Remarks
Claims 1-5, 7-15, and 17-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/28/2025 has been entered.
Claim Interpretation
Based on pages 7-8 of the response dated 10/28/2025, the performing of a remedial action has been construed as being performed solely by a hardware device and not in the human mind. Moreover, based on the same section, the monitoring of pagination operations must also be performed by a hardware device and not in the human mind.
If Applicant wishes to argue that these interpretations, that were brought on by Applicant’s allegations, are incorrect, a 101 rejection may be sent in the next office action and the office action may be made final.
Response to Arguments
Applicant's arguments filed 10/28/2025 have been fully considered but they are not persuasive.
With respect to Applicant’s allegations regarding the 101 rejection of claims 11-20, Applicant, although thoroughly disparaging of the office action, fails to provide any definition of non-transitory storage medium or cloud-based storage systems and structures that differ from that provided in the office action. Requirements for information are provided below inviting Applicant to fully detail the full definition of each, since Applicant alleges that the office action is incorrect while not providing any definition of these terms that is contrary to what the office action stated.
It is noted that Applicant provides no definition of “cloud-based storage systems and structures”.
The fact here is that Applicant acted as lexicographer and provided a definition of “non-transitory storage media” that is different from the ordinary definition thereof. Thus, Applicant’s berating of the office action and Examiner (e.g., “Final OA relies on self-serving allegations that lack any factual basis” when the facts are provided clearly based on the definitions provided in the specification, “in attempting to draw the claims with the purview of non-statutory subject matter, the Examiner has been compelled to simply ignore the plain language of the specification…” when the Examiner relied entirely on the plain language of the specification and claims, and the like) is simply in error. The Examiner does not want to send 101 rejections out and would have been happy to not find the specification as providing a definition of non-transitory storage media that is different than the normal definition thereof. The Examiner would be happy to have this 101 rejection overcome and hopes that Applicant’s response to the requirements for information will do just that.
With respect to the abstract idea based rejections, the Examiner has provided a claim interpretation section above that clarifies that these actions cannot be performed in the human mind.
With respect to Saldanha, Applicant cites 3 paragraphs and alleges “none of those passages indicate that the ‘operating system’ of that references serves to ‘…[1]move[s] [2] pages of [3] a memory section, [4] used by a service, [5] into a pagination disk space [6] dedicated [7] to [8] the service…’ (parentheticals [] inserted) as claimed.” First, the Examiner thanks Applicant for noting that Saldanha discloses an operating system. Second, it is entirely unclear just what these numerals are supposed to mean. The word “to” even has a separate number than everything else. These numbers appear to be meaningless. This simply serves to confuse any argument being made.
It is noted that Applicant does not argue the monitoring aspects of the rejection and references. Applicant only argues paging operations, and defines them in the claim as being standard paging operations. There are many places out there that describe paging, but here’s one link that shows standard OS paging operations between storage and main memory: https://www.guru99.com/paging-in-operating-system.html and https://web.archive.org/web/20220521185721/https://www.guru99.com/paging-in-operating-system.html. Paging and the operations that go into it are very well-known and a claim will not be allowable simply by defining what paging is.
As to the references, Saldanha clearly discloses paging operations in the paging that occurs therein. Saldanha allows for memory to be assigned to and/or used by the process with memory pages assigned to the process and/or different elements of the process, the process may request and/or be given new memory pages, such memory pages are reported to the malware inspection tool as well.
As the limitation being argued is actually directed to monitoring pagination operations instead of just the pagination operations themselves, although Applicant does not argue the monitoring aspects of Saldanha, Saldanha discloses monitoring all pagination operations, such as allocating pages to a process, reads, writes, executes, overwrites, VirtualAlloc, VirtualAllocEx, malloc, GlobalAlloc, HeapAlloc, LocalAlloc, CoTaskMemAlloc, and/or the like, as examples. It is noted that virtual memory may be assigned to and/or used by the process with memory pages assigned to the process and/or different elements of the process, the process may request and/or be given new memory pages, such memory pages are reported to the malware inspection tool as well.
Requirement for Information
Applicant and the assignee of this application are required under 37 CFR 1.105 to provide the following information that the examiner has determined is reasonably necessary to the examination of this application.
In response to this requirement, please provide answers to each of the following interrogatories eliciting factual information:
What is the complete definition of “non-transitory storage medium” as used in the instant application?
What is the complete definition of “cloud-based storage systems and structures” as used in the instant application?
It is noted that these requirements for information are brought on by Applicant’s remarks on pages 6-7 of the response dated 10/28/2025, where Applicant continuously bashes the office action but never provides any definition that is contrary to that provided in the office action and the application as originally filed.
This requirement is an attachment of the enclosed Office action. A complete reply to the enclosed Office action must include a complete reply to this requirement. The time period for reply to this requirement coincides with the time period for reply to the enclosed Office action.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 11-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed medium need not be statutory. For example, paragraphs 60 and 61 of the instant application state the following:
[0060]As indicated above, embodiments within the scope of the present invention also include computer storage media, which are physical media for carrying or having computer-executable instructions or data structures stored thereon. Such computer storage media may be any available physical media that may be accessed by a general purpose or special purpose computer.
[0061]By way of example, and not limitation, such computer storage media may comprise hardware storage such as solid state disk/device (SSD), RAM, ROM, EEPROM, CD-ROM, flash memory, phase-change memory (“PCM”), or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other hardware storage devices which may be used to store program code in the form of computer-executable instructions or data structures, which may be accessed and executed by a general-purpose or special-purpose computer system to implement the disclosed functionality of the invention. Combinations of the above should also be included within the scope of computer storage media. Such media are also examples of non-transitory storage media, and non-transitory storage media also embraces cloud-based storage systems and structures, although the scope of the invention is not limited to these examples of non-transitory storage media.
Therefore, based on the definitions provided, non-transitory storage media “also embraces cloud-based storage systems and structures, although the scope of the invention is not limited to these examples of non-transitory storage media”. Cloud based storage systems and structures include virtual storage systems and data structures. Thus, the non-transitory storage medium of claim 11 is not statutory, since a statutory medium must be physical. None of claims 12-20 fix this issue and they are rejected for the same reasons.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5, 7-9, 11-13, 15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Saldanha (U.S. Patent Application Publication 2020/0019703) in view of Hironaka (U.S. Patent Application Publication 2024/0126880).
Regarding Claim 1,
Saldanha discloses a method comprising operations including:
Monitoring pagination operations by which an operating system moves pages of a memory section, used by a service, into a pagination disk space dedicated to the service (Exemplary Citations: for example, Abstract, 13, 15, 17, 18, 20, 23-30, 32, 38, 40, 43-45, 47, 48, 50, and associated figures; monitoring any pagination operations, such as allocating pages to a process, reads, writes, executes, overwrites, VirtualAlloc, VirtualAllocEx, malloc, GlobalAlloc, HeapAlloc, LocalAlloc, CoTaskMemAlloc, and/or the like, as examples. It is noted that virtual memory may be assigned to and/or used by the process with memory pages assigned to the process and/or different elements of the process, the process may request and/or be given new memory pages, such memory pages are reported to the malware inspection tool as well);
Collecting information about the pagination operations (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 38, 40, 43-45, 48, 50, and associated figures; information about the above, for example);
Analyzing the information about the pagination operations to identify a number of pages that switch between the memory section and the pagination disk space (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38, 40, 43-45, 48, 50, 99, and associated figures; detecting malware based on the information, number of pages (e.g., n), etc., for example);
Based on the number of pages that switch between the memory section and the pagination disk space, determining whether any of the pagination operations are indicative of a malicious service (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38, 40, 43-45, 48, 50, 99, and associated figures; determining if malicious, for example); and
Perform a remedial action in response to a determination of the malicious service (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38, 40, 43-45, 48, 50, 99, and associated figures; any action, such as quarantine, report, malicious aspect removal, etc., as examples);
But does not appear to explicitly disclose that the analyzing the information about the pagination operations is to identify a pace of the pagination operations in addition to the number of pages that switch between the memory section and the pagination disk space, and that determining whether any of the pagination operations are indicative of a malicious service is performed based on the pace in addition to the number of pages that switch between the memory section and the pagination disk space.
Hironaka, however, discloses that the analyzing the information about the pagination operations is to identify a pace of the pagination operations in addition to the number of pages that switch between the memory section and the pagination disk space (Exemplary Citations: for example, Abstract, Paragraphs 13, 73-75, 80, 96-104, 108-117, 125-127, 136, 138, and associated figures; determining a pace (e.g., update frequency during a certain time period or update frequency for a time period or number of writes per time period, as examples), in addition to a number of pages, for example. Hironaka discloses that such pagination operations include an OS moving pages of a memory section used by a service into a pagination disk space dedicated to the service in these cited sections, such as in updating of LDEVs and pages in a host’s area of the storage pool, for example), and
That determining whether any of the pagination operations are indicative of a malicious service is performed based on the pace in addition to the number of pages that switch between the memory section and the pagination disk space (Exemplary Citations: for example, Abstract, Paragraphs 13, 73-75, 80, 96-104, 108-117, 125-127, 136, 138, and associated figures; ransomware may be present if the pace and number are greater than a threshold, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ransomware detection techniques of Hironaka into the malware detection system of Saldanha in order to allow the system to better detect ransomware attacks, to increase the amount of data that can be used to detect attacks, to allow for readily determining if pages that are not often accessed are accessed too often in a time period, and/or to increase security in the system.
Regarding Claim 11,
Claim 11 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.
Regarding Claim 2,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the pagination operations are associated with a legitimate service, and the malicious service (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38, 40, 43-45, 48, 50, 99, and associated figures; inserted code being legitimate, services such as APIs being called being legitimate, OS being legitimate, process being malicious, for example).
Regarding Claim 12,
Claim 12 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.
Regarding Claim 3,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the malicious service comprises ransomware (Exemplary Citations: for example, Paragraphs 2, 32, and associated figures; ransomware, for example).
Regarding Claim 13,
Claim 13 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.
Regarding Claim 5,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that an outcome of the analyzing is reported to a computing entity and/or to a human (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38-40, 43-45, 48, 50, 99, and associated figures; report, notification, etc., as examples).
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.
Regarding Claim 7,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the pagination operations are different from what is expected when only legitimate services are running, an inference is made that some of the pagination operations are indictive of malware (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38-40, 43-45, 48, 50, 99, and associated figures; behavior is determined to be malicious, for example).
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 7 and is rejected for the same reasons.
Regarding Claim 8,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the pagination operations indicate use, by ransomware, of the memory section and the pagination disk space (Exemplary Citations: for example, Abstract, 2, 13, 17, 18, 20, 23-30, 32, 34, 38-40, 43-45, 48, 50, 99, and associated figures; malicious use of memory pages/paging, for example).
Regarding Claim 18,
Claim 18 is a medium claim that corresponds to method claim 8 and is rejected for the same reasons.
Regarding Claim 9,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the analyzing is performed in real time as the pagination operations are taking place (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38-40, 43-45, 48, 50, 99, and associated figures; monitoring occurring as operations occur, for example).
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 9 and is rejected for the same reasons.
Claims 4, 10, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Saldanha in view of Hironaka and Pilipenko (U.S. Patent 10,169,585).
Regarding Claim 4,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the pagination operations are performed in a space (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 34, 38, 40, 43-45, 48, 50, 99, and associated figures);
But does not explicitly disclose that the space is kernel space.
Pilipenko, however, discloses that the operations are performed in a kernel space (Exemplary Citations: for example, Column 2, line 34 to Column 3, line 3; Column 3, lines 28-42; Column 3, line 57 to Column 4, line 3; Column 10, line 61 to Column 11, line 15; Column 13, line 47 to Column 14, line 6; detecting malware in kernel space/mode, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware detection techniques of Pilipenko into the malware detection system of Saldanha as modified by Hironaka in order to allow the system to detect malware using more powerful kernel mode while having access to all necessary context information, to improve malware detection by better avoiding detection by malware, and/or to increase security in the system.
Regarding Claim 14,
Claim 14 is a medium claim that corresponds to method claim 4 and is rejected for the same reasons.
Regarding Claim 10,
Saldanha as modified by Hironaka discloses the method of claim 1, in addition, Saldanha discloses that the pagination operations relate to the operation of the service (Exemplary Citations: for example, Abstract, 13, 17, 18, 20, 23-30, 32, 38, 40, 43-45, 48, 50, and associated figures);
But does not explicitly disclose that the service is running in a userspace.
Pilipenko, however, discloses that the service is running in a userspace (Exemplary Citations: for example, Column 2, lines 34-40; Column 3, lines 28-42; Column 11, lines 16-33; Column 13, line 47 to Column 14, line 6; operating in user mode/space, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware detection techniques of Pilipenko into the malware detection system of Saldanha as modified by Hironaka in order to allow the system to detect malware using more powerful kernel mode while having access to all necessary context information, to improve malware detection by better avoiding detection by malware, and/or to increase security in the system.
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 10 and is rejected for the same reasons.
Conclusion
This Office action has an attached requirement for information under 37 CFR 1.105. A complete reply to this Office action must include a complete reply to the attached requirement for information. The time period for reply to the attached requirement coincides with the time period for reply to this Office action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432
Prosecution Insights