DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 04/08/2026. In the instant Amendment, claims 2-3, 5, 7, 9-10, 12, 14, 16-17, 19, and 21 have been amended. Claim 1 was previously cancelled. Claims 2, 9, and 16 are independent claims. Claims 2-22 have been examined and are pending. This Action is made FINAL.
Response to Arguments
In attempts to promote principle of compact prosecution, on 06/12/2026, the Examiner contacted the Applicants to discuss possible amendments to move the case forward. However, the Examiner and the Applicants could not come up with an agreement.
Applicant request the double patenting rejection to be held and remain after the claims of the present application have been otherwise allowed (Applicant Arguments/Remarks, 04/08/2026, page 1). Therefore, the double patenting rejection maintained, but held abeyance.
Applicants’ arguments with respect to claims 2-22 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-4, 6-7, 9-11, 13-14, 16-18, and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over SRIDHARA et al. (“SRIDHARA,” US 20150230108, published on 08/13/2015) in view of FENG et al. (“FENG,” CN 104239783, published on 12/24/2014), and further in view of Colvin et al. (“Colvin,” US 20130042294, published on 02/14/2013)
Regarding Claim 2;
SRIDHARA discloses a method, comprising:
detecting, by a monitor engine, an interaction of software content and a computing environment, the software content comprising software instructions (par 0020; monitor key assets of the mobile device at a low level and report suspicious activities to a comprehensive behavioral monitoring and analysis system; par 0021; key assets include [] instruction queues that are associated with a feature, application; par 0030; the hardware debug module include any of a variety of hardware and software technologies that enable real-time collection of information relating to instruction execution; par 0035; for example, the hardware debug module using a key asset of the mobile device until the analyzer module determines that the software application is benign; par 0039; the hardware debug module include an application programming interface that is suitable for sending and receiving input/output instructions and information to and from [] secured or trusted execution environment (e.g., ARM TrustZone.RTM., etc.) of the mobile device, proprietary hardware modules, etc.);
loading at a least a portion of the software instructions into the execution environment, the execution environment having access to functionality for evaluating the software instructions (par 0031; the hardware debug module configured to capture instruction flows, instruction sequences; par 0035; the hardware debug module [] using a key asset of the mobile device until the analyzer module determines that the software application is benign; par 0039; the hardware debug module include an application programming interface that is suitable for sending and receiving input/output instructions and information to and from [] secured or trusted execution environment);
evaluating, by the execution environment, the loaded software instructions to identify functions and associated memory addresses (par 0103; a secure computing environment or trusted execution environment, which allows the mobile device to provide a secure and efficient system for identifying and correcting problematic mobile device behaviors; par 0021; monitor the access or use of key assets by monitoring data flows [] key assets may include memory locations, ranges of memory addresses; par 0031; the hardware debug module configured to use this information to perform profiling, debugging, or tracing operations [] generated trace data, behavior vectors and the results of its monitoring, detection or analysis operations in a system memory; par 0034; determine whether the software application is authorized to read information from that section of the memory);
using the identified functions and associated memory addresses to further identify calls of interest in the loaded software instructions (par 0021; monitor the access or use of key assets by monitoring data flows [] key assets may include memory locations, ranges of memory addresses; par 0031; the hardware debug module configured to use this information to perform profiling, debugging, or tracing operations [] generated trace data, behavior vectors and the results of its monitoring, detection or analysis operations in a system memory; par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations, and determining whether the software application is malicious or benign based on the behavior analysis operations);
forwarding calls of interest to a behavioral engine for analysis, the analysis comprising classifying the calls of interest as behavioral signatures (par 0053; send (e.g., function calls, etc.) the generated observations to the behavior analyzer module; par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations, and determining whether the software application is malicious or benign based on the behavior analysis operations); and
based on the behavioral signatures, identifying the software content as malicious and performing remedial action (par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations; par 0035; monitor an instruction queue to identify instruction sequences or instruction execution patterns that are associated with the monitored features, compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The hardware debug module then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the hardware debug module may stop or prevent a software application from accessing).
SRIDHARA discloses detecting, by a monitor engine, an interaction of software content and a computing environment; execution environment as recited above, but do not explicitly disclose a monitor engine comprising a secure execution environment; secure execution environment.
However, in an analogous art, FENG discloses information security input system/method that includes:
a monitor engine comprising a secure execution environment (FENG: par 0053; the second application module is comprised of a secure execution environment into the secure execution environment, is located in the second zone is triggered input state to enter specific information, after receiving the specific information, the user inputs the specific information input application in the secure execution environment [] the background server after verifying the verification result back to the first application module, subsequent operations to the first application module to perform service functions);.
secure execution environment (FENG: par 0053; the second application module is comprised of a secure execution environment into the secure execution environment, is located in the second zone is triggered input state to enter specific information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of FENG with the method/system of SRIDHARA to include a monitor engine comprising a secure execution environment; secure execution environment. One would have been motivated to perform the specific information input. a second application module is triggered to input the specific information, and the encryption result of encrypted specific information is returned to the first application module, a background server comprises a verifying module for verifying the encryption result of (FENG: abstract).
The combination of SRIDHARA and FENG disclose loading at a least a portion of the software instructions
However, in an analogous art, Colvin discloses identifying application system/method that includes:
loading at a least a portion of the software instructions (Colvin: par 0066; download a part or all of the computer readable instructions for execution. Alternatively, the computing device download pieces of the computer readable instructions, as needed, or some instructions executed at the computing device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Colvin with the method/system of SRIDHARA and FENG to include loading at a least a portion of the software instructions. One would have been motivated to identify malware based on the reputations of remote resources accessed by an application. Remote resource accesses reported to a reputation service, which identify reputations of remote resources, and application reputations of applications that utilize such remote resources (Colvin: abstract).
Regarding claim 3;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 2,
SRIDHARA discloses wherein the secure execution environment comprises a trusted execution environment residing in a secure area of one or more processing components (SRIDHARA: par 0013; logical components and information flows in an aspect mobile device equipped with a secure computing environment having multiple privilege/protection domains that may be configured to monitor privileged or secured assets to securely determine whether a particular mobile device behavior, software application, or process is malicious, performance-degrading, suspicious, or benign; par 0039; the hardware debug module may include an application programming interface that is suitable for sending and receiving input/output instructions and information to and from the comprehensive behavioral monitoring and analysis system, third party applications, third party security enabling libraries, components in a protected, secured or trusted execution environment of the mobile device, proprietary hardware modules, etc.).
FENG further discloses the secure execution environment (FENG: par 0053; the second application module is comprised of a secure execution environment into the secure execution environment, is located in the second zone is triggered input state to enter specific information).
The motivation is the same that of claim 1 above.
Regarding claim 4;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 2,
SRIDHARA discloses wherein the software content comprises programs, applications, services, code segments, or executable files (SRIDHARA: par 0028; hardware component configured to monitor key assets of a mobile computing device at a low level (e.g., at the kernel, firmware, hardware, or machine levels) to identify a suspicious or malicious activities [] software applications).
Regarding claim 6;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 2,
SRIDHARA discloses wherein the behavioral engine comprises a model for analyzing calls of interest, the model comprising at least one of: a rule-based model, a machine learning regressor model, a machine learning classifier model, or a neural network (SRIDHARA: par 0081; a classifier model may be generated by using machine learning and other similar techniques. Each classifier model may be categorized as a full classifier model or a lean classifier model; par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations, and determining whether the software application is malicious or benign based on the behavior analysis operations).
Regarding claim 7;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 2,
SRIDHARA discloses wherein the behavioral engine classifies behavioral signatures as known malicious content, wherein based on the classification, the performed remedial action comprises at least one of: pausing or terminating the software content, restricting access by the software content to the computing environment, or limiting the functionality of the software content (SRIDHARA: par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations; par 0035; monitor an instruction queue to identify instruction sequences or instruction execution patterns that are associated with the monitored features, compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The hardware debug module then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the hardware debug module may stop or prevent a software application from accessing).
Regarding Claim 9;
This Claim recites a system that perform the same steps as method of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.
Regarding Claim 10;
This Claim recites a system that perform the same steps as method of Claim 3, and has limitations that are similar to Claim 3, thus are rejected with the same rationale applied against claim 3.
Regarding Claim 11;
This Claim recites a system that perform the same steps as method of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.
Regarding Claim 13;
This Claim recites a system that perform the same steps as method of Claim 6, and has limitations that are similar to Claim 6, thus are rejected with the same rationale applied against claim 6.
Regarding Claim 14;
This Claim recites a system that perform the same steps as method of Claim 7, and has limitations that are similar to Claim 7, thus are rejected with the same rationale applied against claim 7.
Regarding Claim 16;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.
Regarding Claim 17;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 3, and has limitations that are similar to Claim 3, thus are rejected with the same rationale applied against claim 3.
Regarding Claim 18;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.
Regarding Claim 20;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 6, and has limitations that are similar to Claim 6, thus are rejected with the same rationale applied against claim 6.
Regarding Claim 21;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 7, and has limitations that are similar to Claim 7, thus are rejected with the same rationale applied against claim 7.
Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over SRIDHARA et al. (US 20150230108) in view of FENG et al. (CN 1042397830, and further in view of Colvin et al. (US 20130042294) and Carson et al. (“Carson,” US 20170032118, published on 02/02/2017).
Regarding claim 5;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 2,
SRIDHARA discloses wherein the functionality for evaluating the software instructions comprises utilities for performing at least one of: executing, debugging, instrumenting, or profiling the software instructions (SRIDHARA: par 0031; the hardware debug module configured to use this information to perform profiling, debugging, or tracing operations to generate debug or trace data), wherein evaluating, by the secure execution environment, the loaded software instructions to identify functions and associated memory addresses comprises: parsing the loaded software instructions (SRIDHARA: par 0103; a secure computing environment or trusted execution environment, which allows the mobile device to provide a secure and efficient system for identifying and correcting problematic mobile device behaviors; par 0021; monitor the access or use of key assets by monitoring data flows [] key assets may include memory locations, ranges of memory addresses; par 0031; the hardware debug module configured to use this information to perform profiling, debugging, or tracing operations [] generated trace data, behavior vectors and the results of its monitoring, detection or analysis operations in a system memory; par 0034; determine whether the software application is authorized to read information from that section of the memory); generating, by the utilities, execution paths and entry point addresses for the loaded software instructions (SRIDHARA: par 0031; the hardware debug module configured to use this information to perform profiling, debugging, or tracing operations to generate debug or trace data. Such trace data include hardware block trace data, processor trace data, software trace data, memory trace data, program flow trace data, data flow trace data, bus signaling trace data, USB trace data, etc. The hardware debug module may store the generated trace data, behavior vectors and the results of its monitoring, detection or analysis operations in a system memory); and wherein using the identified functions and associated memory addresses to further identify calls of interest in the loaded software instructions comprises (par 0021; monitor the access or use of key assets by monitoring data flows [] key assets may include memory locations, ranges of memory addresses; par 0053; send (e.g., function calls, etc.) the generated observations to the behavior analyzer module; par 0075; generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources, using the light-weight behavior signature to perform behavior analysis operations, and determining whether the software application is malicious or benign based on the behavior analysis operations): comparing execution paths and entry point addresses to identify the calls of interest (par 0005; determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities, and removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity).
FENG further discloses the secure execution environment (FENG: par 0053; the second application module is comprised of a secure execution environment into the secure execution environment, is located in the second zone is triggered input state to enter specific information).
The motivation is the same that of claim 1 above.
The combination of SRIDHARA, FENG, and Colvin disclose execution paths as recited above, but do not explicitly disclose entry point addresses.
However, in an analogous art, Carson discloses protecting data system/method that includes:
entry point addresses (Carson: par 0075; the virtual memory validator compare a signature of the executable module against the path entry of the executable module on the memory range map; par 0076; The executable load indicator established as a callback mechanism to keep track of one or more function calls of the one or more threads and/or malware allocation of the process. The virtual memory validator establish the callback mechanism (e.g., by hooking an existing function in the process) such that the virtual memory validator notified of any executable or DLL being loaded in the process).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Carson with the method/system of SRIDHARA, FENG, and Colvin to include entry point addresses. One would have been motivated to monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource (Carson: abstract).
Regarding Claim 12;
This Claim recites a system that perform the same steps as method of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.
Regarding Claim 19;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.
Claims 8, 15, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over SRIDHARA et al. (US 20150230108) in view of FENG et al. (CN 1042397830, and further in view of Colvin et al. (US 20130042294) and LEE et al. (“LEE,” KR 101731838 B1, published on 05/04/2017).
Regarding claim 8;
The combination of SRIDHARA, FENG, and Colvin disclose the method of claim 7,
SRIDHARA discloses wherein the malicious content comprises injection of malicious software instructions (SRIDHARA: par 0028; hardware component configured to monitor key assets of a mobile computing device at a low level (e.g., at the kernel, firmware, hardware, or machine levels) to identify a suspicious or malicious activities [] software applications).
The combination of SRIDHARA, FENG, and Colvin disclose disclose the malicious content as recited above, but do not explicitly disclose the malicious content comprises injection of malicious software instructions.
However, in an analogous art, LEE discloses scanning vulnerability system/method that includes:
the malicious content comprises injection of malicious software instructions (LEE: page 2, par 6; SQL Injection is a form of malicious instruction injection attack, which means an attack technique that takes unauthorized SQL commands through a Web site user authentication window or a URL direct input window and obtains unauthorized information by modifying SQL queries).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of LEE with the method/system of SRIDHARA, FENG, and Colvin to include the malicious content comprises injection of malicious software instructions. One would have been motivated to scanning a vulnerability of a web site based on Java Script detect and represent a vulnerability of a web site to be scanned when a URL of the web site that a user wants to scan the vulnerability (LEE: abstract).
Regarding Claim 15;
This Claim recites a system that perform the same steps as method of Claim 8, and has limitations that are similar to Claim 8, thus are rejected with the same rationale applied against claim 8.
Regarding Claim 22;
This Claim recites a non-transitory computer readable medium that perform the same steps as method of Claim 8, and has limitations that are similar to Claim 8, thus are rejected with the same rationale applied against claim 8.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644. The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.W./Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439