DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2. Claims 1-17 and 19-21 are pending. Claims 1, 20 and 21 are in independent form. Claims 4-10, 12-14, 16-17, and 19 have been amended. Claims 18 and 22-48 have been cancelled.
Priority
3. No foreign priority is claimed.
Information Disclosure Statement
4. The information disclosure statement (IDS) submitted on 05/05/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Drawings
5. The drawings filed on 11/21/2024 are accepted by the examiner.
Double Patenting
6. The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
7. Claims 1 and 21 are rejected on the ground of non-statutory obviousness-type double patenting as being unpatentable over claims 1 and 21 of U.S. Patent No. 12,182,267 B1 and U.S. Patent No. 11,734,427 B1, respectively, in view of Levy et al. (US 2012/0158737 A1), Ismael (US 2015/0096025 A1), Amsler (US 2014/0201836 A1) and Bhargava et al. (US 2012/0030731 A1). Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant application merely attempts to broaden the scope of the invention by omitting “in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device; and providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated; and generating and presenting a visualization of the data structures and the artifacts, in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device, wherein the method is performed by at least one processing device”. Since it has been held that omission of an element and its function in a combination where the remaining elements perform the same functions as before involves only routine skill in the art (In re Karlson, 136 USPQ 184), Application 18/955,552 is an obvious variant of Patent No. 12,182,267 and Patent No. 11,734,427. The dependent claims are rejected because of their dependency on the independent claims (see table below).
Instant Application 18/955552:
Claim 1: A method for aiding cyber intrusion investigations, the method comprising:
extracting data from a specified range of a volatile memory of a target processing device;
reconstructing data structures and artifacts from the extracted data; and
generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts, wherein the method is performed by at least one processing device.
Claim 20: A system for aiding cyber intrusion investigations, the system comprising:
at least one processing device, the at least one processing device including:
at least one processor, a memory having instructions stored therein for execution by the at least one processor, a storage device for storing data, and a communication bus connecting the at least one processor with the read only memory and the storage device;
wherein when the at least one processing device executes the instructions a method is performed comprising:
providing a secure web services application program interface for use by at least one remote processing device; and
providing a data analytics platform comprising:
a plurality of profiles, the plurality of profiles being related to at least one operating system, at least one application, or to both the at least one operating system and the at least one application,
a plurality of threat feeds and a plurality of detection methods,
a plurality of whitelists,
a facility for allowing a plurality of users to collaborate in a cyber intrusion investigation,
secure storage, a sandbox for testing detection methods, and feedback analytics.
Claim 21: At least one processing device for cyber intrusion investigations, the at least one processing device comprising:
at least one processor;
a memory having instructions stored therein for execution by the at least one processor;
a storage device for storing data; and
a communication bus connecting the at least one processor with the read only memory and the storage device,
wherein when the instructions are executed by the at least one process of the at least one processing device, a method is performed comprising:
communicating with at least one remote processing device via a secure web services application program interface,
providing a graphical user interface for formulating queries and displaying artifacts related to anomalous conditions,
providing storage for whitelists and detected anomalies, the whitelists comprising information related to normal known, or trusted, conditions, and
requesting and receiving information regarding artifacts and data structures found in a memory sample.
Patent No. 12,182,267:
Claim 1: A method for aiding cyber intrusion investigations, the method comprising:
extracting data from a specified range of a volatile memory of a target processing device;
reconstructing data structures and artifacts from the extracted data; and
generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts, in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device; and providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated;
wherein the method is performed by at least one processing device.
Patent No. 11,734,427:
Claim 21: At least one processing device for cyber intrusion investigations, the at least one processing device comprising:
at least one processor;
a memory having instructions stored therein for execution by the at least one processor;
a storage device for storing data; and
a communication bus connecting the at least one processor with the read only memory and the storage device,
wherein when the instructions are executed by the at least one process of the at least one processing device, a method is performed comprising:
communicating with at least one remote processing device via a secure web services application program interface,
providing a graphical user interface for formulating queries and displaying artifacts related to anomalous conditions,
providing storage for whitelists and detected anomalies, the whitelists comprising information related to normal known, or trusted, conditions,
requesting and receiving information regarding artifacts and data structures found in a memory sample,
and generating and presenting a visualization of the data structures and the artifacts, in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device.
Claim Rejections - 35 USC § 103
8. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
9. Claims 1-9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Ismael U.S. Patent Application Publication No. 2015/0096025 (hereinafter Ismael).
Regarding claim 1, a method for aiding cyber intrusion investigations, the method comprising:
“extracting data from a specified range of a volatile memory of a target processing device” (see Levy pars. 0022, 0029, 0036, 0047, extracting data from an indexing database stored in volatile memory by querying the database residing on a server (target processing device) to identify locations of data (specified range));
“reconstructing data structures and artifacts from the extracted data” (see Levy pars. 0038-0039, In block 201, the HTML layered reconstruction module 103 receives a request to reconstruct a web page from network packet data (structures) stored in the packet capture repository and/or previously reconstructed artifacts. At block 202, HTML layered reconstruction module 103 queries the indexing database 106 for locations of packet data stored in the packet capture repository and corresponding to the HTML file being reconstructed. The flow then proceeds to block 203 where the HTML layered reconstruction module reconstructs the HTML file from the packet data in the packet capture repository); and
“generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts” (see Levy pars. 0038-0039, 0061, the HTML layered reconstruction module may generate a snapshot of the reconstructed web page and provide it to a user via the user interface (presenting a visualization). The provided snapshot may be selectable by the user in order to view the full reconstructed web page. Such a snapshot may be provided, optionally along with snapshots of other reconstructed web pages, so that the user may select particular reconstructed web pages for viewing, the HTML layered reconstruction module 103 receives a request to reconstruct a web page from network packet data (structures) stored in the packet capture repository and/or previously reconstructed artifacts);
Levy does not explicitly disclose wherein the method is performed by at least one processing device.
However, in analogous art, Ismael discloses wherein the method is performed by at least one processing device (see Ismael par. 0045, preliminary analysis logic 170, scheduler 180 and/or replay analysis engine 190 may be software modules executed by a processor that receives the suspicious object, performs malware analysis and is adapted to access one or more non-transitory storage mediums operating as database 175, data store 185 and/or reporting module 195. In some embodiments, the preliminary analysis engine 170 may be one or more software modules executed by a processor, and the scheduler 180 and the replay analysis engine 190 may be one or more software modules executed by a different processor, where the two processors are possibly located at geographically remote locations, and communicatively coupled for example via a network).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Ismael into the system of Levy so that a first analysis engine and a second analysis engine may operate on the analyzed content concurrently or sequentially (see Ismael par. 0038).
Regarding claim 2, Levy in view of Ismael discloses the method of claim 1,
Ismael further discloses providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated (see Ismael par. 0036, The static analytical environment 191 comprises a first analysis engine 193 that is adapted to conduct static malware detection operations, such as comparisons between binary content from the network traffic and suspected malware identifiers (e.g. alphanumeric patterns associated with known or suspected malware, etc.) for example. The dynamic analytical environment 192 comprises a second analysis engine 194, which includes at least instrumentation control logic operating in concert with VM(s) as described herein. The second analysis engine 194 is adapted to detect whether the suspicious object may include malware by execution of one or more VMs that are configured to simulate the receipt and/or processing of the object under analysis ("analyzed object") targeted for the client device 150. The second analysis engine 194 analyzes the resultant behaviors monitored within the VM. These may include "expected" behaviors (e.g., those typically resulting from processing objects of the type being analyzed) and "unexpected" (or "anomalous") behaviors, and may represent those behaviors that would have occurred if the targeted client device 150 processed the object, and these behaviors are provided as malware analysis results to logic within replay analysis engine 190).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Ismael into the system of Levy so that a first analysis engine and a second analysis engine may operate on the analyzed content concurrently or sequentially (see Ismael par. 0038).
Regarding claim 3, Levy in view of Ismael discloses the method of claim 2,
Ismael further discloses wherein the plurality of analysis methods include one or more of scripts, database queries, byte sequence signatures, string matching, and comparison of registry key values (see Ismael par. 0054, a first VM disk file may include a first VM instrumentation directed to analysis of JavaScript® code in accordance with a first type of JavaScript® engine and a second VM disk file may include a second VM instrumentation directed to deeper-level analysis of JavaScript® code in accordance with a different type of JavaScript® engine).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Ismael into the system of Levy so that a first analysis engine and a second analysis engine may operate on the analyzed content concurrently or sequentially (see Ismael par. 0038).
Regarding claim 4, Levy in view of Ismael discloses the method of claim 1,
Ismael further discloses presenting indications of suspicious activity or indications of abnormal conditions to a user (see Ismael par. 0034, an object is identified as "suspicious" when it is assessed by a preliminary analysis engine 170, with a certain level of likelihood, that at least one characteristic identified during inspection of the object indicates the presence of malware); and providing a facility for the user to bookmark and annotate artifacts (see Ismael par. 0056, the replay analysis engine 190 may flag a suspicious object as malware according to the observed anomalous behavior detected by the VM. The reporting module 195 may issue alerts indicating the presence of malware, and using pointers and other reference information, identify what portion of the "suspicious" object may contain malware).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Ismael into the system of Levy so that a first analysis engine and a second analysis engine may operate on the analyzed content concurrently or sequentially (see Ismael par. 0038).
Regarding claim 5, Levy in view of Ismael discloses the method of claim 1,
Levy further discloses providing a user an ability to develop custom workflows (see Levy par. 0005, a user may be able to specify which external file types to include in reconstructing the web page and/or which external file types not to include, such as style sheets, script elements, image files, media content, etc. In such implementations, reconstruction of the web page may not be based on reconstruction one or more external files that the user specifies not to include).
Regarding claim 6, Levy in view of Ismael discloses the method of claim 1,
Levy further discloses correlating information within the volatile memory with data stored in at least one other data source to determine an existence of at least one inconsistency or anomaly (see Levy par. 0050, the query may specify not to reconstruct script files from data stored in the packet capture repository because of concerns that script files may include viruses or other malicious code. Thus, when a link is identified in the HTML file that is associated with a script file, the HTML layered reconstruction module 103 may not reconstruct any file associated with the link for inclusion in the reconstructed web page).
Regarding claim 7, Levy in view of Ismael discloses the method of claim 1,
Levy further discloses extracting, indexing, and/or correlating information regarding a state of the target processing device over at least one particular point in time (see Levy pars. 0036-0038, The information (e.g., packet data, meta-data, etc.) may be extracted from the indexing database through a suitable database query. The database query may be performed through any number of interfaces including a graphical user interface, a web services request, a programmatic request, a structured query language (SQL), and so on, used to extract related information of a packet data or any meta-data stored in the indexing database. If a query is matched to certain data stored in the indexing database, then matched packets may be retrieved from the packet capture repository for reconstruction. The request may specify a time window as well as file types to include, file types not to include, how to handle files that were not captured or are not to be included, and so on); and providing a facility for archiving and tracking changes in the state of the target processing device over time (see Levy pars. 0046-0047, The query may also specify a time window within which to restrict the query such that only network packet data captured during the time window (e.g., packets having time stamps falling within the time window and the like) is searched. The HTML layered reconstruction module may perform the query in response to receiving user input from a user interface 110 that is communicably coupled to the capture appliance 101. If data of files associated with the links is present in the packet capture repository, the HTML layered reconstruction module may then query the indexing database to identify locations of data in the packet capture repository and may reconstruct the files. The HTML layered reconstruction module may also query a database containing references to previously reconstructed artifact files. The HTML layered reconstruction module may then reconstruct the web page based at least on the reconstructed HTML file and reconstructed files).
Regarding claim 8, Levy in view of Ismael discloses the method of claim 1,
Ismael further discloses providing a facility to generate a sharable analytics catalog (see Ismael par. 0033, management system 120 may be adapted to cause malware identifiers generated as a result of malware detection by any of MCD systems 110_1-110_N to be shared with one or more of the other MCD systems 110_1-110_N including, for example, where such sharing is conducted on a subscription basis. Additionally, the management system 120 may coordinate the sharing of information associated with the VM instrumentation (described below) among the MCD systems 110_1-110_N in order to better refine malware analysis and detection).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Ismael into the system of Levy so that a first analysis engine and a second analysis engine may operate on the analyzed content concurrently or sequentially (see Ismael par. 0038).
Regarding claim 9, Levy in view of Ismael discloses the method of claim 1,
Levy further discloses providing a graphical user interface and a scriptable interface for formulating queries and performing other types of analysis (see Levy par. 0036, the database query may be performed through any number of interfaces including a graphical user interface, a web services request, a programmatic request, a structured query language (SQL), and so on, used to extract related information of a packet data or any meta-data stored in the indexing database).
Regarding claim 19, Levy in view of Ismael discloses the method of claim 1,
Levy further discloses reconstructing data stores based on data found in cached memory of the processing device (see Levy pars. 0023, 0048, If data of files associated with a particular link is determined not to be present neither in the packet capture repository, nor as a previously reconstructed artifact file, the reconstructed web page may not be recreated from a stored version of the files. The data may not be present in the packet capture repository or as a previously reconstructed artifact file for a variety of reasons. For example, the external file may have been loaded from cache rather than sent across the network when the web page was originally accessed).
10. Claims 10-11 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Ismael U.S. Patent Application Publication No. 2015/0096025 (hereinafter Ismael) in further view of Thomas et al. U.S. Patent Application Publication No. 2012/0079596 (hereinafter Thomas).
Regarding claim 10, Levy in view of Ismael discloses the method of claim 1,
Levy in view of Ismael does not explicitly disclose generating, managing, and/or sharing detection methods for detecting anomalous conditions using artifacts displayed with the graphical user interface.
However, in analogous art, Thomas discloses generating, managing, and/or sharing detection methods for detecting anomalous conditions using artifacts displayed with the graphical user interface (see Thomas par. 0045, the method 300 further includes analyzing the memory baseline and the memory after execution (324) to determine the changes made by the malware and generating a report (326). The report may include a wide variety of information and can be delivered to the user in a variety of manners. As an example, the report could be provided in pdf format or the user could view the report on the website. The report can either display all of the information in the post-execution memory (e.g., all running processes) or only display the changes with respect to the memory baseline).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Thomas into the system of Levy and Ismael so that, utilizing the obtained artifacts, timelines of activities performed by the malware during operation can be generated to provide a report including the exact order in which the malware performed its various actions (see Thomas par. 0043).
Regarding claim 11, Levy in view of Ismael in further view of Thomas discloses the method of claim 10,
Thomas further discloses importing at least one other detection method for detecting the anomalous conditions using the artifacts displayed with the graphical user interface (see Thomas pars. 0177-0178, The "avscan" table may store the list of antivirus detections for each malware sample and any files that it drops or downloads that were detected by an antivirus product. The "pefiles" tables may store artifacts of PE headers such as PE section names, entropy for each section, file characteristics, and imported/exported API functions).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Thomas into the system of Levy and Ismael to allow a user to search for malware by hash, a/v name, a file it created, a host it contacted, an API function that it imports or exports, and a number of other data types (see Thomas par. 0195).
Regarding claim 13, Levy in view of Ismael discloses the method of claim 1. Levy in view of Ismael does not explicitly disclose automatically evaluating capabilities of memory resident executables and associated file formats by analyzing imported libraries and exported methods for inconsistencies or anomalies.
However, in analogous art, Thomas discloses automatically evaluating capabilities of memory resident executables and associated file formats by analyzing imported libraries and exported methods for inconsistencies or anomalies (see Thomas par. 0032, a method of detecting and analyzing malware according to an embodiment. The method 300 includes receiving a file (310). The file, which may be one of several files, is a potentially malicious file. The file may be any suitable file type that runs on an operating system (e.g., Microsoft Windows) and can include executables (.exe), dynamic link libraries (.dll), kernel drivers (.sys), Adobe Reader files (.pdf), Microsoft Office documents (.doc, .xls, .ppt), and URLs (typically, website addresses beginning with http://, https://, or ftp://)).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Thomas into the system of Levy and Ismael to allow a user to search for malware by hash, a/v name, a file it created, a host it contacted, an API function that it imports or exports, and a number of other data types (see Thomas par. 0195).
Regarding claim 14, Levy in view of Ismael discloses the method of claim 1,
Levy in view of Ismael does not explicitly disclose providing a facility to associate a response action with at least one analytic pattern.
However, in analogous art, Thomas discloses providing a facility to associate a response action with at least one analytic pattern (see Thomas pars. 0277-0278, all the artifacts that occurred on the system as a result of running the malware sample can be shown by the family tree. Analysis of files that were dropped in response to the execution of the parent file is performed and similar information is provided at lower levels of the family tree in association with the dropped files).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Thomas into the system of Levy and Ismael to provide views of family trees based on behaviors rather than artifacts, providing the user with insight into the behaviors (see Thomas par. 0278).
Regarding claim 15, Levy in view of Ismael in further view of Thomas discloses the method of claim 14,
Levy further discloses wherein the response actions include at least one of querying new types of data, generating an alert, and/or halting a process (see Levy par. 0047, The HTML layered reconstruction module 103 may query the indexing database to identify locations of, and retrieve, packet data of the HTML file in the packet capture repository. Based on the identified packet data, the HTML layered reconstruction module may reconstruct the HTML file and parse it to identify one or more links in the HTML file to external files (such as links to external image files, movie files, script files, style sheet files, and so on)).
11. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Ismael U.S. Patent Application Publication No. 2015/0096025 (hereinafter Ismael) in further view of Thomas et al. U.S. Patent Application Publication No. 2012/0079596 (hereinafter Thomas) in further view of Zorn U.S. Patent Application Publication No. 2010/0205674 (hereinafter Zorn).
Regarding claim 12, Levy in view of Ismael in further view of Thomas discloses the method of claim 10, Levy in view of Ismael in further view of Thomas does not explicitly disclose collecting metrics regarding effectiveness of the detection algorithms; and sending the collected metrics to at least one other processing device for remote analytics.
However, in analogues art, Zorn discloses collecting metrics regarding effectiveness of the detection algorithms (see Zorn par. 0071, an exponentially weighted moving average of a statistic may be used as a baseline value, along with standard deviations or other metrics); and sending the collected metrics to at least one other processing device for remote analytics (see Zorn par. 0071-0072, The alert of block 318 may be any type of action that may be taken based on a high vulnerability. In the case of a memory heap analysis, the high vulnerability may cause a message to be presented to a user or system administrator. In some cases, an anti-virus or anti-malware scan may be initiated for the device).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Zorn into the system of Levy, Ismael, and Thomas so that an exponentially weighted moving average of a statistic may be used as a baseline value, along with standard deviations or other metrics (see Zorn par. 0071).
12. Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Ismael U.S. Patent Application Publication No. 2015/0096025 (hereinafter Ismael) in further view of Nabutovsky U.S. Patent Application Publication No. 2011/0078550 (hereinafter Nabutovsky).
Regarding claim 16, Levy in view of Ismael discloses the method of claim 1,
Levy in view of Ismael does not explicitly disclose importing or generating whitelists of normal known, or trusted, conditions; sharing the whitelists; and managing the whitelists.
However, in analogous art, Nabutovsky discloses importing or generating whitelists of normal known, or trusted, conditions (see Nabutovsky par. 0010, creating links includes providing an account Owner the opportunity to create and manage whitelists and blacklists through the settings in multiple criteria sections, which are used as filters to automatically accept or decline a proposed link according to the criteria set); sharing the whitelists (see Nabutovsky par. 0059, If the other side is sharing all that it contracted/agreed to do, the link exchange system 100 would permit the links/media exchange. As part of the criteria (whitelist/blacklist), the system 100 may also monitor sound and video quality, and if the quality meets a minimum standard, the mutual links are whitelisted); and managing the whitelists (see Nabutovsky par. 0026, the method of creating links includes providing an account Owner the opportunity to create, manage and use whitelists 605 (shown in FIG. 6B) and blacklists 705 (shown in FIG. 7B) through the settings in multiple criteria sections, which are used as filters to automatically accept or decline a proposed link according to the criteria set).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Nabutovsky into the system of Levy and Ismael to provide an account Owner the opportunity to create and manage whitelists and blacklists which are used as filters to automatically accept or decline a proposed link (see Nabutovsky Abstract).
13. Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Ismael U.S. Patent Application Publication No. 2015/0096025 (hereinafter Ismael) in further view of Wood et al. U.S. Patent Application Publication No. 2009/0290492 (hereinafter Wood).
Regarding claim 17, Levy in view of Ismael discloses the method of claim 1,
Levy in view of Ismael does not explicitly disclose wherein the method further comprises: extracting metadata based on the extracted data; storing the metadata, the metadata describing a system state and including a subset of original runtime state information.
However, in analogous art, Wood discloses extracting metadata based on the extracted data (see Wood par. 0005, extract a meta-data having information relevant to network traffic visibility based on the type of the header); storing the metadata, the metadata describing a system state and including a subset of original runtime state information (see Wood par. 0005, extracting the meta-data from the header, and streaming the meta-data to a storage device).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Wood into the system of Levy and Ismael to extract the meta-data from the header and stream the meta-data to a storage device (see Wood Abstract).
14. Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Amsler US Patent Application Publication No. 2014/0201836 (hereinafter Amsler) in further view of Bhargava et al. U.S. Patent Application Publication No. 2012/0030731 (hereinafter Bhargava).
Regarding claim 20, Levy discloses a system for aiding cyber intrusion investigations, the system comprising:
“at least one processing device” (Fig. 1, Capture Appliance 101);
the at least one processing device including:
“at least one processor” (Fig. 1, Processing Unit 102),
a memory (Fig. 1, Computer Readable Media 104) having instructions stored therein for execution by the at least one processor
“a storage device for storing data” (Fig. 1, Storage 105) and
“a communication bus connecting the at least one processor with the read only memory and the storage device” (see Levy par. 0029, The system 100 also includes a capture appliance 101 communicably coupled to the storage 105 and the indexing database 106. The capture appliance 101 may include at least one processing unit 102 and one or more computer readable media 104 (such as random access memories, hard disks, flash memory, cache memory, non-volatile memory, optical storage media, and so on));
wherein when the at least one processing device executes the instructions (see Levy par. 0037) a method is performed comprising:
“providing a secure web services application program interface for use by at least one remote processing device” (see Levy par. 0036, The indexing database 106 may include a collection of meta-data that is stored in an organized manner so that the network packet data may be accessed efficiently through a query. The information (e.g., packet data, meta-data, etc.) may be extracted from the indexing database through a suitable database query. The database query may be performed through any number of interfaces including a graphical user interface, a web services request, a programmatic request, a structured query language (SQL), and so on, used to extract related information of a packet data or any meta-data stored in the indexing database);
Levy does not explicitly disclose providing a data analytics platform comprising:
However, in analogous art, Amsler discloses providing a data analytics platform (Fig. 1, element 26) comprising:
“a plurality of profiles, the plurality of profiles being related to at least one operating system, at least one application, or to both the at least one operating system and the at least one application” (see Amsler pars. 0039, 0072, Big Data Analytics Platform 26, may include statistical analysis, link analysis, and machine-learning tools. These allow a leveraging of a variety of netflow and customer-specific data to provide individualized, continuously updated profiles of each customer's network, including suspicious activity. Automated Program using a vmware esx server application program interface stands up 3 replicated machines that appear in the isolated VLAN, using the same hostnames and addressing scheme as the "real" operating environment);
“a plurality of threat feeds and a plurality of detection methods” (see Amsler pars. 0054, 0032, one embodiment of the invention includes a computer-implemented method for automatically securing a network against threats, wherein the method comprises collating data feeds for sending through a scanning system, scanning the data feeds based on preselected categories by determining type of information discerned from each data feed, and tagging data from the data feed scanning. Extended data pieces are provided by adding context surrounding threats including at least one of geophysical, customer verticals, operating system, adversary campaigns. A Big Data Analytics platform 26 baselines the network environment, detects anomalies or statistical detection and then alerts an analyst);
“a facility for allowing a plurality of users to collaborate in a cyber intrusion investigation” (see Amsler par. 0004, provide risk assessment and managed security systems and methods for network users, such as commercial organizations by way of example, and provide managed security services knowing that organizations must deal with formidable cyber threats, malware creations and phishing techniques);
“secure storage” (see Amsler par. 0075, the Threat Intelligence segment 30 draws information from a wide variety of the external sources 34, normalizing the data from each of them and storing it in the central database 42. The system 10 will also work with the analytics subsystem 44 to track the accuracy and relevance of different sources. In addition, suspicious patterns are fed to the central database 42 and a customer database 50 to automatically query security tools in the customers' environments);
“a sandbox for testing detection methods” (see Amsler par. 0108, As part of the analysis, the Honeytrap 20 copies memory being used by the new/suspect process. This memory snapshot can be used to do memory analysis of the suspect code and to make clones of the code in slightly different environments to see how it interacts with different environments. While this is happening, the Honeytrap 20 is trying to emulate a larger network. If an active attack was found outside the Honeytrap 20, a VLAN switch & Network Address Translation may be used to redirect that attack to a virtual machine and a protected sandbox area. Increased, detailed logging of the suspect process's behavior may be used to do black box analysis of it); and
“feedback analytics” (see Amsler par. 0006, The analyst portal tracks various metrics of analyst performance and provides feedback to the system. The customer portal may allow the customer to view the analyst performance metrics as well as customize threat intelligence feeds, local security tools, and descriptions of the customer environment and customer assets, and wherein the customer portal provides information feedback for the system).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Amsler into the system of Levy to include automatically securing a network against threats, which may comprise collating data feeds for sending through a scanning system and scanning the data feeds based on preselected categories by determining the type of information discerned from each data feed (see Amsler par. 0011).
Levy in view of Amsler does not explicitly disclose a plurality of whitelists.
However, in analogous art, Bhargava discloses a plurality of whitelists (see Bhargava pars. 0032-0033, Internal whitelist 133 may also contain information related to software program files evaluated for risk and may identify such software program files using checksums. Global whitelists and blacklists may be external to local network 110 and may be accessible through other networks such as Internet 150, or through any other suitable connection that permits electronic communication between local network 110 and global whitelist 165).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Bhargava into the system of Levy and Amsler to provide for searching one or more whitelists to determine whether the software program file is identified in one of the whitelists (see Bhargava par. 0017).
15. Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Levy et al. U.S. Patent Application Publication No. 2012/0158737 (hereinafter Levy) in view of Bhargava et al. U.S. Patent Application Publication No. 2012/0030731 (hereinafter Bhargava).
Regarding claim 21, Levy discloses at least one processing device for cyber intrusion investigations, the at least one processing device comprising:
“at least one processor” (Fig. 1, Processing Unit 102);
a memory (Fig. 1, Computer Readable Media 104) having instructions stored therein for execution by the at least one processor,
“a storage device for storing data” (Fig. 1, Capture Appliance 101); and
“a communication bus connecting the at least one processor with the read only memory and the storage device” (see Levy par. 0029, The system 100 also includes a capture appliance 101 communicably coupled to the storage 105 and the indexing database 106. The capture appliance 101 may include at least one processing unit 102 and one or more computer readable media 104 (such as random access memories, hard disks, flash memory, cache memory, non-volatile memory, optical storage media, and so on));
wherein when the instructions are executed by the at least one processor of the at least one processing device (see Levy par. 0030, the capture appliance 101 may be software operating in a virtualized environment implemented by the processing unit 102 executing one or more instructions stored in the computer readable media 104); a method is performed comprising:
“communicating with at least one remote processing device via a secure web services application program interface” (see Levy par. 0036, The indexing database 106 may include a collection of meta-data that is stored in an organized manner so that the network packet data may be accessed efficiently through a query. The information (e.g., packet data, meta-data, etc.) may be extracted from the indexing database through a suitable database query. The database query may be performed through any number of interfaces including a graphical user interface, a web services request, a programmatic request, a structured query language (SQL), and so on, used to extract related information of a packet data or any meta-data stored in the indexing database);
“providing a graphical user interface for formulating queries and displaying artifacts related to anomalous conditions” (see Levy pars. 0046-0047, 0051, The HTML layered reconstruction module may perform the query in response to receiving user input from a user interface 110 that is communicably coupled to the capture appliance 101. The HTML layered reconstruction module 103 can granularly tailor the reconstruction of the web page based on which file types to include, which file types not to include, whether to obtain new versions of files that do not have related previously reconstructed artifact files or data in the packet capture repository, whether to provide indications in the reconstructed web page for files retrieved from external sources, the HTML layered reconstruction module 103 provides flexible and layered reconstruction of web pages. An administrator may control the specifications of the query via the user interface 110 in order to control and visually detect just how much the reconstructed web site matches the original web site viewed by the user);
“requesting and receiving information regarding artifacts and data structures found in a memory sample” (see Levy Abstract, par. 0038, a method 200 of hypertext transfer protocol layered reconstruction that may be performed by the system 100. In block 201, the HTML layered reconstruction module 103 receives a request to reconstruct a web page from network packet data stored in the packet capture repository and/or previously reconstructed artifacts. The request may specify a time window as well as file types to include, file types not to include, how to handle files that were not captured or are not to be included, and so on. The flow then proceeds to block 202).
Levy does not explicitly disclose providing storage for whitelists and detected anomalies; the whitelists comprising information related to normal known, or trusted, conditions.
However, in analogous art, Bhargava discloses providing storage for whitelists and detected anomalies (see Bhargava par. 0018, a global server 160 may provide a database 165 containing global whitelists indicating software program files that have been evaluated and determined to be free of malicious code); the whitelists comprising information related to normal known, or trusted, conditions (see Bhargava par. 0037, using central trusted cache 245, the cache may be implemented in hardware as a block of memory for temporary storage of entries (e.g., checksums) identifying program files that have been previously determined to have a trusted status, such as those program files found during searches of global and/or internal whitelists. Central trusted cache 245 can provide quick and transparent access to data indicating program files previously evaluated for a trust status. Thus, if a requested program file is found in central trusted cache 245 then a search of global and/or internal whitelists, or any other trust evaluation, may not need to be performed).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Bhargava into the system of Levy to provide that a trust status is defined as trusted if the software program file is included in a whitelist identifying trustworthy software program files and untrusted if the software program file is not included in a whitelist (see Bhargava par. 0017).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bhattacharyya (US 20170024573): discloses a processor implementing techniques for supporting configurable security levels for memory address ranges. In one embodiment, the processor includes a processing core, a memory controller, operatively coupled to the processing core, to access data in an off-chip memory, and a memory encryption engine (MEE) operatively coupled to the memory controller. The MEE is to, responsive to detecting a memory access operation with respect to a memory location identified by a memory address within a memory address range associated with the off-chip memory, identify a security level indicator associated with the memory location based on a value stored on a security range register. The MEE is further to access at least a portion of a data item associated with the memory address range of the off-chip memory in view of the security level indicator.
Sallam (US 20110185424): discloses a method for detecting malware memory infections that includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMUEL AMBAYE whose telephone number is (571)270-7635. The examiner can normally be reached M-F 9:00 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAMUEL AMBAYE/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433