DETAILED ACTION
A response to the notice of non-compliant amendment was received on 04 September 2025. By this response, Claims 1, 3, 6-9, 12, 14, and 17-19 have been amended. Claims 5, 10, 11, 13, 15, 16, and 20 have been canceled. No new claims have been added. Claims 1-4, 6-9, 12, 14, and 17-19 are currently pending in the present application.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4) because reference characters 1, 2, 3, 4, and 5 have been used to designate both steps in Figures 1A and 1B and multiple different elements in Figure 3. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application.
The drawings are objected to under 37 CFR 1.83(a). The drawings must show every feature of the invention specified in the claims. Therefore, the steps of the method of Claim 1 must be shown or the features canceled from the claims. No new matter should be entered. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application.
The drawings are objected to because they include informalities. In Figure 2C, it appears that “Culul_Ratio”, both in the label of the y-axis and near the dashed line on the graph, should read “Cumul_Ratio” for consistency. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application.
Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The abstract of the disclosure is objected to because it includes informalities. In line 1, the phrase “In method” should read “In a method”. In line 10, the sentence “Paths with a low probability of leaving a plurality of paths of interest are pruned” is grammatically unclear and not in clear idiomatic English. Correction is required. See MPEP § 608.01(b).
The disclosure is objected to because of the following informalities:
The specification includes minor grammatical and other errors. For example, in paragraph 0009, line 3, the abbreviation “C&C” has not been defined. In paragraph 0009, line 4, the term “concolic” does not appear to be clearly defined. In paragraph 0011, lines 11-12, the sentence “Paths with a low probability of leaving a plurality of paths of interest are pruned” is grammatically unclear and not in clear idiomatic English. In paragraph 0025, line 3, it is not clear what the object of “can leverage” is intended to be; that is, it is not clear what is leveraged. In paragraph 0034, line 6, the phrase “to for analysis” is grammatically unclear. In paragraph 0035, line 1, the phrase “one there are” is grammatically unclear. In paragraph 0038, line 3, the phrase “the output of can be” appears to be missing an object or other critical language. In paragraph 0040, line 3, the abbreviation “CFG” should be written out the first time it appears. In paragraph 0040, line 7, it appears that critical language is missing from the phrase “that enable to dynamically adapt”. In paragraph 0049, line 3, it appears that “Rach” may be intended to read “Each”. On page 14, line 6 (in paragraph 0049), the use of empty parentheses is unclear. In paragraph 0057, line 4, it appears that a noun is missing from the phrase “enables to verify”. In paragraph 0059, line 4, it is not clear what the subject of the verb “creates” is intended to be. On page 19, line 13 (in paragraph 0065), it is not clear what the subject of the verb “reports” is intended to be. In paragraph 0067, line 5, the phrase “shows ‘s analysis” is grammatically unclear. In paragraph 0070, line 5, it is not clear what the subject of the verb “shows” is intended to be. In paragraph 0071, line 4, the abbreviations “HKLM” and “HKCU” do not appear to be defined. In paragraph 0073, lines 7-8, it is not clear what the subjects of the verbs “builds”, “seeds”, and “attempts” are intended to be. In paragraph 0075, lines 3-4, it is not clear what the subjects of the verbs “reports” and “measures” are intended to be.
Appropriate correction is required. The above is not intended as an exhaustive list of all errors in the specification. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more.
Claim 1 is directed to a method that includes receiving a notification that a malware intrusion has been detected; capturing and parsing a memory image and reconstructing a prior execution context; extracting addresses and prototype summaries from the memory image; determining paths that are possible for execution; modeling each path; assigning a probability of each path being executed; pruning paths with low probabilities; matching APIs detected in the paths of interest to a repository of plugins; and reporting to an analyst any APIs that match. The step of parsing the image constitutes abstract data manipulation which constitutes a mental process. The steps of determining and modeling the paths and assigning probabilities constitute mathematical operations. The step of pruning paths is a mental process that only requires comparison of probabilities to a threshold and removing certain data. The step of matching APIs to the repository is also a mental process of data comparison. The calculations constitute mathematical concepts, which are one of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2). Further, mental processes are also one of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2). Abstract ideas are judicial exceptions as per MPEP § 2106.04(I). See also Alice Corporation Pty. Ltd. v. CLS Bank, International, et al, 573 U.S. 208, 110 USPQ2d 1976 (2014).
The judicial exception is not integrated into a practical application because the only use of the results is to report the matching APIs to an analyst. This amounts to necessary data output, which is insignificant post-solution activity as per MPEP § 2106.05(g). Nothing else is done with the report. The steps of receiving the notification, capturing the image, and extracting the addresses and summaries amount to mere data gathering, which is insignificant extra-solution activity as per MPEP § 2106.05(g). There is nothing in the claim that would result in a particular transformation, as per MPEP § 2106.05(c), nor does the claim require the use of the abstract idea in conjunction with a particular machine or manufacture, as per MPEP § 2106.05(b). In fact, there appears to be no requirement that any of the claimed steps are performed by a computer; all could be performed by a person. The recitation of a CPU and memory appears at most to be a limitation to a particular technological environment, as per MPEP § 2106.05(f) and (h). There are no additional elements that apply or use the abstract idea in a meaningful way beyond merely linking the use of the judicial exception to a particular technological environment. There is no further step taken beyond the calculations and comparisons that would result in a practical application of the abstract ideas. Therefore, the claim is not directed to a practical application of the abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception for similar reasons as detailed above with respect to the question of a practical application of the judicial exception. The steps of receiving the notification, capturing the memory image, extracting the addresses, and reporting to the analyst are claimed at a high level of generality and are generally directed to sending and receiving data over a network and/or storing and retrieving information in memory. These have been recognized by the courts as well-understood, routine, and conventional functions. See MPEP § 2106.05(d)(II), citing Symantec, TLI, OIP Techs, buySAFE, and Versata. Therefore, the claim as a whole, whether the functions are considered individually or as an ordered combination, is not directed to significantly more than the abstract idea.
Dependent Claims 2-20 only recite further details of the abstract idea, or additional abstract steps such as other calculations or data manipulations. These claims recite abstract ideas for the same reasons as the independent claim, and also are not directed to a practical application and do not add significantly more to the abstract ideas recited in the independent claims.
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1-20 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above. Therefore, based on the above analysis, the claimed inventions are not directed to patent eligible subject matter.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
A determination of a failure to comply with the enablement requirement is made considering the undue experimentation factors set forth in MPEP § 2164.01(a). In the present application, the factors which appear to weigh most heavily are the breadth of the claims (MPEP § 2164.08), the amount of direction provided by the inventor (MPEP § 2164.03), and the existence of working examples (MPEP § 2164.02). Claim 1 broadly recites “determining paths that are possible for execution due to the malware based on the addresses and prototype summaries” and “modeling each path and assigning a probability of each path being executed with concrete data”. Claim 3 broadly recites “leveraging available concrete data in the memory image to concretize path constraints”. Claim 9 broadly recites “assigning each path a degree of concreteness”. Claim 12 broadly recites “analyzing a stack backtrace of a selected path to prune false successor states”, “performing addresses concretization based on a process memory layout corresponding to the selected path”, and “simulating API calls via analysis of loaded library functions in the memory image”. Claim 13 broadly recites “examining a forensic stack backtrace of the memory image to identify false paths whose function returns do not conform to previously established targets in a call stack”. Claim 14 broadly recites “verifying flow-correctness of a path analysis by comparing a first stack pointer and return addresses in the stack backtrace with a second stack pointer computed after executing a return”. Claim 15 broadly recites “using a data space of the memory image to concretize symbolic indices to a tractable range”. Claim 16 broadly recites “detecting when a state performs an access wherein an index is beyond a mapped code or data space of a process”. Claim 19 broadly recites “leveraging function summaries”. Claim 20 broadly recites “analyzing symbolic constraints on the input and output parameters of each API to verify a shared state”. 
The claims do not recite any detail of any of the above steps.
The specification only broadly mentions determining and modeling paths in a manner similar to that recited in Claim 1. Similarly, the specification does not provide any detail of how to leverage concrete data to concretize path constraints as in Claim 3. Although the specification does provide one equation for calculating a degree of concreteness as in Claim 9, this single example is not sufficient to extrapolate to other ways to assign degrees of concreteness. The specification also generally describes analyzing the stack backtrace, performing address concretization, and simulating API calls in a similar manner as recited in Claims 12 and 13. The specification further only broadly describes verifying flow correctness in the same manner as recited in Claim 14, and of concretizing symbolic indices to a tractable range as in Claim 15. Similarly, the specification does not provide any detail of how to detect when a state performs an access, leveraging function summaries, or verifying a shared state as recited in Claims 16, 19, and 20. There are no details of how any of these functions would be performed. With the exception of the equation for the degree of concreteness, there is not a clear working example of any of these functions. The lack of details or examples beyond the claim language suggests that there is little direction provided by the inventor. Combined with the broad scope of the claims, this suggests that the enablement of the description is not commensurate in scope with the claims (MPEP § 2164.08) and that undue experimentation would be required to make or use the invention based on the disclosure (MPEP § 2164.06).
Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “from the memory image from the symbolic environment” in line 10. It is not grammatically clear what the phrase “from the symbolic environment” is intended to modify. The claim further recites “paths that are possible” in line 11. The term “possible” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether a path is possible. See MPEP § 2173.05(b). The claim additionally recites “pruning paths with a low probability of leaving a plurality of paths of interest” in line 15. First, the term “low” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether the probability is low or not. Further, it appears that there is not a clear object of the preposition “of”; that is, it is not clear what the probability is a probability of. The above ambiguities render the claim indefinite.
Claim 5 recites “the step of pruning paths with a low probability of execution” in lines 1-2. There is not clear antecedent basis for this limitation in the claims. The claim further recites “a weight” in line 2, but it is not clear what factor is being weighted.
Claim 6 recites “a high probability” in line 2. The term “high” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether a probability is high. See MPEP § 2173.05(b). The claim further recites “which it sends out a network” in line 3. This phrase is not grammatically clear and appears to be missing critical language.
Claim 7 recites “a path” in line 3. It is not clear whether this is intended to refer to one of the possible paths, or modeled paths, or paths of interest, or a distinct path.
Claim 8 recites “the capability” in lines 3 and 3-4. It is not clear to which of the plural capabilities this limitation is intended to refer.
Claim 10 recites “early concrete data” in line 2. The term “early” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether data is early or not. See MPEP § 2173.05(b). The claim further recites “the path” in line 2. It is not clear to which of the plural paths this is intended to refer.
Claim 11 uses labels (a), (b), and (c) for steps; this is unclear as to whether these are intended to refer back to the similarly-labeled steps in Claim 1. Claim 11 further recites “the path” in lines 2 and 3. It is not clear to which of the plural paths this is intended to refer. The claim further recites “summing the cumulative state conditions” in line 4. It is not clear how to quantify a “condition” to allow it to be added to a mathematical sum.
Claim 12 uses labels (a), (b), and (c) for steps; this is unclear as to whether these are intended to refer back to the similarly-labeled steps in Claim 1. The use of the semicolon at the end of Claim 12, line 2, is grammatically unclear, although it appears that this may be intended to be a colon. The claim further recites “false successor states” in line 3. The specification does not provide a clear definition of how to determine whether a state is true or false.
Claim 14 recites “the stack backtrace” in lines 2-3. It is not clear whether this is intended to refer to the stack backtrace of Claim 12 or the forensic stack backtrace of Claim 13, if these are distinct. Claim 14 further recites “an incorrect return”. The term “incorrect” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether a return is correct. See MPEP § 2173.05(b).
Claim 15 recites “a tractable range”. The term “tractable” is a relative term, and neither the claim nor specification appears to provide a clear definition or standard of comparison for how to determine whether a range is tractable. See MPEP § 2173.05(b).
Claim 16 recites “a state” in line 1. It is not clear what this is a state of. The claim further recites “an access” in line 2. It is not clear what is being accessed. The claim additionally recites “an index” in line 2. It is not clear what this is an index of. The claim also recites “and designated the state as a false state” in line 3. This is grammatically unclear as to how it relates to the remainder of the claim.
Claim 17 uses labels (a) and (b) for steps; this is unclear as to whether these are intended to refer back to the similarly-labeled steps in Claim 1. Claim 17 further recites “the API effect” in line 5. There is not clear antecedent basis for this limitation in the claims.
Claim 18 uses labels (a), (b), (c), and (d) for steps; this is unclear as to whether these are intended to refer back to the similarly-labeled steps in Claim 1. The claim further recites “the function” in lines 3, 5, and 6; however, the claims previously recited plural functions, and it is not clear to which of the plural functions these limitations are intended to refer.
Claim 19 uses labels (a) and (b) for steps; this is unclear as to whether these are intended to refer back to the similarly-labeled steps in Claim 1. The claim further recites “the function” in lines 3, 5, and 6; however, the claims previously recited plural functions, and it is not clear to which of the plural functions these limitations are intended to refer.
Claim 20 recites “a shared state among each API” in line 2. It is not clear whether the state is shared pairwise between each respective pair of APIs, or if all APIs share a single state, for example.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.
Claim Interpretation
Because the claims are rendered indefinite and not enabled due to the numerous issues as detailed above in reference to the rejections under 35 U.S.C. 112(a) and (b) and 35 U.S.C. 101, it has not been possible to fully construe pending Claims 1-20 in order to analyze the claims for novelty under 35 U.S.C. 102 and non-obviousness under 35 U.S.C. 103. As per MPEP § 2173.06(II), if there is uncertainty as to the proper interpretation of the limitations of the claim, it would not be proper to reject such a claim on the basis of prior art. See also In re Steele, 305 F.2d 859, 134 USPQ 292 (CCPA 1962). A search has been performed to the extent possible, and references that appear to be relevant are cited on the attached form PTOL-892.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Zachary A. Davis/
Primary Examiner, Art Unit 2492