Office Action Predictor
Application No. 17/535,947

SELECTIVE SECURITY SCAN TO REDUCE SIGNATURE CANDIDATES

Final Rejection §102§103§112
Filed
Nov 26, 2021
Examiner
PATEL, HARESH N
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Mcafee, LLC
OA Round
4 (Final)
78%
Grant Probability
Favorable
5-6
OA Rounds
3y 1m
To Grant
95%
With Interview

Examiner Intelligence

78%
Career Allow Rate
631 granted / 814 resolved
Without
With
+17.5%
Interview Lift
avg trend
3y 1m
Avg Prosecution
43 pending
857
Total Applications
career history

Statute-Specific Performance

§101
15.2%
-24.8% vs TC avg
§103
41.4%
+1.4% vs TC avg
§102
19.8%
-20.2% vs TC avg
§112
12.7%
-27.3% vs TC avg
Black line = Tech Center average estimate • Based on career data

Office Action

§102 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-18, 41, 42 are presented for examination. Claims 19-26, 28, 29, 31-40 are cancelled. Claims 1-18 dated 12/10/25 are rejoined, as they now belong to the original claims 1-18 6/20/24, examined in office action dated 11/12/24. Original claims 27 and 30 were examined in office action dated 9/10/25. Election/Restrictions Applicant’s following remarks is noted: The Examiner has restricted the claims and sua sponte elected claims 27 and 30 for prosecution. The Applicant respectfully traverses the restriction and the election on the grounds that no proper Restriction Requirement has been issued in this case. Applicant further maintains that (1) the claims do not claim distinct inventions; and (2) even if the claims are distinct, Applicant has been given no opportunity to elect a species for prosecution. If the Examiner continues to maintain that the claims are distinct, Applicant respectfully requests that the Examiner issue a proper Restriction Requirement and new Non final Office Action that correctly examines all outstanding claims. However, the claims 27 and 30 belonged to original examined claims and were subject to examination. In response to the examination of claims 27 and 30, Applicant has cancelled the claims 27 and 30. The claims 1-18 dated 12/12/24 were restricted over the original claims that were examined in office action dated 11/12/24. Now that the Applicant has presented claims 1-18 dated 12/10/25, which belong to the original examined claims that were examined in office action dated 11/12/24, claims 1-18 dated 12/10/25 are entered and examined. The office action dated 9/10/25 contained following: Newly submitted /Amended claims 1-18 dated 12/12/24 and the previously presented claims are related as they extract data from an object under analysis, wherein the object under analysis is a device-local executable object; compute a partial match value according to a partial match algorithm of the extracted data; send the partial match value to a remote service via the network interface. However, Newly submitted /Amended claims 1-18 dated are directed to an invention that is independent or distinct from the invention originally claimed for the following reasons: Newly submitted /Amended claims are drawn to an invention, based on a response from the remote service, select a subset of candidate signatures from the local signature cache for comparison, wherein the subset is less than all signatures in the local signature cache; compare the object under analysis to the candidate signatures; and if the compare identifies a matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of the matching signature. of para 150, which is a distinct embodiment, MPEPE 806.05(j), which requires: select a subset of candidate signatures from the local signature cache for comparison, wherein the subset is less than all signatures in the local signature cache; compare the object under analysis to the candidate signatures; and if the compare identifies a matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of the matching signature. Previously presented claims were drawn to invention, of para 14, 24, 45, which is a distinct embodiment, MPEPE 806.05(j), which requires, receive from the remote service, via the network interface, a list of candidate signatures that correspond to the partial match value, wherein the candidate signatures are a superset of true matches to the object under analysis; compare the object under analysis to the candidate signatures; and if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature. Since applicant has received an action on the merits for the originally presented invention, this invention has been constructively elected by original presentation for prosecution on the merits. Accordingly, claims 1-18 are withdrawn from consideration as being directed to a non-elected invention. See 37 CFR 1.142(b) and MPEP § 821.03. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-18, 41 and 41 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Regarding claims 1, 14, 41, the limitation “device-local executable” is not found anywhere in the original disclosure. While the present invention may result in/include “device-local executable”, the limitation in question is not recited anywhere in the original disclosure. Portions of the specification relating to “executable” object under analysis are found in par. [0016], [0027], [0071], and [0096]. However, none of these passages mention that the “executable” is “device-local”. Moreover, at par. [0215], “executable” is defined as “including software instructions executable by a processor”. Therefore, the specification does not provide a disclosure of the claimed subject matter in sufficient detail to demonstrate to one of ordinary skill in the art that the inventor possessed the invention under 35 U.S.C. 112(a). Regarding claims 1, 14, 41, the limitation “device-local security policy” is not found anywhere in the original disclosure. While the present invention may result in/include “device-local security policy”, the limitation in question is not recited anywhere in the original disclosure. Portions of the specification relating to “device-local” for signature cache are found in par. [0057]. However, none of these passages mention that the “security policy” is “device-local”. Moreover, at par. [0215], “executable” is defined as “including software instructions executable by a processor”. Therefore, the specification does not provide a disclosure of the claimed subject matter in sufficient detail to demonstrate to one of ordinary skill in the art that the inventor possessed the invention under 35 U.S.C. 112(a). Regarding claims 1, 14, 41, addition of limitations, “apply to the object under analysis a device-local security policy associated with the second object” are not disclosed in the specification. Further, the specification is not limited on how the “associated with” the second object is defined, which claims association(s) that are beyond the specification. Claims 2-13, 15-18, 42 fall together accordingly. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-4, 8-11, 41, and 14-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hunt et al. (US 20170286544 A1), hereinafter Hunt ‘544. Regarding claims 1, 41, Hunt ‘544 discloses A computing apparatus, comprising: a computer-implemented method of inspecting an object under analysis, wherein the object under analysis is a device-local portable executable object: provisioning a local signature cache within a device-local memory, a hardware platform comprising a processor circuit and a memory; (Hunt ‘544, Fig. 2 #210/211/212) a network interface; and (Hunt ‘544, #213/240) instructions encoded within the memory to instruct the processor circuit to: (Hunt ‘544, Fig. 12) extract data from an object under analysis, wherein the object under analysis is a device-local executable object;; (Hunt ‘544, #1201/1202, [0147] “a hash signature generation module may generate a DOM object hash value of the target website based on the rendered DOM object.”; [0034] “In such websites, the HTML code provided by the original web server may include executable code (e.g., JavaScript) that when executed by a java client present on the computer and/or the browser can perform any number of different functions. As such, a small amount of code can, when executed, include a large amount of functionality and generate a large amount of additional information received and provided by the website and any number of other websites. However, by rendering a DOM object and fully executing all of the JavaScript and other executable functions embedded in the HTML code, a full view of the functionality of the website may be obtained. For example, when rendering the DOM object, a browser may take the HTML code and build a DOM tree. The DOM tree can be updated which can manipulate the HTML code being executed by the browser.”) compute a partial match value according to a partial match algorithm of the extracted data; (Hunt ‘544, #1202/1203) send the partial match value to a remote service via the network interface; (Hunt ‘544, #1205) receive from the remote service, via the network interface, a list of candidate signatures that correspond to the partial match value, wherein the candidate signatures are a superset of true matches to the object under analysis; (Hunt ‘544, #1206, [0152] “the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database.”) compare the object under analysis to the candidate signatures; and (Hunt ‘544, #1206-1209) if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature. (Hunt ‘544, #1208/1213) apply to the object under analysis a device-local security policy associated with the second object (Hunt ‘544, para 18, 132). Note: claimed “device-local security policy” is not limited to any particular policy or limited to any particular object(s). This policy does not limit to having any rule that impacts any actions. The “associated with” is not limited to any particular association. Regarding claim 2, 42, Hunt ‘544 discloses The computing apparatus of claim 1, wherein the second object is a malware object, and wherein classifying the object under analysis comprises classifying the object under analysis as malware, and wherein the remote service is a malware service. (Hunt ‘544, Fig. 10 #1010A, [0118] “Phishing classifications may include hash signatures for websites that are confirmed 1010A and/or dismissed 1010B as performing phishing functionality. The confirmed hash signatures may be websites that have been independently confirmed as having phishing website formatting, functionality, a particular common web server associated with the phishing functionality, and/or through any suitable method for identifying confirmed associations with phishing functionality. The dismissed hash signatures 1010B may include websites that have been analyzed and do not include any such functionality. Hash signatures from a broad base of different types of websites may be included in the classification to allow a wide-range of different similar material to be identified between the dismissed 1010B and confirmed 1010A hash signatures of websites.”) It is noted, the term “malware” is a broad genus that includes all types of malicious software, including malicious websites, such as those used for phishing. Regarding claim 3, Hunt ‘544 discloses The computing apparatus of claim 1, wherein the partial match algorithm is a hash. (Hunt ‘544, [0028] “Additionally, in some embodiments, applying a hashing function may include “Locality Sensitive Hashing” (LSH) which computes a hash of groups of hashed values. For example, a grouping of MinHash values hashed together may be referred to as a band. The collection of hashed bands computed during LSH samples the MinHash values and further reduces the amount of data required to determine similar documents. Thus, the LSH processing samples the MinHash signatures to further compress a document signature. Documents can be compared by determining if a subset of their LSH buckets match. Because the values are hashed into buckets, the system may obtain candidate pairs for matching similarity by determining if they share the same bucket. Comparing LSH values and their offsets between two documents gives candidate pairs. This can be done in order O(n) time. If a match, a candidate pair is found. The documents may then be compared using a similarity measurement between the two documents to determine a similarity between the documents that share the same bucket.”) Examiner notes, the term “hash” is a genus anticipated by the species of “MinHash”. In other words, if the prior art teaches a MinHash algorithm, it is teaching a hash algorithm. Regarding claim 4, Hunt ‘544 discloses The computing apparatus of claim 1, wherein the partial match algorithm is a MinHash. (Hunt ‘544, [0028] “Additionally, in some embodiments, applying a hashing function may include “Locality Sensitive Hashing” (LSH) which computes a hash of groups of hashed values. For example, a grouping of MinHash values hashed together may be referred to as a band. The collection of hashed bands computed during LSH samples the MinHash values and further reduces the amount of data required to determine similar documents. Thus, the LSH processing samples the MinHash signatures to further compress a document signature. Documents can be compared by determining if a subset of their LSH buckets match. Because the values are hashed into buckets, the system may obtain candidate pairs for matching similarity by determining if they share the same bucket. Comparing LSH values and their offsets between two documents gives candidate pairs. This can be done in order O(n) time. If a match, a candidate pair is found. The documents may then be compared using a similarity measurement between the two documents to determine a similarity between the documents that share the same bucket.”) Regarding claim 8, Hunt ‘544 discloses The computing apparatus of claim 1, wherein the extracted data comprise a list of strings that occur in the object under analysis. (Hunt ‘544, [0027] ““Shingling” may include any process of breaking information into consistent portions of data, each of the data portions being a predetermined length. For example, shingling may include picking a window size and sliding the chosen window over content within a document or object such that it produces contiguous subsequences of the text under consideration. For instance, separating content within the DOM object may include shingling the text, HTML headers, labels, and any other information included within a rendered DOM object into a plurality of data portions of equal and fixed length. For example, each of the data portions may be ten characters long.”) Regarding claim 9, Hunt ‘544 discloses The computing apparatus of claim 1, wherein comparing the object under analysis to the candidate signatures comprises comparing the object under analysis to each of the candidate signatures. (Hunt ‘544, [0152] “At step 1206, the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database. The computing device may compare each hash value within the target hashing signature to the corresponding hash value within the classified hash signatures stored for that classification. For example, the system may determine the number of classified hash signatures that have a −13 as the minimum hash value for the first hash function. The system may store the result of the classified website results with a matching result for the first hash function and may continue through each of the hash values in the target website hash signature.”) Regarding claim 10, Hunt ‘544 discloses The computing apparatus of claim 1, further comprising caching the candidate signatures to a signature cache. (Hunt ‘544, [0152] “At step 1206, the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database. The computing device may compare each hash value within the target hashing signature to the corresponding hash value within the classified hash signatures stored for that classification. For example, the system may determine the number of classified hash signatures that have a −13 as the minimum hash value for the first hash function. The system may store the result of the classified website results with a matching result for the first hash function and may continue through each of the hash values in the target website hash signature.”) Examiner notes, term “cache” is a synonym for “store”. Hunt discloses that the client device stores (or caches) the returned hash signatures before comparing to classify the signature of the object under analysis. Regarding claim 11, Hunt ‘544 discloses The computing apparatus of claim 10, wherein the instructions are further to search the signature cache for the candidate signatures before comparing the object under analysis to the candidate signatures. (Hunt ‘544, [0152] “At step 1206, the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database. The computing device may compare each hash value within the target hashing signature to the corresponding hash value within the classified hash signatures stored for that classification. For example, the system may determine the number of classified hash signatures that have a −13 as the minimum hash value for the first hash function. The system may store the result of the classified website results with a matching result for the first hash function and may continue through each of the hash values in the target website hash signature.”) Examiner notes, the same reasoning for claim 10 applies to claim 11, as the candidate signatures are stored (or cached) before the comparing step. The instructions of claim 14 are drawn to the corresponding instructions executed by the apparatus of claim 1. Therefore, claim 14 correspond(s) to claim 1 and is rejected for the same reasons of anticipation as used above for claim 1 over Hunt ‘544. Further claim 14, Provide a local object signature cache (Hunt ‘544, Fig. 12); identify a test object for analysis, wherein the test object is a device-local executable object (Hunt ‘544, #1201/1202, [0147]; compute a partial match value for the test object based on one or more properties or elements of the test object (Hunt ‘544, #1202/1203); send the partial match value to a cloud service (Hunt ‘544, #1205); based on a response from the cloud service, select a subset of candidate signatures from the local object signature cache, wherein the subset is less than all signatures in the local object signature cache; determine whether the candidate signatures are available in the local object signature cache (Hunt ‘544, #1206-1209, [0152] if a matching signature for a second object is found from among the candidate signatures, assign the test object a reputation according to a property of the matching signature / if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature. (Hunt ‘544, #1208/1213) apply to the object under analysis a device-local security policy associated with the second object (Hunt ‘544, para 18, 132). Note: claimed “device-local security policy” is not limited to any particular policy or limited to any particular object(s). This policy does not limit to having any rule that impacts any actions. The “associated with” is not limited to any particular association. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 5-7, 18, 27 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Hunt as applied to claims 4 and 17 above, and further in view of Yoon et al. (US 20220229810 A1). Regarding claim 5, Hunt discloses The computing apparatus of claim 4, but fails to disclose wherein the MinHash has a resolution of between 64 and 256 bits. However, Yoon teaches wherein the MinHash has a resolution of between 64 and 256 bits. (Yoon, [0071] “The hash code generating unit 330 may employ a MinHash function as a hash function and may consume relatively less system resources such as the CPU and the memory by using the MinHash function, thereby improving a search speed..”; [0072] “The hash code generating unit 330 may determine N hash functions. In one embodiment, the hash code generating unit 330 may determine a hash function based on a fixed size of the hash code. For example, the hash code generating unit 330 may determine that a hash function has an output of 32 bits, 64 bits, 128 bits, 160 bits, 192 bits, 224 bits, 256 bits, 512 bits, 1024 bits, or 2056 bits. In another embodiment, the hash code generating unit 330 may select N hash functions from a hash function population based on a type of document. For example, when the document corresponds to a text file, the hash code generating unit 330 may select a hash function that outputs a hash code having a relatively large fixed size. In another example, when the document corresponds to a binary file, the hash code generating unit 330 may select a hash function that outputs a hash code having a relatively small fixed size.”) Yoon is directed to a hash code-based search apparatus that utilizes a MinHash algorithm to generate hashes of a fixed size for identifying malware. Hunt is similarly, directed to searching a database using a MinHash algorithm for identifying malware, thus the teachings of Yoon are applicable to the teachings of Hunt. Hunt teaches the base apparatus ready for the claimed improvement, while Yoon teaches the known technique of generating a MinHash resolution of between 64 and 256 bits. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the known technique of generating a MinHash resolution of between 64 and 256 bits to the base apparatus taught by Hunt to yield the predictable result of the computing apparatus of claim 4, wherein the MinHash has a resolution of between 64 and 256 bits. Regarding claim 6, Hunt ‘544 discloses The computing apparatus of claim 4, wherein the MinHash has a resolution of 128 bits. (Yoon, [0071] “The hash code generating unit 330 may employ a MinHash function as a hash function and may consume relatively less system resources such as the CPU and the memory by using the MinHash function, thereby improving a search speed..”; [0072] “For example, the hash code generating unit 330 may determine that a hash function has an output of 32 bits, 64 bits, 128 bits, 160 bits, 192 bits, 224 bits, 256 bits, 512 bits, 1024 bits, or 2056 bits.”) Hunt ‘544 teaches the base apparatus ready for the claimed improvement, while Yoon teaches the known technique of generating a MinHash resolution of between 64 and 256 bits. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the known technique of generating a MinHash resolution of between 64 and 256 bits to the base apparatus taught by Hunt to yield the predictable result of the computing apparatus of claim 4, wherein the MinHash has a resolution of 128 bits. Regarding claim 7, Hunt ‘544 discloses The computing apparatus of claim 4, wherein the MinHash has a resolution of 256 bits. (Yoon, [0071] “The hash code generating unit 330 may employ a MinHash function as a hash function and may consume relatively less system resources such as the CPU and the memory by using the MinHash function, thereby improving a search speed..”; [0072] “For example, the hash code generating unit 330 may determine that a hash function has an output of 32 bits, 64 bits, 128 bits, 160 bits, 192 bits, 224 bits, 256 bits, 512 bits, 1024 bits, or 2056 bits.”) Hunt ‘544 teaches the base apparatus ready for the claimed improvement, while Yoon teaches the known technique of generating a MinHash resolution of between 64 and 256 bits. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the known technique of generating a MinHash resolution of between 64 and 256 bits to the base apparatus taught by Hunt to yield the predictable result of the computing apparatus of claim 4, wherein the MinHash has a resolution of 256 bits. The instructions of claim 18 are drawn to the corresponding instructions executed by the apparatus of claim 7. Therefore, claim 18 correspond(s) to claim 7 and is rejected for the same reasons of obviousness as used above for claim 7 over Hunt ‘544 in view of Yoon. Regarding claim 27, Hunt discloses A computer-implemented method of assigning a reputation to a device-local portable executable (PE) (Hunt ‘544, [0034] “In such websites, the HTML code provided by the original web server may include executable code (e.g., JavaScript) that when executed by a java client present on the computer and/or the browser can perform any number of different functions...”), comprising: designating the PE for analysis; (Hunt ‘544, #1201, [0025] “A “Document Object Model object” or “DOM object” is a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents. The documents may include any data that can be exchanged and stored by computer environments. For example, a document may include received HTML code for a webpage.”; [0026] ““Web site information” may include any relevant information associated with a host website. For example, website information may include a URL for the website, the HTML code received once contacting the web server, instructions for contacting other remote server computers for content, JavaScript functionality for loading executable information within the website, meta data associated with the HTML code, and any other information that may be received from a web server for rendering a webpage associated with a website.”) extracting data or metadata from the PE, wherein the data or metadata are usable to provide a security reputation for the PE; (Hunt ‘544, #1201/1202, [0147] “a hash signature generation module may generate a DOM object hash value of the target website based on the rendered DOM object.”) computing a MinHash from the data or metadata, (Hunt ‘544, #1202/1203) sending the MinHash to a cloud service; (Hunt ‘544, #1205) receiving from the cloud service a list of candidate signatures that match the MinHash; (Hunt ‘544, #1206, [0152] “the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database.”) comparing the PE to the candidate signatures; and (Hunt ‘544, #1206-1209) if a matching signature is found, assigning the PE a reputation that corresponds to an object from which the matching signature was taken. (Hunt ‘544, #1208/1213) Hunt fails to explicitly disclose wherein the MinHash has a resolution between 64 and 256 bits. However, Yoon teaches wherein the MinHash has a resolution between 64 and 256 bits; (Yoon, [0071] “The hash code generating unit 330 may employ a MinHash function as a hash function and may consume relatively less system resources such as the CPU and the memory by using the MinHash function, thereby improving a search speed..”; [0072] “The hash code generating unit 330 may determine N hash functions. In one embodiment, the hash code generating unit 330 may determine a hash function based on a fixed size of the hash code. For example, the hash code generating unit 330 may determine that a hash function has an output of 32 bits, 64 bits, 128 bits, 160 bits, 192 bits, 224 bits, 256 bits, 512 bits, 1024 bits, or 2056 bits. In another embodiment, the hash code generating unit 330 may select N hash functions from a hash function population based on a type of document. For example, when the document corresponds to a text file, the hash code generating unit 330 may select a hash function that outputs a hash code having a relatively large fixed size. In another example, when the document corresponds to a binary file, the hash code generating unit 330 may select a hash function that outputs a hash code having a relatively small fixed size.”) Yoon is directed to a hash code-based search apparatus that utilizes a MinHash algorithm to generate hashes of a fixed size for identifying malware. Hunt is similarly, directed to searching a database using a MinHash algorithm for identifying malware, thus the teachings of Yoon are applicable to the teachings of Hunt. Examiner notes, par. [0016] of the instant specification equates a “portable executable” with “a URL, a webpage” and “a document object model (DOM) object”. Absent a formal definition of what Applicant intends a PE to include, Examiner draws the DOM and web site information of Hunt to the PE as disclosed by Applicant. Hunt teaches the base apparatus ready for the claimed improvement, while Yoon teaches the known technique of generating a MinHash resolution of between 64 and 256 bits. Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the known technique of generating a MinHash resolution of between 64 and 256 bits to the base apparatus taught by Hunt to yield the predictable result of the computing apparatus of claim 4, wherein the MinHash has a resolution of between 64 and 256 bits. Regarding claim 30, Hunt in view of Yoon disclose The method of claim 27, wherein the data or metadata comprise a list of strings that occur in the PE. (Hunt ‘544, [0027] ““Shingling” may include any process of breaking information into consistent portions of data, each of the data portions being a predetermined length. For example, shingling may include picking a window size and sliding the chosen window over content within a document or object such that it produces contiguous subsequences of the text under consideration. For instance, separating content within the DOM object may include shingling the text, HTML headers, labels, and any other information included within a rendered DOM object into a plurality of data portions of equal and fixed length. For example, each of the data portions may be ten characters long.”) Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Hunt ‘544 as applied to claim 10 above, and further in view of Hunt et al. (US 20170041330 A1), hereinafter Hunt ‘330. Regarding claim 12, Hunt ‘544 discloses The computing apparatus of claim 10, wherein the instructions are further to identify one or more missing signatures not found in the signature cache, and to request the missing signatures from the remote service. (Hunt ‘330, [0070] “In some embodiments, the page checking engine 248 may compare the temporary page profile of the webpage with one or more baseline page profiles using a fuzzy match algorithm. In some embodiments, the baseline page profiles may be retrieved from a datastore 108 in real-time to avoid undue delays in the user experience. In some embodiments, the user device 104 may have previously received the baseline page profiles from the page profiler server 106 and may have stored them to local storage. For example, the page profiler server 106 may transmit baseline page profiles to the user device 104 as they are generated so that the page checking engine 248 may retrieve locally stored baseline page profiles while it processes requested webpages and/or generates the temporary profile. Retrieving locally stored baseline page profiles may reduce any unnecessary delays (e.g., latency delays), ensuring that requested webpages are processed quickly to determine if there is fraud. Alternatively, the user device may dynamically retrieve the baseline page profiles as the user device 104 is in operation based on predicted webpages that may be accessed by the user device.”) Hunt ‘330 is directed to identifying malicious webpages using a “baseline page profile” comparison. The “page profile” is compared using a MinHash algorithm to “fuzzy match” a webpage with an identified malicious webpage page profile. Further, Hunt ‘330, similarly to Hunt ‘544, discloses a client in communication with a server that provides the “page profiles” for comparison to determine whether a webpage is malicious. In this process, Hunt ‘330 discloses that the client may locally store the baseline page profiles for comparison, and retrieve them dynamically (i.e. retrieve missing baseline page profiles). Hunt ‘330 also discloses that the page profiles may be hashes. (par. [0048]). Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hunt ‘544 to incorporate the teachings of Hunt ‘330 to include wherein the instructions are further to identify one or more missing signatures not found in the signature cache, and to request the missing signatures from the remote service. Such modification(s) would be motivated to reduce any unnecessary delays, ensuring that the object under analysis can be quickly classified. (Hunt ‘330, [0070]) Regarding claim 13, Hunt ‘544 discloses The computing apparatus of claim 10, wherein the signature cache is a device-local signature cache. (Hunt ‘330, [0070] “In some embodiments, the page checking engine 248 may compare the temporary page profile of the webpage with one or more baseline page profiles using a fuzzy match algorithm. In some embodiments, the baseline page profiles may be retrieved from a datastore 108 in real-time to avoid undue delays in the user experience. In some embodiments, the user device 104 may have previously received the baseline page profiles from the page profiler server 106 and may have stored them to local storage. For example, the page profiler server 106 may transmit baseline page profiles to the user device 104 as they are generated so that the page checking engine 248 may retrieve locally stored baseline page profiles while it processes requested webpages and/or generates the temporary profile. Retrieving locally stored baseline page profiles may reduce any unnecessary delays (e.g., latency delays), ensuring that requested webpages are processed quickly to determine if there is fraud. Alternatively, the user device may dynamically retrieve the baseline page profiles as the user device 104 is in operation based on predicted webpages that may be accessed by”) Response to Arguments Remarks/Arguments filed 12/10/25, 12/12/24 have been fully considered but they are not persuasive. Therefore, rejection of claims 1-18, 41 and 42 is maintained. Considering the amendments to the claims the rejections are updated accordingly. a computing apparatus, comprising: a computer-implemented method of inspecting an object under analysis, wherein the object under analysis is a device-local portable executable object: provisioning a local signature cache within a device-local memory, a hardware platform comprising a processor circuit and a memory; (Hunt ‘544, Fig. 2 #210/211/212) a network interface; and (Hunt ‘544, #213/240) instructions encoded within the memory to instruct the processor circuit to: (Hunt ‘544, Fig. 12) extract data from an object under analysis, wherein the object under analysis is a device-local executable object;; (Hunt ‘544, #1201/1202, [0147] “a hash signature generation module may generate a DOM object hash value of the target website based on the rendered DOM object.”; [0034] “In such websites, the HTML code provided by the original web server may include executable code (e.g., JavaScript) that when executed by a java client present on the computer and/or the browser can perform any number of different functions. As such, a small amount of code can, when executed, include a large amount of functionality and generate a large amount of additional information received and provided by the website and any number of other websites. However, by rendering a DOM object and fully executing all of the JavaScript and other executable functions embedded in the HTML code, a full view of the functionality of the website may be obtained. For example, when rendering the DOM object, a browser may take the HTML code and build a DOM tree. The DOM tree can be updated which can manipulate the HTML code being executed by the browser.”) compute a partial match value according to a partial match algorithm of the extracted data; (Hunt ‘544, #1202/1203) send the partial match value to a remote service via the network interface; (Hunt ‘544, #1205) receive from the remote service, via the network interface, a list of candidate signatures that correspond to the partial match value, wherein the candidate signatures are a superset of true matches to the object under analysis; (Hunt ‘544, #1206, [0152] “the website classification module may compare the hashing signature of the target website with the stored hash signatures returned from the search through the classified database associated with the database.”) compare the object under analysis to the candidate signatures; and (Hunt ‘544, #1206-1209) if the compare identifies one or more matching signature, classify the object under analysis as belonging to a same class as at least one second object that is a source of a matching signature. (Hunt ‘544, #1208/1213) apply to the object under analysis a device-local security policy associated with the second object (Hunt ‘544, para 18, 132). Note: claimed “device-local security policy” is not limited to any particular policy or limited to any particular object(s). This policy does not limit to having any rule that impacts any actions. The “associated with” is not limited to any particular association. For clarification the interview summary of the examiner dated 11/17/2025 with Mr. Jerome Bastien in the prosecution history was mistakenly entered. It does not belong to this application. Conclusion Note: In addition to the above rejections, please see claims 1, 14 and 41, which contains “if”. The limitations following “if” condition is not limited to be part of the claim (BRI). Pertinent references: Copsey, 20140280275, [0088] The images depicted in FIGS. 5A and 5B illustrate a simplified embodiment. For example, in other embodiments, multiple short signatures may be taken throughout the document and compared to the content signature database. In some embodiments, a cache may contain a signature or multiple signatures locally and the system may search for a match within the local cache. Cui et al., US 20170262314 A1, [0045] Once the bottlenecked subsystem is identified, a workload identifier 408 determines if a similar workload exists in a sub-cache 402 that is associated with a workload being performed by the subsystem. For example, if the subsystem is associated with sub-cache 402-1, workload identifier 408 uses the sensors defined for the current workload to generate a signature s.sub.1. Then, workload identifier 408 analyzes signatures s.sub.2 within sub-cache 402-1 to determine if there is a match. For example, the sub-cache may be organized as a list of workload signatures and parameter setting pairs. When a workload in the sub-cache includes a signature s.sub.2 that is similar to the current signature s.sub.1, workload identifier 408 selects that workload 5.sub.2 and retrieves the parameter setting. This is considered a warm start because parameter settings from a previous search are being used. When no signatures 5.sub.2 in sub-cache 402-1 match the current workload signature s.sub.1, then the optimization starts cold. That is, there are no parameter values to use to start off with from prior workloads being optimized. MCCOMBE et al.,WO 2019113215 A1 In some embodiments, a signature may be created for a kernel or for a collection of points, based on the salient features most important to the comparison function. In this case, kernels or point collections that would be compared most closely with each other would have the same or very nearby signatures. This signature may help quickly locate the most appropriate matching entries for a query, within the cache. Last para, page 14 CHRAIM et al., CN 108885105 A, FIG. 20 An exemplary proxy relationship between location and agent action, wherein curve 2000 shows exemplary proxy along with time changes of location accuracy level. before the time T2010, the location accuracy level of agent remains below a threshold level T2020. Therefore, agent of the load moving focus location, because it tries to construct more complete and accurate locating table is the area, as hereinbefore described. once the proxy location accuracy level increases beyond the threshold value T2020, the agent adding a mapping activity, preferably while continuing to construct a location signature list. can be tracked with the success of time push number or proportion of signature matching (i.e., agent for matching number between the observed signature in the cache of CPSI 1142 the presence of a signature) to determine the positioning accuracy through the proxy. a location engine on operation of the vehicle may be based on the space with the voxel or voxels packet matching the frequency of implementing different modalities. In an exemplary embodiment, when a previously un-accessed area can activate one mode, when the area is not sufficient to consistently locating part signature list can be used when the other mode, and can be applied to third mode when enough signature and the group present in the table and vehicle can correct its trajectory. signature matching may depend on vehicle near the transition between modalities of observed voxels and local signature reference list in the presence of consistency between voxels. These different modes may affect the cloud application server 1800 receives information from the proxy mode. Therefore, based on (among other conditions) of the vehicle end to generate the host location signature table 1805 or main 3 D contribution of semantic map 1810 positioning mode, it can give those greater or lesser contribution of trust level. 1st para, page 11 CHEN et al., CN 110162488 A, the digital signature of the online object digital signature is associated cache object of the cache object to match, determining the digital signature in the cache is consistent with the online calculation. 3rd last para, page 5 Stojancic et al., 20190373311, para 127 Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hunt to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide caching information. The signatures would be retained by the caching function and the signatures would be retrieved in a high-speed retrieval as compared to regular memory, which would provide optimum performance for the matching. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973. The examiner can normally be reached on M-F 9-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HARESH N PATEL/Primary Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Nov 26, 2021
Application Filed
Mar 09, 2024
Non-Final Rejection — §102, §103, §112
Jun 20, 2024
Response Filed
Oct 31, 2024
Final Rejection — §102, §103, §112
Dec 03, 2024
Interview Requested
Dec 12, 2024
Response after Non-Final Action
Jan 25, 2025
Response after Non-Final Action
Feb 11, 2025
Request for Continued Examination
Feb 14, 2025
Response after Non-Final Action
Sep 05, 2025
Non-Final Rejection — §102, §103, §112
Oct 24, 2025
Interview Requested
Oct 27, 2025
Interview Requested
Nov 12, 2025
Applicant Interview (Telephonic)
Nov 12, 2025
Examiner Interview Summary
Nov 13, 2025
Examiner Interview Summary
Nov 13, 2025
Applicant Interview (Telephonic)
Dec 10, 2025
Response Filed
Dec 30, 2025
Final Rejection — §102, §103, §112
Apr 02, 2026
Notice of Allowance

Precedent Cases

Applications granted by this same examiner with similar technology. Study what changed to get past this examiner.

Patent 12598058
MUTABLE DIGITAL ASSET STORAGE UNITS FOR VERIFYING OTHER STORAGE UNITS IN A DECENTRALISED PEER-TO-PEER STORAGE NETWORK
2y 5m to grant Granted Apr 07, 2026
Patent 12568384
BOOTSTRAPPING AND TROUBLESHOOTING OF REMOTE DEVICES
2y 5m to grant Granted Mar 03, 2026
Patent 12563036
DISTRIBUTED MANAGEMENT SYSTEM AND MANAGEMENT METHOD FOR SMART CARD MANAGEMENT APPARATUSES
2y 5m to grant Granted Feb 24, 2026
Patent 12563388
SYSTEMS AND METHODS FOR SECURITY ASSOCIATION ENABLING MAKE-BEFORE-BREAK-ROAMING (MBBR)
2y 5m to grant Granted Feb 24, 2026
Patent 12542805
DETECTING AND MITIGATING BLUETOOTH BASED ATTACKS
2y 5m to grant Granted Feb 03, 2026

AI Strategy Recommendation

Click below to generate an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

5-6
Expected OA Rounds
78%
Grant Probability
95%
With Interview (+17.5%)
3y 1m
Median Time to Grant
High
PTA Risk
Based on 814 resolved cases by this examiner