DETAILED ACTION
This first non-final action is in response to applicants’ filing on 07/22/2024. Claims 1-20 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings filed on 07/22/2024 are accepted.
Claim Objections
Claims 12, 13, and 17 are objected to because of the following informalities:
Claim 12 line 11 recites “the similarity threshold,” which should be corrected as “the similarity threshold value,”; line 12 recites “the respective stored signature” which should be corrected as “the respective stored software signature”;
Claim 13 line 1 recites “the similarity threshold” which should be corrected as “the similarity threshold value”;
Claim 17 line 14 recites “one or more stored software signature” which should be corrected as “one or more stored software signatures”;
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-6 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu et al. (US 20050028002 A1, hereinafter Christodorescu) in view of Tuvell et al. (US 20070240217 A1, hereinafter Tuvell).
As to Claim 1:
Christodorescu discloses a computer-implemented method for identifying libraries used in applications (e.g. Christodorescu “a method of detecting malicious code portions that is largely indifferent to the expression of the malicious code but is instead sensitive to the function of the malicious code. This functional analysis is done by converting varying expressions into a standardized form prior to application of signature analysis” [0012]; “The program may include a library of patterns matching to one or more instructions of the suspect program, and the preprocessor may create the standardized version by replacing instructions of the suspect program with matching patterns. The library of standardized malicious code portions may also be collections of these patterns” [0027]), the method comprising:
accessing, by a computing system including one or more processors (e.g. Christodorescu computer with processor executing the computer program [0011]), application content for a respective application; wherein the application content includes a plurality of instructions associated with the application (e.g. Christodorescu “a preprocessor portion for receiving a suspect program and creating a logically equivalent standardized version of the program” [0011]; [0025]; “raw code 10 from a malicious program will be comprised of instruction lines 12 of instructions and/or data” [0038]; binary executable is received and listing of instructions is determined [0044]);
generating, by the computing system, one or more software signatures for the respective application based on an analysis of the plurality of instructions (e.g. Christodorescu “implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions. This functional analysis is made possible by a preprocessor that converts the program instructions into a standard form denoting their function. A search of the standard form of the suspect program for viral signatures in standard form is then used to detect the malicious code” [0010]; “create the standardized version by replacing instructions of the suspect program with matching patterns” [0027]);
determining, by the computing system, that the one or more software signatures match one or more stored software signatures from a plurality of stored software signatures stored in a database of known software signatures (e.g. Christodorescu “The library of standardized malicious code portions may also be collections of these patterns” [0027]; “A library of patterns may be implemented as a simple look-up table” [0029]; “The malicious code patterns 40 are stored in tables that may be updated like the tables for the standard definitions 28 as new malicious programs and/or obfuscation techniques are developed” [0060]; “performs a string comparison operation searching for the malicious code patterns 40 in the standardized version 31 with the data references” [0062]; “If a match is confirmed at this stage, then the instruction lines, in this case (7'), (2'), (3'), (4') and (9'), may be output as indicated by state 52, indicating there has been a match, plus providing the actual instruction lines 12 for possible additional analysis” [0064]);
determining, by the computing system, based on the one or more stored software signatures that match the one or more software signatures, one or more software issues within the respective application (e.g. Christodorescu “the malicious code will be rendered visible” [0066]; “reviewing the standardized version against the library of malicious code portions to provide an output indicating when a malicious code portion is present in the suspect program” [Claim 1]);
But Christodorescu does not specifically disclose:
the instructions are grouped into methods;
transmitting, by the computing system, data describing the one or more software issues for display.
However, the analogous art Tuvell does disclose the instructions are grouped into methods (e.g. Tuvell “the code instructions are decoded and divided in broad categories. In an exemplary embodiment, the following set of code instruction categories function” [0161]; “To analyze 906 the code, the feature based relationship determining method 900 extracts 904 object code for individual procedures, disassembles it into assembly code, and categorizes it. Most malicious procedures such as replication, spreading, and system corruption use system functions, e.g., functions like File Open, File Read, etc. Identifying 906 these functionalities in binary executables allows them to be used as feature elements in a feature set” [0202]; “a plurality of logically grouped categories of code instructions” [Claim 10]) and transmitting, by the computing system, data describing the one or more software issues for display (e.g. Tuvell “method provides a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware on a mobile network” [0023]; “The reporting/visualization component 1004 takes input from the client data server 1002 to generate statistics and dynamic graphs depicting malware activity…a handset upon detecting malware generates an internal log file in plain text containing the name of the infected file and the name of the malware that infected the file” [0247]; “The client virus scanners 1012 report back information about any malware to the client data server 1002” [0248]; “the reporting/visualization engine 1004 generates straightforward visual reports to alert managers and operators as to which platforms are infected” [0275]; “The report can be run to the screen 1110 or it can be exported 1108 in a data structure, for example a semi-colon delimited text file. When run to the screen 1110, the data can be presented any number of ways including, for example, a text list 1412 of which platforms are infected” [0280]). Christodorescu and Tuvell are analogous art because they are from the same field of endeavor in detecting malicious code instructions.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu and Tuvell before him or her, to modify the disclosure of Christodorescu with the teachings of Tuvell to include the instructions are grouped into methods and transmitting, by the computing system, data describing the one or more software issues for display as claimed. The suggestion/motivation for doing so would have been to provide a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware (Tuvell [0023]). Therefore, it would have been obvious to combine Christodorescu and Tuvell to obtain the invention as specified in the instant claim(s).
As to Claim 2:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim 1, wherein generating, by the computing system, one or more software signatures for the respective application based on an analysis of the plurality of instructions further comprises determining, by the computing system, one or more software subsections within the plurality of instructions (e.g. Christodorescu “identifying malicious portions in a suspect program” [0011]; “The detector portion may output a representation of the malicious code portion when the malicious portion is present in the suspect program” [0031]).
As to Claim 3:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim
2, wherein generating, by the computing system, one or more software signatures for the respective application based on an analysis of the plurality of instructions further comprises: generating a distinct software signature for each software subsection (e.g. Christodorescu “effectively implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions. This functional analysis is made possible by a preprocessor that converts the program instructions into a standard form denoting their function” [0010]; “identifying malicious portions in a suspect program. The computer program comprises a preprocessor portion for receiving a suspect program and creating a logically equivalent standardized version of the program. A detector portion of the computer program reviews the standardized version of the suspect program against a library of standardized malicious code portions to provide an output indicating when a malicious code portion is present in the suspect program” [0011]; “provide a unique functional expression of code that may be used to provide effective functional analysis” [0018]).
As to Claim 4:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim
2, wherein the one or more software subsections include methods within the plurality of instructions (e.g. Tuvell “extracting 904 object code from the selected applications, analyzing 906 the code by monitoring ARM branch-link commands, identifying common code procedures, and monitoring activated functions… malware detection method 901 scans 914 a target application's code, derives 916 which feature sets are present in the target application, and compares 918 the derived feature sets” [0180]; “The feature based malware extraction and detection methods 900, 901 use probability models to examine the relationship between a set of basic procedures used by normal non-malicious, or malware-free, programs and a set of procedures typically used by malicious malware” [0181]; [0183]; [0202]-[0223]). The Examiner supplies the same rationale for the combination of references Christodorescu and Tuvell as in Claim 1.
As to Claim 5:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim 1, wherein the software signature comprises a header section and a body section (e.g. Tuvell “a malware detection method for mobile platforms using search strings derived from the uncompressed headers and compressed code sections of data packages” [0026]; “A signature extraction method 100 builds a search string database 110 containing a semi-optimal set of signature or search strings extracted 108 from the header and code section candidate strings 130… a common set of strings labeled as candidate, or signature, strings 130 for each malware family is identified 106 in either or both the uncompressed header section 122 of the packaged executable 120a, 120b and the compressed code section 124” [0047]; [0049]). The Examiner supplies the same rationale for the combination of references Christodorescu and Tuvell as in Claim 1.
As to Claim 6:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim 5, wherein generating, by the computing system, one or more software signatures for the respective application based on an analysis of the plurality of instructions further comprises: identifying, by the computing system for a respective software subsection, one or more characteristics of the respective software subsection (e.g. Christodorescu “implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions… converts the program instructions into a standard form denoting their function” [0010]; “detecting malicious code portions that is largely indifferent to the expression of the malicious code but is instead sensitive to the function of the malicious code. This functional analysis is done by converting varying expressions into a standardized form prior to application of signature analysis” [0012]).
As to Claim 17:
Christodorescu discloses a computing system for evaluating applications automatically, the system comprising: one or more processors and one or more non-transitory computer-readable memories; wherein the one or more non-transitory computer-readable memories store instructions (e.g. Christodorescu “computer program for detecting malicious programs such as computer viruses and the like” [0002]; computer with processor executing the computer program [0011]; computer [0039])that, when executed by the processor, cause the computing system to perform operations , the operations comprising:
accessing application content for a respective application; wherein the application content includes a plurality of instructions associated with the application (e.g. Christodorescu “a preprocessor portion for receiving a suspect program and creating a logically equivalent standardized version of the program” [0011]; [0025]; “raw code 10 from a malicious program will be comprised of instruction lines 12 of instructions and/or data” [0038]; binary executable is received and listing of instructions is determined [0044]);
generating one or more software signatures for the respective application based on an analysis of the plurality of instructions (e.g. Christodorescu “implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions. This functional analysis is made possible by a preprocessor that converts the program instructions into a standard form denoting their function. A search of the standard form of the suspect program for viral signatures in standard form is then used to detect the malicious code” [0010]; “create the standardized version by replacing instructions of the suspect program with matching patterns” [0027]);
determining that the one or more software signatures match one or more stored software signatures from a plurality of stored software signatures stored in a database of known software signatures (e.g. Christodorescu “The library of standardized malicious code portions may also be collections of these patterns” [0027]; “A library of patterns may be implemented as a simple look-up table” [0029]; “The malicious code patterns 40 are stored in tables that may be updated like the tables for the standard definitions 28 as new malicious programs and/or obfuscation techniques are developed” [0060]; “performs a string comparison operation searching for the malicious code patterns 40 in the standardized version 31 with the data references” [0062]; “If a match is confirmed at this stage, then the instruction lines, in this case (7'), (2'), (3'), (4') and (9'), may be output as indicated by state 52, indicating there has been a match, plus providing the actual instruction lines 12 for possible additional analysis” [0064]);
determining based on the one or more stored software signature that match the one or more software signatures, one or more software issues within the respective application (e.g. Christodorescu “the malicious code will be rendered visible” [0066]; “reviewing the standardized version against the library of malicious code portions to provide an output indicating when a malicious code portion is present in the suspect program” [Claim 1]);
But Christodorescu does not specifically disclose:
the instructions are grouped into methods;
transmitting data describing the one or more software issues for display.
However, the analogous art Tuvell does disclose the instructions are grouped into methods (e.g. Tuvell “the code instructions are decoded and divided in broad categories. In an exemplary embodiment, the following set of code instruction categories function” [0161]; “To analyze 906 the code, the feature based relationship determining method 900 extracts 904 object code for individual procedures, disassembles it into assembly code, and categorizes it. Most malicious procedures such as replication, spreading, and system corruption use system functions, e.g., functions like File Open, File Read, etc. Identifying 906 these functionalities in binary executables allows them to be used as feature elements in a feature set” [0202]; “a plurality of logically grouped categories of code instructions” [Claim 10]) and transmitting data describing the one or more software issues for display (e.g. Tuvell “method provides a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware on a mobile network” [0023]; “The reporting/visualization component 1004 takes input from the client data server 1002 to generate statistics and dynamic graphs depicting malware activity…a handset upon detecting malware generates an internal log file in plain text containing the name of the infected file and the name of the malware that infected the file” [0247]; “The client virus scanners 1012 report back information about any malware to the client data server 1002” [0248]; “the reporting/visualization engine 1004 generates straightforward visual reports to alert managers and operators as to which platforms are infected” [0275]; “The report can be run to the screen 1110 or it can be exported 1108 in a data structure, for example a semi-colon delimited text file. When run to the screen 1110, the data can be presented any number of ways including, for example, a text list 1412 of which platforms are infected” [0280]). Christodorescu and Tuvell are analogous art because they are from the same field of endeavor in detecting malicious code instructions.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu and Tuvell before him or her, to modify the disclosure of Christodorescu with the teachings of Tuvell to include the instructions are grouped into methods and transmitting data describing the one or more software issues for display as claimed. The suggestion/motivation for doing so would have been to provide a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware (Tuvell [0023]). Therefore, it would have been obvious to combine Christodorescu and Tuvell to obtain the invention as specified in the instant claim(s).
As to Claim 18:
Christodorescu in view of Tuvell discloses the computer system of claim 17, wherein generating one or more software signatures for the respective application based on an analysis of the plurality of instructions further comprises determining one or more software subsections within the plurality of instructions (e.g. Christodorescu “identifying malicious portions in a suspect program” [0011]; “The detector portion may output a representation of the malicious code portion when the malicious portion is present in the suspect program” [0031]).
As to Claim 19:
Christodorescu in view of Tuvell discloses the computer system of claim
18, wherein generating one or more software signatures for the respective application based on an analysis of the plurality of instructions further comprises: generating a distinct software signature for each software subsection (e.g. Christodorescu “effectively implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions. This functional analysis is made possible by a preprocessor that converts the program instructions into a standard form denoting their function” [0010]; “identifying malicious portions in a suspect program. The computer program comprises a preprocessor portion for receiving a suspect program and creating a logically equivalent standardized version of the program. A detector portion of the computer program reviews the standardized version of the suspect program against a library of standardized malicious code portions to provide an output indicating when a malicious code portion is present in the suspect program” [0011]; “provide a unique functional expression of code that may be used to provide effective functional analysis” [0018]).
As to Claim 20:
Christodorescu discloses a non-transitory computer-readable medium storing instruction that, when executed by one or more computing devices, cause the one or more computing devices to perform operations (e.g. Christodorescu “computer program for detecting malicious programs such as computer viruses and the like” [0002]; computer with processor executing the computer program [0011]; register or memory [0024] of the computer [0039]), the operations comprising:
accessing application content for a respective application; wherein the application content includes a plurality of instructions associated with the application (e.g. Christodorescu “a preprocessor portion for receiving a suspect program and creating a logically equivalent standardized version of the program” [0011]; [0025]; “raw code 10 from a malicious program will be comprised of instruction lines 12 of instructions and/or data” [0038]; binary executable is received and listing of instructions is determined [0044]);
generating one or more software signatures for the respective application based on an analysis of the plurality of instructions (e.g. Christodorescu “implementing high level "function" signatures describing the function of the malicious code rather than its "expression" as a string of instructions. This functional analysis is made possible by a preprocessor that converts the program instructions into a standard form denoting their function. A search of the standard form of the suspect program for viral signatures in standard form is then used to detect the malicious code” [0010]; “create the standardized version by replacing instructions of the suspect program with matching patterns” [0027]);
determining that the one or more software signatures match one or more stored software signatures from a plurality of stored software signatures stored in a database of known software signatures (e.g. Christodorescu “The library of standardized malicious code portions may also be collections of these patterns” [0027]; “A library of patterns may be implemented as a simple look-up table” [0029]; “The malicious code patterns 40 are stored in tables that may be updated like the tables for the standard definitions 28 as new malicious programs and/or obfuscation techniques are developed” [0060]; “performs a string comparison operation searching for the malicious code patterns 40 in the standardized version 31 with the data references” [0062]; “If a match is confirmed at this stage, then the instruction lines, in this case (7'), (2'), (3'), (4') and (9'), may be output as indicated by state 52, indicating there has been a match, plus providing the actual instruction lines 12 for possible additional analysis” [0064]);
determining based on the one or more stored software signature that match the one or more software signatures, one or more software issues within the respective application (e.g. Christodorescu “the malicious code will be rendered visible” [0066]; “reviewing the standardized version against the library of malicious code portions to provide an output indicating when a malicious code portion is present in the suspect program” [Claim 1]);
But Christodorescu does not specifically disclose:
the instructions are grouped into methods;
transmitting data describing the one or more software issues for display.
However, the analogous art Tuvell does disclose the instructions are grouped into methods (e.g. Tuvell “the code instructions are decoded and divided in broad categories. In an exemplary embodiment, the following set of code instruction categories function” [0161]; “To analyze 906 the code, the feature based relationship determining method 900 extracts 904 object code for individual procedures, disassembles it into assembly code, and categorizes it. Most malicious procedures such as replication, spreading, and system corruption use system functions, e.g., functions like File Open, File Read, etc. Identifying 906 these functionalities in binary executables allows them to be used as feature elements in a feature set” [0202]; “a plurality of logically grouped categories of code instructions” [Claim 10]) and transmitting data describing the one or more software issues for display (e.g. Tuvell “method provides a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware on a mobile network” [0023]; “The reporting/visualization component 1004 takes input from the client data server 1002 to generate statistics and dynamic graphs depicting malware activity…a handset upon detecting malware generates an internal log file in plain text containing the name of the infected file and the name of the malware that infected the file” [0247]; “The client virus scanners 1012 report back information about any malware to the client data server 1002” [0248]; “the reporting/visualization engine 1004 generates straightforward visual reports to alert managers and operators as to which platforms are infected” [0275]; “The report can be run to the screen 1110 or it can be exported 1108 in a data structure, for example a semi-colon delimited text file. When run to the screen 1110, the data can be presented any number of ways including, for example, a text list 1412 of which platforms are infected” [0280]). Christodorescu and Tuvell are analogous art because they are from the same field of endeavor in detecting malicious code instructions.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu and Tuvell before him or her, to modify the disclosure of Christodorescu with the teachings of Tuvell to include the instructions are grouped into methods and transmitting data describing the one or more software issues for display as claimed. The suggestion/motivation for doing so would have been to provide a comprehensive means for collecting, reporting, and providing visual depictions of information regarding the propagation and effect of worms, viruses and other malware (Tuvell [0023]). Therefore, it would have been obvious to combine Christodorescu and Tuvell to obtain the invention as specified in the instant claim(s).
Claims 12, 13, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Tuvell as applied to Claim 1, and further in view of Watkins (US 20170171226 A1).
As to Claim 12:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim 1, wherein determining, by the computing system, that the one or more software signatures match one or more stored software signatures from a plurality of stored software signatures stored in a database of known software signatures (e.g. Christodorescu “The library of standardized malicious code portions may also be collections of these patterns” [0027]; “A library of patterns may be implemented as a simple look-up table” [0029]; “The malicious code patterns 40 are stored in tables that may be updated like the tables for the standard definitions 28 as new malicious programs and/or obfuscation techniques are developed” [0060]; “performs a string comparison operation searching for the malicious code patterns 40 in the standardized version 31 with the data references” [0062]; “If a match is confirmed at this stage, then the instruction lines, in this case (7'), (2'), (3'), (4') and (9'), may be output as indicated by state 52, indicating there has been a match, plus providing the actual instruction lines 12 for possible additional analysis” [0064]), but does not specifically disclose:
for a respective stored signature in the plurality of stored software signatures: determining, by the computing system, a similarity score between a respective software signature in the one or more software signatures and the respective stored software signature; determining, by the computing system, whether the similarity score satisfies a similarity threshold value; and in accordance that the similarity score satisfies the similarity threshold, determining that the respective software signature matches the respective stored signature.
However, the analogous art Watkins does disclose for a respective stored signature in the plurality of stored software signatures (e.g. Watkins “a plurality of malware traffic signatures stored in a malware traffic signature library” [0005]): determining, by the computing system, a similarity score between a respective software signature in the one or more software signatures and the respective stored software signature (e.g. Watkins “comparison (by the malware detector 110) to traffic signature (e.g., delay signature) data observed by execution of one of the client applications 22. As such, the malware detector 110 may be trained on traffic signatures of malware, and may be configured to compare presently observed delay signatures to the traffic signatures of malware to determine a matching score between the two” [0033]); determining, by the computing system, whether the similarity score satisfies a similarity threshold value; and in accordance that the similarity score satisfies the similarity threshold, determining that the respective software signature matches the respective stored signature (e.g. Watkins “If the matching score is above a predetermined threshold for a given traffic signature of known malware, a match may be declared and the corresponding application may be identified as malware” [0033]; [0034]). Christodorescu, Tuvell, and Watkins are analogous art because they are from the same field of endeavor in detecting malicious code using signatures.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu, Tuvell, and Watkins before him or her, to modify the combination of Christodorescu and Tuvell with the teachings of Watkins to include for a respective stored signature in the plurality of stored software signatures: determining, by the computing system, a similarity score between a respective software signature in the one or more software signatures and the respective stored software signature; determining, by the computing system, whether the similarity score satisfies a similarity threshold value; and in accordance that the similarity score satisfies the similarity threshold, determining that the respective software signature matches the respective stored signature as claimed. The suggestion/motivation for doing so would have been to be able to remotely identify the malware executing on the device (e.g., a mobile device) based on delay signatures of known malware without requiring software to be loaded onto the monitored device (Watkins [0014]). Therefore, it would have been obvious to combine Christodorescu, Tuvell, and Watkins to obtain the invention as specified in the instant claim(s).
As to Claim 13:
Christodorescu in view of Tuvell and Watkins discloses the computer-implemented method of claim 12, wherein the similarity threshold is predetermined (e.g. Watkins “If the matching score is above a predetermined threshold for a given traffic signature of known malware, a match may be declared and the corresponding application may be identified as malware” [0033]; [0034]).
As to Claim 16:
Christodorescu in view of Tuvell and Watkins discloses the computer-implemented method of claim 12, wherein the software issues include malicious software (e.g. Christodorescu “detecting malicious programs such as computer viruses” [0002]; “the present invention provides a computer program for identifying malicious portions in a suspect program” [0011]; [0062]).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Tuvell and Watkins as applied to Claim 12, and further in view of Navarro (US 20190230098 A1).
As to Claim 14:
Christodorescu in view of Tuvell and Watkins discloses the computer-implemented method of claim 12, but does not specifically disclose:
wherein the similarity score is based on one or more of a Levenshtein distance and a Harmonic distance.
However, the analogous art Navarro does disclose wherein the similarity score is based on one or more of a Levenshtein distance and a Harmonic distance (e.g. Navarro “system may employ a Levenshtein distance to calculate the similarity score. The Levenshtein distance is a string metric for determining a similarity between IoC metadata and data records of a malicious threat” [0019]; [0034]). Christodorescu, Tuvell, Watkins, and Navarro are analogous art because they are from the same field of endeavor in detecting malicious threats.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu, Tuvell, Watkins, and Navarro before him or her, to modify the combination of Christodorescu, Tuvell, and Watkins with the teachings of Navarro to include wherein the similarity score is based on one or more of a Levenshtein distance and a Harmonic distance as claimed. The suggestion/motivation for doing so would have been to provide a string metric for determining a similarity between data records of a malicious threat (Navarro [0019]). Therefore, it would have been obvious to combine Christodorescu, Tuvell, Watkins, and Navarro to obtain the invention as specified in the instant claim(s).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Tuvell as applied to Claim 1, and further in view of Koohgoli et al. (US 20170032117 A1, hereinafter Koohgoli).
As to Claim 15:
Christodorescu in view of Tuvell discloses the computer-implemented method of claim 1, but does not specifically disclose:
wherein the software issues include a software vulnerability.
However, the analogous art Koohgoli does disclose wherein the software issues include a software vulnerability (e.g. Koohgoli “generated code signature may be created for a malicious or vulnerable code snippet and then compared to signatures within a code database to determine if the code snippet is present” [0004]; “Code quality attributes may also be derived through analysis of source file 302, for example security vulnerabilities determined through source code analysis” [0047]). Christodorescu, Tuvell, and Koohgoli are analogous art because they are from the same field of endeavor in detecting malicious code using signatures.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Christodorescu, Tuvell, and Koohgoli before him or her, to modify the combination of Christodorescu and Tuvell with the teachings of Koohgoli to include wherein the software issues include a software vulnerability as claimed. The suggestion/motivation for doing so would have been to manage quality and security vulnerabilities of software, as well as ensure compliance (Koohgoli [0002]; [0003]). Therefore, it would have been obvious to combine Christodorescu, Tuvell, and Koohgoli to obtain the invention as specified in the instant claim(s).
Allowable Subject Matter
Claims 7-11 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Malyshev et al. (US 20100180344 A1)
Anderson et al. (US 20130326625 A1)
Okereke et al. (US 20160070911 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9:30am-5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KENNETH W CHANG/Primary Examiner, Art Unit 2438
PNG
media_image1.png
35
280
media_image1.png
Greyscale
04.10.2026