Prosecution Insights
Last updated: April 19, 2026
Application No. 18/795,585

ANALYSIS OF HISTORICAL NETWORK TRAFFIC TO IDENTIFY NETWORK VULNERABILITIES

Final Rejection: §101, §103
Filed: Aug 06, 2024
Examiner: ABYANEH, ALI S
Art Unit: 2437
Tech Center: 2400 (Computer Networks)
Assignee: Sonicwall Inc.
OA Round: 2 (Final)

Grant Probability: 78% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 3m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 78% (485 granted / 623 resolved; +19.8% vs TC avg; above average)
Interview Lift: +55.6% for resolved cases with an interview vs without (strong lift)
Typical Timeline: 3y 3m average prosecution; 23 applications currently pending
Career History: 646 total applications across all art units

Statute-Specific Performance

§101: 17.2% (-22.8% vs TC avg)
§103: 49.1% (+9.1% vs TC avg)
§102: 9.5% (-30.5% vs TC avg)
§112: 13.9% (-26.1% vs TC avg)
Tech Center average is an estimate. Based on career data from 623 resolved cases.

Office Action

Grounds: §101, §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 2-22 are pending. Claims 2, 4, 9, 10, 11, 16, and 17 have been amended. Applicant's amendment does not overcome the rejection of the claims under 35 U.S.C. 101 for being directed to an abstract idea. The rejection of the claims is maintained.

Response to Arguments

Applicant's amendments/arguments filed on 02-25-2026 have been fully considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 2-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims, when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to an abstract idea. Claim 2, for example, recites a method and, therefore, is a process.

The claim recites the limitation of "...receiving forensic information indicating a spread of program code...identifying a spike in a number of embedded processes associated with the program code; identifying that the program code has spread to one or more computing devices within the computing network based on the forensic information and the spike; monitoring actions performed by the program code...determining whether the monitored actions are representative of new malware or previously identified malware; and sending updates to one or more recipient device, wherein the updates include configuration for identifying the new malware program code when the monitored actions are determined to be a new malware action...". These limitations, under broadest reasonable interpretation, are directed to performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply receiving, for example on a piece of paper or by looking at a computer display, information indicating spread of program code; identifying a spike or increase in processes associated with the program code; identifying, by looking at data records from one or more computing devices displayed on a computer monitor or a piece of paper, that the program code has spread to other computing devices; collecting and observing information regarding actions performed by the program code; determining if the actions are representative of new malware (i.e., by comparing the actions against a list of malware); and sending updates (i.e., a new list of malware) to one or more recipients, enabling the one or more recipients to identify new malware. Thus, the above steps of the claim recite a mental process when analyzed under step 2A prong 1.

The claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitations ("computing devices", "computing network") appears to be a generic computer function which does not constitute a meaningful limitation that would amount to significantly more than the abstract idea. The receiving step is recited at a high level of generality (i.e., as a general means of collecting forensic information), and amounts to mere data gathering, which is a form of insignificant extra-solution activity. The combination of these additional elements is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.

The claim is additionally analyzed under Step 2B to evaluate whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When the claims are evaluated under step 2B, they are no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication of anything other than generic computer components. The mere "...receiving forensic information indicating a spread of program code...; identifying a spike in a number of embedded processes associated with the program code; identifying that the program code has spread to one or more computing devices within the computing network based on the forensic information and the spike; monitoring actions performed by the program code...determining whether the monitored actions are representative of new malware or previously identified malware; and sending updates to one or more recipient device, wherein the updates include configuration for identifying the new malware program code when the monitored actions are determined to be a new malware action..." is a well-understood, routine and conventional function when it is claimed in a merely generic manner as it is here.

Independent claims 9 and 16 include limitations similar to the limitations of claim 2 and are rejected under 35 U.S.C. 101 as being directed to an abstract idea for the same reasons discussed above with respect to claim 1. Dependent claims 3-8, 10-15 and 17-22 do not recite nor impart any further limitation(s) that would bring the invention into conformance with 35 U.S.C. §101 as patentable subject matter.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 5, 6, 9, 12, 13, 16, 19 and 20 are rejected under 35 U.S.C.
103 as being unpatentable over Xie et al. (US Publication No. 2012/0304244), hereinafter Xie, in view of Peled et al. (US Publication No. 2019/0188389), hereinafter Peled, in view of Reybok, JR. et al. (US Publication No. 2018/0324207), hereinafter Reybok, further in view of Stolfo et al. (US Patent No. 7,657,935), hereinafter Stolfo.

As per claims 2, 9 and 16, Xie discloses a method for identifying effects of malware spread, the method comprising: receiving forensic information indicating a spread of program code within a computing network (paragraph [0044], "the security device 202...can communicate with security cloud service 210 ... to provide the monitored traffic information (e.g., potential malware samples [program code], such as in the form of subsets of such monitored traffic information, such as a portion of the packet flow, monitored URL/DNS information, monitored files requested for upload/download/access, and/or other information, along with possibly other information, such as content information for the client device associated with the traffic flow and possibly user identification and/or application identification information as well)"); identifying that the program code has spread to one or more computing devices within the computing network based on the forensic information (paragraph [0052]: the traffic flow from the client devices is monitored and, if not matched with a preexisting signature, a potential malware sample is generated and sent to a malware analysis device, where it is determined based on behavior profile analysis that the potential malware sample is malware. By determining based on behavior profile analysis that the potential malware sample is malware, it is identified that the program code has spread to the computing device); monitoring actions performed by the program code that is being executed in real-time by the one or more computing devices (paragraph [0044], "the security cloud service 210 can perform additional real-time and or post analysis (e.g., additional heuristic analysis as described herein with respect to various embodiments"), wherein one or more actions performed by the program code are observed (paragraph [0052], "the potential malware sample is sent to a malware analysis device (e.g., a Virtual Machine (VM) appliance or a server that executes VMs for behavior profile analysis"); determining whether the monitored actions are representative of new malware or previously identified malware (paragraph [0052], "a new signature is automatically generated if the potential malware sample is determined to be malware"); and sending updates to one or more recipient device, wherein the updates include configuration for identifying the new malware program code when the monitored actions are determined to be a new malware action (paragraphs [0042] and [0044], "automatically generate a new signature for the malware, which can then be sent to the firewall 212 for updating the signature/data and/or rules/policies of the firewall 212 so that the malware can be detected and appropriate actions taken by the firewall 212, such as to block the malware. Thus, using these techniques, even zero-day attacks can be detected and blocked").

Xie does not explicitly disclose wherein the forensic information is associated with a forensic analysis performed after one or more computers at the computing network have been affected by the program code; identifying a spike in a number of embedded processes associated with the program code, wherein the spike comprises an increase in a number of emails with a certain subject line or a certain email attachment spawned after a user opens an email or an email attachment; and identifying that the program code has spread to one or more computing devices within the computing network based on the spike. However, in an analogous art, Peled discloses identifying a spike in a number of embedded processes associated with the program code; and identifying that the program code has spread to one or more computing devices within the computing network based on the spike (paragraphs [0052]-[0053]: the network monitor device analyzes the bandwidth of traffic, such as a large spike in communication bandwidth between two devices typically having a low amount of traffic between them, and analyzes the communication pattern to determine if it is similar to a known virus; paragraph [0062]: the network monitor device stores the behavior of devices, which is used for forensic analysis. The data stored is used to determine how an attack spread through a network). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Xie with Peled. This would have been obvious because one of ordinary skill in the art would have been motivated to prevent rogue devices from accessing network resources.

Xie in view of Peled does not explicitly disclose wherein the forensic information is associated with a forensic analysis performed after one or more computers at the computing network have been affected by the program code; and wherein the spike comprises an increase in a number of emails with a certain subject line or a certain email attachment spawned after a user opens an email or an email attachment. However, in an analogous art, Reybok discloses wherein the forensic information is associated with a forensic analysis performed after one or more computers at the computing network have been affected by the program code (figure 4, paragraph [0075], "The example technique 400 includes receiving 430 a search result of the search from the agent device (e.g., agent device 340). For example, the search result may include an indication of an observable, a count of occurrences of the observable, and identification of one or more components of the customer network associated with the observable."; paragraphs [0076], [0077] and [0081], "The central instance may be configured to generate network security threat information based in part on the data that is based on the search result and share the network security threat information..."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Xie and Peled with Reybok. This would have been obvious because one of ordinary skill in the art would have been motivated to facilitate sharing network security information and intelligence.

Xie in view of Peled and Reybok does not explicitly disclose wherein the spike comprises an increase in a number of emails with a certain subject line or a certain email attachment spawned after a user opens an email or an email attachment. However, in an analogous art, Stolfo discloses the spike comprises an increase in a number of emails with a certain subject line or a certain email attachment spawned after a user opens an email or an email attachment (column 7, line 64 to column 8, line 2, "Some statistics that are reported for each malicious attachment is the prevalence of an attachment and the birth rate of an attachment. The prevalence is the number of occurrences an attachment was observed by the client 20 and the birth rate is the average number of copies of the attachment which are transmitted from the same email account"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Xie, Peled and Reybok with Stolfo. This would have been obvious because one of ordinary skill in the art would have been motivated to provide a technique for modeling the behavior of attachments and the behavior of email accounts.

Xie furthermore discloses a computer-readable storage including a program, and a processor that executes instructions stored in memory, as claimed in claims 9 and 16 (paragraph [0014]).

As per claims 5, 12 and 19, Xie furthermore discloses wherein the computing devices include one or more of a recipient computer, firewall, a sandbox, capture computer, or quarantine computer (paragraph [0041] and figure 2).
As per claims 6, 13 and 20, Xie furthermore discloses wherein determining whether the monitored actions are representative of new malware or previously identified malware includes: generating one or more signatures based on the new malware; determining whether the generated signatures are new signatures or whether the generated signatures have been previously detected; and updating deployed instances of signature detection assets when the generated signatures are identified as new signatures (paragraph [0042], "the firewall 212 can send potential malware samples for which no preexisting signatures match to the VM appliance/server 216 for further analysis using the techniques described herein. If the potential malware sample is determined to be malware, then the VM appliance server 216 (e.g., or another function/device) can automatically generate a new signature for the malware, which can then be sent to the firewall 212 for updating the signature/data and/or rules/policies of the firewall 212").

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Xie in view of Peled, Reybok, Stolfo, further in view of Gaustad (US Publication No. 2019/0065744), hereinafter Gaustad. As per claims 3, 10 and 17, Xie as modified does not explicitly disclose, but in an analogous art, Gaustad discloses, the spike includes one or more new emails spawned associated with opening an email or an email attachment (paragraph [0069], "Data moving on, into, and out of the network 202 can be analyzed to identify malicious script documents. For example, a new email may be sent to a user of one of the clients 204. The new email 220 can be routed through a cloud email scanner that can perform security scans on the new email 220. For example, the cloud email scanner may perform a signature-based scan of the new email 220 and any attachments to the new email 220"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Xie with Gaustad. This would have been obvious because one of ordinary skill in the art would have been motivated to thwart attempts to obfuscate malware within scripting code.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Xie in view of Peled, Reybok, Stolfo, further in view of Vadlamani (US Patent No. 10,855,722), hereinafter Vadlamani. As per claims 4, 11 and 18, Xie as modified does not explicitly disclose, but in an analogous art, Vadlamani discloses, the forensic information includes one or more evaluated emails stored on an email server associated with the computing network (column 5, lines 43-45, "the deception service agent(s) will start monitoring the live emails that are inbound to and/or stored in email server"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Xie with Vadlamani. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of detecting malicious emails.

Claims 7, 14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Xie in view of Peled, Reybok, Stolfo, further in view of Lesperance et al. (US Publication No. 2021/0126944), hereinafter Lesperance. As per claims 7, 14 and 21, Xie as modified does not explicitly disclose the forensic information includes one or more user inputs received via a graphical user interface regarding unusual operation of an associated one of the computing devices after a file is opened or a universal resource locator (URL) is selected by the associated computing device. However, in an analogous art, Lesperance discloses the forensic information includes one or more user inputs received via a graphical user interface regarding an unusual/suspicious email (paragraph [0025], "an email 114 is identified to be potentially phishing or suspicious by a user via the user interface 112"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Xie with Lesperance. This would have been obvious because one of ordinary skill in the art would have been motivated to allow end users to report identified potential threats. While Lesperance discloses that the user input received via the user interface is regarding a suspicious email, Lesperance does not explicitly disclose that the input received is in regard to unusual operation of an associated one of the computing devices after a file is opened or a URL is selected. However, it would have been obvious to one of ordinary skill in the art that in Lesperance the input by the user, besides identifying a suspicious email, could simply include or identify other unusual activities of the computing system. The process for receiving user input via a user interface regarding a suspicious email could have been similarly applied to receiving any other type of user input (i.e., unusual operation of an associated one of the computing devices after a file is opened or a URL is selected) without exercising inventive techniques. Such modification would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, providing the benefit of enabling a user to report suspicious activities within the computer system.

Claims 8, 15 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Xie in view of Peled, Reybok, Stolfo, further in view of Boney et al. (US Publication No. 2007/0261117), hereinafter Boney. As per claims 8, 15 and 22, Xie as modified does not explicitly disclose, but in an analogous art, Boney discloses scanning data storage devices associated with the computing network to identify one or more alterations to file system attributes, registry settings, boot information, or other stored data; and identifying damage to the computing network based on the identified alterations (claim 11, "record, while the driver is preventing the running process from exiting, at least one change the running process has made to the computer since the running process was launched; and inspect the computer for damage associated with the at least one recorded change when the pestware detection module has determined that the running process is associated with a compressed pestware executable object"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Xie with Boney. This would have been obvious because one of ordinary skill in the art would have been motivated to detect a compressed pestware executable object that is altering the system.

References Cited, Not Used

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Sun et al. (US Publication No. 2012/0260343) discloses an automated malware signature generation. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature. Mashevsky et al. (US Patent No.
7,743,419) discloses a system, method and computer program product for detection of epidemics caused by malware programs or computer viruses. Detection of local and global epidemics is performed automatically. A source of an epidemic is calculated and analyzed based on collected statistics. A spread of the epidemic is predicted and an accurate prognosis referring to the time frame and to geographical areas of the epidemic spread is made. The prognosis is made based on a calculated value of a "connection strength" coefficient. The connection strength coefficient reflects a volume of information exchange (i.e., a number and a quality of connection channels) between the countries. An epidemic is detected in its infancy and its spread is monitored in time and propagation across different countries. Then, effective security and protection measures can be invoked in a timely manner.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Alexander Lagor, can be reached on (571) 270-5143. can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/ Primary Examiner, Art Unit 2437
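The claimed method, as the examiner paraphrases it in the §103 mapping above, reduces to a small detection pipeline: a user opens an attachment, a spike of outbound messages carrying the same subject line and attachment follows, the attachment is checked against previously identified malware, and recipients get a configuration update for anything new. The block below is an added illustration of that pipeline over a constructed mail log; it is not code from the application, from Sonicwall, or from any of the cited references. The event fields, the five-minute window, the threshold of ten messages and the contents of the known-hash set are assumptions chosen for the example; the birth-rate statistic follows the Stolfo passage quoted in the office action (average copies of an attachment sent per account).

```python
"""Worm-style spread detection over a constructed mail log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    kind: str                 # "open": user opened an attachment; "send": outbound message
    host: str                 # workstation the event was observed on
    sender: str               # mailbox the message was sent from
    subject: str
    attachment_sha256: str    # hash of the attachment; the "signature" we key on


def sha256_of(label: str) -> str:
    """Stand-in for hashing real attachment bytes; labels are constructed."""
    return hashlib.sha256(label.encode()).hexdigest()


# Assumed pre-existing signature set ("previously identified malware").
KNOWN_MALWARE_HASHES = {sha256_of("old-worm.exe")}

# Constructed sample log: alice opens "invoice.doc.exe" and her workstation then
# fans out 12 copies of the same subject/attachment within a minute; bob's
# lunch thread is normal traffic (one send before and one after his open).
T0 = datetime(2026, 3, 1, 9, 0, 0)
SAMPLE_LOG = (
    [MailEvent(T0, "open", "ws-17", "alice@corp.example", "Invoice", sha256_of("invoice.doc.exe"))]
    + [MailEvent(T0 + timedelta(seconds=5 * i), "send", "ws-17", "alice@corp.example",
                 "Invoice", sha256_of("invoice.doc.exe")) for i in range(1, 13)]
    + [MailEvent(T0 + timedelta(minutes=1), "send", "ws-02", "bob@corp.example", "Lunch?", sha256_of("menu.pdf")),
       MailEvent(T0 + timedelta(minutes=3), "open", "ws-02", "bob@corp.example", "Lunch?", sha256_of("menu.pdf")),
       MailEvent(T0 + timedelta(minutes=4), "send", "ws-02", "bob@corp.example", "Lunch?", sha256_of("menu.pdf"))]
)


def find_spikes(events, window=timedelta(minutes=5), threshold=10):
    """Return (host, subject, sha256, count) for every 'open' that is followed,
    within `window`, by at least `threshold` sends from the same host carrying
    the same subject line and attachment hash. Window and threshold are assumed."""
    events = sorted(events, key=lambda e: e.ts)
    spikes = []
    for opened in (e for e in events if e.kind == "open"):
        key = (opened.host, opened.subject, opened.attachment_sha256)
        count = sum(
            1 for e in events
            if e.kind == "send"
            and (e.host, e.subject, e.attachment_sha256) == key
            and opened.ts < e.ts <= opened.ts + window
        )
        if count >= threshold:
            spikes.append((*key, count))
    return spikes


def birth_rate(events, attachment_sha256):
    """Average number of copies of the attachment sent per sending account."""
    per_sender = defaultdict(int)
    for e in events:
        if e.kind == "send" and e.attachment_sha256 == attachment_sha256:
            per_sender[e.sender] += 1
    return sum(per_sender.values()) / len(per_sender) if per_sender else 0.0


def classify(attachment_sha256, known=KNOWN_MALWARE_HASHES):
    """Previously identified malware vs. something the signature set has not seen."""
    return "previously_identified" if attachment_sha256 in known else "new"


def build_updates(events, known=KNOWN_MALWARE_HASHES):
    """Configuration updates to push to recipients: one entry per spiking
    attachment that is not already in the known set."""
    updates = []
    for host, subject, digest, count in find_spikes(events):
        if classify(digest, known) == "new":
            updates.append({
                "action": "add_signature",
                "sha256": digest,
                "subject": subject,
                "first_seen_host": host,
                "spawned_within_window": count,
                "birth_rate": birth_rate(events, digest),
            })
    return updates


if __name__ == "__main__":
    for update in build_updates(SAMPLE_LOG):
        print(update)
```

Two design points worth noting. Keying the spike on the attachment hash rather than the subject alone is what lets the same rule separate a real fan-out from a busy but benign thread such as bob's; a subject-only key would be trivially evaded by a worm that varies subject lines. Passing `known` into `build_updates` is also what makes the "new vs. previously identified" decision idempotent: once a hash has been pushed out and added to the set, rerunning over the same log yields no further updates.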

Prosecution Timeline

Aug 06, 2024
Application Filed
Dec 27, 2025
Non-Final Rejection — §101, §103
Feb 25, 2026
Response Filed
Mar 19, 2026
Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology (the 5 most recent grants):

Patent 12603868: Endpoint Data Loss Prevention (granted Apr 14, 2026; 2y 5m to grant)
Patent 12579259: Systems and Methods for Intelligent Cybersecurity Alert Similarity Detection and Cybersecurity Alert Handling (granted Mar 17, 2026; 2y 5m to grant)
Patent 12574374: Providing Access Control and Identity Verification for Communications When Initiating a Communication to an Entity to Be Verified (granted Mar 10, 2026; 2y 5m to grant)
Patent 12561465: Virtual Representation of Individual in Computing Environment (granted Feb 24, 2026; 2y 5m to grant)
Patent 12556553: Network Security and Related Apparatuses, Methods, and Security Systems (granted Feb 17, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 78% (99% with interview, +55.6%)
Median Time to Grant: 3y 3m
PTA Risk: Moderate
Based on 623 resolved cases by this examiner. Grant probability is derived from the career allow rate.
