DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 7, 9-15, 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bartram (U.S. Patent Number 8,458,789) in view of Ducau et al. (U.S. Patent Application Publication Number 2020/0364338), hereinafter referred to as Ducau, further in view of Mon Divakaran et al. (U.S. Patent Application Publication Number 2025/0141887), hereinafter referred to as Mon Divakaran.
Bartram disclosed techniques for identifying unwanted code associated with network communications. In an analogous art, Ducau disclosed techniques for machine learning for malware recognition. Also in an analogous art, Mon Divakaran disclosed techniques for detecting malicious activity using backups and machine learning. All of these systems deal directly with malware recognition.
Regarding claim 1, Bartram discloses a method for a malware detection, a method comprising: identifying at least one entry of data (column 2, lines 54-67, identifies network communications); retrieving a record associated with the at least one entry (column 3, lines 56-63, code for comparison); applying a transformation to original contents of the record, wherein the transformation restructures text in the record (column 3, lines 23-30, breaks obfuscation); and scanning the transformed contents of the record for a malware signature (column 3, line 59 through column 4, line 3, code compared against non-trusted code); in response to detecting a portion of the transformed contents that matches the malware signature, executing a remediation action that removes a corresponding portion from the original contents of the record (column 4, lines 12-15, code associated with unwanted code, and column 4, lines 55-58, reaction performed); and updating the entry by replacing the at least one entry with an entry of the record on which the remediation action was executed (column 4, lines 61-65, removes references to unwanted code).
Bartram does not explicitly state that the at least one entry is an entry of a database and the updating being for the database. However, identifying malware in databases was well known in the art as evidenced by Ducau. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bartram by adding the ability that the at least one entry is an entry of a database and the updating being for the database as provided by Ducau (see paragraph 41, analysis object includes database tables). One of ordinary skill in the art would have recognized the benefit that analyzing databases in this way would assist in protecting a computer from a malware attack (see Ducau, paragraph 2).
The combination of Bartram and Ducau does not explicitly state identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database. However, detecting malicious activity in backups was well known in the art as evidenced by Mon Divakaran. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram and Ducau by adding the ability for identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database as provided by Mon Divakaran (see paragraph 30, backup archives, and paragraph 30, detects changes and analyzes changes for exploits). One of ordinary skill in the art would have recognized the benefit that leveraging backup archives for the detection of changes in this way would assist in verifying whether modifications are normal or exploits (see Mon Divakaran, paragraph 25).
Regarding claim 2, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein detecting the change in the at least one entry of the first replica database comprises parsing transactions written in a binary log of the first replica database to identify database queries, effected tables, and data modifications (Mon Divakaran, paragraph 35, detects malicious binaries).
Regarding claim 3, the combination of Bartram, Ducau, and Mon Divakaran discloses comparing a hash value of data stored on the first replica database with other hash values of data stored on other replica databases of the plurality of replica databases; and in response to detecting that the hash value matches the other hash values: assigning a scan result of a scan performed on the first replica database to the other replica databases; and executing the remediation action on the other replica databases without scanning data on the other replica databases (Mon Divakaran, paragraph 44, compares hash values of respective files, and paragraph 55, analysis of changes performed once and results applied to all other web servers).
Regarding claim 4, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein analyzing the change for malware occurs when a threshold number of changes are detected in the first replica database since a prior scan on the first replica database (Mon Divakaran, paragraph 32, triggers alarm when changes greater than predefined threshold, where it would have been obvious to one of ordinary skill to analyze the changes over one or more of the backups).
Regarding claim 5, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein analyzing the change for malware occurs when a threshold number of changes are detected across the plurality of replica databases since a prior scan on any replica database of the plurality of replica databases (Mon Divakaran, paragraph 32, triggers alarm when changes greater than predefined threshold, where it would have been obvious to one of ordinary skill to analyze the changes over one or more of the backups).
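The replica handling recited in claims 3 through 5 (comparing a hash of the data on one replica against the other replicas, assigning a single scan result to every replica whose hash matches without rescanning them, and triggering analysis only once a threshold number of changes has accumulated) can be illustrated in code. The following Python is an added illustration prepared for this record; it is not code from the application or from any of the cited references. The `ReplicaScanScheduler` class, the `fingerprint` helper, the scanner callable and the sample replica rows are all constructed for the illustration.

```python
import hashlib


def fingerprint(rows):
    """Constructed stand-in for a replica's content hash.

    Rows are hashed in a canonical (sorted-key) order so that two replicas holding
    the same data produce the same digest regardless of insertion order.
    """
    h = hashlib.sha256()
    for key in sorted(rows):
        h.update(f"{key}={rows[key]}\n".encode("utf-8"))
    return h.hexdigest()


class ReplicaScanScheduler:
    """Tracks changes per replica and scans each distinct data set only once.

    scanner: callable(rows) -> scan result (here a list of row keys that hit a signature).
    threshold: number of changes on a replica since its last scan that triggers analysis.
    """

    def __init__(self, scanner, threshold):
        self.scanner = scanner
        self.threshold = threshold
        self.pending = {}   # replica name -> changes recorded since the last scan
        self.results = {}   # replica name -> most recent scan result

    def record_change(self, replica):
        """Record one detected change; return True when the replica is due for a scan."""
        self.pending[replica] = self.pending.get(replica, 0) + 1
        return self.pending[replica] >= self.threshold

    def scan_replicas(self, replicas):
        """Scan the given replicas (name -> rows), deduplicating by content hash.

        The first replica with a given fingerprint is scanned; any later replica with
        the same fingerprint is assigned the same result without being scanned.
        Returns the names of the replicas that were actually scanned.
        """
        by_hash = {}
        scanned = []
        for name, rows in replicas.items():
            fp = fingerprint(rows)
            if fp not in by_hash:
                by_hash[fp] = self.scanner(rows)
                scanned.append(name)
            self.results[name] = by_hash[fp]
            self.pending[name] = 0      # the scan resets the change counter
        return scanned


if __name__ == "__main__":
    # Constructed sample data, not rows from the application or the cited references.
    hits = lambda rows: sorted(k for k, v in rows.items() if "<script>" in v)
    sched = ReplicaScanScheduler(scanner=hits, threshold=3)
    replicas = {
        "r1": {"1": "ok", "2": "<script>x"},
        "r2": {"2": "<script>x", "1": "ok"},   # same data as r1, different order
        "r3": {"1": "ok"},
    }
    for _ in range(3):
        due = sched.record_change("r1")
    print("r1 due for scan:", due)
    print("scanned:", sched.scan_replicas(replicas))
    print("results:", sched.results)
```

In this illustration only `r1` and `r3` are scanned; `r2` receives `r1`'s result because its fingerprint matches, which is the behaviour claims 3 and 13 describe.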
Regarding claim 7, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the transformation comprises one or more of: (1) normalizing, (2) de-serializing, (3) de-obfuscating (Bartram, column 3, lines 23-30, breaks obfuscation), (4) converting to another code page, and (5) unescaping.
Regarding claim 9, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein de-obfuscating comprises detecting and decoding a predefined obfuscation, wherein a key is a grabbed obfuscated fragment in the original content and a value is a de-obfuscated fragment (Bartram, column 3, lines 23-30, encryption requires key).
Regarding claim 10, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein converting to the another code page comprises: changing a byte representation of the original content without changing text in the original content (Bartram, column 3, lines 18-23, hash representation of code).
Regarding claim 11, Bartram discloses a system for detecting malware signatures in a data structure, the system comprising: at least one memory; and at least one hardware processor coupled with the at least one memory configured, individually or in combination, to: identify at least one entry of data (column 2, lines 54-67, identifies network communications); retrieving a record associated with the at least one entry (column 3, lines 56-63, code for comparison); applying a transformation to original contents of the record, wherein the transformation restructures text in the record (column 3, lines 23-30, breaks obfuscation); and scanning the transformed contents of the record for a malware signature (column 3, line 59 through column 4, line 3, code compared against non-trusted code); in response to detecting a portion of the transformed contents that matches the malware signature, execute a remediation action that removes a corresponding portion from the original contents of the record (column 4, lines 12-15, code associated with unwanted code, and column 4, lines 55-58, reaction performed); and update the entry by replacing the at least one entry with an entry of the record on which the remediation action was executed (column 4, lines 61-65, removes references to unwanted code).
Bartram does not explicitly state that the data structure is a database, the at least one entry is an entry of a database, and the updating being for the database. However, identifying malware in databases was well known in the art as evidenced by Ducau. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bartram by adding the ability that the data structure is a database, the at least one entry is an entry of a database, and the updating being for the database as provided by Ducau (see paragraph 41, analysis object includes database tables). One of ordinary skill in the art would have recognized the benefit that analyzing databases in this way would assist in protecting a computer from a malware attack (see Ducau, paragraph 2).
The combination of Bartram and Ducau does not explicitly state identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database. However, detecting malicious activity in backups was well known in the art as evidenced by Mon Divakaran. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram and Ducau by adding the ability for identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database as provided by Mon Divakaran (see paragraph 30, backup archives, and paragraph 30, detects changes and analyzes changes for exploits). One of ordinary skill in the art would have recognized the benefit that leveraging backup archives for the detection of changes in this way would assist in verifying whether modifications are normal or exploits (see Mon Divakaran, paragraph 25).
Regarding claim 12, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the at least one hardware processor is configured to detect the change in the at least one entry of the first replica database by parsing transactions written in a binary log of the first replica database to identify database queries, effected tables, and data modifications (Mon Divakaran, paragraph 35, detects malicious binaries).
Regarding claim 13, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the at least one hardware processor is further configured to: compare a hash value of data stored on the first replica database with other hash values of data stored on other replica databases of the plurality of replica databases; and in response to detecting that the hash value matches the other hash values: assign a scan result of a scan performed on the first replica database to the other replica databases; and execute the remediation action on the other replica databases without scanning data on the other replica databases (Mon Divakaran, paragraph 44, compares hash values of respective files, and paragraph 55, analysis of changes performed once and results applied to all other web servers).
Regarding claim 14, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the at least one hardware processor is configured to analyze the change for malware when a threshold number of changes are detected in the first replica database since a prior scan on the first replica database (Mon Divakaran, paragraph 32, triggers alarm when changes greater than predefined threshold, where it would have been obvious to one of ordinary skill to analyze the changes over one or more of the backups).
Regarding claim 15, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the at least one hardware processor is configured to analyze the change for malware when a threshold number of changes are detected across the plurality of replica databases since a prior scan on any replica database of the plurality of replica databases (Mon Divakaran, paragraph 32, triggers alarm when changes greater than predefined threshold, where it would have been obvious to one of ordinary skill to analyze the changes over one or more of the backups).
Regarding claim 17, the combination of Bartram, Ducau, and Mon Divakaran discloses wherein the transformation comprises one or more of: (1) normalizing, (2) de-serializing, (3) de-obfuscating (Bartram, column 3, lines 23-30, breaks obfuscation), (4) converting to another code page, and (5) unescaping.
Regarding claim 19, the combination of Bartram and Ducau discloses wherein de-obfuscating comprises detecting and decoding a predefined obfuscation, wherein a key is a grabbed obfuscated fragment in the original content and a value is a de-obfuscated fragment (Bartram, column 3, lines 23-30, encryption requires key).
Regarding claim 20, Bartram discloses a non-transitory computer readable medium storing thereon computer executable instructions for detecting malware signatures in a data structure, including instructions for: identifying at least one entry of data (column 2, lines 54-67, identifies network communications); retrieving a record associated with the at least one entry (column 3, lines 56-63, code for comparison); applying a transformation to original contents of the record, wherein the transformation restructures text in the record (column 3, lines 23-30, breaks obfuscation); and scanning the transformed contents of the record for a malware signature (column 3, line 59 through column 4, line 3, code compared against non-trusted code); in response to detecting a portion of the transformed contents that matches the malware signature, executing a remediation action that removes a corresponding portion from the original contents of the record (column 4, lines 12-15, code associated with unwanted code, and column 4, lines 55-58, reaction performed); and updating the entry by replacing the at least one entry with an entry of the record on which the remediation action was executed (column 4, lines 61-65, removes references to unwanted code).
Bartram does not explicitly state that the data structure is a database, the at least one entry is an entry of a database, and the updating being for the database. However, identifying malware in databases was well known in the art as evidenced by Ducau. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bartram by adding the ability that the data structure is a database, the at least one entry is an entry of a database, and the updating being for the database as provided by Ducau (see paragraph 41, analysis object includes database tables). One of ordinary skill in the art would have recognized the benefit that analyzing databases in this way would assist in protecting a computer from a malware attack (see Ducau, paragraph 2).
The combination of Bartram and Ducau does not explicitly state identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database. However, detecting malicious activity in backups was well known in the art as evidenced by Mon Divakaran. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram and Ducau by adding the ability for identifying a plurality of replica databases corresponding to a master database, wherein data stored on each replica database of the plurality of replica databases is synchronized with data stored on the master database in real-time, and in response to detecting a change in at least one entry of a first replica database of the plurality of replica databases, analyzing the change for malware, and the updating being for the first replica database as provided by Mon Divakaran (see paragraph 30, backup archives, and paragraph 30, detects changes and analyzes changes for exploits). One of ordinary skill in the art would have recognized the benefit that leveraging backup archives for the detection of changes in this way would assist in verifying whether modifications are normal or exploits (see Mon Divakaran, paragraph 25).
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bartram in view of Ducau, in view of Mon Divakaran, further in view of Singh et al. (U.S. Patent Number 10,192,052), hereinafter referred to as Singh.
The combination of Bartram, Ducau, and Mon Divakaran disclosed techniques for identifying unwanted code associated with network communications. In an analogous art, Singh disclosed techniques for classifying files using scanning. Both systems deal directly with malware recognition.
Regarding claim 6, the combination of Bartram, Ducau, and Mon Divakaran does not explicitly state in response to not detecting the malware signature in the transformed contents, scanning the original contents of the record for the malware signature; and in response to detecting a portion of the original contents that matches the malware signature, removing the portion from the original contents of the record. However, scanning for malware in such a fashion was well known in the art as evidenced by Singh. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram, Ducau, and Mon Divakaran by adding the ability for, in response to not detecting the malware signature in the transformed contents, scanning the original contents of the record for the malware signature; and in response to detecting a portion of the original contents that matches the malware signature, removing the portion from the original contents of the record as provided by Singh (see column 11, lines 43-51, when no malicious event detected, conducts second scan of deconstructed file, and column 13, lines 24-30, remediation). One of ordinary skill in the art would have recognized the benefit that a multi-tier scanning scheme would assist in detecting additional exploits (see Singh, column 1, lines 29-41).
Regarding claim 16, the combination of Bartram, Ducau, and Mon Divakaran does not explicitly state wherein the at least one hardware processor is further configured to: in response to not detecting the malware signature in the transformed contents, scan the original contents of the record for the malware signature; and in response to detecting a portion of the original contents that matches the malware signature, remove the portion from the original contents of the record. However, scanning for malware in such a fashion was well known in the art as evidenced by Singh. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram, Ducau, and Mon Divakaran by adding the ability that the at least one hardware processor is further configured to: in response to not detecting the malware signature in the transformed contents, scan the original contents of the record for the malware signature; and in response to detecting a portion of the original contents that matches the malware signature, remove the portion from the original contents of the record as provided by Singh (see column 11, lines 43-51, when no malicious event detected, conducts second scan of deconstructed file, and column 13, lines 24-30, remediation). One of ordinary skill in the art would have recognized the benefit that a multi-tier scanning scheme would assist in detecting additional exploits (see Singh, column 1, lines 29-41).
Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Bartram in view of Ducau, in view of Mon Divakaran, further in view of Lloyd et al. (U.S. Patent Application Publication Number 2013/0144834), hereinafter referred to as Lloyd.
The combination of Bartram, Ducau, and Mon Divakaran disclosed techniques for identifying unwanted code associated with network communications. In an analogous art, Lloyd disclosed techniques for managing canonical URLs. Both systems deal directly with the parsing and analyzing of URLs.
Regarding claim 8, the combination of Bartram, Ducau, and Mon Divakaran does not explicitly state wherein normalizing comprises removing all whitespaces in the text and replacing one or more of chr() sequences, urlencoded sequences, HTML entities, and escaped sequences present in the text with corresponding characters. However, modifying code in such a fashion was well known in the art as evidenced by Lloyd. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram, Ducau, and Mon Divakaran by adding the ability that normalizing comprises removing all whitespaces in the text and replacing one or more of chr() sequences, urlencoded sequences, HTML entities, and escaped sequences present in the text with corresponding characters as provided by Lloyd (see paragraph 39, special characters converted to normal characters). One of ordinary skill in the art would have recognized the benefit that managing code in this way would assist in reducing the usage of limited resources (see Lloyd, paragraph 2).
Regarding claim 18, the combination of Bartram, Ducau, and Mon Divakaran does not explicitly state wherein normalizing comprises removing all whitespaces in the text and replacing one or more of chr() sequences, urlencoded sequences, HTML entities, and escaped sequences present in the text with corresponding characters. However, modifying code in such a fashion was well known in the art as evidenced by Lloyd. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bartram, Ducau, and Mon Divakaran by adding the ability that normalizing comprises removing all whitespaces in the text and replacing one or more of chr() sequences, urlencoded sequences, HTML entities, and escaped sequences present in the text with corresponding characters as provided by Lloyd (see paragraph 39, special characters converted to normal characters). One of ordinary skill in the art would have recognized the benefit that managing code in this way would assist in reducing the usage of limited resources (see Lloyd, paragraph 2).
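The transformation and scanning flow recited in claims 1, 6, 7 and 8 (and their counterparts 11, 16, 17 and 18) can be illustrated in code: normalizing removes all whitespace and replaces chr() sequences, urlencoded sequences, HTML entities and escaped sequences with the corresponding characters; the transformed contents are scanned for a signature; a matching portion is removed from the original contents of the record; and, if the transformed contents are clean, the original contents are scanned as a second tier. The following Python is an added illustration prepared for this record; it is not code from the application or from any of the cited references. The tokenizer `TOKEN_RE`, the offset map that `normalize` returns so a hit in the transformed text can be located in the original contents, the `scan_and_remediate` function and the sample records and signatures are all constructed for the illustration.

```python
import html
import re
from urllib.parse import unquote

# Tokenizer for the normalization step: each alternative is one unit of the original
# text that decodes to zero or more characters of the transformed text.  Encoded forms
# are tried before the catch-all single character, so they win at the same position.
TOKEN_RE = re.compile(
    r"chr\(\d{1,3}\)"                # chr(101) -> 'e'
    r"|%[0-9A-Fa-f]{2}"              # %28 -> '('
    r"|&#?\w+;"                      # &lt; or &#60; -> '<'
    r"|\\x[0-9A-Fa-f]{2}|\\[nrt\\]"  # \x41 -> 'A', \n -> newline
    r"|\s+"                          # whitespace is dropped entirely
    r"|.",                           # any other character is kept as-is
    re.DOTALL,
)


def _decode(tok):
    """Decode one token into the characters it contributes to the transformed text."""
    if tok.startswith("chr("):
        return chr(int(tok[4:-1]))
    if tok.startswith("%"):
        return unquote(tok)
    if tok.startswith("&"):
        return html.unescape(tok)
    if tok.startswith("\\"):
        return tok.encode("utf-8").decode("unicode_escape")
    if tok.isspace():
        return ""
    return tok


def normalize(text):
    """Return (transformed_text, spans).

    spans is a list of (orig_start, orig_end, trans_start, trans_end) tuples, one per
    token that contributed characters, so transformed offsets map back to the original.
    """
    out, spans, pos = [], [], 0
    for m in TOKEN_RE.finditer(text):
        dec = _decode(m.group(0))
        if dec:
            spans.append((m.start(), m.end(), pos, pos + len(dec)))
            out.append(dec)
            pos += len(dec)
    return "".join(out), spans


def _original_span(spans, t_start, t_end):
    """Smallest original-text span covering every token overlapping [t_start, t_end)."""
    covering = [(o_s, o_e) for o_s, o_e, t_s, t_e in spans if t_s < t_end and t_e > t_start]
    return min(s for s, _ in covering), max(e for _, e in covering)


def scan_and_remediate(original, signature):
    """Scan the transformed contents; on a hit remove the corresponding portion of the
    original contents.  If the transformed contents are clean, scan the original too."""
    transformed, spans = normalize(original)
    idx = transformed.find(signature)
    if idx >= 0:
        o_s, o_e = _original_span(spans, idx, idx + len(signature))
        return {"matched": "transformed", "remediated": original[:o_s] + original[o_e:]}
    idx = original.find(signature)
    if idx >= 0:
        return {"matched": "original",
                "remediated": original[:idx] + original[idx + len(signature):]}
    return {"matched": None, "remediated": original}


if __name__ == "__main__":
    # Constructed sample records and signatures, not data from the application.
    samples = [
        ("hello &lt;scr ipt&gt;alert(1)", "<script>"),   # entities + whitespace hide the tag
        ("x=chr(101)val%28y%29", "eval("),                # chr() and urlencoding
        ("DROP TABLE users", "DROP TABLE"),               # only the original text matches
    ]
    for record, sig in samples:
        print(repr(record), "->", scan_and_remediate(record, sig))
```

The third sample shows why the second-tier scan of claim 6 matters in this design: whitespace removal makes the transformed text miss a signature that itself contains a space, and the fallback scan of the original contents still catches it.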
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Avrahami et al. (U.S. Patent Application Publication Number 2016/0173507) disclosed techniques for detecting malicious code insertion in data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Carl Colin, can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493