SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE BY AN INTERPRETER IN A COMPUTING DEVICE

§101 §102 §103 §112

DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1-20 are pending. Claim Objections Claims 6, 8, 9, 11, 12, 13, 14, 17, 19, and 20 are objected to because of the following informalities: “upon intercepting that the interpreter” in claims 6, 19 should read “upon the intercepting of the interpreter”. “the known functions name” in claim 8 should read “the known function names”. “interpreter binary image or mapped binary image” in claim 8 should read “the interpreter binary image or the mapped binary image”. “to the function names” in claim 8 should read “to the known function names”. “the call” in claims 9, 13 and 20 should read “the calls”. “the modified function name” in claim 11 should read “the corresponding modified function name”. “during execution” in claim 12 should read “during the execution”. Claim 12 recites limitation for performing certain step(s) only if a specific condition is satisfied (IF Statement) “modifying the program or script to reference the corresponding modified function name or bytecode if the program or script qualify for runtime morphing, and not modifying the program or script otherwise”. Such limitations are considered as optional limitations since they are not performed until specific conditions are met. Applicant should change the word “if” to “responsive to determining that…” in order to alter an optional limitation to a required limitation. For the purpose of examination, claimed limitations will be considered as optional limitations since they are not performed until specific conditions are met. “the method of:” in claim 14 should read “operations of:”. “The system of claim 14, comprising” in claim 17 should read “The system of claim 14, wherein the operations further comprising”. Appropriate correction is required. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-8, 11 and 14-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 recites modifying a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode; determining that a program or script to be executed by the interpreter references the original function name or bytecode; and modifying the program or script to reference the corresponding modified function name or bytecode. The limitation of modifying a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “modifying” in the context of this claim encompasses the user changing a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode. The limitation of determining that a program or script to be executed by the interpreter references the original function name or bytecode as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “determining” in the context of this claim encompasses the user finding out that a program or script to be executed by the interpreter references the original function name or bytecode. The limitation of modifying the program or script to reference the corresponding modified function name or bytecode as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “modifying” in the context of this claim encompasses the user changing the program or script to reference the corresponding modified function name or bytecode. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application. Claim 1 does not recite any additional elements that integrate the judicial exception into a practical application. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea. The claim is not patent eligible. Dependent claims 2-8 and 11 further clarify the concept recited in claim 1 however this clarification still falls under the concept recited in claim 1 and does not amount to significantly more than the judicial exception. Dependent claims 2-8 and 11 are rejected for at least the reason stated above with respect to claim 1. Claim 14 although not using the exact claim language, contains similar elements as recited in claim 1 and is also rejected for similar reasons. Claim 14 recites additional elements of a memory and a processor. However, the additional elements are recited at a high level of generality and amount to no more than mere instructions to apply the exception using generic computer components. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Dependent claims 15-19 further clarify the concept recited in claim 14 however this clarification still falls under the concept recited in claim 14 and does not amount to significantly more than the judicial exception. Dependent claims 15-19 are rejected for at least the reason stated above with respect to claim 14. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. Claim 1 recites “modifying a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode”. However, it’s unclear whether this limitation refers to (1) modifying a translation table referencing an original function name to reference a corresponding modified function name or modifying bytecode of the interpreter to reference a corresponding modified bytecode, (2) modifying a translation table referencing an original function name of the interpreter to reference a corresponding modified function name or modifying bytecode of the interpreter to reference a corresponding modified bytecode, (3) modifying a translation table referencing an original function name to reference a corresponding modified function name or modifying a translation table referencing bytecode of the interpreter to reference a corresponding modified bytecode, (4) modifying a translation table referencing an original function name of the interpreter to reference a corresponding modified function name or modifying a translation table referencing an original bytecode of the interpreter to reference a corresponding modified bytecode, or (5) some other meaning. For examination purposes, interpretation (1) has been adopted. Claims 2-11 and 20 depend from claim 1 and thus also have this issue. Independent claims 12 and 14 recite similar limitation and thus also have this issue. Claims 13 and 15-19 depend from independent claims 12 and 14 and thus also have this issue. Claims 2 and 3 recite “the function name”. However, it’s unclear whether this refers to (1) “an original function name” or (2) “a corresponding modified function name” in claim 1. For examination purposes, interpretation (1) has been adopted. Claims 15-16 recite similar limitation and thus are also rejected for similar reasons. Claims 5, 18 recite “the intent”. There is insufficient antecedent basis for this limitation in the claims. Claims 6, 19 recite “the storage device”. There is insufficient antecedent basis for this limitation in the claims. Claim 7 recites “the executable code” and “the interpreter binary image”. There is insufficient antecedent basis for these limitations in the claim. Claim 8 depends from claim 7 and thus also has this issue. Claim 8 recites “the references”. There is insufficient antecedent basis for this limitation in the claim. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1-4, 7, 9, and 14-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Gibbons (US 11741197). Claim 1, Gibbons discloses A method for detecting malicious code by an interpreter in a computing device, the method comprising: modifying a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode; (e.g. figs. 1-4, col. 8, ll. 20-27, col. 9, ll. 61-col. 10, ll. 30, col. 11, ll. 8-41, col. 12, ll. 55-col. 13, ll. 38, col. 15, ll. 22-31, col. 19, ll. 24-42, col. 20, ll. 1-21: The code in Snippet 2 has been output as a human-readable intermediate language. The intermediate language can be converted to bytecode. For example, each line in Snippet 2 may be mapped to one or more characters, numbers, or symbols that form bytecode instructions which may be understood by a bytecode interpreter. A particular interpreter may expect each instruction in Snippet 2 to correspond to a particular number. For example, “PUSH_IMMEDIATE_INT” may correspond to the number 14. When the particular interpreter reads the number 14, it executes a “PUSH_IMMEDIATE_INT” instruction. Thus, when executed by an interpreter, the alternate instructions in Snippet 3 perform the same steps as those illustrated by Snippet 2…Snippet 3 is a data structure that comprises bytecode instructions, as well as other information that the interpreter may use for executing the bytecode instructions…bytecode interpreter 140 is programmed or configured to interpret a set of bytecode operations of an ISA. A call to a particular bytecode operation in the set of bytecode operations may cause bytecode interpreter 140 to execute the particular bytecode operation. Executing the particular bytecode operation may comprise executing one or more bytecode interpreter instructions corresponding to the particular bytecode operation. As an example, the set of bytecode operations may include a read operation, a write operation, and an add operation. Bytecode interpreter 140 may include a first function corresponding to the read operation, a second function corresponding to the write operation, and a third function corresponding to the add operation. Assume bytecode instructions 152 includes a call to the add operation. Bytecode interpreter 140 may interpret the call to the add operation and execute the add operation by executing the third function…the computer may store one or more data defining a plurality of functions, where each function corresponding to a respective bytecode operation. The compiler 210 may generate, for each bytecode operation, a set of numbers, letters, and/or characters representing the bytecode operation. The compiler 210 may generate an interpreter that includes the plurality of functions, where the interpreter maps each function to the set of numbers, letters, and/or characters generated for the corresponding bytecode operation. For example, a function may comprise instructions that, when executed, perform a “push” operation. The compiler may generate the character string “yyzz” for representing the “push” operation, and generate one or more instructions that cause the function to be executed when the character string “yyzz” is read from a set of bytecode instructions…the server computer may generate, for each bytecode operation of a plurality of bytecode operations, a set of numbers, letters, and/or characters representing the bytecode operation. The server computer may generate interpreter instructions where each set of numbers, letters, and/or characters causes the interpreter to execute instructions for the corresponding bytecode operation…the set of interpreter instructions and the set of alternate instructions are modified to use the one or more combined operations.) determining that a program or script to be executed by the interpreter references the original function name or bytecode; and (e.g. figs. 1-4, col. 8, ll. 5-15, col. 8, ll. 55-col. 9, ll. 64, col. 13, ll. 63-67: the compiler can transform the JavaScript instructions in methods 122 and 124 into a set of bytecode instructions 152 that conform to the target ISA…Snippet 4 is a sequence of bytecode instructions contained in bytecode instructions 152. For the purpose of illustrating a clear example, the bytecode operations are written using human-readable operation and variable names. Snippet 4 Line 01: Push 1 Line 02: Push Var x Line 03: Add . . . Line 11: Push 2 Line 12: Push Var Y Line 13: Add) modifying the program or script to reference the corresponding modified function name or bytecode. (e.g. figs. 1-4, col. 14, ll. 54-col. 15, ll. 3: The compiler may replace one or more instances of a bytecode sequence with a combined bytecode operation corresponding to the sequence. For example, the compiler may generate the following modified bytecode instructions in Snippet 5. Snippet 5 Line 01: Push_Push_Add 1, Var X . . . Line 09: Push_Push_Add 2, Var Y In Snippet 5, the first sequence of operations, from Lines 1-3 of Snippet 4, has been replaced with a single “push_push_add” operation. The two parameters from the “push” operations of the original sequence, “1” and “Var X,” are provided to the combined bytecode operation. Similarly, the second sequence of operations, from Lines 11-13 of Snippet 4, has been replaced with another “push_push_add” operation, with the parameters “2” and “Var Y.”) Claim 2, Gibbons discloses The method of claim 1, wherein determining that the program or script to be executed by the interpreter references the function name or bytecode is performed upon loading of the program or script. (e.g. figs. 1-4, col. 8, ll. 5-15, col. 8, ll. 55-col. 9, ll. 64) Claim 3, Gibbons discloses The method of claim 1, wherein modifying the program or script comprises: parsing the program or script to locate the function name or bytecode; and replacing the function name or bytecode within the program or script with the corresponding modified function name or bytecode. (e.g. figs. 1-4, col. 8, ll. 5-15, col. 8, ll. 55-col. 9, ll. 64, col. 14, ll. 54-col. 15, ll. 3) Claim 4, Gibbons discloses The method of claim 1, comprising determining that the interpreter is executed, wherein modifying the translation table is performed upon determining that the interpreter is executed. (e.g. col. 10, ll. 1-25, col. 11, ll. 15-41, col. 12, ll. 55-col. 13, ll. 38) Claim 7, Gibbons discloses The method of claim 1, wherein modifying the translation table comprises: locating the translation table in the executable code of the interpreter binary image or mapped binary image. (e.g. figs. 1-4, col. 8, ll. 20-27, col. 9, ll. 61-col. 10, ll. 30, col. 11, ll. 8-41, col. 12, ll. 55-col. 13, ll. 38) Claim 9, Gibbons discloses The method of claim 1, further comprising trapping calls to the original function name or bytecode, wherein trapping the calls to the original function name or bytecode comprises mapping the original function name or bytecode to a trapping routine that is configured to log the call. (e.g. col. 9, ll. 1-64, col. 11, ll. 24-41, col. 13, ll. 4-26, col. 19, ll. 24-29) Claim 14, this claim is rejected for similar reasons as in claim 1. Gibbons further discloses a memory; and a processor configured to perform the method (e.g. col. 1, ll. 52-56, col. 2, ll. 15-35). Claim 15, this claim is rejected for similar reasons as in claim 2. Claim 16, this claim is rejected for similar reasons as in claim 3. Claim 17, this claim is rejected for similar reasons as in claim 4. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons (US 11741197) in view of Ladikov (US 20160180086). Claim 5, Gibbons discloses The method of claim 4, (see above) and does not explicitly disclose but Ladikov discloses wherein determining that the interpreter is executed comprises: obtaining a notification from an operating system that a file was opened with the intent to be executed; obtaining characteristics of the file; and analyzing the characteristics of the file to determine whether the file is the interpreter. (e.g. ¶23) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ladikov into the invention of Gibbons for the purpose of selecting an appropriate interpreter for executing the script (Ladikov, ¶23). Claim 18, this claim is rejected for similar reasons as in claim 5. Claims 6, 10, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons (US 11741197) in view of Paithane (US 10033747). Claim 6, Gibbons discloses The method of claim 1, and does not appear to explicitly disclose but Paithane discloses intercepting the execution of the interpreter by performing at least one of: kernel hooking of commands indicative of a binary image of the interpreter being loaded into memory and being executed; detecting file access events to files related to the interpreter on the storage device; and detecting loading of libraries related to the interpreter, wherein modifying the translation table is performed upon intercepting that the interpreter. (e.g. col. 2, ll. 52-67) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane into the invention of Gibbons for the purpose of detecting and classifying malicious attacks (Paithane, col. 2, ll. 43-45). Claim 10, Gibbons discloses The method of claim 9 (see above) and does not appear to explicitly disclose but Paithane discloses in response to trapping the calls, performing at least one of: providing a notification to a user; terminating the interpreter; terminating the program or script; and providing a notification to a remote server. (e.g. col. 4, ll. 45-62, col. 11, ll. 57-64) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane into the invention of Gibbons for the purpose of ensuring that a centralized management system or administrator is aware of the exploit attack (Paithane, col. 4, ll. 61-62). Claim 19, this claim is rejected for similar reasons as in claim 6. Claim 20, this claim is rejected for similar reasons as in claim 10. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Gibbons (US 11741197). Claim 11, Gibbons discloses The method of claim 1, wherein modifying a translation table comprises selecting the modified function name or bytecode. (e.g. figs. 1-4, col. 9, ll. 61-col. 10, ll. 30, col. 11, ll. 8-41, col. 12, ll. 55-col. 13, ll. 38, col. 15, ll. 22-31, col. 19, ll. 24-42, col. 20, ll. 1-21) Although Gibbons discloses selecting the modified function name or bytecode (see above), Ribbons does not appear to explicitly disclose randomly selecting. However, in a related description, Ribbons discloses randomly selecting (e.g. col. 12, ll. 39-49, col. 15, ll. 16-18). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ribbons regarding random selection into the invention of Gibbons for the purpose of making it harder for an attacker to identify the interpreter instructions thereby increasing the security of the system. Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons (US 11741197) in view of Yu (US 20080083012). Claim 12, Gibbons discloses A method for detecting malicious code by an interpreter in a computing device, the method comprising: modifying a translation table referencing an original function name or bytecode of the interpreter to reference a corresponding modified function name or bytecode; (e.g. figs. 1-4, col. 8, ll. 20-27, col. 9, ll. 61-col. 10, ll. 30, col. 11, ll. 8-41, col. 12, ll. 55-col. 13, ll. 38, col. 15, ll. 22-31, col. 19, ll. 24-42, col. 20, ll. 1-21: The code in Snippet 2 has been output as a human-readable intermediate language. The intermediate language can be converted to bytecode. For example, each line in Snippet 2 may be mapped to one or more characters, numbers, or symbols that form bytecode instructions which may be understood by a bytecode interpreter. A particular interpreter may expect each instruction in Snippet 2 to correspond to a particular number. For example, “PUSH_IMMEDIATE_INT” may correspond to the number 14. When the particular interpreter reads the number 14, it executes a “PUSH_IMMEDIATE_INT” instruction. Thus, when executed by an interpreter, the alternate instructions in Snippet 3 perform the same steps as those illustrated by Snippet 2…Snippet 3 is a data structure that comprises bytecode instructions, as well as other information that the interpreter may use for executing the bytecode instructions…bytecode interpreter 140 is programmed or configured to interpret a set of bytecode operations of an ISA. A call to a particular bytecode operation in the set of bytecode operations may cause bytecode interpreter 140 to execute the particular bytecode operation. Executing the particular bytecode operation may comprise executing one or more bytecode interpreter instructions corresponding to the particular bytecode operation. As an example, the set of bytecode operations may include a read operation, a write operation, and an add operation. Bytecode interpreter 140 may include a first function corresponding to the read operation, a second function corresponding to the write operation, and a third function corresponding to the add operation. Assume bytecode instructions 152 includes a call to the add operation. Bytecode interpreter 140 may interpret the call to the add operation and execute the add operation by executing the third function…the computer may store one or more data defining a plurality of functions, where each function corresponding to a respective bytecode operation. The compiler 210 may generate, for each bytecode operation, a set of numbers, letters, and/or characters representing the bytecode operation. The compiler 210 may generate an interpreter that includes the plurality of functions, where the interpreter maps each function to the set of numbers, letters, and/or characters generated for the corresponding bytecode operation. For example, a function may comprise instructions that, when executed, perform a “push” operation. The compiler may generate the character string “yyzz” for representing the “push” operation, and generate one or more instructions that cause the function to be executed when the character string “yyzz” is read from a set of bytecode instructions…the server computer may generate, for each bytecode operation of a plurality of bytecode operations, a set of numbers, letters, and/or characters representing the bytecode operation. The server computer may generate interpreter instructions where each set of numbers, letters, and/or characters causes the interpreter to execute instructions for the corresponding bytecode operation…the set of interpreter instructions and the set of alternate instructions are modified to use the one or more combined operations.) evaluating a program or script; (e.g. figs. 1-4, col. 8, ll. 5-15, col. 8, ll. 55-col. 9, ll. 6: the compiler can transform the JavaScript instructions in methods 122 and 124 into a set of bytecode instructions 152 that conform to the target ISA. For example, the methods 122 and 124 can be compiled to potentially hinder or prevent attackers from identifying the instructions defined in the JavaScript methods 122 and 124…The bytecode interpreter 140 can include one or more sets of bytecode interpreter instructions 142, which may be used to interpret instructions contained in bytecode instructions 152… assume Snippet 1 is a method specified in the JavaScript language and contained in original JavaScript file 120…A compiler may parse Snippet 1, generate one or more data structures based on parsing Snippet 1) executing the program or script by the interpreter; (e.g. figs. 1-4, col. 8, ll. 5-30, col. 11, ll. 15-23: the compiler can transform the JavaScript instructions in methods 122 and 124 into a set of bytecode instructions 152 that conform to the target ISA…the bytecode interpreter 140 can be generated or retrieved in response to receiving original JavaScript file 120. The bytecode interpreter 140 can include one or more sets of bytecode interpreter instructions 142, which may be used to interpret instructions contained in bytecode instructions 152…The bytecode interpreter 140 comprises one or more bytecode interpreter instructions 142 which, when executed by a browser on a client computer, causes the browser to interpret or execute bytecode file 150. In an embodiment, bytecode interpreter 140, when executed by a browser with a JavaScript runtime environment, may configure the runtime environment to interpret or execute bytecode file 150. In an embodiment, bytecode interpreter 140 may be a set of JavaScript instructions.) determining, during execution, that the program or script references the original function name or bytecode; and (e.g. figs. 1-4, col. 8, ll. 5-15, col. 8, ll. 55-col. 9, ll. 64, col. 13, ll. 63-67: the compiler can transform the JavaScript instructions in methods 122 and 124 into a set of bytecode instructions 152 that conform to the target ISA…Snippet 4 is a sequence of bytecode instructions contained in bytecode instructions 152. For the purpose of illustrating a clear example, the bytecode operations are written using human-readable operation and variable names. Snippet 4 Line 01: Push 1 Line 02: Push Var x Line 03: Add . . . Line 11: Push 2 Line 12: Push Var Y Line 13: Add) modifying the program or script to reference the corresponding modified function name or bytecode. (e.g. figs. 1-4, col. 14, ll. 54-col. 15, ll. 3: The compiler may replace one or more instances of a bytecode sequence with a combined bytecode operation corresponding to the sequence. For example, the compiler may generate the following modified bytecode instructions in Snippet 5. Snippet 5 Line 01: Push_Push_Add 1, Var X . . . Line 09: Push_Push_Add 2, Var Y In Snippet 5, the first sequence of operations, from Lines 1-3 of Snippet 4, has been replaced with a single “push_push_add” operation. The two parameters from the “push” operations of the original sequence, “1” and “Var X,” are provided to the combined bytecode operation. Similarly, the second sequence of operations, from Lines 11-13 of Snippet 4, has been replaced with another “push_push_add” operation, with the parameters “2” and “Var Y.”) Although Gibbons discloses evaluating a program or script and modifying the program or script to reference the corresponding modified function name or bytecode (see above), Gibbons does not appear to explicitly disclose but Yu discloses evaluating a program or script to determine if the program or script qualify for runtime morphing and modifying the program or script to reference the corresponding modified function name or bytecode if the program or script qualify for runtime morphing, and not modifying the program or script otherwise (e.g. figs. 3B, 12, ¶53-54, 101, 104: the rewritten script program is part of an instrumented version of the document, and the instrumented version of the document includes hidden script, which is rewritten when the hidden script is generated during run-time. In one embodiment, the instrumentation of higher-order script is handled through an extra level of indirection, as demonstrated in FIG. 3B. During the instrumentation, explicit security events such as load(url) are directly rewritten with code that performs pertinent security checks and user warnings (abstracted by safe-load(url)). However, further events may be hidden in the generated script doc. Without inspecting the content of doc, which is a hardship statically, the doc is fed verbatim to some special code instr. The special code, when executed at "run-time", calls back to the instrumentation process to perform the necessary inspection on the evaluation result of doc. Such a treatment essentially delays some of the instrumentation tasks until "run-time", making it happen on demand…Whenever an action act(A) is identified, the action is redirected to the action interface check(A), trusting the policy module to perform an appropriate replacement action at "run-time". Upon receiving a higher-order script write(E), the document is fed argument E verbatim to a special interface instr(E), whose implementation calls back to the rewriting process at "run-time" after E is evaluated… For instr(E), the purpose is to mark script generation and delay the instrumentation until "run-time". Therefore, its operational semantics evaluate the argument expression and feed it through rewriting.). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Yu into the invention of Gibbons for the purpose of delaying some of the instrumentation tasks until runtime making it happen on demand (Yu, ¶54). Claim 13, Gibbons-Yu discloses The method of claim 12, further comprising trapping calls to the original function name or bytecode, wherein trapping the calls to the original function name or bytecode comprises mapping the original function name or bytecode to a trapping routine that is configured to log the call. (e.g. Gibbons, col. 9, ll. 1-64, col. 11, ll. 24-41, col. 13, ll. 4-26, col. 19, ll. 24-29) Allowable Subject Matter Claim 8 would be allowable if rewritten (a) in independent form including all of the limitations of the base claim and any intervening claims and (b) to overcome the claim objections and 101 and 112(b) rejections set forth above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Johnson (US 20030172293) discloses a method of foiling alien-code attacks (50) in accordance with an embodiment of the present invention. The method (50) comprises the steps of encoding the local machine executable or script (51), and modifying the loader or interpreter (52) such that it is able to read the encoded executable or script. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312. The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TRONG H NGUYEN/Primary Examiner, Art Unit 2436