Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.
This action is in response to the communication filed on 10/24/24.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 3, 4, 10, 11, 16, and 17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding claims 3, 10, and 16, the applicant’s original disclosure does not describe how the termination of virtual machines is “based” on collecting log data. At best, the applicant only discloses that the termination of virtual machines occurs after or subsequent to the collection of log data (e.g. Specification, par. 27, 48).
Regarding claims 4, 11, and 17, the applicant’s original disclosure does not describe that the determination of a type of software sample is “based” upon the queue in which the sample is queued. Rather, the applicant’s disclosure states essentially the opposite notion - specifically that the virtual machine manager first identifies the type of software sample so as to later determine a queue for the sample (e.g. Specification, par. 18).
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 3, 4, 10, 11, 16, and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 3, 10, and 16, the recitation “…terminating the … child virtual machines based on collecting the log data …” renders the scope of the claims indefinite. Specifically, the examiner notes that those having ordinary skill in the art understand that correlation does not equal causation. Thus, while the action of shutting down a virtual machine and the action of collecting log data may be related in time – such as when the termination of a VM occurs after the collection of log data – the correlation of these two events does not suggest to one of ordinary skill in the art that the action of collecting log data is the basis (i.e. “based on”) for the action of terminating the virtual machine.
Furthermore, the act of terminating a VM is unrelated and distinct from the act of collecting log data. Specifically, terminating a VM does not require nor depend upon a collection of log data, and the collection of log data does not require nor necessitate terminating a VM. Thus, it is unclear to one of ordinary skill in the art as to the meaning of the claimed actions of termination being “based on” the collection.
Furthermore, the applicant’s disclosure fails to describe any such relationship, i.e. that VM termination is “based on” log data collection, other than that the termination occurs subsequently to the log data collection (e.g. Specification, par. 27, 48).
Regarding claims 4, 11, and 17, the recitation of “… determining the type of the software sample is based on one of a plurality of queues in which the software sample was queued …” renders the scope of the claims indefinite.
Specifically, one of ordinary skill in the art would fail to understand why software samples are claimed as being determined based on the queue in which the sample is placed. Particularly, it does not make logical sense to first place software samples into distinct queues before the type of software sample has even been determined or identified – and then subsequently use the queue as the basis for determining the type of software sample. Rather, as is originally disclosed (e.g. Specification, par. 18), one of ordinary skill in the art would first determine the type of software sample, and then use the type of software sample as the basis for placing the software sample into an appropriate queue.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ismael, US 2014/0337836 A1, in view of Tarasuk-Levin et al. (Levin), US 2018/0060104 A1.
Regarding claim 1, Ismael discloses:
A method comprising: booting a plurality of virtual machines (e.g. Ismael, fig. 4:410-415, 460-465) wherein each of the plurality of virtual machines has installed thereon a corresponding one of a plurality of guest operating systems (e.g. Ismael, par. 14, 16, 65, 69, 71 – herein each VM of the plurality of VMs may be instantiated with a different software profile, including a different type of guest operating system);
for each software sample of a plurality of software samples queued for malware analysis (e.g. Ismael, fig. 2:220; fig. 3:320; par. 4, 41, 42, 47, 49, 64-67), determining one or more guest operating systems of the plurality of guest operating systems with which the software sample is compatible based on a type of the software sample, wherein the one or more of the guest operating systems correspond to one or more virtual machines of the plurality of virtual machines (e.g. Ismael, par. 13, 25, 45-47, 65, 71, 72 – herein the suspicious malware samples are supplied to one or more VM’s (each having guest OSes) corresponding to a profile of the targeted operating system environment).
While Ismael discloses “cloning” virtual machines, Ismael does not appear to explicitly teach that such “cloning” is performed by “forking”.
Levin, however, teaches the cloning of virtual machines, wherein such cloning is performed by “forking” (e.g. Levin, par. 12, 16).
It would have been obvious to one of ordinary skill in the art to recognize the “forking” teachings of Levin, and the operations associated with the forking, within the virtual machine cloning system of Ismael. This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that “forking” a VM is the method for cloning the VM (i.e. Levin, par. 16 – “…forking, or cloning, …”).
Thus, the combination enables:
creating one or more child virtual machines based on forking the one or more virtual machines with a copy-on-write implemented fork (e.g. Ismael, par. 14-16, 72, 73; Levin, par. 16);
loading the software sample into each of the one or more child virtual machines (e.g. Ismael, par. 35, 47, 53);
and indicating if the software sample comprises malware based on analyzing behavior of the software sample in each of the one or more child virtual machines (e.g. Ismael, par. 54).
Regarding claim 2, the combination enables:
further comprising collecting log data from the one or more child virtual machines that indicate execution behavior of the software sample in the one or more child virtual machines, wherein analyzing behavior of the software sample comprises analyzing the log data (e.g. Ismael, par. 60, 67, 68).
Regarding claim 3, as best understood in view of the above noted issues of clarity, the combination enables:
further comprising terminating the one or more child virtual machines based on collecting the log data from the one or more child virtual machines (e.g. Ismael, par. 78, 81; Fig. 7a:725 – execution is completed, i.e. “terminated”, after analysis and event logging is collected).
Regarding claim 4, as best understood in view of the above noted issues of clarity, the combination enables:
determining the type of the software sample, wherein determining the type of the software sample is based on one of a plurality of queues in which the software sample was queued for malware analysis, wherein the plurality of queues corresponds to a plurality of types of software samples (e.g. Ismael, par. 33, 39, 47-49, 72).
Regarding claim 5, the combination enables:
wherein the plurality of guest operating systems comprise two or more versions of a first operating system, and wherein forking the one or more virtual machines comprises forking a subset of the plurality of virtual machines that corresponds to the two or more versions of the first operating system (e.g. Ismael, par. 13, 16, 18, 33, 47, 48, 61; Levin, Abstract; par. 80).
Regarding claim 6, the combination enables:
wherein forking the one or more virtual machines with a copy-on-write implemented fork comprises, for each of the one or more virtual machines, issuing a fork system call to create a corresponding one of the one or more child virtual machines, wherein the fork system call is implemented with copy-on-write (e.g. Ismael, par. 14-16, 72, 73; Levin, par. 14, 22, 85, 86).
Regarding claim 7, the combination enables:
further comprising pausing or quiescing each of the one or more virtual machines before forking the one or more virtual machines (e.g. Levin, Abstract; par. 2, 12-16, 22, 33-35; Ismael, par. 47-49).
Regarding claims 8 – 20 and 22, they are medium and apparatus claims, essentially corresponding to the method claims above, and they are rejected, at least, for the same reasons. Furthermore, Ismael discloses the recited medium, instructions, and processor (e.g. Ismael, par. 20, 21).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965. The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495