DETAILED ACTION
Claims 1-15 have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Priority
The current application claims foreign priority to 2024-044191, filed 03/19/2024. Acknowledgment is made of applicant's claim for foreign priority based on an application filed in Japan on 03/19/2024. It is noted, however, that applicant has not filed a certified copy of the 2024-044191 application as required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/09/2024 has been considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: “dynamic analysis units”, “control flow graph creation unit”, “branch specification unit”, and “screen depiction unit” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 recites the limitation "the dynamic analysis unit" in line 3. There is insufficient antecedent basis for this limitation in the claim due to claim 1 has “a plurality of dynamic analysis units”. Thus, it is unclear which of said “plurality of dynamic analysis units” within claim 1 are being referred to within claim 2. Amending claim 2 so as to read “one of the plurality of dynamic analysis units” would overcome the indefiniteness of said claim. Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No. US 20240346142 A1 to Kim et al., hereinafter Kim, and further in view of United States Patent Application Publication No. US 20130160121 A1 to Yazdani, hereinafter Yazdani.
Regarding claim 1, Kim discloses an analysis evasion function detection system for malware connected to the Internet, comprising:
a plurality of dynamic analysis units performing dynamic analysis of the malware (paragraph 129, “dynamic analysis information for determining whether malicious activity is performed by executing information obtained from the input file”, paragraph 171, “The framework 1201 may generate analysis information on the malware from the input file…respectively analyze cyber threat information in various ways, such as static analysis, dynamic analysis, in-depth analysis, and correlation analysis”, and paragraph 174, “The dynamic analysis module included in framework 1210 may analyze malware-related information by performing various activities based on various type of information obtained from the input file”);
a control flow graph creation unit combining dynamic analysis results of a plurality of dynamic analysis operations performed by the plurality of dynamic analysis units to create a control flow graph related to the malware (paragraph 429, “identifying an attack technique and an attack group based on characteristic information considering a control flow and order according to instructions executed by several functions in a program”, and paragraphs 442, 443, 479, and 506);
and a screen depiction unit presenting the evasion function of the malware as support information to an analyst (paragraph 1008, “cyber threat information including an attack group which is active at the time point may be displayed” and “screen”, paragraph 1097, “a screen provided to the user”, paragraph 1193, “may be displayed as part of a detailed screen when the user selects APT attack information”, and paragraph 1201, “the intelligence platform may output 12 at the top of the screen the total number of attack techniques used in the selected APT attack”).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “a branch specification unit specifying a branch related to an evasion function of the malware in the control flow graph, using a predetermined signature, to detect the evasion function”. Yazdani discloses said claim limitations, as cited below. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yazdani with the teachings of Kim so that “When a branch is reached, the accumulated value of the checksum/hash is compared to the previously calculated value of the checksum/hash. As long as the two values match, the program executes normally. If a mismatch is detected, a security exception can be issued and the detected intruder code eliminated or otherwise addressed to mitigate its effects” (Yazdani – paragraph 20).
The obviousness to combine for claim 1 also pertains to claims 4-8 and 13-15.
Further regarding claim 1, Yazdani discloses a branch specification unit specifying a branch related to an evasion function of the malware in the control flow graph, using a predetermined signature, to detect the evasion function (Figure 2B, paragraphs 20 and 25, “the intruder appends its code to the legitimate executable code, inserts a portion of its code into the legitimate executable, and/or changes some data to cause the legitimate program to branch to the malicious code. Code changes such as code changes caused by an intruder can be detected by comparing and/or matching the code at execution time with the original build of the code to make sure that the original build has not been altered following the original build, e.g. before or during the execution.”, paragraph 26, “the computer system 100 determines whether the executed code leading to a branch instruction has been altered and whether the target of the branch is legitimate. For example, the computer system 100 may verify that no branch target has been altered during or before execution to cause the code to branch to code that did not exist at build time. For another example, the computer system 100 can verify that the instruction sequence of the executed code leading to a branch (including the branch instruction) matches the code sequence of the original binary. Violation of any of these constraints is indicative of an intrusion and causes a security exception.”, and paragraph 28).
Regarding claim 2, Kim discloses wherein the dynamic analysis unit actually runs the malware for a predetermined period of time to perform the dynamic analysis of the malware (paragraph 29, “it is possible to more clearly detect and recognize different attack techniques or different attack groups generated according to differences in an execution process even when execution results of executed files are the same”, paragraph 129, “dynamic analysis information for determining whether malicious activity is performed by executing information obtained from the input file”, and paragraph 428, “when the attack technique or the attack group is identified based on several functions executing the same logic in the program as that of execution of one function in this way, the attack technique and the attack group may be identified as the same attack technique and attack group”).
Regarding claim 3, Kim discloses wherein the control flow graph creation unit compares and combines relationships between the plurality of dynamic analysis results to create the control flow graph (paragraph 429, “identifying an attack technique and an attack group based on characteristic information considering a control flow and order according to instructions executed by several functions in a program”, and paragraphs 442, 443, 479, and 506).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein the branch specification unit specifies the branch from the control flow graph and detects a function causing the branch”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 4, Yazdani discloses wherein the branch specification unit specifies the branch from the control flow graph and detects a function causing the branch (paragraphs 20, 25, 26, “the computer system 100 determines whether the executed code leading to a branch instruction has been altered and whether the target of the branch is legitimate. For example, the computer system 100 may verify that no branch target has been altered during or before execution to cause the code to branch to code that did not exist at build time. For another example, the computer system 100 can verify that the instruction sequence of the executed code leading to a branch (including the branch instruction) matches the code sequence of the original binary. Violation of any of these constraints is indicative of an intrusion and causes a security exception.”, and paragraph 44).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein the branch specification unit compares the branch of the control flow graph with the signature to specify the branch”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 5, Yazdani discloses wherein the branch specification unit compares the branch of the control flow graph with the signature to specify the branch (paragraphs 3, 20, 25, and 26).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein the branch specification unit uses, as the signature, any one of the function, a pattern of the control flow graph, and a combination of the pattern of the control flow graph and the function”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 6, Yazdani discloses wherein the branch specification unit uses, as the signature, any one of the function, a pattern of the control flow graph, and a combination of the pattern of the control flow graph and the function (paragraphs 20, 25, 26, and 29).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein the branch specification unit specifies the branch on the basis of a difference in a pattern of a branch destination of the branch in the control flow graph”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 7, Yazdani discloses wherein the branch specification unit specifies the branch on the basis of a difference in a pattern of a branch destination of the branch in the control flow graph (paragraphs 20, 25, 26, and 47, “branch address” and paragraph 48).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein the branch specification unit compares a plurality of the control flow graphs and analyzes a difference to specify the branch”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 8, Yazdani discloses wherein the branch specification unit compares a plurality of the control flow graphs and analyzes a difference to specify the branch (paragraphs 43 and 44).
Regarding claim 9, Kim discloses a user terminal connected via a predetermined network, wherein the screen depiction unit displays the support information on a screen of the user terminal (paragraph 202, “devices such as small terminals”, paragraph 1008, “cyber threat information including an attack group which is active at the time point may be displayed” and “screen”, paragraph 1097, “a screen provided to the user”, paragraph 1193, “may be displayed as part of a detailed screen when the user selects APT attack information”, and paragraph 1201, “the intelligence platform may output 12 at the top of the screen the total number of attack techniques used in the selected APT attack”).
Regarding claim 10, Kim discloses wherein the screen depiction unit displays a malware summary of the malware and an evasion function detection result of the evasion function as the support information on the screen of the user terminal (paragraph 1039, “it is possible to provide the malignancy (AI) of the attack action determined by the AI algorithm according to the date of initial collection, the hash value related to the attack action, the file type related to the attack action, the attack target country, the attack target industry, and summary information related to the attack action”, paragraph 1082, “summary icon”, paragraph 1083, “summary icon 8338”, paragraph 1097, “a description will be given of a screen provided to the user by the intelligence platform in case of selecting the summary icon 8338 of any file among at least one file included in the APT attack information list 8310 included in the known attack group or the APT attack information list 8320 included in the unknown attack group”, paragraph 1099, “summary page 8350 of APT attack information may be output as a pop-up window”, and paragraph 1136).
Regarding claim 11, Kim discloses wherein the malware summary includes the dynamic analysis results of the plurality of dynamic analysis operations, and the evasion function detection result includes a function related to the evasion function and an evaded dynamic analysis environment of the dynamic analysis unit (paragraph 1039, “it is possible to provide the malignancy (AI) of the attack action determined by the AI algorithm according to the date of initial collection, the hash value related to the attack action, the file type related to the attack action, the attack target country, the attack target industry, and summary information related to the attack action”, paragraph 1082, “summary icon”, paragraph 1083, “summary icon 8338”, paragraph 1097, “a description will be given of a screen provided to the user by the intelligence platform in case of selecting the summary icon 8338 of any file among at least one file included in the APT attack information list 8310 included in the known attack group or the APT attack information list 8320 included in the unknown attack group”, paragraph 1099, “summary page 8350 of APT attack information may be output as a pop-up window”, and paragraph 1136).
Regarding claim 12, Kim discloses an external user terminal connected to the Internet, wherein the screen depiction unit displays the support information on a screen of the external user terminal (paragraph 202, “devices such as small terminals”, paragraph 1008, “cyber threat information including an attack group which is active at the time point may be displayed” and “screen”, paragraph 1097, “a screen provided to the user”, paragraph 1193, “may be displayed as part of a detailed screen when the user selects APT attack information”, and paragraph 1201, “the intelligence platform may output 12 at the top of the screen the total number of attack techniques used in the selected APT attack”).
Regarding claim 13, Kim teaches an analysis evasion function detection method in an analysis evasion function detection system for malware connected to the Internet, the analysis evasion function detection method comprising:
a dynamic analysis step of performing dynamic analysis of the malware using a plurality of dynamic analysis units (paragraph 129, “dynamic analysis information for determining whether malicious activity is performed by executing information obtained from the input file”, paragraph 171, “The framework 1201 may generate analysis information on the malware from the input file…respectively analyze cyber threat information in various ways, such as static analysis, dynamic analysis, in-depth analysis, and correlation analysis”, and paragraph 174, “The dynamic analysis module included in framework 1210 may analyze malware-related information by performing various activities based on various type of information obtained from the input file”);
a control flow graph creation step of combining dynamic analysis results of a plurality of dynamic analysis operations performed by the plurality of dynamic analysis units to create a control flow graph related to the malware, using a control flow graph creation unit (paragraph 429, “identifying an attack technique and an attack group based on characteristic information considering a control flow and order according to instructions executed by several functions in a program”, and paragraphs 442, 443, 479, and 506);
and a screen depiction step of presenting the evasion function of the malware as support information to an analyst using a screen depiction unit (paragraph 1008, “cyber threat information including an attack group which is active at the time point may be displayed” and “screen”, paragraph 1097, “a screen provided to the user”, paragraph 1193, “may be displayed as part of a detailed screen when the user selects APT attack information”, and paragraph 1201, “the intelligence platform may output 12 at the top of the screen the total number of attack techniques used in the selected APT attack”).
Kim teaches the claimed invention, as cited above. However, Kim is not relied upon to teach the claim limitations pertaining to “a branch specification step of specifying a branch related to an evasion function of the malware in the control flow graph with a predetermined signature to detect the evasion function, using a branch specification unit”. Yazdani teaches said claim limitations, as cited below.
Further regarding claim 13, Yazdani teaches a branch specification step of specifying a branch related to an evasion function of the malware in the control flow graph with a predetermined signature to detect the evasion function, using a branch specification unit (Figure 2B, paragraphs 20 and 25, “the intruder appends its code to the legitimate executable code, inserts a portion of its code into the legitimate executable, and/or changes some data to cause the legitimate program to branch to the malicious code. Code changes such as code changes caused by an intruder can be detected by comparing and/or matching the code at execution time with the original build of the code to make sure that the original build has not been altered following the original build, e.g. before or during the execution.”, paragraph 26, “the computer system 100 determines whether the executed code leading to a branch instruction has been altered and whether the target of the branch is legitimate. For example, the computer system 100 may verify that no branch target has been altered during or before execution to cause the code to branch to code that did not exist at build time. For another example, the computer system 100 can verify that the instruction sequence of the executed code leading to a branch (including the branch instruction) matches the code sequence of the original binary. Violation of any of these constraints is indicative of an intrusion and causes a security exception.”, and paragraph 28).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein, in the branch specification step, the branch is specified from the control flow graph, and a function causing the branch is detected”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 14, Yazdani teaches wherein, in the branch specification step, the branch is specified from the control flow graph, and a function causing the branch is detected (paragraphs 20, 25, 26, “the computer system 100 determines whether the executed code leading to a branch instruction has been altered and whether the target of the branch is legitimate. For example, the computer system 100 may verify that no branch target has been altered during or before execution to cause the code to branch to code that did not exist at build time. For another example, the computer system 100 can verify that the instruction sequence of the executed code leading to a branch (including the branch instruction) matches the code sequence of the original binary. Violation of any of these constraints is indicative of an intrusion and causes a security exception.”, and paragraph 44).
Kim discloses the claimed invention, as cited above. However, Kim is not relied upon to disclose the claim limitations pertaining to “wherein, in the branch specification step, the branch of the control flow graph and the signature are compared to specify the branch”. Yazdani discloses said claim limitations, as cited below.
Regarding claim 15, Yazdani teaches wherein, in the branch specification step, the branch of the control flow graph and the signature are compared to specify the branch (paragraphs 3, 20, 25, and 26).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to malware detection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached M-F 8:30am -5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JEREMIAH L AVERY/Primary Examiner, Art Unit 2431