DETAILED ACTION
A Request for Continued Examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on March 24, 2026 has been entered.
Claims 1, 3, 4, 7, 9, 11, 12, 15, 17, and 19 have been amended. No new claims have been added. Claims 1-20 are currently pending and directed toward MALICIOUS SCRIPT DETECTION.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments with regards to claims 1-20 have been fully considered, but they are moot because of new grounds of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4, 5, 8-10, 12, 13, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Saxe et al. (US 10,635,813, Filed Oct. 6, 2017), in view of Zakorzhevsky et al. (US 2017/0091457, Mar. 30, 2017), hereinafter referred to as Saxe and Zakorzhevsky.
As per claim 1, Saxe teaches a method comprising:
receiving data, comprising code, intended for a user device (The malware detection device 100 can be configured to receive a file (e.g., file 124 described herein) from the communication network and store the received file in the memory 120. Saxe, Column 3, lines 49-52);
determining, based on execution of at least a portion of the code, one or more features associated with the code (The code includes code to cause the processor to identify the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. Saxe, Column 3, lines 24-29);
Zakorzhevsky further teaches emulating execution (According to embodiments, systems and methods of the invention are configured to detect malicious executable files including a script language interpreter by combining a script emulator and a machine code emulator. Zakorzhevsky, [0007]).
Saxe in view of Zakorzhevsky are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Saxe in view of Zakorzhevsky. This would have been desirable because as a result of such embodiments, the security of computer systems is increased. More generally, computer security is achieved by detecting malicious executable files using a combination of emulators (Zakorzhevsky, [0007]).
And Saxe in view of Zakorzhevsky further teaches
causing, based on a determination by a machine learning model that the one or more features are associated with one or more malicious behaviors (The method includes analyzing each fragment from the second set of fragments using the machine learning model to identify within each fragment from the second set of fragments second information potentially relevant to whether the file is malicious. Saxe, Column 2, lines 61-66), output of a message indicating that the data is associated with the one or more malicious behaviors (Specifically, the master machine learning model 112 generates a binary output indicating whether the information related to the set of fragments is malicious or not. Saxe, Column 8, lines 63-66).
As per claim 2, Saxe in view of Zakorzhevsky teaches the method of claim 1, wherein the one or more malicious behaviors comprise at least one of: redirecting a browser of the user device to a website, causing the user device to download malicious software, causing the user device to communicate with a computing device, or access to an operating system of the user device (Some other types of malware can include program code designed to illegally gather users' personal and/or financial credentials, monitor users' web browsing, display unsolicited advertisements, redirect affiliate marketing revenues and/or the like. Saxe, Column 1, lines 22-26).
As per claim 4, Saxe in view of Zakorzhevsky teaches the method of claim 1, wherein emulating the execution of at least the portion of the code provides an indication of a same function as execution of the code by the user device (In the training mode, the master machine learning model 112 can function as a differentiable model. The master machine learning model can learn and/or be trained to identify and/or determine whether information associated with a set of fragments provides an indication of whether the file is malicious or not (e.g., identifies information that is potentially relevant to determining whether the file is malicious). Saxe, Column 8, lines 43-50; see also cause the computing platform to implement an analyzer configured to convert a script into pseudocode, the script being related to the executable file, and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, wherein the analyzer is further configured to analyze the emulator operation log to determine if the executable file is malicious. Zakorzhevsky, [0008]).
As per claim 5, Saxe in view of Zakorzhevsky teaches the method of claim 1, wherein the machine learning model is based on at least one of: a support vector machine, a Bayesian belief network, a neural network, or a decision tree (The inspector machine learning model 114 can be any suitable type of machine learning model such as, for example, a neural network, a decision tree model, a random forest model, a deep neural network and/or the like. Saxe, Column 6, lines 34-38).
As per claim 8, Saxe in view of Zakorzhevsky teaches the method of claim 1, wherein the code is written in a scripting language (For example, the file can be at least one of a Hypertext Markup Language (HTML) file(s), a JavaScript file(s), or a Hypertext Preprocessor (PHP) file(s), and/or the like. The file 124 can include a software code, a webpage(s), a data file(s), a model file(s), a source file(s), a script(s), a process(es), a binary executable file(s), Saxe, Column 4, lines 6-13).
Claims 9, 10, 12, 13, and 16-18 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Saxe et al. (US 10,635,813, Filed Oct. 6, 2017), in view of Zakorzhevsky et al. (US 2017/0091457, Mar. 30, 2017), in view of Moskovitch et al. (Acquisition of Malicious Code Using Active Learning, PinKDD'08, August 24, 2008, 9 pages), hereinafter referred to as Saxe, Zakorzhevsky and Moskovitch.
As per claim 3, Saxe in view of Zakorzhevsky teaches the method of claim 1, but does not teach data streams. Moskovitch, however, teaches wherein the data comprises one or more data streams, the method further comprising combining segments from the one or more data streams into a single data stream comprising the portion of the code and generic code that is associated with common functions to enable emulation of the execution of at least a portion of the code (Figure 2 illustrates the evaluation scheme describing the varying contents of the test set and Acquisition set that will be explained shortly. The datasets contain two types of files: Malicious (M) and Benign (B). While the Malicious region is presented as a bit smaller, it is actually significantly smaller. These datasets contain varying files partially known to the classifier, from the training set, and a larger portion of New (N) files, which are expected to be acquired by the Active Learner, illustrated by a circle. The active learner acquires from the stream part of the files, illustrated by the Acquired (A) circle. Moskovitch, page 5).
Saxe in view of Zakorzhevsky in view of Moskovitch are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Saxe in view of Zakorzhevsky in view of Moskovitch. This would have been desirable because, in Moskovitch's words, "in this study we wanted to evaluate the acquisition performance of the Active-Learner from a stream of files presented by the test set, containing benign and malicious executables, including new (unknown) and not-new files. Actually, the task here is to evaluate the capability of the module to acquire the new files in the test set, which cannot be evaluated only by the common measures evaluated earlier" (Moskovitch, page 5).
Claims 11 and 19 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Saxe et al. (US 10,635,813, Filed Oct. 6, 2017), in view of KEJRIWAL et al. (US 2011/0289582, Pub. Date: Nov. 24, 2011), hereinafter referred to as Saxe and KEJRIWAL.
As per claim 6, Saxe in view of Zakorzhevsky teaches the method of claim 1, but does not teach obfuscation. KEJRIWAL, however, teaches wherein the one or more features comprise at least one of: an obfuscated variable name, a number of updates to a variable name exceeding a first threshold, an obfuscated Uniform Resource Locator (URL) protocol, an obfuscated scripting language keyword, an obfuscated scripting language reserved word, or entropy of a string exceeding a second threshold ([0115] One such attack creates a large number of objects to exploit an opportunity. This could be simply caught by counting the number of CreateElement executions and flagging if the count is above a threshold.
[0116] Second pattern: Large memory write with Unicode characters
[0117] Decoded/Deobfuscated contents: fromCharCode( ), unescape( ) functions are traced that are highly used by attackers today to decode contents at some point.
[0118] Document.write attacks: Check the contents javascript is about to dynamically write on the page. Heuristics/pattern applied:
[0119] iframe 'src' should be pointing to a domain other than the origin (host) domain. This is rather common, such as in the case of "widget"-like bookmarking appended on the page, which are appended dynamically via javascript to an iframe. We overcome this by tracing if the iframe contents have been decoded before, which is a pretty good indicator of malicious contents. However, sometimes these writes could be via a <script> tag or <img> tag, both of which load the pointed contents on the page load event itself.
[0120] eval: check eval, which is the javascript evaluation function and executes javascript code passed as a string argument. These contents could be checked for the presence of malicious keywords, or large Unicode strings for shellcode, vulnerable clsid, etc. In addition, if these contents are decoded before, that gives a pretty good indication of malicious contents. KEJRIWAL, [0115]-[0120]).
Saxe in view of Zakorzhevsky in view of KEJRIWAL are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Saxe in view of Zakorzhevsky in view of KEJRIWAL. This would have been desirable because it is the observation of the applicant that most malicious web-based activity involves javascript. Detecting and blocking malicious javascript is essential for preventing web-based compromises. Most malicious javascript is obfuscated, which renders static analysis, such as signature matching, approaches ineffective (KEJRIWAL, [0002]).
Claims 14 and 20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
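The claim 6 feature types and the KEJRIWAL [0115]-[0120] heuristics quoted above, as an added illustration that is not from the office action or from any cited reference; the thresholds, the "obfuscated name" patterns and the sample script are assumed, and a regex scan stands in for a real parser:

```javascript
// Added example, not from the office action or any cited reference: a regex-based
// extractor for the claim 6 feature types plus counts of the decode/evaluate calls
// named in KEJRIWAL [0115]-[0120]. Thresholds and name patterns are assumed values.
const SUSPECT_CALLS = ["fromCharCode", "unescape", "eval", "document.write", "createElement"];

function shannonEntropy(s) {                  // bits per character of a string
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

function extractFeatures(script, updateThreshold = 5, entropyThreshold = 4.5) {
  // String literals with positions, so "a" + "b" runs can be rejoined
  const lits = [...script.matchAll(/(["'])((?:\\.|(?!\1).)*)\1/g)];
  const chains = [];
  let cur = null;
  for (const m of lits) {
    const end = m.index + m[0].length;
    if (cur && /^\s*\+\s*$/.test(script.slice(cur.end, m.index))) {
      cur.text += m[2]; cur.end = end; cur.parts++;   // literal continues a + chain
    } else {
      if (cur) chains.push(cur);
      cur = { text: m[2], end, parts: 1 };
    }
  }
  if (cur) chains.push(cur);
  // Obfuscated URL protocol: "http://" exists only once the pieces are joined
  const splitProtocol = chains.some(c => c.parts > 1 && /^https?:\/\//i.test(c.text));
  const maxEntropy = Math.max(0, ...lits.map(m => shannonEntropy(m[2])));
  // Assignments per identifier ("x =", excluding "==" and "=>")
  const updates = new Map();
  for (const m of script.matchAll(/(?<![\w$])([A-Za-z_$][\w$]*)\s*=(?![=>])/g)) {
    updates.set(m[1], (updates.get(m[1]) || 0) + 1);
  }
  const maxUpdates = Math.max(0, ...updates.values());
  // Assumed "obfuscated name" patterns: only $/_/digits, or the _0x... style
  const obfuscatedNames = [...updates.keys()].filter(n => /^[_$][_$0-9]*$/.test(n) || /^_0x[0-9a-f]+$/i.test(n));
  const callCounts = {};
  for (const name of SUSPECT_CALLS) {
    const re = new RegExp("(?<![\\w$])" + name.replace(".", "\\.") + "\\s*\\(", "g");
    callCounts[name] = (script.match(re) || []).length;
  }
  return { maxEntropy, highEntropyString: maxEntropy > entropyThreshold, maxUpdates,
           excessiveUpdates: maxUpdates > updateThreshold, splitProtocol, obfuscatedNames, callCounts };
}

// Constructed sample (not real malware): split protocol, churned variable, high-entropy literal, decode-then-eval
const SAMPLE = [
  'var _0x4a2b = "h" + "tt" + "p://" + "example.test/x";',
  'var $_ = 0; $_ = 1; $_ = 2; $_ = 3; $_ = 4; $_ = 5; $_ = 6;',
  'var blob = unescape("aZ3$kQ9!mX2@vB7#nL5%pR8&");',
  'eval(String.fromCharCode(100, 111, 99)); document.write("<div>hello</div>");',
].join("\n");
```

The returned object is the kind of per-script feature vector a classifier such as the one in claim 1 would consume; `extractFeatures(SAMPLE)` flags every feature above, while a plain script with one literal URL and a single assignment per variable flags none.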
Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Saxe et al. (US 10,635,813, Filed Oct. 6, 2017), in view of Vasudevan et al. (Cobra: Fine-grained Malware Analysis using Stealth Localized-executions, Proceedings of the 2006 IEEE Symposium on Security and Privacy, 15 pages).
As per claim 7, Saxe in view of Zakorzhevsky teaches the method of claim 1, wherein emulating the execution of the at least the portion of the code comprises emulating execution (According to embodiments, systems and methods of the invention are configured to detect malicious executable files including a script language interpreter by combining a script emulator and a machine code emulator. Zakorzhevsky, [0007]).
Saxe in view of Zakorzhevsky are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Saxe in view of Zakorzhevsky. This would have been desirable because as a result of such embodiments, the security of computer systems is increased. More generally, computer security is achieved by detecting malicious executable files using a combination of emulators (Zakorzhevsky, [0007]).
Saxe in view of Zakorzhevsky does not teach branches. Vasudevan, however, teaches one or more branches associated with the portion of the code to cause evaluation of the portion of the code to both true and false cases (In some cases, where block creation terminates because a predefined number of non-CTIs were reached, Cobra treats the block as ending with an unconditional branch/jump instruction and creates a corresponding xfer-stub. Figure 3b shows the xfer-stub implementations for conditional and unconditional CTIs on the IA-32 (and compatible) processors. For unconditional CTIs the corresponding xfer-stub simply performs an unconditional jump (JMP) into the BCXE. For conditional CTIs, the xfer-stub translates a conditional into a conditional and an explicit JMP. This ensures that the BCXE gets control for both situations where the conditional evaluates to true and false. Vasudevan, page 5).
Saxe in view of Zakorzhevsky in view of Vasudevan are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Saxe in view of Zakorzhevsky in view of Vasudevan. This would have been desirable because, as Vasudevan notes, "This is particularly true with polymorphism [56, 47] and metamorphism [48] that are techniques employed by most if not all current generation malware. Also it is impossible to statically analyze certain situations due to undecidability (e.g. indirect branches). Further, static code analysis also has limitations related to code obfuscation, a technique used by malware to prevent their analysis and detection" (Vasudevan, page 1).
Claim 15 has limitations similar to those treated in the above rejection, is met by the references as discussed above, and is rejected for the same reasons of obviousness as used above.
Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Patents:
9,501,643 Teaches methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator.
US Pg Pubs:
2014/0380482 Teaches performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938. The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLEG KORSAK/
Primary Examiner, Art Unit 2492