DETAILED ACTION
The following claims are pending in this office action: 1-25
Claims 1, 9, 17, 21 and 24 are independent claims.
The following claims are amended: 1, 3, 6, 9, 11, 17, 19, 21 and 23-24
The following claims are new: -
The following claims are cancelled: -
Claims 1-25 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/21/2025 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed 10/21/2025 is attached to the instant Office action.
RESPONSE TO ARGUMENTS
Applicant’s arguments in the amendment filed 12/17/2025 have been fully considered but are moot in view of new grounds of rejection.
Applicant notes: claims 1, 9, 17, 21 and 24 have been amended in accordance with the interview. This amended limitation is disclosed by Kedma et al. (US Pub. 2014/0123280) as explained below and rejected accordingly.
Dependent claims 2-8, 10-16, 18-20, 22-23 and 25 depend on independent claims 1, 9, 17, 21 and 24. The amended elements in the claims are disclosed by Kedma et al. (US Pub. 2014/0123280) and in the case of claim 6, Anderson et al. (US Pub. 2013/0326625) as explained below, and so any additional features to the dependent claims are rejected accordingly.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 8-11, 16-19 and 21-25 are rejected under 35 U.S.C. 103 as being unpatentable over Malik et al. (US Patent No. 10,657,251) (hereinafter “Malik”) in view of Song et al. (US Pub. 2018/0309772) (hereinafter “Song”) and in view of Kedma et al. (US Pub. 2014/0123280) (hereinafter “Kedma”).
As per claim 1, Malik teaches a method for binary malware attack detection comprising: ([Malik, col. 5, ln. 21-28] “A forensic malware detection method ... receive content for analysis... and ... implement a multistage malware detection scheme ... to confirm or verify the existence of malware in the content under analysis”)
processing, by a first set of one or more detectors, ([Malik, col. 10, ln. 38-42] “Preprocessing malware check logic 250 includes one or more software modules [first set of one or more detectors] to conduct static analysis of content within an object to determine whether such content [RTE code and associated interpretive code] includes characteristics of malware, such as information associated with known malware exploits”) run time environment (RTE) code ([col. 8, ln. 19-37] “an object is emulated and an output associated with such processing may be statically scanned to determine if portions of the output match any of the pre-stored malware identifiers ... emulator may be ... a ... run-time environment ... monitors ... the object [code] within the emulator [RTE code], for example, by intercepting or “hooking” function calls [RTE code]”) and associated interpretive code ([col. 7, ln. 26-29] “software modules ... receive one [RTE code] or more objects [associated interpretive code] within the content and perform a multi-stage static analysis on the objects”; [col. 8, ln. 29-33] “a JavaScript™ object [interpretive code] ... for emulation [associated with the RTE] ... the object being analyzed”) to detect signatures ([col. 10, ln. 38-44] “Preprocessing malware check logic 250 includes one or more software modules to conduct static analysis of content within an object to determine ... a malware signature matching operation”; although Malik discloses that signatures are bits [characters/cipher] that form a known exploit pattern [special], which implies the limitation, detecting signatures as special cipher characters is more clearly taught by Song as explained below) and determine a first set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the signature matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”)
processing, by a second set of one or more detectors, the RTE code and the associated interpretive code to detect malware ([Malik, col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content [the RTE code and the associated interpretive code – see col. 7, ln. 49-52: “static analysis by comparing the contents of each object with known characteristics of malware”] matches any known malware”; as explained above, the objects include two sub-objects: code of the function produced in the RTE and code of the JavaScript emulated in the RTE) and determine a second set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the deconstructed code matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores] and post-processor [second set of scores]”)
determining whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores and the second set of scores. ([Malik, col. 8, ln. 7-16] “The score generation logic 174 will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of scores and the second set of scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first and second set of scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik does not clearly teach detecting signatures as special cipher characters; and wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Song teaches detecting signatures as special cipher characters. ([Song, para. 0052] “the signature... can be ... a character string identical to a predefined character string pattern ... a combination of alphabetical character/number/special symbol [special cipher characters]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik with the teachings of Song to include detecting signatures as special cipher characters. One of ordinary skill in the art would have been motivated to make this modification because such a technique would be helpful for enhancing accuracy of automatic verification of the malware attack. (Song, para. 0059)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song with the teachings of Kedma to include wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors. One of ordinary skill in the art would have been motivated to make this modification because such a technique would enable effective detection and prevention of replicator process’s actions before its one or more cloned process replicas are launched as well as detecting cloned process replicas as they are being created. (Kedma, para. 0104)
As per claim 2, Malik in view of Song and Kedma teaches claim 1.
Malik also teaches wherein the first set of one or more detectors is to determine a first set of characterizations and scores, ([Malik, col. 10, ln. 38-47] “Preprocessing malware check logic 250 includes one or more software modules [detectors] to conduct static analysis of content within an object to determine whether such content includes characteristics of malware [a first set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores]”) wherein the second set of one or more detectors is to determine a second set of characterizations and scores, ([col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content matches any known malware characteristics [determine a second set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the ... post-processor [second set of scores]”) and wherein determining whether one or both of the RTE code and the associated interpretive code are compromised is based on the first set of characterizations and scores and the second set of characterizations and scores. ([col. 8, ln. 7-16] “The score generation logic 174 will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of characterizations and scores and the second set of characterizations and scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [based on the first set of characterizations and scores and the second set of characterizations and scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
As per claim 3, Malik in view of Song and Kedma teaches claim 1.
Malik also teaches wherein the second set of one or more detectors is to detect native malware, ([Malik, col. 9, ln. 53-61] “The deconstruction process returns the native code ... as a deconstructed representation of the content ... The deconstructed representation [is to detect native code] is processed in the post-processor 270 [second set of one or more detectors] which receives the de-constructed content from the de-constructor ... The post-processor determines if the de-constructed content matches any known malware [is to detect native malware]”) and wherein the method further comprises:
processing, by a third set of one or more detectors, the RTE code and the associated interpretive code to detect encoded or encrypted malware ([Malik, col. 5, ln. 66 to col. 6, ln. 10] “static analysis is conducted by static analysis engine 170 within the first MCD system 110₁ [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia signaling that the content has been compressed, encrypted or otherwise encoded [to detect encoded/encrypted malware]”; [col. 5, ln. 31-40] the MCD system is a third set of one or more detectors as: “a plurality of malware content detection (MCD) systems 110₁-110ₙ (N>1, e.g. N=3) communicatively coupled to a management system 120 ... cause one or more malware identifiers, each of which being information representative of prior detected malware, to be shared among some or all of the MCD systems ... for use in malware checks”, where they are different detection systems as described above: the first MCD system is the detector for the signature/special character that matches the objects, the second MCD system is the detector for the native/decompiled objects, and the third MCD system is the detector for the encrypted objects) and determine a third set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, being encrypted] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-18] “the suspiciousness score(s) generated in the preprocessor [first set of scores] ... post-processor [second set of scores] .... suspiciousness score assigned to the obfuscated content [third set of scores] ... individual indicators of suspiciousness used by the preprocessor [first set of scores] and post-processor [second set of scores] ... or a combination of one or more of the following [based on the first, second and third set of scores]”)
determining whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores, the second set of scores, and the third set of scores. ([Malik, col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first, second and third set of scores as per above] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the third set of one or more detectors, the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the third set of one or more detectors, the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”; [para. 0079] “concurrently [in parallel] ... upon detection of a new process [a third detector as it performs a different function than process monitoring] ... checks for the presence of a clone file by search for a match ... of clone files”; [para. 0054] “The self-replication detection module [third detector] ... detects self-replication of the executable binary files”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Malik, Song and Kedma for the same reasons as disclosed above.
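The detector arrangement the rejection maps onto Malik and Kedma (a first set of signature detectors, a second set matching deconstructed content against known malware, a third set looking for compression/encryption/encoding indicia, all run in parallel over the RTE code and the interpretive code, with object-level scores mathematically combined, thresholded, and an alert issued for a compromised object) as an added Python example; this is not code from the application or from Malik, Song or Kedma, and the patterns, weights, threshold, object names and sample inputs are all constructed for illustration.

```python
"""Added example: three parallel detector sets scoring two objects (RTE code,
interpretive code), a composite score with threshold, and an alert.
Detector rules, weights, THRESHOLD and the samples are constructed."""
import base64
import math
import re
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

Objects = Dict[str, str]        # object name -> its content (text)
Scores = Dict[str, int]         # object name -> score from one detector set

# First set of detectors: signature match on runs of "special" characters.
# (constructed stand-ins for a signature database, not real signatures)
SIGNATURES: List[Tuple[re.Pattern, int]] = [
    (re.compile(r"%u[0-9a-fA-F]{4}(?:%u[0-9a-fA-F]{4}){3,}"), 60),  # %uXXXX runs
    (re.compile(r"eval\s*\(\s*unescape\s*\("), 50),                  # eval(unescape(
]

def signature_detector(objs: Objects) -> Scores:
    return {name: sum(w for pat, w in SIGNATURES if pat.search(text))
            for name, text in objs.items()}

# Second set: "native" match of the deconstructed content (modelled here as a
# trace of hooked function calls recorded while the object ran in the RTE)
# against call sequences that known malware was recorded to make (constructed).
KNOWN_NATIVE: Dict[str, int] = {"WScript.Shell.Run": 70, "ADODB.Stream.SaveToFile": 40}

def native_detector(objs: Objects) -> Scores:
    return {name: sum(w for call, w in KNOWN_NATIVE.items() if call in text)
            for name, text in objs.items()}

# Third set: indicia that content is compressed, encrypted or otherwise encoded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encrypted data approaches 8, source code is lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def encoding_detector(objs: Objects) -> Scores:
    scores: Scores = {}
    for name, text in objs.items():
        score = 0
        m = B64_RUN.search(text)
        if m:
            try:                       # long run that really is valid base64
                base64.b64decode(m.group(0), validate=True)
                score += 50
            except ValueError:
                pass
        if shannon_entropy(text) > 5.0:   # random-looking content
            score += 30
        scores[name] = score
    return scores

DETECTORS: List[Callable[[Objects], Scores]] = [
    signature_detector, native_detector, encoding_detector]
THRESHOLD = 60   # constructed; an object at or above it is classified compromised

def composite(results: List[Scores], objs: Objects) -> Tuple[int, Dict[str, bool]]:
    """Combine the per-detector object-level scores into an overall content
    score and a per-object compromised/not-compromised decision."""
    per_object = {name: sum(r.get(name, 0) for r in results) for name in objs}
    overall = sum(per_object.values())
    compromised = {name: s >= THRESHOLD for name, s in per_object.items()}
    return overall, compromised

def analyze(objs: Objects) -> dict:
    # Each detector set processes both objects; the sets run concurrently.
    with ThreadPoolExecutor(max_workers=len(DETECTORS)) as pool:
        results = list(pool.map(lambda det: det(objs), DETECTORS))
    overall, compromised = composite(results, objs)
    alert: Optional[dict] = None
    if any(compromised.values()):   # alert names which object(s) are compromised
        alert = {"message": "malware detected",
                 "objects": [n for n, c in compromised.items() if c]}
    return {"scores": results, "overall": overall,
            "compromised": compromised, "alert": alert}

# Constructed samples: a script object and the hook trace from running it.
SAMPLE_MALICIOUS: Objects = {
    "interpretive_code": 'var s = unescape("%u4141%u4141%u4141%u4141"); eval(unescape(s));',
    "rte_code": "hook: ActiveXObject(WScript.Shell)\nhook: WScript.Shell.Run\n",
}
SAMPLE_PACKED: Objects = {   # encoded blob only: suspicious but below threshold
    "interpretive_code": 'var blob = "' + base64.b64encode(b"x" * 45).decode()
                         + '"; eval(atob(blob));',
    "rte_code": "hook: document.write\n",
}

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("packed", SAMPLE_PACKED)):
        print(label, analyze(sample))
```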
As per claim 8, Malik in view of Song and Kedma teaches claim 1.
Malik also teaches generating, in response to determining that one or both of the RTE code and the associated interpretive code are compromised, an alert. ([Malik, col. 9, ln. 35-37] “The reporting module 195 may issue alerts indicating the presence of malware, [in response to determining the code is compromised] and using pointers and other reference information to identify which content [one or both of the RTE code and the associated interpretive code as per above] may contain malware”)
As per claim 9, Malik teaches a system for binary malware attack detection comprising: ([Malik, col. 5, ln. 21-28] “A forensic malware detection ... system ... receive content for analysis... and ... implement a multistage malware detection scheme ... to confirm or verify the existence of malware in the content under analysis”)
a first set of one or more detectors ([Malik, col. 10, ln. 38-42] “Preprocessing malware check logic 250 includes one or more software modules [first set of one or more detectors] to conduct static analysis of content within an object to determine whether such content [RTE code and associated interpretive code] includes characteristics of malware, such as information associated with known malware exploits”) to process run time environment (RTE) code ([col. 8, ln. 19-37] “an object is emulated and an output associated with such processing may be statically scanned to determine if portions of the output match any of the pre-stored malware identifiers ... emulator may be ... a ... run-time environment ... monitors ... the object [code] within the emulator [RTE code], for example, by intercepting or “hooking” function calls [RTE code]”) and associated interpretive code ([col. 7, ln. 26-29] “software modules ... receive one [RTE code] or more objects [associated interpretive code] within the content and perform a multi-stage static analysis on the objects”; [col. 8, ln. 29-33] “a JavaScript™ object [interpretive code] ... for emulation [associated with the RTE] ... the object being analyzed”) to detect signatures ([col. 10, ln. 38-44] “Preprocessing malware check logic 250 includes one or more software modules to conduct static analysis of content within an object to determine ... a malware signature matching operation”; although Malik discloses that signatures are bits [characters/cipher] that form a known exploit pattern [special], which implies the limitation, detecting signatures as special cipher characters is more clearly taught by Song as explained below) and determine a first set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the signature matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”)
a second set of one or more detectors to process the RTE code and the associated interpretive code to detect malware ([Malik, col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content [the RTE code and the associated interpretive code – see col. 7, ln. 49-52: “static analysis by comparing the contents of each object with known characteristics of malware”] matches any known malware”; as explained above, the objects include two sub-objects: code of the function produced in the RTE and code of the JavaScript emulated in the RTE) and determine a second set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the deconstructed code matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores] and post-processor [second set of scores]”)
a composite detector to determine whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores and the second set of scores. ([Malik, col. 8, ln. 7-16] “The score generation logic 174 [composite detector] will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of scores and the second set of scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first and second set of scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik does not clearly teach detecting signatures as special cipher characters; and wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Song teaches detecting signatures as special cipher characters. ([Song, para. 0052] “the signature... can be ... a character string identical to a predefined character string pattern ... a combination of alphabetical character/number/special symbol [special cipher characters]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik with the teachings of Song to include detecting signatures as special cipher characters. One of ordinary skill in the art would have been motivated to make this modification because such a technique would be helpful for enhancing accuracy of automatic verification of the malware attack. (Song, para. 0059)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song with the teachings of Kedma to include wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors. One of ordinary skill in the art would have been motivated to make this modification because such a technique would enable effective detection and prevention of replicator process’s actions before its one or more cloned process replicas are launched as well as detecting cloned process replicas as they are being created. (Kedma, para. 0104)
As per claim 10, Malik in view of Song and Kedma teaches claim 9.
Malik also teaches wherein the first set of one or more detectors is to determine a first set of characterizations and scores, ([Malik, col. 10, ln. 38-47] “Preprocessing malware check logic 250 includes one or more software modules [detectors] to conduct static analysis of content within an object to determine whether such content includes characteristics of malware [a first set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores]”) wherein the second set of one or more detectors is to determine a second set of characterizations and scores, ([col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content matches any known malware characteristics [determine a second set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the ... post-processor [second set of scores]”) and wherein the composite detector is to determine whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of characterizations and scores and the second set of characterizations and scores. ([col. 8, ln. 7-16] “The score generation logic 174 [composite detector] will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of characterizations and scores and the second set of characterizations and scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [based on the first set of characterizations and scores and the second set of characterizations and scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
As per claim 11, Malik in view of Song and Kedma teaches claim 9.
Malik also teaches wherein the second set of one or more detectors is to detect native malware, ([Malik, col. 9, ln. 53-61] “The deconstruction process returns the native code ... as a deconstructed representation of the content ... The deconstructed representation [is to detect native code] is processed in the post-processor 270 [second set of one or more detectors] which receives the de-constructed content from the de-constructor ... The post-processor determines if the de-constructed content matches any known malware [is to detect native malware]”) and wherein the system further comprises:
a third set of one or more detectors to process the RTE code and the associated interpretive code to detect encoded or encrypted malware ([Malik, col. 5, ln. 66 to col. 6, ln. 10] “static analysis is conducted by static analysis engine 170 within the first MCD system 110₁ [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia signaling that the content has been compressed, encrypted or otherwise encoded [to detect encoded/encrypted malware]”; [col. 5, ln. 31-40] the MCD system is a third set of one or more detectors as: “a plurality of malware content detection (MCD) systems 110₁-110ₙ (N>1, e.g. N=3) communicatively coupled to a management system 120 ... cause one or more malware identifiers, each of which being information representative of prior detected malware, to be shared among some or all of the MCD systems ... for use in malware checks”, where they are different detection systems as described above: the first MCD system is the detector for the signature/special character that matches the objects, the second MCD system is the detector for the native/decompiled objects, and the third MCD system is the detector for the encrypted objects) and determine a third set of scores, ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, being encrypted] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-18] “the suspiciousness score(s) generated in the preprocessor [first set of scores] ... post-processor [second set of scores] .... suspiciousness score assigned to the obfuscated content [third set of scores] ... individual indicators of suspiciousness used by the preprocessor [first set of scores] and post-processor [second set of scores] ... or a combination of one or more of the following [based on the first, second and third set of scores]”) and wherein the composite detector is to determine whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores, the second set of scores, and the third set of scores. ([col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first, second and third set of scores combined by the score generation logic/composite detector as per above] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the third set of one or more detectors, the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the third set of one or more detectors, the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”; [para. 0079] “concurrently [in parallel] ... upon detection of a new process [a third detector as it performs a different function than process monitoring] ... checks for the presence of a clone file by search for a match ... of clone files”; [para. 0054] “The self-replication detection module [third detector] ... detects self-replication of the executable binary files”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Malik, Song and Kedma for the same reasons as disclosed above.
As per claim 16, Malik in view of Song and Kedma teaches claim 9.
Malik also teaches an alert monitor to generate, in response to determining that one or both of the RTE code and the associated interpretive code are compromised, an alert. ([Malik, col. 9, ln. 35-37] “The reporting module 195 [alert monitor] may issue alerts indicating the presence of malware, [in response to determining the code are compromised] and using pointers and other reference information to identify which content [one or both of the RTE code and the associated interpretive code as per above] may contain malware”)
As per claim 17, Malik teaches an apparatus for binary malware attack detection comprising: ([Malik, col. 5, ln. 21-28] “A forensic malware detection method [an apparatus the method is performed by/comprises a processor – see below] ... receive content for analysis... and ... implement a multistage malware detection scheme ... to confirm or verify the existence of malware in the content under analysis”)
a processing device; and ([Malik, col. 7, ln. 26-29] “one or more processors 200 ... perform a multi-stage static analysis”)
memory operatively coupled to the processing device, wherein the memory stores computer program instructions that, when executed, cause the processing device to: ([Malik, col. 7, ln. 26-30] “software modules [computer program instructions] executed by one or more processors 200 [processing device] that receive one or more objects within the content and perform a multi-stage static analysis [cause the processing device to perform the below described actions] on the objects, which may involve accessing [coupled to] one or more non-transitory storage mediums [memory] operating as database 175”)
process, by a first set of one or more detectors, ([Malik, col. 10, ln. 38-42] “Preprocessing malware check logic 250 includes one or more software modules [first set of one or more detectors] to conduct static analysis of content within an object to determine whether such content [RTE code and associated interpretive code] includes characteristics of malware, such as information associated with known malware exploits”) run time environment (RTE) code ([col. 8, ln. 19-37] “an object is emulated and an output associated with such processing may be statically scanned to determine if portions of the output match any of the pre-stored malware identifiers ... emulator may be ... a ... run-time environment ... monitors ... the object [code] within the emulator [RTE code], for example, by intercepting or “hooking” function calls [RTE code]”) and associated interpretive code ([col. 7, ln. 26-29] “software modules ... receive one [RTE code] or more objects [associated interpretive code] within the content and perform a multi-stage static analysis on the objects”; [col. 8, ln. 29-33] “a JavaScript™ object [interpretive code] ... for emulation [associated with the RTE] ... the object being analyzed”) to detect signatures ([col. 10, ln. 38-44] “Preprocessing malware check logic 250 includes one or more software modules to conduct static analysis of content within an object to determine ... a malware signature matching operation”; although Malik discloses that signatures are bits [characters/cipher] that form a known exploit pattern [special], which implies the limitation, detecting signatures as special cipher characters is more clearly taught by Song as explained below) and determine a first set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the signature matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”)
process, by a second set of one or more detectors, the RTE code and the associated interpretive code to detect malware ([Malik, col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content [the RTE code and the associated interpretive code – see col. 7, ln. 49-52: “static analysis by comparing the contents of each object with known characteristics of malware”] matches any known malware”; as explained above, the objects include two sub-objects: code of the function produced in the RTE and code of the JavaScript emulated in the RTE) and determine a second set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the deconstructed code matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores] and post-processor [second set of scores]”)
determine whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores and the second set of scores. ([Malik, col. 8, ln. 7-16] “The score generation logic 174 will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of scores and the second set of scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first and second set of scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik does not clearly teach detecting signatures as special cipher characters; and wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Song teaches detecting signatures as special cipher characters. ([Song, para. 0052] “the signature... can be ... a character string identical to a predefined character string pattern ... a combination of alphabetical character/number/special symbol [special cipher characters]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik with the teachings of Song to include detecting signatures as special cipher characters. One of ordinary skill in the art would have been motivated to make this modification because such a technique would be helpful for enhancing accuracy of automatic verification of the malware attack. (Song, para. 0059)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song with the teachings of Kedma to include wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors. One of ordinary skill in the art would have been motivated to make this modification because such a technique would enable effective detection and prevention of replicator process’s actions before its one or more cloned process replicas are launched as well as detecting cloned process replicas as they are being created. (Kedma, para. 0104)
As per claim 18, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.
As per claim 19, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.
As per claim 21, Malik teaches a computer program product comprising a computer readable storage medium, wherein the computer readable storage medium comprises computer program instructions that, when executed: ([Malik, col. 7, ln. 26-30] “software modules [computer program instructions] executed by one or more processors 200 that receive one or more objects within the content and perform a multi-stage static analysis [cause the processing device to perform the below described actions] on the objects, which may involve accessing [coupled to] one or more non-transitory storage mediums [a computer readable storage medium] operating as database 175”)
process, by a first set of one or more detectors, ([Malik, col. 10, ln. 38-42] “Preprocessing malware check logic 250 includes one or more software modules [first set of one or more detectors] to conduct static analysis of content within an object to determine whether such content [RTE code and associated interpretive code] includes characteristics of malware, such as information associated with known malware exploits”) run time environment (RTE) code ([col. 8, ln. 19-37] “an object is emulated and an output associated with such processing may be statically scanned to determine if portions of the output match any of the pre-stored malware identifiers ... emulator may be ... a ... run-time environment ... monitors ... the object [code] within the emulator [RTE code], for example, by intercepting or “hooking” function calls [RTE code]”) and associated interpretive code ([col. 7, ln. 26-29] “software modules ... receive one [RTE code] or more objects [associated interpretive code] within the content and perform a multi-stage static analysis on the objects”; [col. 8, ln. 29-33] “a JavaScript™ object [interpretive code] ... for emulation [associated with the RTE] ... the object being analyzed”) to detect signatures ([col. 10, ln. 38-44] “Preprocessing malware check logic 250 includes one or more software modules to conduct static analysis of content within an object to determine ... a malware signature matching operation”; although Malik discloses that signatures are bits [characters/cipher] that form a known exploit pattern [special], which implies the limitation, detecting signatures as special cipher characters is more clearly taught by Song as explained below) and determine a first set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the signature matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”)
process, by a second set of one or more detectors, the RTE code and the associated interpretive code to detect malware ([Malik, col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content [the RTE code and the associated interpretive code – see col. 7, ln. 49-52: “static analysis by comparing the contents of each object with known characteristics of malware”] matches any known malware”; as explained above, the objects include two sub-objects: code of the function produced in the RTE and code of the JavaScript emulated in the RTE) and determine a second set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the deconstructed code matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores] and post-processor [second set of scores]”)
determine whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores and the second set of scores. ([Malik, col. 8, ln. 7-16] “The score generation logic 174 will determine a score for the analyzed content using the results of the preprocessor 250 or post-processor 270 ... mathematically combining the object-level scores [based on the first set of scores and the second set of scores] to obtain an overall score for the content ... for use in further analysis to confirm the presence of malware within the content”; [col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first and second set of scores] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik does not clearly teach detecting signatures as special cipher characters; and wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Song teaches detecting signatures as special cipher characters. ([Song, para. 0052] “the signature... can be ... a character string identical to a predefined character string pattern ... a combination of alphabetical character/number/special symbol [special cipher characters]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik with the teachings of Song to include detecting signatures as special cipher characters. One of ordinary skill in the art would have been motivated to make this modification because such a technique would be helpful for enhancing accuracy of automatic verification of the malware attack. (Song, para. 0059)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song with the teachings of Kedma to include wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors. One of ordinary skill in the art would have been motivated to make this modification because such a technique would enable effective detection and prevention of replicator process’s actions before its one or more cloned process replicas are launched as well as detecting cloned process replicas as they are being created. (Kedma, para. 0104)
As per claim 22, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.
As per claim 23, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.
As per claim 24, Malik teaches a method for binary malware attack detection comprising: ([Malik, col. 5, ln. 21-28] “A forensic malware detection method ... receive content for analysis... and ... implement a multistage malware detection scheme ... to confirm or verify the existence of malware in the content under analysis”)
processing, by a first set of one or more detectors, ([Malik, col. 10, ln. 38-42] “Preprocessing malware check logic 250 includes one or more software modules [first set of one or more detectors] to conduct static analysis of content within an object to determine whether such content [RTE code and associated interpretive code] includes characteristics of malware, such as information associated with known malware exploits”) run time environment (RTE) code ([col. 8, ln. 19-37] “an object is emulated and an output associated with such processing may be statically scanned to determine if portions of the output match any of the pre-stored malware identifiers ... emulator may be ... a ... run-time environment ... monitors ... the object [code] within the emulator [RTE code], for example, by intercepting or “hooking” function calls [RTE code]”) and associated interpretive code ([col. 7, ln. 26-29] “software modules ... receive one [RTE code] or more objects [associated interpretive code] within the content and perform a multi-stage static analysis on the objects”; [col. 8, ln. 29-33] “a JavaScript™ object [interpretive code] ... for emulation [associated with the RTE] ... the object being analyzed”) to detect signatures ([col. 10, ln. 38-44] “Preprocessing malware check logic 250 includes one or more software modules to conduct static analysis of content within an object to determine ... a malware signature matching operation”; although Malik discloses that signatures are bits [characters/cipher] that form a known exploit pattern [special], which implies the limitation, detecting signatures as special cipher characters is more clearly taught by Song as explained below) and determine a first set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the signature matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”)
processing, by a second set of one or more detectors, the RTE code and the associated interpretive code to detect native malware ([Malik, col. 9, ln. 53-62] “The deconstruction process returns the native code ... as a deconstructed representation of the content ... The deconstructed representation [is to detect native code] is processed in the post-processor 270 [second set of one or more detectors] which receives the de-constructed content from the de-constructor ... The post-processor [second set of one or more detectors] determines if the de-constructed content [the RTE code and the associated interpretive code – see col. 7, ln. 49-52: “static analysis by comparing the contents of each object with known characteristics of malware”] matches any known malware”; as explained above, the objects include two sub-objects: code of the function produced in the RTE and code of the JavaScript emulated in the RTE) and determine a second set of scores; ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, the deconstructed code matching] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores] and post-processor [second set of scores]”)
processing, by a third set of one or more detectors, the RTE code and the associated interpretive code to detect encoded or encrypted malware ([Malik, col. 5, ln. 66 to col. 6, ln. 10] “static analysis is conducted by static analysis engine 170 within the first MCD system 1101 [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia signaling that the content has been compressed, encrypted or otherwise encoded [to detect encoded/encrypted malware]”; [col. 5, ln. 31-40] the MCD system is a third set of one or more detectors as: “a plurality of malware content detection (MCD) systems 1101-110N (N>1, e.g. N=3) communicatively coupled to a management system 120 ... cause one or more malware identifiers, each of which being information representative of prior detected malware, to be shared among some or all of the MCD systems ... for use in malware checks”, where they are different detection systems as described above: the first MCD system is the detector for the signature/special character that matches the objects, the second MCD system is the detector for the native/decompiled objects, and the third MCD system is the detector for the encrypted objects) and determine a third set of scores; and ([col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, being encrypted] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-18] “the suspiciousness score(s) generated in the preprocessor [first set of scores] ... post-processor [second set of scores] .... suspiciousness score assigned to the obfuscated content [third set of scores] ... individual indicators of suspiciousness used by the preprocessor [first set of scores] and post-processor [second set of scores] ... or a combination of one or more of the following [based on the first, second and third set of scores]”)
determining whether one or both of the RTE code and the associated interpretive code are compromised based on the first set of scores, the second set of scores, and the third set of scores. ([Malik, col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first, second and third set of scores as per above] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”)
Malik does not clearly teach detecting signatures as special cipher characters; and wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Song teaches detecting signatures as special cipher characters. ([Song, para. 0052] “the signature... can be ... a character string identical to a predefined character string pattern ... a combination of alphabetical character/number/special symbol [special cipher characters]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik with the teachings of Song to include detecting signatures as special cipher characters. One of ordinary skill in the art would have been motivated to make this modification because such a technique would be helpful for enhancing accuracy of automatic verification of the malware attack. (Song, para. 0059)
Malik in view of Song does not clearly teach wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors.
However, Kedma teaches wherein the RTE code and the associated interpretive code are processed ([Kedma, para. 0051] “the process monitoring module ... monitors in runtime processes running on the computing device [associated interpretive code as the code is necessarily interpreted in order for it to be running on the device]”; [para. 0052] “the file monitoring module 203 monitors ... and identifies executable binary files [RTE code]”) in parallel by the second set of one or more detectors and the first set of one or more detectors. ([para. 0076] “Parallel monitors.... are launched [processed in parallel] ... 310 for file monitoring [RTE code] and 320 for process monitoring [associated interpretive code] ... file monitor 310 [first set of one or more detectors] ... process monitor 320 [second set of one or more detectors]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song with the teachings of Kedma to include wherein the RTE code and the associated interpretive code are processed in parallel by the second set of one or more detectors and the first set of one or more detectors. One of ordinary skill in the art would have been motivated to make this modification because such a technique would enable effective detection and prevention of replicator process’s actions before its one or more cloned process replicas are launched as well as detecting cloned process replicas as they are being created. (Kedma, para. 0104)
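The arrangement mapped above for claim 24 (three detector sets processing RTE code and associated interpretive code in parallel, a set of scores from each, and a composite decision made by combining the score sets against a threshold) is shown below as an added example. It is not code from Malik, Song, Kedma or the application under examination; the signature patterns, native-code indicators, entropy cut-off, weights, threshold and sample objects are all constructed assumptions chosen only to exercise the three score sets.

```python
"""Composite detector over three parallel detector sets (added illustration).

Two objects, RTE code and its associated interpretive code, are each scored by
three detector sets (signature, native/deconstructed, encoded/encrypted) that
run concurrently; the composite step combines the three score sets per object
and classifies the object as compromised when the combined score exceeds a
threshold. Every pattern, indicator and weight here is a constructed assumption.
"""
from __future__ import annotations

import math
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed "special cipher character" signatures (assumption, not from any reference).
SIGNATURE_PATTERNS = [
    re.compile(r"\$\$@@#!"),                          # fixed special-symbol sequence
    re.compile(r"%u[0-9a-fA-F]{4}%u[0-9a-fA-F]{4}"),  # unicode-escape style byte pattern
]
# Constructed characteristics of deconstructed/native malicious code (assumption).
NATIVE_INDICATORS = [b"\xcc\xcc\xcc\xcc", b"WriteProcessMemory", b"CreateRemoteThread"]

ENTROPY_CUTOFF = 7.0      # bits per byte; above this we treat content as encrypted/compressed
COMPOSITE_THRESHOLD = 1.0  # combined score above which an object is classified as compromised


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_detector(obj: bytes) -> float:
    """First detector set: 0.5 per matching special-character signature, capped at 1.0."""
    text = obj.decode("latin-1")
    hits = sum(1 for p in SIGNATURE_PATTERNS if p.search(text))
    return min(1.0, 0.5 * hits)


def native_detector(obj: bytes) -> float:
    """Second detector set: 0.4 per known native-code characteristic, capped at 1.0."""
    hits = sum(1 for ind in NATIVE_INDICATORS if ind in obj)
    return min(1.0, 0.4 * hits)


def encoded_detector(obj: bytes) -> float:
    """Third detector set: indicia of compressed/encrypted/encoded content."""
    score = 0.0
    if shannon_entropy(obj) > ENTROPY_CUTOFF:
        score += 0.6  # near-uniform byte distribution
    if re.search(rb"[A-Za-z0-9+/]{64,}={0,2}", obj):
        score += 0.4  # long base64-looking run
    return min(1.0, score)


DETECTOR_SETS = {
    "signature": [signature_detector],
    "native": [native_detector],
    "encoded": [encoded_detector],
}


def score_objects(objects: dict[str, bytes]) -> dict[str, dict[str, float]]:
    """Run every detector of every set over every object concurrently.

    Returns scores[set_name][object_name]; within a set the highest detector
    score for an object is kept.
    """
    scores = {s: {o: 0.0 for o in objects} for s in DETECTOR_SETS}
    with ThreadPoolExecutor() as pool:
        futures = [
            (set_name, obj_name, pool.submit(det, data))
            for set_name, detectors in DETECTOR_SETS.items()
            for det in detectors
            for obj_name, data in objects.items()
        ]
        for set_name, obj_name, fut in futures:
            scores[set_name][obj_name] = max(scores[set_name][obj_name], fut.result())
    return scores


def composite_decision(scores: dict[str, dict[str, float]],
                       threshold: float = COMPOSITE_THRESHOLD) -> dict[str, bool]:
    """Combine the three score sets per object; True means classified as compromised."""
    object_names = next(iter(scores.values())).keys()
    return {o: sum(scores[s][o] for s in scores) > threshold for o in object_names}


def alerts(decisions: dict[str, bool]) -> list[str]:
    """Alert monitor: one alert per object determined to be compromised."""
    return [f"ALERT: {name} classified as compromised" for name, hit in decisions.items() if hit]


# Constructed sample objects (assumption): a malicious-looking RTE object and a benign script.
SAMPLE_OBJECTS = {
    "rte_code": b"mov eax, 1\nWriteProcessMemory\nCreateRemoteThread\n$$@@#!\n",
    "interpretive_code": b"var x = 1; document.write(x);",
}

if __name__ == "__main__":
    s = score_objects(SAMPLE_OBJECTS)
    d = composite_decision(s)
    print(s, d, alerts(d), sep="\n")
```

Only the sum-then-threshold combination is modelled; weighting the three sets differently or requiring agreement between sets is a policy choice the composite step can take without changing the detector interfaces.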
As per claim 25, Malik in view of Song and Kedma teaches claim 24.
Malik also teaches wherein the first set of one or more detectors is to determine a first set of characterizations and scores, ([Malik, col. 10, ln. 38-47] “Preprocessing malware check logic 250 includes one or more software modules [detectors] to conduct static analysis of content within an object to determine whether such content includes characteristics of malware [a first set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the preprocessor [first set of scores]”) wherein the second set of one or more detectors is to determine a second set of characterizations and scores, ([col. 9, ln. 60-62] “The post-processor [second set of one or more detectors] determines if the de-constructed content matches any known malware characteristics [determine a second set of characterizations]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-8] “the suspiciousness score(s) generated in the ... post-processor [second set of scores]”) wherein the third set of one or more detectors is to determine a third set of characterizations and scores, ([col. 5, ln. 66 to col. 6, ln. 10] “static analysis is conducted by static analysis engine 170 within the first MCD system 1101 [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia [a third set of characterizations] signaling that the content has been compressed, encrypted or otherwise encoded [to detect encoded/encrypted malware]”; [col. 7, ln. 63-67 to col. 8, ln. 11] “If the comparison reveals a correlation between the contents of the object and one or more malware identifiers [in this case, being encrypted] ... the static analysis engine 170 determines whether the corresponding object is “suspicious” and assigns a score to the object ... assigning a score [set of scores] to individual objects [the RTE code and the interpretive code] found in the content”; [col. 5, ln. 7-18] “the suspiciousness score(s) generated in the preprocessor [first set of scores] ... post-processor [second set of scores] .... suspiciousness score assigned to the obfuscated content [third set of scores] ... individual indicators of suspiciousness used by the preprocessor [first set of scores] and post-processor [second set of scores] ... or a combination of one or more of the following [based on the first, second and third set of scores]”) and wherein determining whether one or both of the RTE code and the associated interpretive code are compromised is based on the first set of characterizations and scores, the second set of characterizations and scores, and the third set of characterizations and scores. ([col. 12, ln. 60-63] “based on a combination of the respective scores resulting from the static scans [first, second and third set of scores as per above] exceeding a threshold, the analyzed object [the RTE code and the associated interpretive code] may be classified as malicious [determined whether one or both are compromised as each object is analyzed – see col. 7, ln. 49-52]”; as the scores are based on the characterizations and the determining whether the code is compromised is based on the scores, the determining is based on the characterizations and scores)
Claims 4-5, 7, 12-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Malik in view of Song and Kedma as applied to claims 3, 11 and 19 above and further in view of Hunt et al. (US Pub. 2021/0110037) (hereinafter “Hunt”) disclosed in the IDS dated 06/10/2024.
As per claim 4, Malik in view of Song and Kedma teaches claim 3.
Malik also teaches processing, by the third set of one or more detectors, the RTE code and the associated interpretive code. ([Malik, col. 5, ln. 66 to col. 6, ln. 10] “static analysis is conducted by static analysis engine 170 within the first MCD system 1101 [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia signaling that the content has been compressed, encrypted or otherwise encoded”)
Malik in view of Song and Kedma does not clearly teach wherein processing the code comprises: converting the code to data in one or more spectral formats; and analyzing the data in the one or more spectral formats.
However, Hunt teaches wherein processing code, comprises: ([Hunt, para. 0042] "Feature extraction module 122 can work in concert with spectral format conversion module 124 ... Data analysis processes the outputs from data monitoring .... file binaries”)
converting the code to data in one or more spectral formats; and ([Hunt, para. 0043] “Spectral format conversion module 124 may convert file binaries into spectral formats”)
analyzing the data in the one or more spectral formats. ([Hunt, para. 0044] "Spectral analysis 132 analyzes the data spectrally ... analyzes binaries”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song and Kedma with the teachings of Hunt to include wherein processing the code comprises: converting the code to data in one or more spectral formats; and analyzing the data in the one or more spectral formats. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of being able to classify obfuscated or encrypted code designed to evade classical code string and heuristic analysis techniques by uncovering subtle, low observable anomalies in code that are inconsistent with normal environmental attributes and behavior. (Hunt, para. 0044)
As per claim 5, Malik in view of Song and Kedma and further in view of Hunt teaches claim 4.
Malik in view of Song and Kedma does not clearly teach wherein the one or more spectral formats includes an acoustic format.
However, Hunt teaches wherein the one or more spectral formats includes an acoustic format. ([Hunt, para. 0043] “Spectral format conversion module 124 may convert file binaries into spectral formats ... spectral formats may include: acoustic”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song and Kedma with the teachings of Hunt to include wherein the one or more spectral formats includes an acoustic format. One of ordinary skill in the art would have been motivated to make this modification because, by using multiple inputs, analysis techniques, and detector systems, obfuscated or encrypted threats that may have previously avoided detection may be discovered and handled accordingly. (Hunt, para. 0023)
As per claim 7, Malik in view of Song and Kedma and further in view of Hunt teaches claim 4.
Malik in view of Song and Kedma does not clearly teach wherein the third set of one or more detectors includes one or more machine learning models trained using known malware.
However, Hunt teaches wherein the third set of one or more detectors includes one or more machine learning models trained using known malware. ([Hunt, claim 5] “the spectral detector [third set of one or more detectors – see para. 0043] is a machine learning algorithm trained using converted data of known malware”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song and Kedma with the teachings of Hunt to include wherein the third set of one or more detectors includes one or more machine learning models trained using known malware. One of ordinary skill in the art would have been motivated to make this modification because by training in this manner, the feature extraction module in concert with the spectral conversion module enables the spectral analysis module to ingest the extracted and formatted features and perform the classification and scoring analysis thereby allowing the analysis to uncover subtle, low observable anomalies in code. (Hunt, para. 0042; and para. 0044)
As per claim 12, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.
As per claim 13, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.
As per claim 14, Malik in view of Song, Kedma and Hunt teaches claim 12.
Malik in view of Song does not clearly teach wherein the one or more spectral formats includes an image format.
However, Hunt teaches wherein the one or more spectral formats includes an image format. ([Hunt, para. 0043] “Spectral format conversion module 124 may convert file binaries into spectral formats ... spectral formats may include ... image processing”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Malik, Song, Kedma and Hunt for the same reasons as disclosed above.
As per claim 15, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.
As per claim 20, Malik in view of Song and Kedma teaches claim 19.
Malik also teaches wherein the memory stores computer program instructions that, when executed, cause the processing device to: ([Malik, col. 7, ln. 26-30] “software modules [computer program instructions] executed by one or more processors 200 [processing device] that receive one or more objects within the content and perform a multi-stage static analysis [cause the processing device to perform the below described actions] on the objects, which may involve accessing one or more non-transitory storage mediums [memory] operating as database 175”) convert, by the third set of one or more detectors, the RTE code and the associated interpretive code to data in one or more formats. ([Col. 5, ln. 66 to col. 6, ln. 17] “static analysis is conducted by static analysis engine 170 within the first MCD system 1101 [third set of one or more detectors] ... the static analysis engine 170 determines whether the object contains obfuscated content ... The static analysis engine 170 may determine that the object [the RTE code and associated interpretive code] is obfuscated based on detecting, in the content, indicia signaling that the content has been compressed, encrypted or otherwise encoded ... the static analysis engine 170 will provide the object to an emulator 260 to render the obfuscated code to de-obfuscated format [convert to data in one or more formats]”)
Malik in view of Song and Kedma does not clearly teach convert the code to data in one or more spectral formats; and analyze the data in the one or more spectral formats.
However, Hunt teaches convert the code to data in one or more spectral formats; and ([Hunt, para. 0043] “Spectral format conversion module 124 may convert file binaries into spectral formats”)
analyze the data in the one or more spectral formats. ([Hunt, para. 0044] "Spectral analysis 132 analyzes the data spectrally ... analyzes binaries”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Malik, Song, Kedma and Hunt for the same reasons as disclosed above.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Malik in view of Song, Kedma and Hunt as applied to claim 4 above and further in view of Anderson et al. (US Pub. 2013/0326625) (hereinafter “Anderson”).
As per claim 6, Malik in view of Song, Kedma and Hunt teaches claim 4.
Malik in view of Song does not clearly teach wherein the one or more spectral formats includes an image format.
However, Hunt teaches wherein the one or more spectral formats includes an image format. ([Hunt, para. 0043] “Spectral format conversion module 124 may convert file binaries into spectral formats ... spectral formats may include ... image processing”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Malik, Song and Hunt for the same reasons as disclosed above.
Malik in view of Song, Kedma and Hunt does not clearly teach wherein converting the RTE code and the associated interpretive code to the data in the one or more spectral formats comprises converting the associated interpretive code to a grayscale image, and wherein analyzing the data in the one or more spectral formats comprises analyzing the grayscale image.
However, Anderson teaches wherein converting the RTE code and the associated interpretive code to the data in the one or more spectral formats ([Anderson, para. 0188] “In one implementation of malware classification ... a binary data source [RTE code] can be used”; [para. 0036] “Fig. 29 shows a grayscale representation [converting to the data in one or more spectral formats] of a heat map for an implementation for a kernel based on a binary data source”) comprises converting the associated interpretive code to a grayscale image, and ([para. 0189] “in ... malware classification, dynamic data sources can be used”; [para. 0195] “dynamic sources of data ... the instruction traces or system call traces ... over run or execution of the program [associated interpretive code as it interprets the execution of the binary/program/RTE code]”)
wherein analyzing the data in the one or more spectral formats comprises analyzing the grayscale image ([Anderson, para. 0059] “the similarity matrix [the grayscale image] sent to a kernel-based classification algorithm or process ... to perform classification [analyzing the grayscale image]”; [para. 0159] “grayscale representation of respective heat maps ... the values for the similarity matrix [the data in the one or more spectral formats/grayscale image]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Malik in view of Song, Kedma and Hunt with the teachings of Anderson to include wherein converting the RTE code and the associated interpretive code to the data in the one or more spectral formats comprises converting the associated interpretive code to a grayscale image, and wherein analyzing the data in the one or more spectral formats comprises analyzing the grayscale image. One of ordinary skill in the art would have been motivated to make this modification because combining data sources (such as using the grayscale image of the associated interpretive code above) can increase the performance of a classification system while lowering the number of false positives as well as achieving high performance in a short amount of time. (Anderson, para. 0063)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Saxena et al. (US Pub. 2016/0328562) discloses providing an ability to execute data-parallel functions for searching memory in connection with malware detection tasks, where scans can operate on memory corresponding to a plurality of processes in parallel.
Farhady et al. (US Pub. 2020/0162483) discloses malware detection where features of multiple binary files may be processed in parallel by a machine learning model, which enhances speed optimization and leverages analysis of the same features for multiple binary files at the same time.
Vincent (US Patent No. 10,817,606) discloses detecting malware using run-time monitoring agents, where the monitoring agents are run simultaneously or in parallel, and using the monitoring agents to create a dynamic learning system.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634. The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493