ENDPOINT DETECTION AND RESPONSE TO CYBERSECURITY THREATS

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment 2. This is in response to the amendments filed on 12/10/2025. Claims 1,13-14 have been amended. Claims 1-15 are currently pending and have been considered below. Response to Arguments 3. Applicant’s arguments filed on 12/10/2025 have been fully considered but they are not persuasive. On the Remarks, Applicant argues that the features of amended Claim 1 are not found in Gupta, Schultz, or any combination thereof. The examiner respectfully disagrees. First, in response to applicant's argument that Gupta does not disclose " “generating a state machine comprising context information for all code packages on the computing device", it is noted that, Gupta at Para.0092, Para.0096, Para.0041 discloses, “a state machine illustrating a workflow …. of…. policy set-up….. for creating policies”, “the policies are deployed …. represents the initialization …. of various components”, “components …. such as an executable file…. a process…. at the customer endpoint… analyzing code sections of the one or more … components…. a signature …. for the one or more …..components” which the examiner interpreted as being the claimed “generating a state machine comprising context information for all code packages on the computing device" because the broadest reasonable interpretation of the claimed “generating a state machine comprising context information for all code packages on the computing device" includes a state machine illustrating a workflow of policies deployed on components/executable files, code sections of the one or more components equivalent to the claimed ‘code packages’, signature of the one or more components are equivalent to the claimed ‘context information for code packages’. Also, Gupta at Para.0070, Para.0007, Para.0041, Para.0059 discloses, “file level policies ….. check the reputation of any file …. to establish trust of the file”, “the one or more … components includes one or more of: an executable file….”, “…. code sections of the one or more … components…. a signature …. for the one or more …..components”, “establish trust by checking signatures ….of the file”, which the examiner interpreted as being the claimed “for each one of the code packages, the context information comprises a state of the one of the code packages" because the broadest reasonable interpretation of the claimed “for each one of the code packages, the context information comprises a state of the one of the code packages" includes state of creating policies in order to establish trust of the file, files/components contain code sections, signature of the one or more components [claimed ‘context information for code packages’] establishes trust of the file, as policies are created to establish trust of the file and signature of the file establishes trust of the file, thus equivalent to the claimed ‘the context information comprises a state of the one of the code packages’. Moreover, Gupta at Para.0054, Para.0059, Para.0007, Para.0041 discloses, “a checksum for the code sections ….”, “establish trust by checking signatures (e.g., checksums) of the file ….”, “the one or more … components includes one or more of: an executable file….”, “….code sections of the one or more … components….”, which the examiner interpreted as being the claimed “for each one of the code packages, the context information comprises …. one or more attributes of the one of the code packages" because the broadest reasonable interpretation of the claimed “for each one of the code packages, the context information comprises …. one or more attributes of the one of the code packages" includes signatures/checksums which maintains the integrity and authenticity of the files, checksums within signature for the code sections of files equivalent to the claimed ‘for each one of the code packages, the context information comprises ….one or more attributes of the one of the code packages’. In addition, Gupta at Para.0092, Para.0004, Para.0041, Para.0054, Para.0057 discloses, “a state machine illustrating a workflow ….. responsible for creating policies ….”, “trust is being established on …. components…. applying …. policies that establish trust in the files ……”, “components …. such as an executable file…. a process….”, “extracts code sections for each process and determines … checksum for the code sections of a monitored process…. If a code …. is altered”, “altering …files (e.g., inserting malicious code sections … changing file permissions…”, which is equivalent to the claimed “generating a state machine further comprises monitoring a code package executing on the computing device for changes to the state or the one or more attributes thereof”. Lastly, Gupta at Para.0058, Para.0092. Para.0004 discloses, “updates, or deletes a file at the customer endpoint … the file is viewed …. until trust is explicitly established with the file”, “a state machine illustrating a workflow ….. for creating policies from …. STIG”, “applying …. policies that establish trust in the files based on security technical implementation guides (STIGS)”, which is equivalent to the claimed “updating the state machine with any changes to the context information”. Second, in response to applicant's argument that Schultz does not disclose "…performing an action specified in the at least one entry …. ", it is noted that, Schultz at Para.0020, Para.0019, Para.0026 discloses “an execution control list(s) (ECL) …. lists actions … of programs that are allowed to execute those actions. For instance….if a program signed by Bob Parker attempts to execute a ….action, no alert will be issued ", “Action … comprise any type of operation that can be executed on computer workstation …such as sending email, modifying files, etc.”, “Computer workstation … comprise any type of computing device, including a server, a desktop computer” which is equivalent to the claimed "…performing an action specified in the at least one entry …. ". Applicant's further arguments with respect to the feature “independent of generating the state machine, executing …..an OS event….” In claim 1, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 4. Claims 1-15 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Gupta et al (US 20210029170 A1) in view of Schultz et al. (US 20060031943 A1) and further in view of Challenger et al. (US 20080164908 A1) Regarding Claim 1: Gupta discloses: a. A method for securing and controlling code execution, within an operating system (OS) of a computing device, (Para.0006, Para.0003, Para.0008; “methods that detect malicious attacks …. on a …customer endpoint”, “malicious content into a ….application process or … OS kernel of a … endpoint”, “scanning code sections of the one or more …. compute components for known malware…. validating code sections”) the method implemented at the computing device and comprising: generating a state machine comprising context information for all code packages on the computing device, (Para.0092, Para.0096, Para.0041; “a state machine illustrating a workflow …. of…. policy set-up….. for creating policies”, “the policies are deployed …. represents the initialization …. of various components”, “components …. such as an executable file…. a process…. at the customer endpoint… analyzing code sections of the one or more … components…. a signature …. for the one or more …..components” a state machine illustrating a workflow of policies deployed on components/executable files, code sections of the one or more components is construed as code packages, signature of the one or more components are construed as context information for code packages) wherein, for each one of the code packages, the context information comprises a state of the one of the code packages (Para.0092, Para.0070, Para.0007, Para.0041, Para.0059; “….. policy set-up, state …. is responsible for creating policies”, “file level policies ….. check the reputation of any file …. to establish trust of the file”, “the one or more … components includes one or more of: an executable file….”, “…. code sections of the one or more … components…. a signature …. for the one or more …..components”, “establish trust by checking signatures ….of the file” at policy set-up state, policies are created to establish trust of the file, files/components contain code sections, signature of the one or more components [claimed ‘context information for code packages’] establishes trust of the file, as policies are created to establish trust of the file and signature of the file establishes trust of the file, it is construed as ‘the context information comprises a state of the one of the code packages’) and one or more attributes of the one of the code packages, (Para.0054, Para.0059, Para.0007, Para.0041; “a checksum for the code sections …. ”, “establish trust by checking signatures (e.g., checksums) of the file ….”, “the one or more … components includes one or more of: an executable file….”,“….code sections of the one or more … components….” as signatures/checksums maintains the integrity and authenticity of the files, checksums within signature for the code sections of files construed as ‘for each one of the code packages, the context information comprises one or more attributes of the one of the code packages’) and wherein the state machine is generated by; (Para.0092; “a state machine illustrating a workflow …. of…. policy set-up…”) - determining the state of each of the code packages; (Para.0092, Para.0096, Para.0041; “….. policy set-up, state …. is responsible for creating policies”, “During the deployment state …. the policies are deployed …. of various components”, “analyzing code sections of the one or more … components….”) - storing the state of each of the code packages in the state machine; (Para.0092, Para.0042, Para.0041; “a state machine illustrating a workflow …. for creating policies… once the policies are created, they are stored into …..”, “apply …..policies to ….. components”, “…. code sections of the one or more … components….”) - determining the one or more attributes of each of the code packages; (Para.0054, Para.0053, Para.0041; “compute a checksum for the code sections of a …. process”, “determines the process …. Checksum…..”, “…. code sections of the one or more … components….”) and - storing the one or more attributes of each of the code packages in the state machine; (Para.0053, Claim.5, Para.0041; “…. Checksum…. stored in an …. Jump table …..”, “components includes … a jump table”, “…. code sections of the one or more … components….”) wherein the generating a state machine further comprises monitoring a code package executing on the computing device for changes to the state or the one or more attributes thereof (Para.0092, Para.0004, Para.0041, Para.0054, Para.0057; “a state machine illustrating a workflow ….. responsible for creating policies ….”, “trust is being established on …. components…. applying …. policies that establish trust in the files ……”, “components …. such as an executable file…. a process… at the customer endpoint”, “extracts code sections for each process and determines … checksum for the code sections of a monitored process…. If a code …. is altered”, “altering …files (e.g., inserting malicious code sections … changing file permissions…”) and updating the state machine with any changes to the context information; (Para.0058, Para.0092. Para.0004; “updates, or deletes a file at the customer endpoint … the file is viewed …. until trust is explicitly established with the file”, “a state machine illustrating a workflow ….. for creating policies from …. STIG”, “applying …. policies that establish trust in the files based on security technical implementation guides (STIGS)”) and b. …… generating the state machine, executing the following: - receiving a notification of an OS event (Para.0077, Para.0044; “receives notifications from the OS subsystem whenever a …CRUD operation occurs”, “detect CRUD (create, read, write update, and delete) operations to the file system and runs ….CRUD events” customer endpoint receives notifications about an OS event/ CRUD (create, read, write update, and delete) operations) associated with an accessor code package; (Para.0078; “notifies … when one or more … regions of memory …are accessed (read and/or write)”) - attempting to match the OS event to an access control list (AGL) or execution control list (EGL) specifying at least one entry, (Abstract, Para.0006,Para.0090, Para.0068, Para.0070; “attempt to establish trust in relation to operations on a customer endpoint ….”, “perform the operation on one of: a file system…processes… operating system events”, “OS events are matched against the created policies”, “applying an ….policy to CRUD events generated in relation to operations on the file”, “policies to establish trust of the file. Once …. establishes trust of the file then the ACLs for the file …. enabled”, when any OS events/CRUD events on files are matched against specific policies followed by matching with or enabling ACLs, thus establishing trust of the files/processes/OS events which is construed as attempting to match the OS event to an access control list (ACL) or execution control list (ECL) specifying at least one entry) each entry comprising an OS event (Para.0056; “OS events … to establish trust in the monitored process….generate an OS event if ….a process starts” a process is construed as entry) and associated event context defining a validation condition, (Para.0041; “generate events to establish trust of the components …. operation on ….. process…. validating the … components …against a signature database containing file checksums for the one or more …. components”) wherein, responsive to a match being found between the OS event and the at least one entry, the method further comprises: - retrieving context information associated with the accessor code package; (Para.0059, Para.0041; “establish trust with the file….If trust is established …. …. the access permissions for the file may be restored, e.g., moving to an access group associated with the user”, “establish trust of the components… validating the …. components …. against a signature database containing file checksums” when OS events/files/processes are matched with policies and ACL, then the file or processes is marked as trusted and the access permissions for the file is restored, which is construed as responsive to a match being found between the OS event and the at least one entry, retrieving context information associated with the accessor code package) - validating the retrieved context information against the event context specified in the at least one entry; (Para.0070, Para.0041; “check the reputation of any file ….or …. a process …. performs checks based on … policies to establish trust of the file. Once …. establishes trust of the file then the ACLs for the file may be enabled, and/or the file … allowed to execute…. the checks …include validating signatures”, “components …. such as …. a process … validating …. against a signature ….containing file checksums”) and c.- performing an action ….. upon validation of the retrieved context information. (Para.0090; “OS events are matched against the created policies and a final action is carried out on all satisfied events”) however, Gupta does not explicitly disclose: b. …. independent of generating the state machine, executing ….an OS event…. c. …performing an action specified in the at least one entry …. [Gupta discloses performing an action …. upon validation of the retrieved context information, Gupta does not disclose performing an action specified in the at least one entry …] In an analogous reference Schultz discloses: c. …. performing an action specified in the at least one entry (Para.0020, Para.0019, Para.0026; “an execution control list(s) (ECL) …. lists actions … of programs that are allowed to execute those actions. For instance….if a program signed by Bob Parker attempts to execute a ….action, no alert will be issued ", “Action … comprise any type of operation that can be executed on computer workstation …such as sending email, modifying files, etc.”, “Computer workstation … comprise any type of computing device, including a server, a desktop computer”) …. Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gupta’s method of detecting malicious attacks on a customer endpoint by enhancing Gupta’s method to include Schultz’s method for controlling execution of actions being executed from within a computer program. The motivation: when a packet or access request matches an entry in an Access Control List (ACL) or Execution Control List (ECL), the specified action (permit or deny) is performed, delivering significant benefits to network security and performance. however, Gupta in view of Schultz does not explicitly disclose: b. …. independent of generating the state machine, executing ….an OS event….. In an analogous reference Challenger discloses: b. …. independent of generating the state machine, (Para.0035; “each ….state machine …. is independent of other”) executing …..an OS event…. (Para.0006; “state machine processing is performed …. without the need for an event driven operating system”) Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gupta in view of Schultz’s method of detecting malicious attacks on a customer endpoint by enhancing Gupta in view of Schultz’s method to include Challenger’s method for data driven finite state machine engines for flow control in a distributed computing environment. The motivation: independent of generating a state machine, executing an OS event results in improved reactivity and reduced design complexity through run-to-completion (RTC) processing. With respect to independent claims 13 and 14, a corresponding reasoning was given earlier in this section with respect to claim 1; therefore, claims 13 and 14 rejected, for similar reasons, under the grounds as set forth for claim 1. Regarding Claim 2: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the ACL defines one or more conditions for accessing a resource by the accessor code package (Gupta, Para.0070, Para.0078; “check the reputation of any file ….. establishes trust of the file then the ACLs for the file …. enabled, and/or the file …. allowed to execute…. the checks …. include validating …. ACLs”, “when one or more ….. regions of memory ….are accessed (read and/or write)”) and the ECL defines one or more conditions for executing the accessor code package. (Schultz, Para.0020; “an execution control list(s) (ECL) …. lists actions and signers of programs that are allowed to execute …actions”) Regarding Claim 3: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the ACL/ECL comprises at least one of: a process execution control list; (Schultz, Para.0020; “an execution control list(s) (ECL) …. lists … programs that are allowed to execute …”) a process access control list; a heuristics access control list; a module execution control list; a removable drive access control list; a file read/write access control list; and a registry access control list. Regarding Claim 4: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the action associated with the matched control list entry comprises at least one of: blocking access of the OS event; allowing access of the OS event; notifying a location of the access of the OS event; blocking execution of the OS event; allowing execution of the OS event; notifying a location of the execution of the OS event; suspending a process of the OS event; and blocking the process of the OS event. (Gupta, Para.0065; “terminating one or more processes …. associated with the event”) Regarding Claim 5: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the ACL/ECL comprises a plurality of ACLs or ECLs. (Schultz, Para.0020; “an execution control list(s) (ECL) …. lists … programs that are allowed to execute …”) Regarding Claim 6: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the ACL/ECL is defined in a policy structure, the policy structure defining: one or more ACL/ECLs; (Schultz, Para.0020; “an execution control list(s) (ECL) …. lists actions and signers of programs that are allowed to execute those actions”) and policy information specifying an action to be performed based on the validated one or more ACLs/ECLs of the policy structure. (Para.0005, Abstract, Para.0019; “an execution control list (ECL) is provided …. which …. programs are allowed…. allowing the action to execute…”, ”actions being executed …. authorized for execution for a …. duration…..”, “Action … comprise any type of operation that can be executed on computer workstation … such as sending email, modifying files”) Regarding Claim 7: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 6, wherein the policy structure further comprises an indication of a relationship between ACLs/ECLs of the policy structure. (Schultz, Para.0002, Para.0018, Para.0020; “The …. invention relates …. to controlling execution of actions …. relates to allowing … authorization of an executable action on a computer system”, “an execution control system … allows …authorization of an action …being executed by a program”, “Execution control system …. includes an execution control list(s) (ECL) ….that lists actions and ….. programs that are allowed to execute those actions”) Regarding Claim 8: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 6, further comprising: receiving one or more additional ACLs/ECLs to add to the policy structure; (Schultz, Para.0005, Para.0020; “an execution control list (ECL) is provided …. which signers/programs are allowed…. adding the signer to the ECL so that the signer always has permission ….”, “an execution control list(s) (ECL) …. lists …. signers of programs that are allowed to execute …”) and combining the one or more additional ACLs/ECLs with the plurality of control lists of the policy structure. (Para.0023, Para.0020; “the signer to be added to the ECL …. TABLE…”, “an execution control list(s) (ECL)”) Regarding Claim 9: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 8, wherein the one or more ACLs/ECLs are specified in one or more policy structures. (Schultz, Para.0020; “an execution control list(s) (ECL) ….lists actions and signers of programs that are allowed to execute those actions. For instance, …. ECL …. include the following: TABLE-US-00001 Action Program Signer MailSend Bob Parker CalandarUpdate Pete Jones”) Regarding Claim 10: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 6, further comprising: receiving an indication (Schultz, Para.0016; “an alert ….window that includes a temporal authorization”) of one or more ACLs/ECLs to remove from the policy structure; (Para.0023, Para.0006; “temporal authorization …. cause the signer to be …. removed after the duration”, “edit the ECL to remove the added signer from the list of signers allowed to perform the operation”) and removing the indicated one or more ACLs/ECLs from the policy structure. (Para.0008; “temporal authorization of an executable action …. for a short duration of time (e.g., five seconds), thus allowing actions … to execute without repeatedly causing an alert”) Regarding Claim 11: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the context information includes an indication whether or not a process binary is signed. (Gupta, Para.0059, Para.0040; “establish trust with the file…. by checking signatures (e.g., checksums) of the file”, “application executed at a customer endpoint …..binary analysis ….to capture activities of the executed computer application…. monitor …. operations by applications on file …processes”) Regarding Claim 12: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the code packages comprise one or more of: processes; (Gupta, Para.0054; “code sections for each process”) dynamic libraries; and drivers. Regarding Claim 15: Gupta in view of Schultz and further in view of Challenger discloses: The method of claim 1, wherein the state machine is generated at boot of the computing device. (Gupta, Para.0097, Para.0040, Para.0056; “The state machine …. illustrates the states that are involved when an event is triggered during runtime”, “a computer application executed at a customer endpoint …. at load or runtime time in order to capture activities of the executed computer application at runtime”, “generate an OS event …. indicate ….. a process starts …. a Windows installer activity occurs”) Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAYEDA SALMA NAHAR whose telephone number is (703)756-4609. The examiner can normally be reached M-F 12:00 PM to 6:00 PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached on (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SAYEDA SALMA NAHAR/Examiner, Art Unit 2435 /AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2491