Prosecution Insights
Last updated: April 19, 2026
Application No. 18/530,422

MALWARE EVOLUTION FOR PROACTIVE CYBER DEFENSE

Non-Final OA: §101, §112
Filed: Dec 06, 2023
Examiner: ROBINSON, CHRISTOPHER B
Art Unit: 2443
Tech Center: 2400 — Computer Networks
Assignee: Cytomate Solutions And Services
OA Round: 1 (Non-Final)
Grant Probability: 89% (Favorable)
OA Rounds: 1-2
To Grant: 2y 2m
With Interview: 96%

Examiner Intelligence

Grants 89% — above average
Career Allow Rate: 89% (422 granted / 472 resolved; +31.4% vs TC avg)
Interview Lift: +6.4% (Moderate +6% lift; resolved cases with interview)
Typical timeline, Avg Prosecution: 2y 2m (27 currently pending)
Career history, Total Applications: 499 (across all art units)

Statute-Specific Performance

§101: 9.4% (-30.6% vs TC avg)
§103: 60.0% (+20.0% vs TC avg)
§102: 18.6% (-21.4% vs TC avg)
§112: 5.1% (-34.9% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 472 resolved cases

Office Action

§101 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112

Claim(s) 1 & 8 is/are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The claim recites:

1) “automatically creating malware variants…” The specification does not provide sufficient detail to reasonably convey possession of how the system automatically creates malware variants beyond generic statement of modifying sub-techniques. No algorithm, data structures or transformation logic is described.

2) “identifying sub-techniques and procedures within the malware scenario or campaign” The specification does not identify any algorithm, parsing mechanism, rule set or behavioral ontology capable of identifying sub-techniques.

3) “changing the sub-techniques or their procedure without changing the techniques to obtain the modified variants” The specification does not explain how sub-techniques can be modified while guaranteeing the higher level technique remains unchanged, nor describe structures ensuring such preservation.

4) “running the test case against each variant to validate the existence of the core behavior of the malware” The specification does not sufficiently disclose how validation is performed, what constitutes “core behavior” or how the results are interpreted.

Claim(s) 1 & 8 is/are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement.
The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. The claim states “identifying sub-techniques”, “changing the sub-technique”, “core behavior” and “risk” within a malware sample. The specification references MITRE ATT&CK sub-techniques but provides no method for mapping real code or behavior to these constructs. There is no mechanism for changing sub-techniques while preserving technique-level behavior. No rules, constraints, parameters, or examples are stated or provided. In addition, there is a lack of an algorithm or process for validating “core behavior”. The specification only describes executing test cases at a high level, without disclosing validation logic, behavior comparison and success/failure condition. There is no method for computing or comparing “risk”. The specification includes examples of percentages (see Page(s) 10-11), however, no formula, weighting system, data sources or computational method are detailed.

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claim(s) 1 & 8 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim(s) 1 & 8 recites a method using the transition phrase “comprising” multiple times as independent preambles, including:

“A computer-implemented method, comprising:”
“automatically creating malware variants by a method comprising:”
“automatically modifying the malware by a method comprising:”
“A system comprising:”
“where the system is configured to execute a method comprising:”
“automatically creating a malware variant by a method comprising:”
“automatically modifying the malware by a method comprising:”

The repeated use of “a method comprising” in the body of the claim introduces multiple nested methods. It is, therefore, unclear whether Claim 1 & 8 is directed to a single method or multiple distinct methods, and it is unclear how the internal “method” clauses are intended to relate to the overall method. As written, the claim lacks the reasonable clarity and precision required by 35 U.S.C. 112(b) and would not inform a person of ordinary skill in the art of the scope of the invention with reasonable clarity. See MPEP § 2173.02, 2173.05 and 2111.03.

The term “base scenario”, “known malware sample”, “test cases or TTPs”, “identifying sub-techniques and procedures” in claim 1 & 8 is a relative term which renders the claim indefinite. The term “base scenario”, “known malware sample”, “test cases or TTPs”, “identifying sub-techniques and procedures” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.

It is unclear whether “base scenario” refers to malware code, behavior profiles, a campaign or something else.
“known malware sample” fails to specify the structure, format or required attributes of the sample.
“test cases or TTPs” conflates two different concepts without defining their boundaries or relationship.
“identifying sub-techniques and procedures” does not specify how such identification is performed or what constitutes a sub-technique.

Claim 1 & 8 recites the limitation "…techniques…", “…sub-techniques…”, “…procedures….”, “…core behavior…” Claim 1, Line 7-8, 13 & 14, Claim 8, Line 13-15. There is insufficient antecedent basis for this limitation in the claim.

Claim(s) 2 & 9 contains the trademark/trade name “MITRE ATT&CK”, Claim 2, 2nd line of the claim & Claim 9, 2nd line of the claim. Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product. A trademark or trade name is used to identify a source of goods, and not the goods themselves. Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name. In the present case, the trademark/trade name is used to identify/describe test cases and TTPs. The recited “MITRE ATT&CK framework” does not provide definite structure, boundaries or limitations of the claimed TTPs, and its meaning is subject to change by the trademark owner. The scope of the claim therefore cannot be determined with reasonable certainty and, accordingly, the identification/description is indefinite.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 1-16 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed to an abstract idea without significantly more. The claim(s) recite(s) steps that collectively amount to analyzing, modifying, and evaluating data, including: taking as input, a known malware sample, applying test cases or TTPs, identifying sub-techniques and procedures, modifying malware behavior, validating variants using test cases and comparing risks to a threshold.
These operations represent mental processes, mathematical concepts and methods of organizing human activity involving classification, evaluation and comparison of information. This judicial exception is not integrated into a practical application because the claim does not improve computer functionality, cybersecurity system architecture or malware detection. The specification does not describe any improvement in the functioning of the computer itself, nor any specialized hardware or technical architecture that is required to perform the steps. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements such as “a computer”, “automatically creating malware variants”, “running test cases” and “comparing risk to a threshold” are all routine, conventional and well-understood computer operations that simply automate a conceptual process. Claim(s) 1-16 is/are directed to an abstract idea and does not include additional elements that amount to more than the judicial exception. Therefore, Claim(s) 1-16 is/are rejected under 35 U.S.C. 101 as ineligible subject matter.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Chen et al. (US 2022/0318387 A1)
Boutnaru et al. (US 2018/0131707 A1)
DE LOS SANTOS VILCHEZ et al. (US 2016/0021174 A1)
KIM (US 2024/0346135 A1)
KIM et al. (US 2024/0346142 A1)
COCHENOUR (US 2015/0172300 A1)
Kurtz et al. (US 2021/0117544 A1)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER B ROBINSON whose telephone number is (571)270-0702. The examiner can normally be reached M-F 7:00-3:00 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached at 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER B ROBINSON/
Primary Examiner, Art Unit 2443

Prosecution Timeline

Dec 06, 2023
Application Filed
Nov 20, 2025
Non-Final Rejection — §101, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604193
AUTOMATIC SWITCHING METHOD FOR INTRUSION DETECTION FUNCTION AND WIRELESS DETECTION SYSTEM CAPABLE OF AUTOMATICALLY SWITCHING INTRUSION DETECTION FUNCTION TRANSCEIVER
2y 5m to grant Granted Apr 14, 2026
Patent 12598084
External Authentication Method, Communication Apparatus, and Communication System
2y 5m to grant Granted Apr 07, 2026
Patent 12596835
PERSONAL FEATURE INFORMATION SECURITY ASSURANCE SYSTEM
2y 5m to grant Granted Apr 07, 2026
Patent 12598203
ANALYZING AND RECOMMENDING ROGUE CLASSIFICATION POLICIES FOR A COMMUNICATION NETWORK
2y 5m to grant Granted Apr 07, 2026
Patent 12593217
SYSTEMS AND METHODS FOR MANAGING APPLICATION AUTHENTICATION IN A WIRELESS NETWORK
2y 5m to grant Granted Mar 31, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 89%
With Interview (+6.4%): 96%
Median Time to Grant: 2y 2m
PTA Risk: Low
Based on 472 resolved cases by this examiner. Grant probability derived from career allow rate.
