DETAILED ACTION
This non-final Office Action is in response to applicants’ filing on 07/05/2024. Claims 1-14 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). The certified copy has been retrieved on 08/02/2024.
Drawings
The drawings filed on 07/05/2024 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/05/2024 has been placed in the application file, and the information referred to therein has been considered as to the merits.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: “an analysis section”, “a conversion section”, “a generation section” in Claim 1 and “a malware analysis apparatus”, “an analysis section”, “a conversion section”, “a generation section” in Claim 14.
Because these claim limitations are being interpreted under pre-AIA 35 U.S.C. 112, sixth paragraph (or 35 U.S.C. 112(f)), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA 35 U.S.C. 112, sixth paragraph (or 35 U.S.C. 112(f)) limitations: Specification para. [0048]-[0050]; FIG. 1.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 4, 10, 11, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over DASGUPTA et al. (US 20220366048 A1, hereinafter Dasgupta) in view of LU (US 20130091571 A1).
As to Claim 1:
Dasgupta discloses a malware analysis apparatus (e.g. Dasgupta “An artificial intelligence (AI) based advanced malware detection tool (AIMaD), which uses a combination of both static and dynamic malware analysis in a machine learning (ML) framework. It uses reverse engineering and feature extraction technique at DLL, function call, and assembly levels; these multi-level features are then processed with N-gram (i.e., Natural Language Processing, NLP), association rule mining to feed in different machine learning classifiers. The AIMaD is able to detect malware/ransomware with high accuracy and low false-positive rate” [Abstract]) comprising:
an analysis section (e.g. Dasgupta instructions executed by computer’s central processing unit (CPU) [0025]) that performs dynamic analysis and static analysis of analysis target malware (e.g. Dasgupta “tool (AIMaD), which uses a combination of both static and dynamic malware analysis” [0004]; “Static analysis is used to capture the structural properties of the binary (executable)” [0013]; “Dynamic analysis is done using a virtualized environment such as, but not limited to, a Cuckoo sandbox, and a dynamic binary instrumentation (DBI) tool, such as, but not limited to, PIN. Cuckoo sandbox has a modular design supporting multiple environments and provides flexibility in result analysis. Other forms of virtualized environment may be used” [0014]);
a conversion section that converts a result of the dynamic analysis and a result of the static analysis into natural language, and generates explanations of the analysis results (e.g. Dasgupta “these multi-level features are then processed with N-gram (i.e., Natural Language Processing, NLP), association rule mining to feed in different machine learning classifiers” [0004]; “features are extracted at DLL, function call and assembly level, and processed with NLP” [0012]; “Natural Language Processing (NLP) techniques such as N-gram, Term Frequency-Inverse Document Frequency (TF-IDF), and Term Frequency (TF) are used and leveraged to generate a feature database to be fed into the ML classifiers” [0016]; “Malware and ransomware specific behavioral chains are basically multilevel chains which are constructed by studying the behavior of different ransomware families… Both static and dynamic analysis of ransomware binaries reveals the different chains which are seen in a wide range of malware and ransomware families” [0028]; [0030]-[0046]; “automatically performing multi-level classification using said feature list to determine one or more behavior chains in said code, based on relations and patterns among variables at multiple levels in said code” [0055]); and
a generation section that generates information regarding a behavior of the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]),
But Dasgupta does not specifically disclose:
the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis.
However, the analogous art LU does disclose the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis (e.g. LU “Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]; “malware behavior reports from the dynamic analysis process(es) 820 may also be provided as an input to the comparison routine 816” [0055]). Dasgupta and LU are analogous art because they are from the same field of endeavor in malware detection and analysis.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Dasgupta and LU before him or her, to modify the disclosure of Dasgupta with the teachings of LU to include the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis as claimed. The suggestion/motivation for doing so would have been so that the static analysis and dynamic analysis components work together processing malware original disassembly code to provide important discovery of the malware in high-speed, high-volume implementations (LU [0035]). Therefore, it would have been obvious to combine Dasgupta and LU to obtain the invention as specified in the instant claim(s).
As to Claim 2:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 1, wherein the generation section generates and uses the information regarding the behavior of the analysis target malware to assist an analyst in analyzing the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; [0046]; see also LU “Once the analyzer 120 completes analysis, the sample management platform/components 110 will retrieve analysis results, perform secondly parsing and analysis, and forward such result to a desired location or recipient” [0019]; [0034]; “In connection with the detail reports and summary reports 1118, the intelligent reporting process may also directly produce alerts to IT administrators or systems 1120” [0060]). The Examiner supplies the same rationale for the combination of references Dasgupta and LU as in Claim 1.
As to Claim 4:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 1, wherein the generation section generates the information regarding the behavior of the analysis target malware on a basis of a difference between the explanations generated respectively from the dynamic analysis and the static analysis (e.g. LU “Here, for example, such electronic and/or graphical representation may show the entire malware logic execution, using two different indicia (e.g., different markers, colors, etc.) to distinguish the latent code path from executed logic path” [0033]; “Malware binary code may be reverse engineered to at least the disassembly level, e.g., to reveal latent logic bombs or other executables that are inaccessible, unavailable or otherwise unable to be explored during dynamic analysis. Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]). The Examiner supplies the same rationale for the combination of references Dasgupta and LU as in Claim 1.
As to Claim 10:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 1, wherein the generation section compares the results of the static analysis and/or the results of the dynamic analysis to generate the information regarding the behavior of the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]; see also LU “Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]; “malware behavior reports from the dynamic analysis process(es) 820 may also be provided as an input to the comparison routine 816” [0055]). The Examiner supplies the same rationale for the combination of references Dasgupta and LU as in Claim 1.
As to Claim 11:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 10, wherein the generation section detects extended functionality of an analysis target by comparing the results of the static analysis of different pieces of the analysis target malware (e.g. LU “This detail and completed malware disassembly source code may then be provided to static analysis engine at 544, wherein it compares all malware code logic execution path with the paths already executed showing in run time logs, such that the malware latent code (malware code logic that hasn't been executed) may be uncovered. Further, when graphical means are utilized, different indicia such as colors may be used to highlight the logic path executed and ones not executed yet in the calling graph at 548. Also, at 550, the input of completed detail disassembly source code may then be used to classify the malware family” [0043]; “All this information may be utilized, at 722, wherein a static analysis engine or process sorts out all calling functions and sub functions, system API names and symbols. Next, at 724, static analysis may proceed to building malware execution logic path graphs or other logic representations, wherein currently executed path or path(s) are delineated and represented, and logic code path(s) that haven't yet been executed (e.g., potential payloads, hidden logic, etc.) are also delineated and represented. The process may then proceed to providing listings of all malware logic paths 726, including those executed and not executed, and then producing logic execution graphs (e.g., .gml files, etc.), highlighting the various branching conditions, nodes, etc” [0048]). The Examiner supplies the same rationale for the combination of references Dasgupta and LU as in Claim 1.
As to Claim 13:
Dasgupta discloses a malware analysis method of, by a processor, executing a program recorded in a memory (e.g. Dasgupta “methods to prevent and protect against attacks by advanced malware, including, but not limited to, ransomware” [0002]; instructions executed by computer’s central processing unit (CPU) [0025]), the method comprising:
performing dynamic analysis and static analysis of analysis target malware (e.g. Dasgupta “tool (AIMaD), which uses a combination of both static and dynamic malware analysis” [0004]; “Static analysis is used to capture the structural properties of the binary (executable)” [0013]; “Dynamic analysis is done using a virtualized environment such as, but not limited to, a Cuckoo sandbox, and a dynamic binary instrumentation (DBI) tool, such as, but not limited to, PIN. Cuckoo sandbox has a modular design supporting multiple environments and provides flexibility in result analysis. Other forms of virtualized environment may be used” [0014]);
converting a result of the dynamic analysis and a result of the static analysis into natural language (e.g. Dasgupta [Abstract]; “these multi-level features are then processed with N-gram (i.e., Natural Language Processing, NLP), association rule mining to feed in different machine learning classifiers” [0004]; “features are extracted at DLL, function call and assembly level, and processed with NLP” [0012]; “Natural Language Processing (NLP) techniques such as N-gram, Term Frequency-Inverse Document Frequency (TF-IDF), and Term Frequency (TF) are used and leveraged to generate a feature database to be fed into the ML classifiers” [0016]), and
generating explanations of the analysis results (e.g. Dasgupta “Malware and ransomware specific behavioral chains are basically multilevel chains which are constructed by studying the behavior of different ransomware families… Both static and dynamic analysis of ransomware binaries reveals the different chains which are seen in a wide range of malware and ransomware families” [0028]; [0030]-[0046]; “automatically performing multi-level classification using said feature list to determine one or more behavior chains in said code, based on relations and patterns among variables at multiple levels in said code” [0055]); and
generating information regarding a behavior of analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]);
But Dasgupta does not specifically disclose:
information that is obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis.
However, the analogous art LU does disclose information that is obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis (e.g. LU “Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]; “malware behavior reports from the dynamic analysis process(es) 820 may also be provided as an input to the comparison routine 816” [0055]). Dasgupta and LU are analogous art because they are from the same field of endeavor in malware detection and analysis.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Dasgupta and LU before him or her, to modify the disclosure of Dasgupta with the teachings of LU to include information that is obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis as claimed. The suggestion/motivation for doing so would have been so that the static analysis and dynamic analysis components work together processing malware original disassembly code to provide important discovery of the malware in high-speed, high-volume implementations (LU [0035]). Therefore, it would have been obvious to combine Dasgupta and LU to obtain the invention as specified in the instant claim(s).
As to Claim 14:
Dasgupta discloses a malware analysis system (e.g. Dasgupta “An artificial intelligence (AI) based advanced malware detection tool (AIMaD), which uses a combination of both static and dynamic malware analysis in a machine learning (ML) framework. It uses reverse engineering and feature extraction technique at DLL, function call, and assembly levels; these multi-level features are then processed with N-gram (i.e., Natural Language Processing, NLP), association rule mining to feed in different machine learning classifiers. The AIMaD is able to detect malware/ransomware with high accuracy and low false-positive rate” [Abstract]) comprising:
a malware analysis apparatus that analyzes analysis target malware (e.g. Dasgupta “The system is used to inspect the function and activity traces of major malware and ransomware families, and define the major chains which are seen therein” [0029]); and
a display apparatus that presents a result of analysis of the analysis target malware to an analyst (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]);
wherein the malware analysis apparatus includes:
an analysis section (e.g. Dasgupta instructions executed by computer’s central processing unit (CPU) [0025]) that performs dynamic analysis and static analysis of the analysis target malware (e.g. Dasgupta “tool (AIMaD), which uses a combination of both static and dynamic malware analysis” [0004]; “Static analysis is used to capture the structural properties of the binary (executable)” [0013]; “Dynamic analysis is done using a virtualized environment such as, but not limited to, a Cuckoo sandbox, and a dynamic binary instrumentation (DBI) tool, such as, but not limited to, PIN. Cuckoo sandbox has a modular design supporting multiple environments and provides flexibility in result analysis. Other forms of virtualized environment may be used” [0014]),
a conversion section that converts a result of the dynamic analysis and a result of the static analysis into natural language, and generates explanations of the analysis results (e.g. Dasgupta “these multi-level features are then processed with N-gram (i.e., Natural Language Processing, NLP), association rule mining to feed in different machine learning classifiers” [0004]; “features are extracted at DLL, function call and assembly level, and processed with NLP” [0012]; “Natural Language Processing (NLP) techniques such as N-gram, Term Frequency-Inverse Document Frequency (TF-IDF), and Term Frequency (TF) are used and leveraged to generate a feature database to be fed into the ML classifiers” [0016]; “Malware and ransomware specific behavioral chains are basically multilevel chains which are constructed by studying the behavior of different ransomware families… Both static and dynamic analysis of ransomware binaries reveals the different chains which are seen in a wide range of malware and ransomware families” [0028]; [0030]-[0046]; “automatically performing multi-level classification using said feature list to determine one or more behavior chains in said code, based on relations and patterns among variables at multiple levels in said code” [0055]), and
a generation section that generates information regarding a behavior of the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]),
But Dasgupta does not specifically disclose:
the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis.
However, the analogous art LU does disclose the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis (e.g. LU “Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]; “malware behavior reports from the dynamic analysis process(es) 820 may also be provided as an input to the comparison routine 816” [0055]). Dasgupta and LU are analogous art because they are from the same field of endeavor in malware detection and analysis.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Dasgupta and LU before him or her, to modify the disclosure of Dasgupta with the teachings of LU to include the information being obtained by comparing the explanations generated respectively from the dynamic analysis and the static analysis as claimed. The suggestion/motivation for doing so would have been so that the static analysis and dynamic analysis components work together processing malware original disassembly code to provide important discovery of the malware in high-speed, high-volume implementations (LU [0035]). Therefore, it would have been obvious to combine Dasgupta and LU to obtain the invention as specified in the instant claim(s).
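The static-versus-dynamic comparison that the LU excerpts cited for Claims 1, 4, 10, 11, 13 and 14 describe (all logic paths recovered from the disassembly compared against the paths seen in run-time logs, latent code uncovered, a user-interpretable report produced), as an added Python example that is not part of this Office Action nor of the Dasgupta or LU references. The call graph, sandbox trace, API names and behaviour-chain definitions are constructed sample data, and the chain matching is a hypothetical reading of the "chain ingredients" language.

```python
"""Added example, not from the Office Action or the Dasgupta/LU references:
compare the logic paths static analysis finds in a disassembly with the paths
a sandbox run executed, explain both in plain language and flag latent code.
All graphs, traces and chain definitions below are constructed sample data."""
from collections import defaultdict

# Constructed static call graph "from the disassembly": every caller -> callee
# relationship in the binary, whether or not it ever runs in the sandbox.
STATIC_CALL_GRAPH = {
    "entry": ["init_config", "check_trigger"],
    "init_config": ["RegOpenKeyExW", "RegQueryValueExW"],
    "check_trigger": ["GetSystemTime", "sleep_loop", "payload"],
    "sleep_loop": ["Sleep"],
    "payload": ["CryptAcquireContextW", "CryptEncrypt", "DeleteFileW"],
}

# Constructed sandbox trace: (caller, callee) edges observed at run time.
# The sample read the clock and slept; payload() was never reached.
DYNAMIC_TRACE = [
    ("entry", "init_config"),
    ("init_config", "RegOpenKeyExW"),
    ("init_config", "RegQueryValueExW"),
    ("entry", "check_trigger"),
    ("check_trigger", "GetSystemTime"),
    ("check_trigger", "sleep_loop"),
    ("sleep_loop", "Sleep"),
]

# Hypothetical behaviour-chain definitions (the references' "chain
# ingredients"): a chain matches when every ingredient appears in latent code.
BEHAVIOUR_CHAINS = {
    "file-encryption": {"CryptAcquireContextW", "CryptEncrypt", "DeleteFileW"},
    "registry-persistence": {"RegOpenKeyExW", "RegSetValueExW"},
}


def static_paths(graph, root="entry"):
    """Enumerate every root-to-leaf logic path the call graph admits."""
    paths = []

    def walk(node, path, seen):
        callees = graph.get(node, [])
        if not callees:
            paths.append(tuple(path))
            return
        for callee in callees:
            if callee not in seen:  # skip back-edges so recursion cannot loop
                walk(callee, path + [callee], seen | {callee})

    walk(root, [root], {root})
    return paths


def executed_paths(trace, root="entry"):
    """Rebuild the paths the dynamic trace exercised from its observed edges."""
    graph = defaultdict(list)
    for caller, callee in trace:
        if callee not in graph[caller]:
            graph[caller].append(callee)
    return static_paths(graph, root)


def explain(path, source):
    """One natural-language explanation per path, worded by analysis type."""
    verb = "can execute" if source == "static" else "executed"
    via = " -> ".join(path[1:-1]) or "a direct call"
    return f"{source} analysis: {path[0]} {verb} {path[-1]} via {via}"


def compare(graph, trace, root="entry"):
    """Compare static and dynamic explanations; the difference is latent logic."""
    all_paths = set(static_paths(graph, root))
    run_paths = set(executed_paths(trace, root))
    latent = sorted(all_paths - run_paths)
    reached = {root} | {callee for _, callee in trace}
    # Divergence point: deepest node on a latent path that the sandbox reached,
    # i.e. the branch whose untaken side hides the latent code.
    divergence = set()
    for path in latent:
        divergence.add(path[max(i for i, n in enumerate(path) if n in reached)])
    latent_apis = {path[-1] for path in latent}
    chains = sorted(n for n, needed in BEHAVIOUR_CHAINS.items() if needed <= latent_apis)
    return {
        "static": [explain(p, "static") for p in sorted(all_paths)],
        "dynamic": [explain(p, "dynamic") for p in sorted(run_paths)],
        "latent": latent,
        "divergence": divergence,
        "chains": chains,
    }


def summary_report(result):
    """User-interpretable summary lines an analyst can act on."""
    lines = [f"{len(result['static'])} static paths, {len(result['dynamic'])} "
             f"executed, {len(result['latent'])} latent"]
    for node in sorted(result["divergence"]):
        lines.append(f"branch not taken at {node}: check its condition for a time/event trigger")
    for path in result["latent"]:
        lines.append("latent: " + " -> ".join(path))
    for name in result["chains"]:
        lines.append(f"latent code matches behaviour chain '{name}'")
    return lines
```

Calling `summary_report(compare(STATIC_CALL_GRAPH, DYNAMIC_TRACE))` on the constructed data reports three latent paths under `check_trigger`, all leading into the never-executed `payload` routine, and matches them to the hypothetical file-encryption chain.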
Claims 3 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Dasgupta in view of LU as applied to Claim 1, and further in view of Rostami-Hesarsorkh et al. (US 20170251003 A1, hereinafter Rostami).
As to Claim 3:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 2,
wherein the generation section generates and uses the information regarding the behavior of the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]), but does not specifically disclose:
to suggest a target to be analyzed by the analyst with respect to the analysis target malware.
However, the analogous art Rostami does disclose to suggest a target to be analyzed by the analyst with respect to the analysis target malware (e.g. Rostami “the malware analysis platform provides a user interface that can be utilized to show logs of a selected malware sample and highlight the most suspicious lines in the log (e.g., lines with high malware count/low benign count)” [0079]; “malware analysis platform for threat intelligence, artifacts are highlighted both on the dashboard and within search results (e.g., search results spotlight significant artifacts that are identified according to risk; and the dashboard and search editor both can allow a user” [0167]; “the dashboard widgets highlight the top ten artifacts depending on the context (e.g., organization, industry, or all) and time range selected, including the following… Top Malware (e.g., displays the ten malware samples with the most hits)” [0193]; [0209]). Dasgupta, LU, and Rostami are analogous art because they are from the same field of endeavor in malware detection and analysis.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Dasgupta, LU, and Rostami before him or her, to modify the combination of Dasgupta and LU with the teachings of Rostami to include to suggest a target to be analyzed by the analyst with respect to the analysis target malware as claimed. The suggestion/motivation for doing so would have been to provide a malware analysis platform that can facilitate viewing, analyzing, and acting upon attributes (e.g., high-risk attributes) associated with malware (Rostami [0043]). Therefore, it would have been obvious to combine Dasgupta, LU, and Rostami to obtain the invention as specified in the instant claim(s).
As to Claim 5:
Dasgupta in view of LU discloses the malware analysis apparatus according to claim 4,
wherein the generation section generates the information that is determined based on the difference (e.g. LU “Once the disassembly source code is obtained, static analysis features may be employed to reveal all of the Malware's logic paths and compare such results with dynamic analysis result, to obtain information regarding hidden logic executables or bombs, such as those that are only trigged at future times, events” [0044]; “malware behavior reports from the dynamic analysis process(es) 820 may also be provided as an input to the comparison routine 816” [0055]; with the same rationale for the combination of references Dasgupta and LU as in Claim 1), and uses the generated information as the information regarding the behavior of the analysis target malware (e.g. Dasgupta “The software tool (AIMaD) provides a user-interpretable summary report of the malware analysis which is very useful for mitigation” [0013]; “the system considers association rules with minimum support threshold 2 and confidence threshold 0.8, and check whether these match with the defined chain ingredients. Only the matching chains are considered to form the functionality chains” [0047]; “The AIMaD tool uses these techniques and systems and provides the meaningful analysis of results” [0048]; “automatically determining whether any of said one or more behavior chains in said code comprise a malware-specific chain” [0056]), but does not specifically disclose:
to recommend a portion of the analysis target malware that should be analyzed by an analyst.
However, the analogous art Rostami does disclose to recommend a portion of the analysis target malware that should be analyzed by an analyst (e.g. Rostami “the malware analysis platform provides a user interface that can be utilized to show logs of a selected malware sample and highlight the most suspicious lines in the log (e.g., lines with high malware count/low benign count)” [0079]; “malware analysis platform for threat intelligence, artifacts are highlighted both on the dashboard and within search results (e.g., search results spotlight significant artifacts that are identified according to risk; and the dashboard and search editor both can allow a user” [0167]; “the dashboard widgets highlight the top ten artifacts depending on the context (e.g., organization, industry, or all) and time range selected, including the following… Top Malware (e.g., displays the ten malware samples with the most hits)” [0193]; [0209]). Dasgupta, LU, and Rostami are analogous art because they are from the same field of endeavor in malware detection and analysis.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Dasgupta, LU, and Rostami before him or her, to modify the combination of Dasgupta and LU with the teachings of Rostami to include to recommend a portion of the analysis target malware that should be analyzed by an analyst as claimed. The suggestion/motivation for doing so would have been to provide a malware analysis platform that can facilitate viewing, analyzing, and acting upon attributes (e.g., high-risk attributes) associated with malware (Rostami [0043]). Therefore, it would have been obvious to combine Dasgupta, LU, and Rostami to obtain the invention as specified in the instant claim(s).
Allowable Subject Matter
Claims 6-9 and 12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
KIM et al. (US 20110239294 A1)
Vincent et al. (US 20150096022 A1)
DHANKHA et al. (US 20200026851 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9:30am-5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KENNETH W CHANG/Primary Examiner, Art Unit 2438
01.20.2026