Detailed Action
This Final Office Action is in response to the amendment filed on 07/22/2025. Claims 1 - 8 have been amended; no claims have been canceled. New claims 9 - 14 have been added. Claims 1 - 14 remain pending in the application.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner Notes
The disclosure is objected to because the abbreviation “NW IF” is used throughout the disclosure without its unabbreviated meaning being specified. Appropriate correction is required in response to this Office Action.
Response to Amendment
The amendment filed on 07/22/2025 has been entered. See the claim status summarized at the beginning of this Office Action.
Response to Arguments
Applicant's remarks regarding the rejections under 35 U.S.C. § 103, filed 05/28/2025, together with the amendment to claims 1 - 8, have been carefully considered and are persuasive. However, upon further consideration, the arguments are moot in view of newly found prior art.
Applicant's remarks regarding the rejections under 35 U.S.C. § 112, filed 05/28/2025, together with the amendment to claims 1 - 8, have been carefully considered and are persuasive. The claim amendments have overcome the rejections under 35 U.S.C. § 112.
Newly added claims 11 - 12 and 14 are rejected under 35 U.S.C. § 112(a) for lack of written description regarding the use of runtime state. The specification provides no support for “runtime”, “abnormal” or “unexpected”.
With respect to Applicant's arguments regarding the remaining dependent claims 2 - 7 on pages 12 - 13 of the remarks, Applicant relies on the newly added limitations of independent claim 1. See the examiner's response above and the detailed rejections below.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 11-12, and 14 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The specification does not use the words “runtime”, “abnormal” or “unexpected”. For examination purposes, the examiner interprets the limitations at issue as part of the analysis performed by the analysis computer, in which the runtime state is analyzed for differences between the current result and a previous result.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 8, and 10 - 14 are rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1, hereafter Kospiah), in view of Walters et al. (US-20190251258-A1, hereafter Walters), and further in view of Vincent et al. (US-20150096022-A1, hereafter Vincent).
Regarding claim 1, Kospiah teaches a malware analysis support system which supports a malware analysis of a user using an analyst computer and an analysis computer (see Kospiah fig. 1 and par. 0026: “include an analysis system 104 (Analyst computer) coupled to or in communication with one or more client system(s) 102 (Analysis computer)”; par. 0029: “the processor 170 may perform operations including receiving a request (e.g., a request 120) from a client system (e.g., the client system(s) 102) to analyze a software component (e.g., malware). To illustrate, an analyst may send the request 120 from the client system(s) 102 to analyze the software component 150 to the analysis system 104”), wherein
the analyst computer comprises a processor connected to a memory and is configured to execute programs stored in the sub storage device to control functions of the analyst computer including inputting analysis conditions of the malware analysis (see Kospiah par. 0026: “The analysis system 104 may also include, be coupled to, or be in communication with a correlation engine 106 and a database 108.”; par. 0027: “The analysis system 104 may include a processor 170 and a memory 180.”; par. 0066: “the correlation analysis data 128 may indicate that executing the other software component had a particular effect in response to particular operating conditions. In this example, the particular procedure may include creating the particular operating conditions to determine whether execution of the software component 150 results in the particular effects. To illustrate, the correlation analysis data 128 may indicate that the other software component attempted to access a particular network after a particular time period (e.g., 1 week) of execution of the other software component.”), inputting analysis purpose information that is information corresponding to a malware analysis purpose included in the analysis conditions and collected through the malware analysis (see Kospiah par. 0032: “the analyst may be interested in analyzing the behavior of the software component 150 on the particular client hardware configuration without putting the actual client device at risk from harmful effects of executing the software component 150”; par. 0042: “the software component 150 may correspond to a particular malware and the other software component may correspond to another malware. The data analyzer 146 may determine similarities and differences between the first monitoring data 184 and the second monitoring data 186. To illustrate, the analyst may be interested in determining whether the particular malware is related to (e.g., is a modified, older, or newer version of) the other malware.”), and displaying an analysis procedure of the malware analysis (see Kospiah par. 0091: “an analysis creation user interface that may be displayed by the system of FIG. 1. The analysis creation user interface 500 may include a title identifying a software component (e.g., the software component 150), may include one or more analysis options to indicate tools to analyze the software component, may include one or more reports options to indicate report formats for results of the analysis, and may include a submit input for submitting one or more selections of the options.”; par. 0094: “the analysis creation user interface 500 may enable the analyst to specify particular analysis tools to be used to analyze the software component. The analyst may also specify particular standardized reporting formats for the results of the analysis. The analysis creation user interface 500 may allow changes of the system 100 to be easily conveyed to the analyst.”).
Kospiah fails to explicitly disclose, but Walters teaches, the analysis computer comprises a processor connected to a memory and is configured to execute programs stored in the sub storage device to control functions of the analysis computer including executing a process for calculating the analysis procedure to be recommended to the user on a basis of the analysis conditions, the analysis purpose information, a past analysis procedure, and a current analysis procedure, [wherein the analysis procedure is calculated by determining similarity between the past analysis procedure and the current analysis procedure using specific criteria including the analysis purpose information, an analysis environment, a family name, and the current analysis procedure,] (see Walters par. 0030: “Some embodiments described herein may provide at least one processing device for cyber intrusion investigations, the at least one processing device comprising: at least one processor; a memory having instructions stored therein for execution by the at least one processor; a storage device for storing data;”; par. 0088: “FIG. 1B illustrates an exemplary architecture of an analysis system that may be used to interrogate, manage, and/or evaluate the live runtime state information from one or more computing machines 108 or runtime state information previously collected (e.g., across an enterprise) for indications of abnormal conditions. In some embodiments, the analysis system may also be configured to archive and track changes in the state of one or more computing machines 108 over time that may indicate abnormal conditions.”; par. 0101-0102: “example, via a workstation, the user (e.g., Analyst A, B, and/or C) may specify a memory source at operation 400 and may specify a type of investigation at operation 402. In some embodiments, from the graphical user interface 130, a user may select either a local or remote file containing a sample of memory, or they may specify a remote computing machine's live memory to access. Then the user may specify a particular type of investigation or workflow the user is planning to perform.” “Exemplary process for detecting and analyzing one or more computer systems that may be suspected of, or exhibiting, indications of anomalous conditions by collecting and comparing state information over time in accordance with some embodiments described herein. In some embodiments, this may enable a user to compare the current runtime state of the computing machine to that of a previous point in time. Such a comparison may be desirable for helping determine when an unexpected change may have taken place or for having a baseline to identify later arising anomalies. For example, a user may identify that a set of kernel modules or processes were not running when the computing machine was originally installed and thus warrant further investigation. As illustrated, in some embodiments, the process may begin with a user identifying a particular computing machine via a workstation at operation 500. A system model, including e.g., the hardware profiles, the operating system profiles, and/or the application profiles, of the specified computing machine may be loaded into the computing machine at operation 502. An analysis engine on the computing machine may analyze memory data of the computing machine at operation 504 and may compare memory resident artifacts with a previous analysis at operation 506 based on a provided historical analysis database 508. In some embodiments, changes in a runtime state may be denoted in operation 510 and the changes may be archived in operation 512 in the historical analysis database 508. Operations 500-512 may be repeated in a predefined manner to continue to compare resident artifacts with a previous analysis (see par. 0060)”), and
the processor of the analyst computer recommends, to the user, the analysis procedure calculated by the processor of the analysis computer (see Walters par. 0105: “the state information and/or query results (e.g., artifacts) derived from the runtime state information (e.g., memory information) may be stored within a database that can be indexed, distributed among users for collaborative analysis, or archived for future comparisons. Once the data has been extracted, the system may provide a graphical user interface and/or scriptable interface to enable a user to formulate”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Kospiah's teaching to “facilitate analysis of software components. A software component may be analyzed in a virtual machine implementing a requested operating environment that represents a client operating environment. Collective evaluation of the software component may be facilitated by recommending procedures to analyze the software component based on information regarding other evaluations.” (see Kospiah par. 009) with Walters' teaching that “the RPC communication module may enable the system to be decoupled to take advantage of high-powered hardware that may be located remotely relative to the user. The RPC communication module 138 on the extraction and analysis server 140 may be configured to accept queries from the user interface related to what analysis should be performed and may provide information about the status of that analysis back to the user.” (see Walters par. 0091).
Although Walters teaches that the analysis computer comprises a processor connected to a memory and is configured to execute programs stored in the sub storage device to control functions of the analysis computer including executing a process for calculating the analysis procedure to be recommended to the user on a basis of the analysis conditions, the analysis purpose information, a past analysis procedure, and a current analysis procedure, Kospiah as modified by Walters does not explicitly disclose, but Vincent teaches, wherein the analysis procedure is calculated by determining similarity between the past analysis procedure and the current analysis procedure using specific criteria including the analysis purpose information, an analysis environment, a family name, and the current analysis procedure (see Vincent par. 0019: “Techniques for malware detection (analysis procedure) using intelligent static analysis and dynamic analysis are described herein. According to one embodiment, a malware detection system includes (calculated), but is not limited to, a first analysis module (e.g., a static analysis module), a second analysis module (e.g., a dynamic analysis module), a malware classifier, and a controller.”; par. 0025-0027: “A static analysis may include signature match (family name), protocol semantics anomalies check, source reputation check, malware source blacklist or whitelist checking, and/or emulation. Dynamic analysis module 103 is to perform a dynamic analysis on the specimen, including monitoring behaviors of the specimen 180 during its virtual execution (analysis environment) to detect any unexpected behaviors having one or more anomalies. Malware classifier 105 is to classify (analysis purpose) whether the specimen is likely malicious based on the results of the static analysis and dynamic analysis, and other information such as information stored in the intelligence store 110… The intelligence information stored in the intelligence store 110 includes a variety of information obtained during the current malware detection (current analysis) session and prior malware detection sessions (if any), and/or other information received or updated from other information sources, such as external analysis data and control server 120 in the cloud (e.g., over the Internet)… controller 106 may be equipped with a logger to log all the events or activities occurred during the processes of the respective components. The logged information may also be stored in intelligence store 110 and accessible by all components. As a result, each of the components of the malware detection system has all the intelligence information available from the intelligence store 110 during the corresponding stage of processes and it can perform a more comprehensive and accurate analysis in view of all the intelligence information generated from the past and current malware detection sessions (similarity between past and current analysis).”; par. 0032: “controller 106 may determine an operating system and version thereof, an application and version thereof for the virtual environment of the dynamic analysis.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Kospiah in view of Walters, as described above, with Vincent's teaching that “As a result, embodiments of the invention may perform malware detection with greater flexibility in the conduct of the analysis, and realize greater efficiencies with improved efficacy in detecting malware than in known two-phase malware detection solutions.” (see Vincent par. 0023).
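The limitation at issue above, calculating the analysis procedure to be recommended by determining similarity between a past analysis procedure and the current one on the basis of the analysis purpose information, the analysis environment, a family name and the current procedure, can be illustrated with a worked example. The following Python block is added here for illustration only; it is not code from the applicant's specification or from Kospiah, Walters or Vincent. The criterion weights, the similarity threshold and the procedure records are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Procedure:
    """One analysis procedure record.
    All records below are constructed sample data, not taken from any cited reference."""
    purpose: str        # analysis purpose information, e.g. "variant-check"
    environment: str    # analysis environment, e.g. "win10-x64-vm"
    family: str         # malware family name; "" when not yet known
    steps: tuple        # ordered analysis steps recorded for this procedure


# Relative weight of each criterion. These weights are an illustrative assumption.
WEIGHTS = {"purpose": 0.35, "environment": 0.15, "family": 0.25, "steps": 0.25}

# Constructed "past analysis procedure" records.
HISTORY = [
    Procedure("variant-check", "win10-x64-vm", "emotet",
              ("static-strings", "imphash", "dynamic-run", "network-capture", "compare-samples")),
    Procedure("c2-extraction", "win10-x64-vm", "trickbot",
              ("unpack", "memory-dump", "config-parse")),
    Procedure("variant-check", "linux-vm", "mirai",
              ("static-strings", "dynamic-run", "compare-samples")),
]


def step_similarity(current: tuple, past: tuple) -> float:
    """Jaccard similarity of the two step sets (order is ignored)."""
    a, b = set(current), set(past)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(current: Procedure, past: Procedure) -> float:
    """Weighted similarity over purpose, environment, family name and current steps."""
    score = WEIGHTS["purpose"] * (current.purpose == past.purpose)
    score += WEIGHTS["environment"] * (current.environment == past.environment)
    # An unknown family name on either side is no evidence for or against a match.
    if current.family and past.family:
        score += WEIGHTS["family"] * (current.family == past.family)
    score += WEIGHTS["steps"] * step_similarity(current.steps, past.steps)
    return round(score, 4)


def recommend(current: Procedure, history: list, threshold: float = 0.5):
    """Pick the most similar past procedure and return (past, score, remaining_steps),
    where remaining_steps are the steps of that past procedure the analyst has not yet
    taken, in the past procedure's order. Returns None when no past procedure is
    similar enough to justify a recommendation."""
    if not history:
        return None
    best = max(history, key=lambda p: similarity(current, p))
    score = similarity(current, best)
    if score < threshold:
        return None
    done = set(current.steps)
    remaining = tuple(s for s in best.steps if s not in done)
    return best, score, remaining


if __name__ == "__main__":
    current = Procedure("variant-check", "win10-x64-vm", "emotet", ("static-strings", "imphash"))
    print(recommend(current, HISTORY))
```

For the constructed input above the first record scores highest (purpose, environment and family all match, and two of its five steps are already done), so the recommendation is its three remaining steps. A current procedure with no family name and a purpose that matches nothing well stays below the threshold and yields no recommendation, which is the case a recommender must handle rather than always returning its least-bad match.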
Regarding claim 8, claim 8 is directed to a method reciting limitations corresponding to those of claim 1. Therefore, claim 8 is rejected for the same reasons as set forth in the rejection of claim 1 above.
Regarding claim 10, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, and Walters further teaches wherein the analysis computer includes a plugin module configured to communicate with multiple external security services using remote application programming interface (API) communication (see Walters par. 0090: “investigator workstations 100 (analysis computer) may be coupled to the data analytics platform 112 and configured to enable a user to interface with the systems, methods, and/or devices described herein. The investigator workstation may include a graphical user interface 130 (plugin module), one or more whitelists databases 132, remote procedure call (RPC) communication modules 136, 138, extraction and analysis server 140, one or more algorithms databases 142, one or more profiles databases 144, and one or more memory samples databases 146.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with Walters' teaching that “a method is performed comprising: communicating with at least one remote processing device via a secure web services application program interface, providing a graphical user interface for formulating queries and displaying artifacts related to anomalous conditions, providing storage for whitelists and detected anomalies, the whitelists comprising information related to normal known, or trusted, conditions, and requesting and receiving information regarding artifacts and data structures found in a memory sample.” (see Walters par. 0030).
Regarding claim 11, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, and Walters further teaches wherein the analysis computer is configured to track changes in runtime state of one or more computing machines over time to detect abnormal conditions (see Walters par. 0088: “an analysis system that may be used to interrogate, manage, and/or evaluate the live runtime state information from one or more computing machines 108 or runtime state information previously collected (e.g., across an enterprise) for indications of abnormal conditions. In some embodiments, the analysis system may also be configured to archive and track changes in the state of one or more computing machines 108 over time that may indicate abnormal conditions.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with Walters' teaching that “The present disclosure describes processor-implemented systems, methods, and/or devices for evaluating, analyzing, and visualizing abnormal conditions. For example, the systems, methods, and/or devices for evaluating, analyzing, and visualizing abnormal conditions described herein may operate to detect abnormal conditions in a system's runtime state across one or more computing machines.” (see Walters par. 0079).
Regarding claim 12, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, and Walters further teaches wherein the analysis computer is configured to compare a current runtime state of a computing machine to a previous point in time to identify unexpected changes (see Walters par. 0102: “an exemplary process for detecting and analyzing one or more computer systems that may be suspected of, or exhibiting, indications of anomalous conditions by collecting and comparing state information over time in accordance with some embodiments described herein. In some embodiments, this may enable a user to compare the current runtime state of the computing machine to that of a previous point in time. Such a comparison may be desirable for helping determine when an unexpected change may have taken place or for having a baseline to identify later arising anomalies… An analysis engine on the computing machine may analyze memory data of the computing machine at operation 504 and may compare memory resident artifacts with a previous analysis at operation 506 based on a provided historical analysis database 508. In some embodiments, changes in a runtime state may be denoted in operation 510 and the changes may be archived in operation 512 in the historical analysis database 508. Operations 500-512 may be repeated in a predefined manner to continue to compare resident artifacts with a previous analysis.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with Walters' teaching that “unique challenges with performing runtime state analysis and including memory resident artifacts may be that the analysis and the methods used to detect abnormal conditions may be tied closely to particular versions of the operating system and the applications that are running on the computing machine. In addition, these operating systems and applications may be frequently updated to address security concerns or add new features. In contrast, traditional systems (e.g., anti-virus, etc.) that depend on analyzing files or parsing file systems formats rarely ever change. As a result, the systems, methods, and/or devices described herein may be designed to adapt (e.g., automatically adapt) as software is updated, as new applications are introduced, and/or as new operating systems are installed.” (see Walters par. 0128).
Regarding claim 13, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, and Walters further teaches wherein the analysis computer is configured to store analysis results in a database that can be indexed and distributed among users for collaborative analysis (see Walters par. 0105: “the state information and/or query results (e.g., artifacts) derived from the runtime state information (e.g., memory information) may be stored within a database that can be indexed, distributed among users for collaborative analysis, or archived for future comparisons.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with Walters' teaching that “the detections may help automate the identification of certain types of artifacts. In some embodiments, this type of detection may be beneficial if the user desires to perform a particular type of investigation. In some embodiments, the types of detections may include scripts, database queries, byte sequence signatures, string matching, registry keys/values, and/or whitelists. The scripts may include e.g. python scripts that may query the data (e.g., the one or more databases). In some embodiments, the systems, methods, and/or devices described herein may enable a user to query the database and then perform a desired action (e.g., actions enabled by Python) with the data.” (see Walters par. 0120-0121).
Regarding claim 14, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, and Walters further teaches wherein the analysis computer includes a plugin module configured to communicate with multiple external security services using remote application programming interface (API) communication (see Walters par. 0090: “investigator workstations 100 (analysis computer) may be coupled to the data analytics platform 112 and configured to enable a user to interface with the systems, methods, and/or devices described herein. The investigator workstation may include a graphical user interface 130 (plugin module), one or more whitelists databases 132, remote procedure call (RPC) communication modules 136, 138, extraction and analysis server 140, one or more algorithms databases 142, one or more profiles databases 144, and one or more memory samples databases 146.”), and
wherein the analysis computer is programmed to:
track changes in runtime state of one or more computing machines over time to detect abnormal conditions (see Walters par. 0088: “an analysis system that may be used to interrogate, manage, and/or evaluate the live runtime state information from one or more computing machines 108 or runtime state information previously collected (e.g., across an enterprise) for indications of abnormal conditions. In some embodiments, the analysis system may also be configured to archive and track changes in the state of one or more computing machines 108 over time that may indicate abnormal conditions.”);
compare a current runtime state of a computing machine to a previous point in time to identify unexpected changes (see Walters par. 0102: “an exemplary process for detecting and analyzing one or more computer systems that may be suspected of, or exhibiting, indications of anomalous conditions by collecting and comparing state information over time in accordance with some embodiments described herein. In some embodiments, this may enable a user to compare the current runtime state of the computing machine to that of a previous point in time. Such a comparison may be desirable for helping determine when an unexpected change may have taken place or for having a baseline to identify later arising anomalies… An analysis engine on the computing machine may analyze memory data of the computing machine at operation 504 and may compare memory resident artifacts with a previous analysis at operation 506 based on a provided historical analysis database 508. In some embodiments, changes in a runtime state may be denoted in operation 510 and the changes may be archived in operation 512 in the historical analysis database 508. Operations 500-512 may be repeated in a predefined manner to continue to compare resident artifacts with a previous analysis.”); and
store analysis results in a database that can be indexed and distributed among users for collaborative analysis (see Walters par. 0105: “the state information and/or query results (e.g., artifacts) derived from the runtime state information (e.g., memory information) may be stored within a database that can be indexed, distributed among users for collaborative analysis, or archived for future comparisons.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with the teachings of Walters described above with respect to claims 10, 11, 12, and 13.
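The runtime-state limitations of claims 11 through 14, as the examiner interprets them above (tracking changes in the runtime state of a machine over time, comparing the current state with a previous point in time to identify unexpected changes, and archiving the results in an indexable database shared among users), can be illustrated with a worked example. The following Python block is added here for illustration only; it is not code from Walters, from any other cited reference, or from the applicant's specification. The snapshot contents, the whitelist and the database schema are constructed assumptions; a real collector would derive the snapshots from a memory sample or the live operating system.

```python
import json
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Runtime-state summary of one computing machine at one point in time.
    The snapshots below are constructed sample data, not collected from a real host."""
    host: str
    taken_at: str          # ISO-8601 timestamp
    processes: frozenset   # (image name, image path)
    modules: frozenset     # kernel module names
    listeners: frozenset   # (protocol, port)


CATEGORIES = ("processes", "modules", "listeners")

# Constructed baseline taken at install time and a later snapshot of the same host.
BASELINE = Snapshot(
    "ws-17", "2025-01-10T08:00:00Z",
    frozenset({("explorer.exe", r"C:\Windows\explorer.exe"),
               ("svchost.exe", r"C:\Windows\System32\svchost.exe")}),
    frozenset({"ntoskrnl.exe", "tcpip.sys"}),
    frozenset({("tcp", 445)}),
)
LATER = Snapshot(
    "ws-17", "2025-02-03T08:00:00Z",
    frozenset({("explorer.exe", r"C:\Windows\explorer.exe"),
               ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
               ("updater.exe", r"C:\Program Files\Vendor\updater.exe"),   # known update
               ("svchost.exe", r"C:\Users\Public\svchost.exe")}),         # masquerading copy
    frozenset({"ntoskrnl.exe", "tcpip.sys", "unknown.sys"}),
    frozenset({("tcp", 445), ("tcp", 4444)}),
)
# Whitelist of normal, known or trusted items that must not be reported as unexpected.
WHITELIST = {("updater.exe", r"C:\Program Files\Vendor\updater.exe")}


def open_archive() -> sqlite3.Connection:
    """Historical analysis database: every detected change is archived and indexed by host and time."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE changes (host TEXT, taken_at TEXT, category TEXT, "
               "kind TEXT, item TEXT, whitelisted INTEGER)")
    db.execute("CREATE INDEX idx_changes_host_time ON changes (host, taken_at)")
    return db


def diff_state(prev: Snapshot, cur: Snapshot, whitelist: set) -> list:
    """Compare the current runtime state with the previous point in time.
    Returns (category, kind, item, whitelisted) tuples, kind being 'added' or 'removed'.
    Whitelisted items are still returned so that the archive stays complete."""
    changes = []
    for category in CATEGORIES:
        before, after = getattr(prev, category), getattr(cur, category)
        for item in sorted(after - before, key=repr):
            changes.append((category, "added", item, item in whitelist))
        for item in sorted(before - after, key=repr):
            changes.append((category, "removed", item, item in whitelist))
    return changes


def track(db: sqlite3.Connection, prev: Snapshot, cur: Snapshot, whitelist: set) -> list:
    """Diff two snapshots, archive every change, and return only the unexpected
    (non-whitelisted) changes as (category, kind, item)."""
    changes = diff_state(prev, cur, whitelist)
    db.executemany(
        "INSERT INTO changes VALUES (?, ?, ?, ?, ?, ?)",
        [(cur.host, cur.taken_at, cat, kind, json.dumps(item), int(wl))
         for cat, kind, item, wl in changes])
    db.commit()
    return [(cat, kind, item) for cat, kind, item, wl in changes if not wl]


def _decode(text: str):
    """Undo the JSON encoding used in the archive (tuples come back as lists)."""
    value = json.loads(text)
    return tuple(value) if isinstance(value, list) else value


def history(db: sqlite3.Connection, host: str) -> list:
    """Indexed lookup of archived changes for a host, e.g. for collaborative review
    or as the baseline for the next comparison."""
    rows = db.execute(
        "SELECT taken_at, category, kind, item, whitelisted FROM changes "
        "WHERE host = ? ORDER BY taken_at", (host,)).fetchall()
    return [(t, c, k, _decode(i), bool(w)) for t, c, k, i, w in rows]


if __name__ == "__main__":
    db = open_archive()
    for change in track(db, BASELINE, LATER, WHITELIST):
        print("unexpected:", change)
    print(len(history(db, "ws-17")), "changes archived")
```

Running the block reports three unexpected changes (a second svchost.exe running from a user-writable path, a new kernel module, and a new listening port) while the whitelisted updater is archived but not flagged; comparing a snapshot with itself yields nothing, which is the baseline case the repeated operations 500-512 quoted above rely on.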
Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1, hereafter Kospiah), in view of Walters et al. (US-20190251258-A1, hereafter Walters), in view of Vincent et al. (US-20150096022-A1, hereafter Vincent), and further in view of Falk et al. (US-9021260-B1, hereafter Falk).
Regarding claim 2, Kospiah in view of Walters and Vincent teaches the malware analysis support system according to claim 1, wherein Kospiah further teaches the processor of the analyst computer is further configured to present the calculated recommended analysis purpose information to the user and accept the analysis purpose information input by the user on the basis of the recommended analysis purpose information (see Kospiah par. 0132: “the analysis manager 144 of FIG. 1 may initiate display of a plurality of analysis options including the recommended procedures by sending the analysis data 130 to the client system(s) 102. The analysis data 130 may indicate the recommended procedures. In response to the analysis data 130, the client system(s) 102 may display the plurality of analysis options. The analyst may select one or more of the analysis options. The client system(s) 102 may send data indicating the selected one or more analysis options to the analysis manager 144. The data analyzer 146 may analyze the software component 150 based on the selected one or more analysis options.”).
Kospiah in view of Walters and Vincent is silent on the following limitation, which Falk however teaches: the processor of the analysis computer is further configured to calculate recommended analysis purpose information for being recommended to the user on the basis of the analysis purpose information input by the processor of the analyst computer (see Falk col. 11, lines 7-24: “If the system determines that the file data item was previously received, at block 116 the system provides a previously determined analysis to the analyst and notifies the analyst… the system may retrieve a previous analysis of the previously submitted file data item from a data store of the system, and as shown at block 114 provide a user interface to the analyst with the previous analysis information a new submission data item associated with the current submission is generated by the system and associated with the previously submitted file data item. The submission data item may include, for example, the various information provided in the user interface of FIG. 2A. Generation and association of submission data items in connection with each submission by a user enables the system to determine all instances of particular file data items being submitted to the system, associate those instances with the file data item, and present that information to the analyst.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the malware analysis support system of Kospiah in view of Walters and Vincent according to claim 1 with Falk's teaching that “The system may generate a submission data item with each submission of a file data item, which submission data item may be associated with the submitted file data item. The system may automatically determine whether or not a particular submitted data item was previously submitted to the system and, if so, may associate a new submission data item with the previously submitted file data item.” (see Falk col. 2, lines 4-10).
Regarding claim 3, Kospiah in view of Walters, Vincent and Falk teach the malware analysis support system according to claim 2, wherein
the processor of the analyst computer is further configured to track work in the analyst computer and automatically create the current analysis procedure. (See Falk Col. 1 lines 46-62: “analysis system ( also referred to herein as "the system") that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) ( also referred to herein as file data item(s)) may include one or more automatic analysis techniques. Automatic analysis of a file data item may include production and gathering of various items of information… The analysis information items may be automatically associated with the file data item, and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the file data item.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters, Vincent and Falk of the malware analysis support system according to claim 2 with Falk's teaching that “The analysis information items may be automatically associated with the file data item, and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the file data item. For example, the analyst may quickly determine one or more characteristics of the file data item, whether or not the file data item is malware.”, (see Falk Col. 1 lines 58-62).
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1 hereafter Kospiah), in view of Walters et al. (US-20190251258-A1 hereafter Walters), in view of Vincent et al. (US-20150096022-A1 hereafter Vincent), in view of Falk et al. (US-9021260-B1 hereafter Falk), in further view of Seul et al. (US-20200336497-A1 hereafter Seul).
Regarding claim 4, Kospiah in view of Walters, Vincent and Falk teach the malware analysis support system according to claim 3, but fail to teach wherein
the processor of the analysis computer is further configured to predefine a method of executing a part of the analysis procedure and automatically execute the analysis procedure according to the predefined method of execution.
However, Seul teaches wherein the processor of the analysis computer is further configured to predefine a method of executing a part of the analysis procedure and automatically execute the analysis procedure according to the predefined method of execution. (See Seul par.0013: “The system may
comprise a receiving unit adapted for receiving a sequence of security events and a determination unit adapted for determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of the cyber-attack chain.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters, Vincent and Falk of the malware analysis support system according to claim 3 with Seul's teaching that “According to one advantageous embodiment of the method, the set of rules may use information about malware attribute enumeration and characterization-known as MEAC-and structured threat information expressions known as STIX. Thereby, the relational references between the indicator of compromise and attack patterns that are part of a cyber-attack chain may be used. The related information may be set to a repository being accessible by the proposed method and/or the related system.”, (see Seul par.0021).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1 hereafter Kospiah), in view of Walters et al. (US-20190251258-A1 hereafter Walters), in view of Vincent et al. (US-20150096022-A1 hereafter Vincent), in view of Falk et al. (US-9021260-B1 hereafter Falk), in further view of Crabtree et al. (US-20220224723-A1 hereafter Crabtree).
Regarding claim 5, Kospiah in view of Walters, Vincent and Falk teach the malware analysis support system according to claim 2, wherein Kospiah in view of Walters, Vincent and Falk appear to be silent on
the processor of the analysis computer is further configured to create an analysis report on the basis of a result of the malware analysis and present the analysis report to the user.
However, Crabtree teaches the processor of the analysis computer is further configured to create an analysis report on the basis of a result of the malware analysis and present the analysis report to the user. (See Crabtree par.0030: “using a malware detection system; correlating maliciously classified packets from a malware detection system, with known malicious behavior, using a security logic engine; analyzing the risk of detected malware, using a security logic engine; and reporting the malware to administrators, using a security logic engine.”, par.0180: “Scoring logic 3870 may be used to score specific packets that are detected as being of interest or potentially malicious based on the results of dynamic or static analyses 3820, 3840 which may be specified manually by administrators or which may be programmatically specified by machine learning algorithms operating in the heuristic engine 3835 and event logic 3862 for determining how serious or fatal a given packet of data might be. The score is then classified with a classifying engine 3880 and sent to an indicator generator 3885 to develop an indicator that may be used to recognize similar data packets if it was not picked up initially by the static analysis 3820, or which may be skipped over if it was already detected by the indicator scanner 3830. In this way, both static analyses and dynamic testing and simulations may be performed to try to find malware being distributed over networks and between devices on networks, in an evolving and efficient manner. A security logic engine 3900 may be alerted by a reporting engine 3890 which may alert an external or internal security logic engine 3900, and either additionally or alternatively forward the results of the analyses, scanning, scoring, and classifying, to other devices on the network or to network administrators.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters, Vincent, and Falk of the malware analysis support system according to claim 2 with Crabtree's teaching that “Cybersecurity defensive recommendations implemented on the real-world networked system can be reflected in the system model, and a new round of machine learning simulations can be run to identify new attack strategies that may be used on the changed system. This iterative machine learning process narrows the possible avenues of attack on a networked system, first identifying attack strategies with a high likelihood of success and large impacts, and in each subsequent iteration identifying attack strategies with lower and lower likelihoods of success. The recommendation engine provides the cost-benefit analysis to determine at what point it no longer makes economic sense to implement defensive strategies in certain directions.”, (see Crabtree par.0084).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1 hereafter Kospiah), in view of Walters et al. (US-20190251258-A1 hereafter Walters), in view of Vincent et al. (US-20150096022-A1 hereafter Vincent), in view of Falk et al. (US-9021260-B1 hereafter Falk), in view of Crabtree et al. (US-20220224723-A1 hereafter Crabtree), in further view of Yang et al. (US-20220070185-A1 hereafter Yang).
Regarding claim 6, Kospiah in view of Walters, Vincent, Falk, and Crabtree teach the malware analysis support system according to claim 5, but fail to teach wherein
the processor of the analysis computer is further configured to cooperate with an external security device on the basis of the result of the malware analysis.
However, Yang teaches wherein
the processor of the analysis computer is further configured to cooperate with an external security device on the basis of the result of the malware analysis.
(See Yang par.0048-0049: “The plugin program module (80-1, 80-2, 80-N) can carry out a remote API communication with various external security services (90) and/or various unit security systems (10; for example, NAC (96), firewall (97) and the like). plugin program module can be provided for each security solution or each security unit. Alternatively, single plugin program module can be provided to carry out the remote API communication with a plurality of security solutions or security units. The security service in this specification is an external security intelligence service that a security analyst uses to determine whether the threat detected from basic security-associated data (for example, log data) is a real threat to the system.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters, Vincent, Falk, and Crabtree of the malware analysis support system according to claim 5 with Yang's teaching that “The inquiry about IP reputation is for checking whether an external IP which is accessed from within has attacked other organization. The IP in the ticket is extracted and then API of the security solution called by the plugin program module checks the reputation of the external IP.”, (see Yang par.0037).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1 hereafter Kospiah), in view of Walters et al. (US-20190251258-A1 hereafter Walters), in view of Vincent et al. (US-20150096022-A1 hereafter Vincent), in further view of Zaitsev et al. (US-20130247193-A1 hereafter Zaitsev).
Regarding claim 7, Kospiah in view of Walters and Vincent teach the malware analysis support system according to claim 1, wherein Kospiah in view of Walters and Vincent fail to explicitly teach that the processor of the analyst computer calculates a progress ratio of the analysis procedure from the past analysis procedure and the current analysis procedure, and presents the calculated progress ratio to the user.
However, Zaitsev explicitly teaches the processor of the analyst computer calculates a progress ratio of the analysis procedure from the past analysis procedure and the current analysis procedure, and presents the calculated progress ratio to the user. (See Zaitsev par.0051: “the treatment scenario execution module 120 has executed the received computer treatment scenario, the inspection module 110 will create a follow-up inspection log and will send it to the log analyzer module 140. The log analyzer module 140 analyzes the follow-up inspection log in order to determine the activity of malicious applications need for any further removal of both malicious applications themselves and effects of their operation. Also, the log analyzer module 140 can send information on the objects related to the malicious applications to the effectiveness calculation module 130, which contains saved information on the objects found during the previous inspection log analysis. By comparing information on the objects related to malicious applications found during the current analysis of the inspection log and the analysis of the previous iteration's inspection log, the effectiveness calculation module 130 determines the treatment effectiveness.”, par.0052: “Where X1 is the number of objects related to malicious applications found during the previous iteration of the computer 100 scan, and X2 is the number of objects related to malicious applications found during the current iteration of the computer 100 scan.”, par.0059: “There may be a situation in which the system determines that the computer system cannot be effectively treated without resulting in the risk of side effects being above the set threshold. In this case, the user can be notified about the proposed treatment.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters and Vincent of the malware analysis support system according to claim 1 with Zaitsev's teaching that “After the assessment of the treatment effectiveness, the effectiveness calculation module 130 determines the need for further treatment of the computer 100 by comparing the treatment effectiveness with a preset threshold, which can be either set empirically by experts, or automatically modified based on the statistics gathered in the malware knowledge base 190. For example, if the treatment effectiveness calculated using the formula above equals 1, it means that all objects related to malicious applications were removed and/or modified, and no further treatment is required.”, (see Zaitsev par.0054).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Kospiah et al. (US-20150019915-A1 hereafter Kospiah), in view of Walters et al. (US-20190251258-A1 hereafter Walters), in view of Vincent et al. (US-20150096022-A1 hereafter Vincent), in view of Thomas et al. (US-10530802-B2 hereafter Thomas), in further view of Jacob et al. (US-20080266250-A1 hereafter Jacob).
Regarding claim 9, Kospiah in view of Walters and Vincent teach the malware analysis support system according to claim 1, but appear to be silent on the analysis conditions. However, Thomas teaches wherein the analysis conditions comprise at least one of an analysis purpose, a sample hash, an analysis environment, a sample family, [an analyst identifier, and an analyst skill level]. (See Thomas Col. 4 lines 50-60: “the system receives input(s) (e.g., malicious files) and a set of user preferences. The system performs an initial static analysis on the file or files and then dispatches the file or files to a physical machine, virtual machine, or emulator for dynamic analysis. The analysis engine uses forensic tools and techniques to determine what changed on the file system, registry, and in memory. The analysis engine scans for rootkits (described in more detail below in relation to the rootkit component) and inserts the data in the database (purpose). The website allows users to browse and interact with reports.”, Col. 5 lines 10-14: “embodiments may utilize one or more of the following components: a web site that customers can log into to submit malware samples (sample family); a group of re-usable virtual machines (environment) and physical machines on which to execute the malware samples and/or other files;”, Col. 6 lines 48-52: “Pre-processing tasks can be performed such as scanning the file with antivirus signatures, determining the file type, detecting packers (i.e., methods to obfuscate the file), and computing cryptographic hashes (hash) to determine if the file is already in the database.”).
Although Thomas teaches that the analysis conditions comprise at least one of an analysis purpose, a sample hash, an analysis environment, and a sample family, Kospiah in view of Walters and Vincent as modified by Thomas does not explicitly disclose an analyst identifier and an analyst skill level. However, Jacob teaches an analyst identifier and an analyst skill level. (See Jacob par.0027: “in some embodiments the received information may be analyzed to gauge one or more of the user's response (analyst identifier) times in the simulation. That is, the time it takes the user to respond to events in the simulation may be measured. Such measurements may be an indication of the user's level of skill (analyst skill level)”, par.0030: “at least an indication of the user's level of skill is formed based on the analysis of the received information… a review may lead to trends in the user's responses being identified.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Kospiah in view of Walters and Vincent of the malware analysis support system according to claim 1 with the teaching of Thomas described above, along with Jacob's teaching of “an indication that the user's level of skill is lower than the simulation's current level of difficulty setting. As such, the difficulty level of the simulation is adjusted to make the simulation easier because a decreased level of difficulty appears to be more suitable for the user”, (see Jacob par.0031).
Conclusion
The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure:
SUGIMOTO et al. (US 20210029153 A1) describes a processing procedure related to the vulnerability detection processing. Here, the vulnerability detection processing of the vulnerability detector will be mainly described. Such processing needs to be executed in advance before (at least immediately before) the threat analysis processing is performed in the threat analysis server. In addition, since the system information (information obtained from the administration target device 101), the vulnerability information (information obtained from the vulnerability information disclosing organization), and the like are approximately subjected to addition, update, or the like in the administration target device and the vulnerability i