Prosecution Insights
Last updated: July 17, 2026
Application No. 18/795,468

BACKDOOR INSPECTION APPARATUS, METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM

Non-Final OA §101§103
Filed
Aug 06, 2024
Priority
Aug 28, 2023 — JP 2023-137804
Examiner
JEON, JAE UK
Art Unit
Tech Center
Assignee
NEC Corporation
OA Round
1 (Non-Final)
75%
Grant Probability
Favorable
1-2
OA Rounds
1y 2m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
308 granted / 411 resolved
+14.9% vs TC avg
Strong +46% interview lift
Without
With
+46.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
28 currently pending
Career history
445
Total Applications
across all art units

Statute-Specific Performance

§101
10.4%
-29.6% vs TC avg
§103
80.4%
+40.4% vs TC avg
§102
0.7%
-39.3% vs TC avg
§112
1.7%
-38.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 411 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION 1. This Office Action is in response to the application filed on 08/06/2024. Claims 1-11 are pending in this application. Claims 1, 10 and 11 are independent claims. Claim Rejections - 35 USC § 101 2. 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 3. Claims 1-11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The independent claims 1, 10 and 11 are corresponding to one of four statutory categories including method, system, and method respectively under step 1. The claims 1, 10 and 11 recite “a backdoor inspection apparatus comprising at least one memory storing instructions, and at least one processor configured to execute the instructions to: acquire a program to be analyzed and starting point information of analysis; analyze a data flow included in the program, based on the acquired program to be analyzed and starting point information of the analysis, and output data flow analysis information; and extract, as a candidate for a backdoor trigger, a conditional branch in which external input data are directly propagated, by using the data flow analysis information “. The limitation of the claims 1, 10 and 11 of “analyze a data flow included in the program, based on the acquired program to be analyzed and starting point information of the analysis” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “analyzing” in the context of this claim encompasses the user may analyze a data flow included in the program, based on the acquired program to be analyzed and starting point information of the analysis with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. The limitation of the claims 1, 10 and 11 of “extract, as a candidate for a backdoor trigger, a conditional branch in which external input data are directly propagated, by using the data flow analysis information” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “extracting (identifying)” in the context of this claim encompasses the user may extract, as a candidate for a backdoor trigger, a conditional branch in which external input data are directly propagated, by using the data flow analysis information with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. This judicial exception is not integrated into a practical application. In particular, the claims 1, 10 and 11 recite additional elements such as “acquire a program to be analyzed and starting point information of analysis”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to mere data gathering under MPEP § 2106.05(g): Insignificant Extra-Solution Activity, which does not impose any meaningful limits on practicing the mental process (insignificant additional element). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to insignificant additional elements under Step 2A Prong 2 and Step 2B. This judicial exception is not integrated into a practical application. In particular, the claims 1, 10 and 11 recite additional elements such as “output data flow analysis information”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to mere data gathering under MPEP § 2106.05(g): Insignificant Extra-Solution Activity, which does not impose any meaningful limits on practicing the mental process (insignificant additional element). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to insignificant additional elements under Step 2A Prong 2 and Step 2B. This judicial exception is not integrated into a practical application. In particular, the claim 2 recites additional elements such as “the external input data are data supplied from an outside of a program, and includes at least one of an input from an input device, an input via network communication, an input by file reading, an input by reading an environment variable, and an input from another process”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to field of use under MPEP § 2106.05(h): Field of Use and Technological Environment, which does not impose any meaningful limits on practicing the mental process. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea under Step 2A Prong 2 and 2B. This judicial exception is not integrated into a practical application. In particular, the claim 3 recites additional elements such as “a conditional branch in which the external input data are directly propagated includes a conditional branch in which the external input data are used as a comparison target without changing a property, and excludes a conditional branch in which the external input data change the property”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to field of use under MPEP § 2106.05(h): Field of Use and Technological Environment, which does not impose any meaningful limits on practicing the mental process. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea under Step 2A Prong 2 and 2B. The limitation of the claim 4 of “analyze a data flow from the external input data to the program, based on the external input data being the acquired starting point information of the analysis” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “analyzing” in the context of this claim encompasses the user may analyze a data flow from the external input data to the program, based on the external input data being the acquired starting point information of the analysis with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. This judicial exception is not integrated into a practical application. In particular, the claim 4 recites additional elements such as “the starting point information of the analysis is the external input data”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to field of use under MPEP § 2106.05(h): Field of Use and Technological Environment, which does not impose any meaningful limits on practicing the mental process. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea under Step 2A Prong 2 and 2B. The limitation of the claim 5 of “analyze a control flow up to the end point of the analysis, based on the acquired program to be analyzed and the acquired starting point and end point of the analysis” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “analyzing” in the context of this claim encompasses the user may analyze a control flow up to the end point of the analysis, based on the acquired program to be analyzed and the acquired starting point and end point of the analysis with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. The limitation of the claim 5 of “extract, as a candidate of a backdoor trigger, a conditional branch in which the external input data are directly propagated, by using the data flow analysis information from the analyzed external input data and the control flow analysis information up to the end point of the analysis” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “extracting” in the context of this claim encompasses the user may extract, as a candidate of a backdoor trigger, a conditional branch in which the external input data are directly propagated, by using the data flow analysis information from the analyzed external input data and the control flow analysis information up to the end point of the analysis with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. This judicial exception is not integrated into a practical application. In particular, the claim 5 recites additional elements such as “acquire end point information of analysis that is selected from a list of functions which can affect a system”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to mere data gathering under MPEP § 2106.05(g): Insignificant Extra-Solution Activity, which does not impose any meaningful limits on practicing the mental process (insignificant additional element). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to insignificant additional elements under Step 2A Prong 2 and Step 2B. This judicial exception is not integrated into a practical application. In particular, the claim 5 recites additional elements such as “output control flow analysis information”. Examiner would like to point out that with the broad reasonable interpretation, this element amounts to mere data outputting under MPEP § 2106.05(g): Insignificant Extra-Solution Activity, which does not impose any meaningful limits on practicing the mental process (insignificant additional element). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to insignificant additional elements under Step 2A Prong 2 and Step 2B. The limitation of the claim 6 of “use the data flow analysis information and the control flow analysis information, and thereby extract, as candidates of backdoor triggers, conditional branches up to a n-th layer, in addition to a conditional branch of a 0th layer as viewed from the external input data” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “extracting” in the context of this claim encompasses the user may extract, as candidates of backdoor triggers, conditional branches up to a n-th layer, in addition to a conditional branch of a 0th layer as viewed from the external input data using the data flow analysis information and the control flow analysis information with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. The limitation of the claim 7 of “score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger, depending on a layer of data dependency” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “scoring” in the context of this claim encompasses the user may score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger, depending on a layer of data dependency with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. The limitation of the claim 8 of “increasing a score of a backdoor trigger as a layer of data dependency becomes shallower, or assign a lower constant score to a conditional branch having a constant number of layers or more” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “increasing a score” in the context of this claim encompasses the user may increase a score of a backdoor trigger as a layer of data dependency becomes shallower, or assign a lower constant score to a conditional branch having a constant number of layers or more with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. The limitation of the claim 9 of “score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger from a characteristic of type information of a variable constituting the conditional branch, based on a conditional branch scoring policy” as drafted, is a mental process that, under its broadest reasonable interpretation, covers a mental process but for the recitation of generic computer components. For example, but for the “scoring” in the context of this claim encompasses the user may score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger from a characteristic of type information of a variable constituting the conditional branch, based on a conditional branch scoring policy with a pen and paper or in a human mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea under Step 2A Prong 1. Dependent claims 2-9 are also similar rejected under same rationale as cited above wherein these claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. These claims are merely further elaborate the mental process itself or providing additional definition of process which does not impose any meaningful limits on practicing the abstract idea. Claims 2-9 are also rejected for incorporating the deficiency of their independent claim 1. Claim Rejections - 35 USC § 103 4. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 6. Claims 1-4, 7, 8, 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Bishop (US PGPub 20220108022), in view of Thomas (US PGPub 20160085967). As per Claim 1, Bishop teaches of a backdoor inspection apparatus comprising at least one memory storing instructions, and at least one processor configured to execute the instructions to: acquire a program to be analyzed [and starting point information of analysis]; (Par 4-5, a security vulnerability in the source code may be related to insider threats. by identifying different correlations related to an insider threat, potential insider threat candidates can be identified. The potential insider threat candidates may go through further analysis to determine whether they are indeed insider threats, such as a composite analysis. The composite analysis determines points of correlations between static analysis techniques including data flow analysis, and control flow analysis. Par 10, the disclosed system provides a practical application of improving the operations of software systems/products/applications by identifying instances of security vulnerabilities in their corresponding source code. Par 136, Thus, the coder 318-1 has successfully hidden their malicious code 330, such that it is executed when the software application A is being used at the target of the insider threat 302.) analyze a data flow included in the program, based on the acquired program to be analyzed [and starting point information of the analysis,] and output data flow analysis information; and (Par 8, 1) identifying instances of a particular security vulnerability in data flow and/or control flow of a plurality of source code (e.g., by implementing a static analysis on the plurality of source code using semantic, data flow, and control flow analyses in combination with machine learning clustering techniques) Par 142, While the example code portion 164 of FIG. 4 includes one function with two arguments, it is understood that any number of arguments, layers, conditional statements, and patterns of conditional statements may be used to obfuscate malicious code 330a. Par 152, In other words, the composite analysis engine 314 is configured to find points of correlations between the results (i.e., code portions 164) individually outputted from the semantic analysis, data flow analysis, and control flow analysis.) extract, as a candidate for a backdoor trigger, a conditional branch in which external input data are directly propagated, by using the data flow analysis information. (Par 134, In an example scenario, consider the coder 318-1 who is an employee of the organization A has written a first source code 112 for a software application A. The software application A works as intended within the organization A. Assume that the coder 318-1 hides in the first source code 112, a malicious code 330 which remains undetected and unexecuted until the software application A receives a rare input R which matches predefined rare input criteria. In response to receiving rare input R, software application A executes the malicious code 330. The malicious code 330 [backdoor] may thus be outside of mainline or mainstream of normal operation of the software application A (i.e. is purposefully layered, e.g. by hiding it within conditional statements e.g. “if statements” [conditional branch] that get executed only if the rare input R is received by the software application A). Thus, the coder 318-1 has successfully hidden their malicious code 330 until a time when the rare input R is received by the software application A. Par 141, For example, assume that parameters A and B individually are harmless. Thus, malicious code 330 may be layered in one or more conditional statements, such that the malicious code 330 is triggered only when both parameters A and B are passed (or are logical True). In other words, concealing the malicious code 330 using ordinary and trusted parameters (e.g., A and B), such that nobody would suspect statements executed when all of those trusted parameters are passed (e.g., A+B=triggering the malicious code 330); Thus, identifying the if statement (conditional branch) 330a as a candidate is to extract the conditional branch from the target source code as in Fig. 4 by using data flow analysis information. Par 16, The data flow analysis is configured to identify data transfer paths where external data with respect to each code portion is used. The control flow analysis is configured to identify execution paths where one or more coding layers are used to obfuscate a content.) Bishop does not specifically teach, however Thomas teaches to acquire starting point information of analysis; (Par 2, Interrupt handling is a core function of many operating systems, and both the kernel components and kernel data structures that implement and support interrupt handling may be used as a “choke point” [starting point] in a flow of execution of instructions either to perform malicious operations or to detect and prevent them. par 14, As part of detecting and stopping malicious activity by malware, an anti-malware routine may modify various kernel components and/or data structures to cause the anti-malware routine to at least be provided with an indication [starting point] of whenever specific actions that may be those of malware [backdoor] are taking place or are about to take place. By way of example, the anti-malware routine may modify one or more of the ISRs to insert executable instructions to notify the anti-malware routine when particular ones of the ISRs are called [starting point] and/or to cause a flow execution of instructions to jump away from one or more the ISRs to the anti-malware routine to enable the anti-malware routine to determine whether execution of those ISRs should be allowed to proceed. Par 36, Again, the IDT 231 includes pointers to the locations of the first executable instruction of each ISR of the set of ISRs 241, thereby enabling the change component to access each of the ISRs of the set of ISRs 241 that the change component 471 is to modify.) analyze a data flow included in the program, based on starting point information of the analysis (Par 116, In Example 5, which includes the subject matter of any of Examples 1-4, the modification by the anti-malware routine may include a modification to an interrupt service routines (ISR) of the set of ISRs, the ISR may handle an interrupt associated with a hardware component accessible to the processor component, the modification to the ISR may cause a flow of execution by the processor component to jump from the ISR to the anti-malware routine to enable the anti-malware routine to analyze a call to the ISR in the flow of execution to determine whether the call is to perform a malicious operation, and the anti-malware routine may prevent execution of the ISR by the processor component based on the determination of whether the call is to perform a malicious operation) Therefore, it would have been obvious for one of the ordinary skill in the art before the effective filing date of the claimed invention to add acquire starting point information of analysis and analyze a data flow included in the program, based on starting point information of the analysis, as conceptually seen from the teaching of Thomas, into that of Bishop because this modification can help prevent the malware from being executed by analyzing the software code including the malware where the candidate of malware or backdoor program might be triggered at the starting point in order to detect and prevent the malware or backdoor program efficiently. As per Claim 2, Bishop further teaches of the backdoor inspection apparatus according to claim 1, wherein the external input data are data supplied from an outside of a program, and includes at least one of an input from an input device, an input via network communication, an input by file reading, an input by reading an environment variable, and an input from another process. (Par 32, where the third party is able to take advantage of flaws in data processing that cause user inputs to be interpreted as system commands or include a malicious script in uploaded files.) As per Claim 3, Bishop further teaches of the backdoor inspection apparatus according to claim 1, wherein a conditional branch in which the external input data are directly propagated includes a conditional branch in which the external input data are used as a comparison target without changing a property, and excludes a conditional branch in which the external input data change the property. (Par 5, The composite analysis determines points of correlations between static analysis techniques including data flow analysis, and control flow analysis, whereby grouping or “gluing” results from these analyses, instances that are likely to include intentional insider threats are determined. Also, by determining and comparing a coding style used in the insider threat and coding styles of suspects of committing the insider threat, the author of the insider threat can be identified. Par 13, or each potential unpermitted data candidate, the processor determines whether the potential unpermitted data candidate is among the unpermitted data by comparing the potential unpermitted data candidate category and factor weights against a set of known unpermitted data category & factor weights (e.g., threshold). In response to a determination that the potential unpermitted data candidate is not among the set of known unpermitted data, the processor adjusts the one or more factor weights and the one or more category weights in the vulnerability analysis. Par 17, For each of the potential insider threat candidates, the processor determines whether the insider threat candidate is among the insider threats by comparing the potential insider threat candidate with a set of known insider threats.) As per Claim 4, Bishop further teaches of the backdoor inspection apparatus according to claim 1, wherein the starting point information of the analysis is the external input data, and the at least one processor is configured to execute the instructions to analyze a data flow from the external input data to the program, based on the external input data being the acquired starting point information of the analysis. (Par 16, The data flow analysis is configured to identify data transfer paths where external data with respect to each code portion is used. Par 150, Referring to FIG. 4, the data flow analysis returns function foo because it includes arg 1 and arg 2 that are external data with respect to the function foo. The data flow analysis may also return all other functions that include arg 1 and arg 2 to determine their transfer paths from where they are originated to where they are used. PAr 140, Thus, the malicious code 330 in the external library E may remain undetected and on harvested or triggered upon the software application A receiving the rare input R that matches the input criteria predefined by the coder 318-1. Upon the software application A receiving the rare input R, the malicious code 330 is executed and, for example, data stored in a database is exfiltrated, destroyed, modified, etc.) As per Claim 7, Bishop further teaches of the backdoor inspection apparatus according to claim 1, wherein the at least one processor is configured to execute the instructions to score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger, depending on a layer of data dependency. (Par 27 and Claim 1, determine a score value of the code portion by calculating a weighted sum of one or more factor weights and their corresponding one or more category weights; identify code portions having score values above a threshold value as potential unpermitted data candidates; for each of the potential unpermitted data candidates: determine whether the potential unpermitted data candidate is among the unpermitted data by comparing the potential unpermitted data candidate with a set of known unpermitted data; and in response to a determination that the potential unpermitted data candidate is not among the set of known unpermitted data, adjust the one or more factor weights and the one or more category weights in the vulnerability analysis.) As per Claim 8, Bishop further teaches of the backdoor inspection apparatus according to claim 7, wherein the at least one processor is configured to execute the instructions to increase a score of a backdoor trigger as a layer of data dependency becomes shallower, or assign a lower constant score to a conditional branch having a constant number of layers or more. (Par 141, Thus, malicious code 330 may be layered in one or more conditional statements, such that the malicious code 330 is triggered only when both parameters A and B are passed (or are logical True). For example, layering the malicious code 330 in a particular code portion 164 that performs an ordinary function as expected most of the time (e.g., 99.99% of the time), such that the layered malicious code 330 is executed only when the conditions of the layers used to conceal the malicious code 330 are satisfied; 5) getting another coder 318 to commit a particular code portion 164 containing the malicious code 330, thereby isolating from being associated with or traced from the particular code portion 164;) Re Claim 10, it is the method claim, having similar limitations of claim 1. Thus, claim 10 is also rejected under the similar rationale as cited in the rejection of claim 1. Re Claim 11, it is the product claim, having similar limitations of claim 1. Thus, claim 11 is also rejected under the similar rationale as cited in the rejection of claim 1. 7. Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Bishop (US PGPub 20220108022), in view of Thomas (US PGPub 20160085967), and further in view of Huang (US Patent 10162966). As per Claim 5, neither Bishop nor Thomas specifically teaches, however Huang teaches of the backdoor inspection apparatus according to claim 4, wherein the at least one processor is configured to execute the instructions to: further acquire end point information of analysis that is selected from a list of functions which can affect a system; analyze a control flow up to the end point of the analysis, based on the acquired program to be analyzed and the acquired starting point and end point of the analysis, and output control flow analysis information; and extract, as a candidate of a backdoor trigger, a conditional branch in which the external input data are directly propagated, by using the data flow analysis information from the analyzed external input data and the control flow analysis information up to the end point of the analysis. (Col 6 line 52-Col 8, line 15, When a breakpoint is hit in the image space of the sample and the breakpoint was not previously set a conditional statement being evaluated (step 406 to step 407), the malware detection system searches the image space of the sample for conditional statements that are defined in the semantic patterns that are included in the semantic patterns configuration 301. A data flow analysis may be performed to determine if the semantic operations (defined with the conditional statements in the semantic pattern) affect conditional variables of the conditional statements by way of assignment or other operation. The malware detection system checks if the semantic of control dependency is established (step 408). In one embodiment, the semantic of control dependency is established when data flow from semantic operations (defined in the semanticOperations field of a semantic pattern) to a conditional variable of a corresponding conditional statement (defined in the conditionalStatements field of the semantic pattern) is confirmed. More particularly, the malware detection system may determine if a conditional statement defined in a particular semantic pattern and found in the image space of the sample, is affected by preceding semantic operations that are defined in the particular semantic pattern. This is the case when the value of a conditional variable of the conditional statement depends on the preceding semantic operations. When the semantic of control dependency cannot be established between the conditional statement and the preceding semantic operations, the malware detection system determines the address from where the current subprogram was called, and set a new breakpoint on the address to be returned by the called API or subprogram (step 408 to step 405), in order to start a next round of execution. Otherwise, when the semantic of control dependency can be established between the conditional statement and the preceding semantic operations, a new breakpoint is set on the conditional statement where a conditional variable is going to be evaluated (step 408 to step 409). The malware detection system thereafter resumes execution from the current breakpoint (step 409 to step 413). As previously noted, when a breakpoint is hit in the image space of the sample (step 404 to step 406), the malware detection system determines if the breakpoint was previously set at a conditional statement that is being evaluated (step 406). If so (step 406 to step 410), the actual evaluated value of the conditional statement at runtime is compared to the expected value of the conditional statement as defined in the expectedCondition field of the corresponding semantic pattern (step 410 to step 411). When the expected and actual evaluated values of the conditional statement are the same (step 411 to step 413), this indicates that the sample program is taking the expected/normal execution path. In that case, the malware detection system simply resumes execution from the current breakpoint without changing the execution path (step 411 to step 413). (35) Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken. Instead of inversing the conditional variable, other ways of changing the execution path may also be performed including jumping directly to the address of instructions to be executed, altering the value of the program counter register (e.g., EIP in x86 architecture) to the address of the expected branch, etc. Thereafter, the malware detection system resumes execution from the current breakpoint (step 412 to step 413). Breakpoints where rectification have already been performed may be removed. The runtime behavior of the sample is analyzed during execution in the malware detection system (step 420). As can be appreciated, by rectifying the execution path of the sample, malicious code that otherwise may be bypassed are executed, thereby allowing for proper dynamic analysis of the sample.) Therefore, it would have been obvious for one of the ordinary skill in the art before the effective filing date of the claimed invention to add acquiring end point information of analysis that is selected from a list of functions which can affect a system; analyzing a control flow up to the end point of the analysis, based on the acquired program to be analyzed and the acquired starting point and end point of the analysis, and outputting control flow analysis information; and extracting, as a candidate of a backdoor trigger, a conditional branch in which the external input data are directly propagated, by using the data flow analysis information from the analyzed external input data and the control flow analysis information up to the end point of the analysis, as conceptually seen from the teaching of Huang, into that of Bishop and Thomas because this modification can help prevent the malware or backdoor software to be executed by analyzing the software code where the potential malware can be started and ended. As per Claim 6, Bishop further teaches of the backdoor inspection apparatus according to claim 5, wherein the at least one processor is configured to execute the instructions to use the data flow analysis information and the control flow analysis information, and thereby extract, as candidates of backdoor triggers, conditional branches up to a n-th layer, in addition to a conditional branch of a 0th layer as viewed from the external input data. (Par 141, Thus, malicious code 330 may be layered in one or more conditional statements, such that the malicious code 330 is triggered only when both parameters A and B are passed (or are logical True). For example, layering the malicious code 330 in a particular code portion 164 that performs an ordinary function as expected most of the time (e.g., 99.99% of the time), such that the layered malicious code 330 is executed only when the conditions of the layers used to conceal the malicious code 330 are satisfied; 5) getting another coder 318 to commit a particular code portion 164 containing the malicious code 330, thereby isolating from being associated with or traced from the particular code portion 164. It’s obvious to extract conditional branches/statements up to nth layer, which is a trigger for the malware or backdoor.) 8. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Bishop (US PGPub 20220108022), in view of Thomas (US PGPub 20160085967), and further in view of Satish (US PGPub 20120005750). As per Claim 9, neither Bishop nor Thomas specifically teaches, however Satish teaches of the backdoor inspection apparatus according to claim 1, wherein the at least one processor is configured to execute the instructions to score the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger from a characteristic of type information of a variable constituting the conditional branch, based on a conditional branch scoring policy. (Par 31, The phrase "heuristic-based classifier," as used herein, may refer to any generic malware-detection algorithm capable of detecting malware. Heuristic-based classifiers may include one or more expressions, similar to rules or conditional statements, configured to evaluate file attributes during malware scans. As will be explained in greater detail below, by applying the attributes of files to such expressions, a security-software product may determine whether files encountered during malware scans represent or contain malware.) Therefore, it would have been obvious for one of the ordinary skill in the art before the effective filing date of the claimed invention to add scoring the extracted conditional branch as to how likely the conditional branch is to be a backdoor trigger from a characteristic of type information of a variable constituting the conditional branch, based on a conditional branch scoring policy, as conceptually seen from the teaching of Satish, into that of Bishop and Thomas because this modification can help prevent the malware from being executed by analyzing the software code with malware by ranking the candidates of malware triggers such as conditional branch. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAE UK JEON whose telephone number is (571)270-3649. The examiner can normally be reached 10am-6pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached at 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAE U JEON/Primary Examiner, Art Unit 2193
Read full office action

Prosecution Timeline

Aug 06, 2024
Application Filed
Jun 16, 2026
Non-Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12675264
INSERTING A MEMORY FENCE IN A PROGRAM IN RESPONSE TO A DETERMINATION THAT PREDETERMINED PATTERN(S) DO NOT EXIST IN THE PROGRAM
4y 1m to grant Granted Jul 07, 2026
Patent 12676030
IN-VEHICLE COMMUNICATION SYSTEM, DATA STRUCTURE OF REPROGRAMMING POLICY METADATA, AND DATA STRUCTURE OF DOWNLOAD METADATA
2y 6m to grant Granted Jul 07, 2026
Patent 12663976
CONTROL SYSTEM, MOBILE OBJECT, CONTROL METHOD AND COMPUTER-READABLE STORAGE MEDIUM
4y 7m to grant Granted Jun 23, 2026
Patent 12664078
SOURCE CODE LEVEL CHAOS INJECTION
2y 7m to grant Granted Jun 23, 2026
Patent 12650847
TECHNIQUES FOR BUILDING A DATA CENTER USING A SKILLS SERVICE
2y 7m to grant Granted Jun 09, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+46.2%)
3y 1m (~1y 2m remaining)
Median Time to Grant
Low
PTA Risk
Based on 411 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month