055 A1) hereafter Budhani, further in view of Repasi et al. (US 2008/0022378 A1) hereafter Repasi, further in view of Kuppusamy et al. (US 12,079,364 B2) hereafter Kuppusamy, further in view of Kapoor (US 20220232025 A1) hereafter Kapoor.
As per claim 2, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1.
Georgescu further teaches:
wherein a user of the at least one processing device is an authenticated user (Georgescu; [0017], lines 19-26; “For example, friendly endpoints 110 may be endpoints 110 operated by trusted users (e.g., employees of an enterprise operating denial-of-service protection environment 100), endpoints 110 connected to a particular network 120, and/or endpoints 110 that may otherwise have been determined by denial-of-service protection environment 100 as not being used for a malicious attack and can be utilized for baseline testing”).
Georgescu does not explicitly teach:
wherein the monitoring detects anomalous behavior of one or more of the authenticated user and the at least one processing device.
However, Kapoor teaches:
wherein the monitoring detects anomalous behavior of one or more of the authenticated user and the at least one processing device (Kapoor; [0637], lines 1-11 “The distributed edge platform 510 depicted in FIG. 5A also includes a user behavior anomaly detection 532 module. The user behavior anomaly detection 532 module may be embodied, for example, as one or more modules of computer program instructions executing on computer hardware, virtualized hardware, or in some other execution environment. The user behavior anomaly detection 532 may be configured to analyze user behavior, user device activity, or other information to detect anomalous behavior as described in greater detail elsewhere in the present disclosure”. [0648]; lines 1-9 “In the example method depicted in FIG. 6, determining 606, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user may be carried out by comparing the device activity with the profile associated with the user. A comparison between the device activity and the profile associated with the user may reveal that device activity does not align with the profile associated with the user, which may be treated as a detection of abnormal activity”).
Georgescu, Budhani, Repasi, Kuppusamy and Kapoor are analogous art as they are in a similar field of endeavor.
Therefore, it would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the teachings of Georgescu, Budhani, Repasi and Kuppusamy and combine the teaching of Kapoor in order to monitor user activity (e.g., via data communications involving a user device or in some other way) to enforce various policies describing how the user devices may be utilized, what resources the user devices may access, and what privileges the user device has. [Kapoor 0636]
As per claim 5, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1.
Georgescu does not explicitly teach:
wherein the at least one processor-readable device behavior constraint enforces one or more of: at least one policy of an organization; at least one designated device configuration; at least one expected device behavior and at least one processing device behavior rule.
However, Kapoor teaches:
wherein the at least one processor-readable device behavior constraint enforces one or more of: at least one policy of an organization; at least one designated device configuration; at least one expected device behavior and at least one processing device behavior rule (Kapoor; [0562], lines 12-19 “SaC can automate policy implementation and cloud deployments may even be compared with the policies to prevent “drift.” For example, if a policy is created where all personally identifiable information (‘PII’) or personal health information (‘PHI’) must be encrypted when it is stored, that policy is translated into a process that is automatically launched whenever a developer submits code, and code that violates the policy may be automatically rejected”. [0563], lines 1-13 “In some embodiments, SaC may be implemented by initially classifying workloads (e.g., by sensitivity, by criticality, by deployment model, by segment). Policies that can be instantiated as code may subsequently be designed. For example, compute-related policies may be designed, access-related policies may be designed, application-related policies may be designed, network-related policies may be designed, data-related policies may be designed, and so on. Security as code may then be instantiated through architecture and automation, as successful implementation of SaC can benefit from making key architectural-design decisions and executing the right automation capabilities. Next, operating model protections may be built and supported”. [0569] “The systems described may be configured to collect security event logs (or any other type of log or similar record of activity) and telemetry in real time for threat detection, for analyzing compliance requirements, or for other purposes. In such embodiments, the systems described herein may analyze telemetry in real time (or near real time), as well as historical telemetry, to detect attacks or other activities of interest. The attacks or activities of interest may be analyzed to determine their potential severity and impact on an organization.”).
Georgescu, Budhani, Repasi, Kuppusamy and Kapoor are analogous art as they are in a similar field of endeavor.
Therefore, it would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the teachings of Georgescu, Budhani, Repasi and Kuppusamy and combine the teaching of Kapoor so that security as code may be instantiated through architecture and automation, as successful implementation of SaC can benefit from making key architectural-design decisions and executing the right automation capabilities, after which operating model protections may be built and supported. [Kapoor 0563]
As per claim 12, the rejection of claim 9 is incorporated. In addition, claim 12 recites limitations that are similar to the ones of the method claim 5. Therefore, claim 12 is rejected with the same rationale and motivation as applied against the method claim 5 above.
As per claim 18, the rejection of claim 15 is incorporated. In addition, claim 18 recites limitations that are similar to the ones of the apparatus claim 12. Therefore, claim 18 is rejected with the same rationale and motivation as applied against the apparatus claim 12 above.
As per claim 21, the rejection of claim 9 is incorporated. In addition, claim 21 recites limitations that are similar to the ones of the method of claim 2. Therefore, claim 21 is rejected with the same rationale as applied against the method of claim 2 above.
As per claim 22, the rejection of claim 15 is incorporated. In addition, claim 22 recites limitations that are similar to the ones of the method of claim 2. Therefore, claim 22 is rejected with the same rationale as applied against the method of claim 2 above.
Claim(s) 3, 10 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Georgescu (US 20170118242 A1) hereafter Georgescu, in view of Budhani et al. (US 2015/0264055 A1) hereafter Budhani, further in view of Repasi et al. (US 2008/0022378 A1) hereafter Repasi, further in view of Kuppusamy et al. (US 12,079,364 B2) hereafter Kuppusamy, further in view of Smith (EP 3975014 A1) hereafter Smith.
As per claim 3, the combination of Georgescu, Budhani, Repasi and Kuppusamy teaches the method of claim 1.
Georgescu does not explicitly teach:
wherein the monitoring is performed in response to a successful authentication of a user of the at least one processing device.
However, Smith teaches:
wherein the monitoring is performed in response to a successful authentication of a user of the at least one processing device (Smith; [0012], Col 3 line 53-Col 4 line 1 “Without limitation, the authentication devices described herein are preferably in the form of one or more biometric authentication terminals, cell phones, desktop computers, laptop computers, kiosks, servers, smart phones, tablet personal computers, and ultra-mobile personal computers”. [0067] lines 29-42 “Authentication device 102 may also be configured to monitor for the presence of a human being once an authenticated session has been established. In this regard, (authentication device attestation module) ADAM 215 when executed may cause authentication device 102 to monitor for the presence of a human in any suitable manner. For example, ADAM 215 may cause authentication device 102 to monitor for inputs made with one or more input devices (e.g., keyboard, mouse, touch screen, etc.) coupled to electronic resources that authentication device 102 protects. Detection of inputs made through such input devices may be considered evidence that a human being is present, whereas a lack of such inputs may be considered evidence that a human being is not present”).
Georgescu, Budhani, Repasi, Kuppusamy and Smith are analogous art as they are in a similar field of endeavor.
Therefore, it would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the teachings of Georgescu, Budhani, Repasi and Kuppusamy and combine the teaching of Smith, wherein, in any case, ADAM 215 when executed may cause the authentication device to analyze evidence of human presence (or lack thereof) and make an inference as to whether a human is present at the system/resources that authentication device 102 protects. If the weight of the evidence suggests that a human is not present, authentication device 102 may consider this fact to constitute a termination event. [Smith 0069]
As per claim 10, the rejection of claim 9 is incorporated. In addition, claim 10 recites limitations that are similar to the ones of the method claim 3. Therefore, claim 10 is rejected with the same rationale and motivation as applied against the method claim 3 above.
As per claim 16, the rejection of claim 15 is incorporated. In addition, claim 16 recites limitations that are similar to the ones of the apparatus claim 10. Therefore, claim 16 is rejected with the same rationale and motivation as applied against the apparatus claim 10 above.
Response to Arguments
Applicant's arguments filed November 25, 2025 have been fully considered but they are not persuasive.
Applicant's arguments with respect to claims 1-5, 8-12, 14-18 and 20-24 have been considered but are moot in view of the new ground(s) of rejection. Specifically the arguments regarding the newly amended material that "monitoring, by at least one software entity of an operating system kernel of the at least one processing device, at least one action performed by the at least one processing device, wherein the monitoring comprises the at least one software entity of the operating system kernel intercepting one or more requests, to execute one or more device operations to be performed on the at least one processing device, prior to an execution of the one or more device operations;" and “determining, by the operating system kernel of the at least one processing device, prior to an execution of the one or more device operations, if the at least one monitored action of the at least one processing device violates the at least one processor-readable device behavior constraint to detect anomalous behavior of the at least one processing device” are moot in view of the new grounds of rejection. The Examiner has cited the Kuppusamy reference to address these amended limitations.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL R FISHER whose telephone number is (571)270-5097. The examiner can normally be reached Monday - Friday 9 am to 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at (571)272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
PAUL R. FISHER
Primary Examiner
Art Unit 2498
/PAUL R FISHER/ Primary Examiner, Art Unit 2498 3/5/2026