DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In view of the appeal brief filed on 9/16/2025, PROSECUTION IS HEREBY REOPENED. A new ground of rejection is set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
{ 4 }
Response to Arguments
Regarding claims rejected under 35 USC 103:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that the Harris-Aslam-Pham combination does not disclose all elements of “the platform identification string further comprising at least one of an md5 of the application or a sha-1 of the application and a file size, wherein, in the platform identification string, the name of the application precedes the at least one of the md5 or the sha-1, and the file size succeeds and is adjacent, in the platform identification string, to the at least one of the md5 or sha-1.” Specifically, Applicant argues that “[i]t is uncontroverted that the cited portion of Pham does not disclose the request includes a data structure, such as a CPE string. As such, Pham cannot disclose or suggest any particular ordering within such a data structure… The Examiner's analysis talks past the point. The Examiner takes for granted that Pham describes an order, simply because Pham lists several attributes. However, because Pham does not specify any data structure, Pham cannot be relied upon as teaching an application of its word order to a specific data structure. So, while Pham might suggest including a file size in the Aslam CPE name, Pham cannot dictate how the Aslam CPE name would have been modified to include that file size.” Applicant further cites to MPEP 2144.08 II and argues that “the Examiner has misguidedly asserted that Pham has disclosed a species of data structure that includes a particular order-despite that reference's silence as to any data structure-to suggest its teachings could be applied to a genus of data structures. The evidentiary record does not support such application.”
In response to these arguments, it is first noted that Col. 55, Ll. 6-11 of Harris states that “method 1200 may include collecting one or more descriptions of one or more actions and/or objects on the endpoint. These descriptions may be organized into any suitable structure, syntax, format, and the like for communication to a remote threat management facility as an indication of compromise (IOC).” As per FIG. 12 and Col. 60, Ll. 36-67 of Harris, its “schema may, for example, organize the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection… The descriptor may include a reputation of the object, static threat detection data for the object, and the like. The static threat detection data may include a hash of the object, a signature of the object, a file size of the object, and so forth.” Therefore, the Harris reference already discloses a data structure being sent to a remote threat management facility, where the data structure includes a descriptor comprising a hash of the object, a signature of the object, and a file size of the object. Harris additionally discusses that any suitable structure, syntax, format, and the like may be used.
Although Harris generally discloses object hashes and signatures, and also any suitable structure/syntax/format, it does not specify a platform identification string as the structure/syntax/format nor using SHA-1/MD5. It further does not specify the ordering of the SHA-1/MD5 value. As such, the Aslam reference has been relied upon. Section 5 on page 142 of Aslam suggests “to include a hash-value pair in the CPE WFN for every software/application by its vendor (e.g cpe:/a:software:vendor:version:sha1).” Therefore, the Harris-Aslam combination discloses the structure/syntax format being a CPE string and having a SHA-1 value succeeding the name of the application.
While Harris-Aslam discloses static threat detection data including “a hash of the object, a signature of the object, a file size of the object, and so forth” and a CPE string with a SHA-1 value, it does not specify a file size following the SHA-1 value. However, [0045] of Pham states that “a request can include the operation requested, the request source host computer IP address, the request target host computer IP address, a target resource identified by a path or other identifier, user identification, the source application instance session and process identifiers, and a secure signature and file size of the source application instance,” with [0046] and [0054] of Pham further specifying SHA-1 for the signature. Pham describes a request with attributes listed in the same order as claim language, and would have suggested at least this particular ordering of the file size attribute to one of ordinary skill in the art. As such, the Harris-Aslam-Pham combination is considered to disclose the structure/syntax/format as a CPE string having a SHA-1 value followed by a file size value.
Where Applicant argues that “because Pham does not specify any data structure, Pham cannot be relied upon as teaching an application of its word order to a specific data structure. So, while Pham might suggest including a file size in the Aslam CPE name, Pham cannot dictate how the Aslam CPE name would have been modified to include that file size,” it is noted that the Harris-Aslam combination already specifies a data structure with the claimed attributes of a name of an application, an identifier for an action of the application, a SHA-1 of the application, and a file size. Additionally, Pham likewise concerns intercepting application actions and sending a request for more information with these same attributes (e.g., [0038] and [0045] of Pham). As such, Pham is relied upon for its particular permutation of attribute ordering for the file size attribute in Harris-Aslam. With respect to “how the Aslam CPE name would have been modified to include that file size,” it is noted that this modification is merely to append the file size value after the SHA-1 value.
Where Applicant cites to MPEP 2144.08 II and argues that “the Examiner has misguidedly asserted that Pham has disclosed a species of data structure that includes a particular order-despite that reference's silence as to any data structure-to suggest its teachings could be applied to a genus of data structures. The evidentiary record does not support such application,” it is first again noted that Pham is relied upon for the order of attributes it suggests in view of the data structure in Harris-Aslam. Harris-Aslam already teaches a request data structure having an application name, action identifier, application SHA-1, and file size. Pham teaches a request with an application name, action identifier, application SHA-1, and file size in a particular order. One of ordinary skill in the art would have looked to Pham because it is both in the same field of endeavor and reasonably pertinent to Applicant’s invention, evaluating application actions against policy using a request and response. The ordering of request attributes is considered to be a design choice, and [0045] of Pham at minimum suggests the order in which the attributes are written.
Applicant additionally argues that “the Examiner has continued beyond his assumptions regarding the data structure alleged to be inherent to Pham, as well as his picking-and-choosing from Pham and Harris, to improperly shift the burden of proof to Appellant. For example, the Advisory Action ventured, ‘one of ordinary skill in the art may have contemplated permuting the attributes in the CPE string in generally any ordering that does not break the common usage of the standard...’ Appellant has no obligation to show that permuting attributes in a CPE string to arrive at Appellant's Claim 1 would break the CPE standard, until the Examiner has established a prima facie case of obviousness.” In response, it is noted that “in generally any ordering that does not break the common usage of the standard” should be taken to mean that one of ordinary skill in the art would not rearrange “cpe:/a:software:vendor:version:sha1” to change the ordering of “cpe,” “:,” “/,” and the letter distinguishing an OS from an application.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 6, 10, 21-22, 24-25, 27-29, 31-32, 34-36, and 38-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Note that the courts do not distinguish between mental processes that are performed entirely in the human mind and mental processes that require a human to use a physical aid (e.g., pen and paper or a slide rule) to perform the claim limitation (refer to MPEP 2106.04(a)(2)).
Example independent claim 1 recites the following abstract idea limitations:
receive, from an [entity], a platform identification string comprising a name of an application and an identifier for an action of the application, the platform identification string further comprising at least one of an md5 of the application or a sha-1 of the application and a file size, wherein, in the platform identification string, the name of the application precedes the at least one of the md5 or the sha-1, and the file size succeeds and is adjacent, in the platform identification string, to the at least one of the md5 or sha-1 (observation as part of performing a mental process—e.g., an analyst receiving information for review from an entity, the information having a particular format);
query a vulnerability [information repository] and platform identification string [information repository] to procure an application-specific grayware reputation for the action, wherein the application-specific grayware reputation for the action represents a likelihood that the action, if taken by the application on the [entity], would be unwanted (evaluation as part performing a mental process—e.g., the analyst looking up reference information from stored information);
provide to the [entity] a response code for the action (delivering work as part of certain methods of organizing human activity—e.g., the analyst delivering the result of their evaluation to the requesting entity);
determine that the application has an update or patch to repair a vulnerability of the application related to the action (evaluation as part of a mental process—e.g., the analyst reviewing stored information associated with an application); and
provide a notification to the [entity] that the update or patch is available (delivering work as part of certain methods of organizing human activity—e.g., the analyst delivering the result of their evaluation to the requesting entity).
Example independent claim 1 recites the following limitations which may comprise additional elements that are sufficient to amount to significantly more than the abstract idea: “A server apparatus, comprising: a hardware platform comprising a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to [perform the abstract idea limitations];” the entity further comprising “an endpoint;” each respective information repository further comprising a “database.”
With respect to step 2A, the judicial exception is not integrated into a practical application because it is drawn to receiving and looking up information at a high level of generality, and because adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). For instance, the claim is drawn to receiving a string specifying an action, looking up the action in an information repository, determining whether an update exists, and providing notice of the lookup and determination results. This may be performed by a human analyst with pen and paper analogues. Further, the claim does not actually include performing the action by the application. A computer and application performing the action is outside of the scope of the claim language. Additionally, the determination of whether an update exists may merely be the analyst relying on their own personal knowledge.
Where the claim recites a “server apparatus, comprising: a hardware platform comprising a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to [perform the abstract idea limitations],” “endpoint,” and “database,” these are considered to merely require implementing the abstract idea on a base level computer (i.e., the communicating entity and analyst being computerized and the computers being base level computers consisting of a processor, memory, and database). No particular computer or database technology is specified beyond the generic terminology.
As such, the invention is addressing a problem that transcends computing (performing information lookup and providing results to a requesting entity) rather than improving the functioning of a computer, or an improvement to other technology or a technical field.
With respect to step 2B, the claim does the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient-see MPEP 2106.05(f). In this case, the “server apparatus, comprising: a hardware platform comprising a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to [perform the abstract idea limitations],” “endpoint,” and “database” may be interpreted as any generic base level computer (e.g., processor and memory) and database for storing information as part of performing the judicial exception. Merely performing the judicial exception using a base level computer and basic computing components is not considered to be sufficient.
Independent claims 10 and 25 are substantially similar to independent claim 1, and are therefore likewise rejected under the same analysis.
Regarding dependent claim 6, it recites the following abstract idea limitations: wherein the instructions are further to receive a confirmation that the endpoint has installed an updated application or applied a requested patch, and to update a platform identification string for the endpoint (observation and evaluation as part of a mental process—e.g., the analyst receives additional information and updates their stored information in response to evaluation). As such, it is rejected under the same analysis.
Regarding dependent claim 21, it recites the following abstract idea limitations: wherein the response code indicates locally modifying network communication for the application comprising directing the action to a local circular buffer (adding insignificant extra-solution activity to the judicial exception—i.e., merely further specifying the information sent as part of the analyst delivering the result of their evaluation). Claim 21 does not actually comprise performing “modifying network communication for the application comprising directing the action to a local circular buffer.” Instead, it concerns providing information about doing so, where doing so is outside of the claim scope. Therefore, claim 21 is rejected under the same analysis.
Regarding dependent claims 22, 24, 27-29, 31-32, 34-36, and 38-40, they are likewise rejected under the same analysis because they merely further specify the format of the information (i.e., the string having additional information; the order it appears in the string).
Dependent claims 2 and 7 are not rejected as being drawn to an abstract idea without significantly more.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 10, 22, 24-25, 27-29, 31-32, 35-36, and 38-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Harris (US 9,967,264 B2) in view of Aslam (“Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques”) and Pham (US 2005/0182958 A1).
Regarding claim 1, Harris discloses: A server apparatus (e.g., threat management facility 204 in FIG. 2 of Harris), comprising:
a hardware platform comprising a processor circuit and a memory; and
instructions encoded within the memory to instruct the processor circuit to:
receive, from an endpoint (e.g., endpoint 202 in FIG. 2 of Harris), a platform identification string comprising a name of an application (e.g., Col. 9, Ll. 62-64 and Col. 60, Ll. 36-48 of Harris concerning an object and descriptor such as a name), and an identifier for an action of the application, the platform identification string further comprising a file size (e.g., Col. 60, Ll. 50-54 of Harris concerning the file size of an object as part of the descriptor);
Refer to at least Col. 35, Ll. 3-31 of Harris concerning accessing a network resource as an exemplary “action.”
Refer to at least 1202-1204 in FIG. 12 and Col. 55, Ll. 3-21 of Harris with respect to detecting an action by an application at an endpoint, collecting descriptions, and providing an indication of compromise (IOC) transmission to the threat management facility.
query a vulnerability database and platform identification string database to procure an application-specific grayware reputation for the action, wherein the application-specific grayware reputation for the action represents a likelihood that the action, if taken by the application on the endpoint, would be unwanted;
Refer to at least 1206 in FIG. 12 and Col. 55, Ll. 22-38 of Harris with respect to the threat management facility looking up a reputation score for the particular action / IOC.
Refer to at least Col. 55, Ll. 39-51 of Harris with respect to the reputation score being any suitable score for any level of granularity (e.g., 1-100).
Refer to at least FIG. 16 of Harris with respect to unknown (grayware) reputations and application-specificity.
[generate] a response code (e.g., colors as response codes according to at least [0074] of the instant specification) for the action;
Refer to at least Col. 61, Ll. 19-Col. 62, Ll. 20 of Harris with respect to an evaluation tool on the threat management facility, which may generate a score or color for IOCs.
determine that the application has an update or patch to repair a vulnerability of the application related to the action; and
Refer to at least Col. 62, Ll. 34-37 of Harris with respect to a determination to fix the object responsive to the evaluation. Further refer to at least Col. 10, Ll. 15-19 of Harris, wherein the threat management facility may provide for patch management for applications to reduce vulnerability to threats. Additionally, at least Col. 18, Ll. 54-58 of Harris discloses that as threats are identified and characterized, the threat management facility may create definition updates to detect and remediate applications.
provide a notification to the endpoint that the update or patch is available.
Refer to at least Col. 16, Ll. 35-43 of Harris with respect to the threat management facility providing updates, e.g., in reaction to a threat notice. Further see at least Col. 19, Ll. 1-17 of Harris with respect to providing updated definition files to a client facility responsive to a received malicious code alert.
Refer to at least Col. 18, Ll. 20-53 of Harris with respect to pushing information from the threat management facility (e.g., updates).
Although Harris teaches a descriptor for the object as part of the IOC, it does not appear to specify: the platform identification string further comprising at least one of an md5 of the application or a sha-1 of the application; wherein, in the platform identification string, the name of the application precedes the at least one of the md5 or the sha-1, and the file size succeeds and is adjacent, in the platform identification string, to the at least one of the md5 or sha-1. Harris also does not specify generating a response code for the action further comprising: provide to the endpoint a response code. However, Harris in view of Aslam discloses: the platform identification string further comprising at least one of an md5 of the application or a sha-1 of the application; wherein, in the platform identification string, the name of the application precedes the at least one of the md5 or the sha-1;
Refer to at least the last paragraph in section 5 of Aslam and to section 3.2 of Aslam with respect to a suggestion to include a reference hash in a CPE string. The following example string is provided: “cpe:/a:software:vendor:version:sha1.”
The teachings of Aslam likewise concern a remote verifier and software security, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Harris to further include a CPE string and reference hash as suggested in Aslam for at least the reasons discussed in the cited portions of Aslam (i.e., improved usability of security metrics by a large community of users). Further, the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., the ordering of the elements within the CPE string).
Harris-Aslam does not specify: the file size succeeds and is adjacent, in the platform identification string, to the at least one of the md5 or sha-1; generating a response code for the action further comprising: provide to the endpoint a response code. However, Harris-Aslam in view of Pham discloses: the file size succeeds and is adjacent, in the platform identification string, to the at least one of the md5 or sha-1;
Refer to at least [0045] of Pham with respect to an operation-related policy request (e.g., [0038] of Pham concerning intercepted operations) comprising “the operation requested, the request source host computer IP address, the request target host computer IP address, a target resource identified by a path or other identifier, user identification, the source application instance session and process identifiers, and a secure signature and file size of the source application instance.” At minimum, Pham suggests including the request attributes in the order they are written.
generating a response code for the action further comprising: provide to the endpoint a response code.
Refer to at least [0045] of Pham with respect to a request response containing an enabled, qualified enable, or denied status value which is returned.
The teachings of Pham likewise concern querying a server for policy information associated with application operations, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Harris-Aslam to further implement a given ordering of elements in a request because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., changing the ordering of optional/extended elements in the CPE string). It further would have been obvious to implement response codes for at least the purpose of reducing required network bandwidth (i.e., sending a simple response rather than detailed policy and enforcement information).
Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations).
Regarding independent claim 10, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).
Regarding claim 22, Harris-Aslam-Pham discloses: The server apparatus of claim 1, wherein the platform identification string further comprises an identifier of a version of the application.
Refer to at least “Step 2 – Vulnerability Assessment” and the last paragraph in section 5 of Aslam with respect to version information as part of the CPE string.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Harris-Aslam-Pham to further include version information as part of the CPE string because particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (i.e., it is part of the CPE standard and naming convention).
Regarding claims 24 and 27, they are substantially similar to claim 22 above, and are therefore likewise rejected.
Regarding independent claim 25, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).
Regarding claim 28, Harris-Aslam-Pham discloses: The server apparatus of claim 22, wherein the identifier of the version of the application precedes, in the platform identification string, the at least one of the md5 or the sha-1.
Refer to at least the last paragraph in section 5 of Aslam and to section 3.2 of Aslam with respect to example string “cpe:/a:software:vendor:version:sha1.” The version element is before the sha1 element.
This claim would have been obvious for substantially the same reasons as claims 1 and 22 above.
Regarding claim 29, Harris-Aslam-Pham discloses: The server apparatus of claim 1, wherein the platform identification string further comprises a vendor name of the application, and the vendor name precedes, in the platform identification string, the name of the application.
Refer to at least “Step 2 – Vulnerability Assessment” of Aslam with respect to example string “cpe:/a:google:chrome:27.0.1453.112.” The vendor name element (google) precedes the application name element (chrome).
This claim would have been obvious for substantially the same reasons as claims 1 and 22 above.
Regarding claims 31-32 and 35-36, they are substantially similar to claims 28-29 above, and are therefore likewise rejected.
Regarding claim 38, Harris-Aslam-Pham discloses: The server apparatus of claim 28, wherein the identifier of the version of the application is adjacent, in the platform identification string, to the name of the application.
See “cpe:/a:google:chrome:27.0.1453.112” in 4.2 of Aslam, where the version value “27.0.1453.112” is adjacent to the name of the application “chrome.”
This claim would have been obvious for substantially the same reasons as claims 1 and 22 above.
Regarding claims 39-40, they are substantially similar to claim 38 above, and are therefore likewise rejected.
Claim(s) 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Harris-Aslam-Pham as applied to claims 1-2, 10, 22, 24-25, 27-29, 31-32, 35-36, and 38-40 above, and further in view of Zhu (US 2013/0036470 A1).
Regarding claim 21, Harris-Aslam-Pham does not disclose: wherein the response code indicates locally modifying network communication for the application comprising directing the action to a local circular buffer. However, Harris-Aslam-Pham in view of Zhu discloses: wherein the response code indicates locally modifying network communication for the application comprising directing the action to a local circular buffer.
Refer to at least the abstract and FIG. 3A-B of Zhu with respect to initializing a circular buffer to intercept packets for network filtering.
The teachings of Harris-Aslam-Pham and Zhu concern malware and malicious traffic detection and filtering, and are considered to be within the same field of endeavor and combinable as such. Further, at least [0013] of Zhu implies interoperability with a firewall (e.g., the firewall of Harris).
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention modify the teachings of Harris-Aslam-Pham to include utilizing a circular buffer for filtering network traffic for at least the purpose of increasing performance (e.g., [0008] of Zhu).
Claim(s) 6-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Harris-Aslam-Pham as applied to claims 1-2, 10, 22, 24-25, 27-29, 31-32, 35-36, and 38-40 above, and further in view of Chen (US 2016/0092190 A1).
Regarding claim 6, Harris-Aslam-Pham does not disclose: wherein the instructions are further to receive a confirmation that the endpoint has installed an updated application or applied a requested patch, and to update a platform identification string for the endpoint. However, Harris-Aslam-Pham in view of Chen discloses: wherein the instructions are further to receive a confirmation that the endpoint has installed an updated application or applied a requested patch, and to update a platform identification string for the endpoint.
Refer to at least [0074]-[0076] and FIG. 4 of Chen with respect to logging application installation by a user.
The teachings of Harris-Aslam-Pham and Chen concern inspecting and remediating applications and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Harris-Aslam-Pham to include update confirmation and logging for at least the purpose of providing correct information in later requests as per at least FIG. 4 of Chen (i.e., the next request to the server would have correctly updated information for the application at issue).
Regarding claim 7, Harris-Aslam-Pham-Chen discloses: The server apparatus of claim 6, wherein the instructions are further to instruct a shim agent of the endpoint to monitor the updated or patched application.
Refer to at least FIG. 3, [0051], and [0054] of Chen with respect to a client installed on the mobile device, the client configured for downloading and reinstalling applications.
Refer to at least FIG. 3, [0049], and [0052] of Chen with respect to the client and its monitoring module.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention modify the teachings of Harris-Aslam-Pham to include a patching client because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., the implementation of pushing a patch to an endpoint).
Claim(s) 34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Harris-Aslam-Pham as applied to claims 1-2, 10, 22, 24-25, 27-29, 31-32, 35-36, and 38-40 above, and further in view of Nemcek (“Analysis of Malware Classification Schemas”).
Regarding claim 34, Harris-Aslam-Pham does not disclose: wherein the CPE-like string further comprises the md5 and the sha-1, and the md5 is adjacent, in the CPE-like string, to the sha-1. However, Harris-Aslam-Pham in view of Nemcek discloses: wherein the CPE-like string further comprises the md5 and the sha-1, and the md5 is adjacent, in the CPE-like string, to the sha-1.
Refer to at least pages 75-76 of Nemcek with respect to “<File0bj:Hashes> “ including an MD5 hash and a SHA1 hash.
The teachings of Nemcek likewise relate to malware classification schemas and semantics, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention modify the teachings of Harris-Aslam-Pham to include both sha-1 and md5 signatures because all of the claimed elements were known in the prior art (md5 and sha-1 algorithms and using the digests as signatures) and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions (concatenating additional elements in the string as needed, using colon/semicolon according to the standard), and the combination would have yielded predictable results to one of ordinary skill in the art at the time (a CPE string with given optional/extended elements).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/V.S/Examiner, Art Unit 2432
/ALI SHAYANFAR/Supervisory Patent Examiner, Art Unit 2432