Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Status of Claims
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on December 11th, 2020 has been entered.

Applicants’ amendment dated December 11th, 2020 responding to the Final Office Action provided in the rejection of claims 1-7. 
Claims 1 has been amended.
Claims 1-7 remain pending and have been fully considered by the examined.  Claim 1 is in independent form.


REMARKS
Applicant's traversal of the claim rejections, with respect to prior art, primarily consists of the following arguments, which will be addressed below:
The present invention is detecting malicious codes in a command line, as potential malicious scripts are passed to command parser (cmd.exe, powershell.exe, etc.) as parameters directly, and not file related. As such, the present invention is a defense against malwares such as cmd/ps script malwares. The present invention also includes a customized interceptor command line parser for different interceptors in the extraction step… the combination/modification of Wang with Szor fails to result in essential features of the amended independent claim, nor in their specific combination. (See Remarks, pages 6-7).
Prior Art’s Arguments - Rejections
Applicants’ arguments filed on December 11th, 2020 have been fully considered but they are not persuasive. For example:
Applicant contends, prior arts of record do not teach detecting malicious codes in a command line, as potential malicious scripts are passed to command parser, which includes a customized interceptor command line parser for different interceptors in the extraction step , (cmd.exe, powershell.exe, etc.) as parameters directly and the defense against malwares such as cmd/ps script malwares. However, Applicant’s arguments with respect to claims 1-7 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. See Pavlyushchik (U.S. Publication No. 2019/0102552 – art made of record) in view of Szor (U.S. Publication No. 2005/0022018 – hereinafter, Szor) in detailed rejection below.
Claim Rejections - 35 U.S.C § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. § 103 as being unpatentable over Pavlyushchik (U.S. Publication No. 2019/0102552 – hereinafter, Pavlyushchik) in view of Szor (U.S. Publication No. 2005/0022018 – hereinafter, Szor).
Regarding claim 1:
Pavlyushchik discloses a method of detecting script texts passed to interpreter and sending the script texts to security components comprising:  
5extracting embedded script from command line parameters or documents, where said embedded script is fileless, (FIG. 1 and associated text such as, “In one examplary aspect of the disclosure, the trusted file 111 is a file of a script interpreter, such as PowerShell. The detection of malicious code in the address space 112 of PowerShell is necessary, because PowerShell scripts, by using the abilities provided by the interpreter, are able to download executable files (which may be malicious), save these files in a memory area in the address space 112 specially set aside for this (and without saving the files on a storage device of the computer system, such as a hard disk), and execute all the function of the OS loader (sometimes also called the ‘executable file loader’, being part of the OS). Therefore in Powershell, the executable file loaded into the memory can be converted into an executable file image available for execution, and , and a customized interceptor command line parser for different interceptors which accept script text as a parameter is used for said extracting (FIG. 2 and associated text such as, “Examplary In step 201 the intercept module 110 is used to detect the launching of a process from an executable file 111… Such images of other files may be loaded into the address space 112 during the execution of the process, for example, if the process is launched from the executable file of the script interpreter PowerShell, where a script (sometimes known as a ‘script file’) transferred to the process is processed, for example, as a parameter of a command line or in another way.” (See par. [0052]));
But, Pavlyushchik does not explicitly teach:
saving said embedded script to a script file, 
and passing a file path to security components for scanning, said security components comprising a scanner, a whitelist, or a sandbox, to detect attacks from said fileless embedded script.
However, Szor, an analogous art because Pavlyushchik and Szor are in the same field of endeavor of detecting fileless malicious code/malware, discloses:
saving said embedded script to a script file (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In create extracted malicious code packet operation 214, an extracted malicious code , 
and passing a file path to security components for scanning, said security components comprising a scanner, a whitelist, or a sandbox, to detect attacks from said fileless embedded script (“In one embodiment, the extracted malicious code packet is sent via a secure channel, e.g., an encrypted/authenticated channel (SESA). By using an encrypted/authenticated channel, the extracted malicious code packet is not intercepted by intrusion detection system 108. Further, by using an encrypted/authenticated channel, the authenticity of the extracted malicious code packet received by local analysis center computer system 112 is assured. In one embodiment, the extracted malicious code packet is sent to local analysis center computer system 112 as discussed further below in reference to FIG. 4. In another embodiment, the extracted malicious code packet is sent directly to global analysis center 116. In yet another embodiment, the extracted malicious code packet is sent to both local analysis center computer system 112 and global analysis center 116.” (Emphasis added – See pars. [0071] – [0072)).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szor into the teachings of Pavlyushchik because that would have provided intrusion detection system, which is a network based intrusion detection system that is capable of detecting fileless malicious code as suggested by Szor (See par. [0025]).



The rejection of claim 1 is incorporated, Pavlyushchik further discloses where said embedded script is retrieved from 10said interpreter comprising: 
starting said interpreter (FIG. 1 and associated text such as, “In one examplary aspect of the disclosure, the trusted file 111 is a file of a script interpreter, such as PowerShell. The detection of malicious code in the address space 112 of PowerShell is necessary, because PowerShell scripts, by using the abilities provided by the interpreter, are able to download executable files (which may be malicious), save these files in a memory area in the address space 112 specially set aside for this (and without saving the files on a storage device of the computer system, such as a hard disk), and execute all the function of the OS loader (sometimes also called the ‘executable file loader’, being part of the OS). Therefore in Powershell, the executable file loaded into the memory can be converted into an executable file image available for execution, and control can be transferred to the executable code from the downloaded file. Thus, it is possible to carry out an attack on the computer system using ‘fileless’ malware” (See par. [0045])), 
retrieving full command line parameters (FIG. 2 and associated text such as, “Examplary In step 201 the intercept module 110 is used to detect the launching of a process from an executable file 111… Such images of other files may be loaded into the address space 112 during the execution of the process, for example, if the process is launched from the executable file of the script interpreter PowerShell, where a script (sometimes known as a ‘script file’) transferred to the process is processed, for example, as a parameter of a command line or in another way.” (See par. [0052])), 
extracting embedded scripts from said full command line parameters (FIG. 2 and associated text such as, “Examplary In step 201 the intercept module 110 is used to detect the launching of a process from an executable file 111… Such images of other files may be loaded into the address space 112 during the execution of the process, for example, if the process is launched from the executable file of the script interpreter PowerShell, where a script (sometimes known as a ‘script file’) transferred to the process is processed, for example, as a parameter of a command line or in another way.” (See par. [0052])), 
reporting file to security components if said file can be used as script file (“Having detected access to a suspicious address, the intercept module 110 sends to the security module 120 a notification as to the detecting of access to a suspicious address, along with an indication of which address in the memory is suspicious.” (See par. [0052])), [[otherwise saving file to temporary script file and passing it to security components]].
But, Wang does not explicitly teach:
checking if script text is a file path or name, 15otherwise saving file to temporary script file and passing it to security components.
However, Szor further discloses: 
15otherwise saving file to temporary script file and passing it to security components (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In create extracted malicious code packet operation 214, an extracted malicious code packet is created.” (See pars. .
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szor into the teachings of Pavlyushchik because that would have provided intrusion detection system, which is a network based intrusion detection system that is capable of detecting fileless malicious code as suggested by Szor (See par. [0025]).

Regarding claim 3:
The rejection of claim 1 is incorporated, Szor further discloses where multiple pieces of scripts are executed in a single command comprising:  
20intercepting script text (“An intrusion detection system 108 is also coupled to network 106. Intrusion detection system 108 is a network based intrusion detection system that is capable of detecting fileless malicious code.” (See par. [0025])), 
saving all codes to a temporary script file (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In , 
passing a script file to said security components (“In one embodiment, the extracted malicious code packet is sent via a secure channel, e.g., an encrypted/authenticated channel (SESA). By using an encrypted/authenticated channel, the extracted malicious code packet is not intercepted by intrusion detection system 108. Further, by using an encrypted/authenticated channel, the authenticity of the extracted malicious code packet received by local analysis center computer system 112 is assured. In one embodiment, the extracted malicious code packet is sent to local analysis center computer system 112 as discussed further below in reference to FIG. 4. In another embodiment, the extracted malicious code packet is sent directly to global analysis center 116. In yet another embodiment, the extracted malicious code packet is sent to both local analysis center computer system 112 and global analysis center 116.” (See pars. [0071] – [0072)). 

Regarding claim 4:
The rejection of claim 1 is incorporated, Szor further discloses where interceptors do not accept scripts as 25parameter comprising:  
18extracting full parameter (“In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location. As discussed above, in one embodiment, behavior blocking application 126A provides the memory location, sometimes called the caller's address, of the malicious code, for example using a stack trace module. Accordingly, in one embodiment, the malicious , 
treating parameter as embedded script (“In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location. As discussed above, in one embodiment, behavior blocking application 126A provides the memory location, sometimes called the caller's address, of the malicious code, for example using a stack trace module. Accordingly, in one embodiment, the malicious code is copied or cut, sometimes called removed, from the memory location during extract malicious code operation 208. In one embodiment, the entire content, sometimes called raw data, of the entire memory location, e.g., buffer, is copied or cut and thus non-malicious code may be included with the malicious code. From extract malicious code operation 208, flow moves to an append malicious code parameters operation 212.” (See par. [0043])), 
saving said parameter to a script file (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In create extracted malicious code packet operation 214, an extracted malicious code packet is created.” (See pars. [0042] – [0050])), 
reporting the script file (““In one embodiment, the extracted malicious code packet is sent via a secure channel, e.g., an encrypted/authenticated channel (SESA).” (See par. [0071])), 
5passing said script file to security components (“In one embodiment, the extracted malicious code packet is sent to local analysis center computer system 112 as discussed further below in reference to FIG. 4. In another embodiment, the extracted malicious code packet is sent directly to global analysis center 116. In yet another embodiment, the extracted malicious code packet is sent to both local analysis center computer system 112 and global analysis center 116.” (See par. [0072)).

Regarding claim 5:
The rejection of claim 1 is incorporated, Szor further discloses where said embedded script is extracted from documents comprising: 
launching in a text editor that supports active content (FIG. 5), 
10detecting said embedded script (“An intrusion detection system 108 is also coupled to network 106. Intrusion detection system 108 is a network based intrusion detection system that is capable of detecting fileless malicious code.” (See par. [0025])), 
saving said embedded script to a temporary embedded script file (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In create extracted malicious code packet operation 214, an extracted malicious code packet is created.” (See pars. [0042] – [0050])), 
passing said embedded script file to said security components (“” (See par. [0044]). “The extracted malicious code information is transferred to the malicious code analysis system 200 to perform an automatic analysis.” (See par. [0050])).

Regarding claim 6:
The rejection of claim 1 is incorporated, Szor further comprising after the step of passing a file path to security components for scanning: 
reaching a verdict of allowing said embedded script execution, blocking said embedded script execution, or sending said embedded script to quarantine (“behavior blocking application 126A hooks critical operating system functions, e.g., send functions, of host computer system 104A and monitors calls to the hooked critical operating system functions. Calls by suspected or actual malicious code, hereinafter .

Regarding claim 7:
The rejection of claim 1 is incorporated, Pavlyushchik where said embedded script text is extracted by: 
checking if an interpreter is present (FIG. 1 and associated text such as, “In one examplary aspect of the disclosure, the trusted file 111 is a file of a script interpreter, such as PowerShell. The detection of malicious code in the address space 112 of PowerShell is necessary, because PowerShell scripts, by using the abilities provided by the interpreter, are able to download executable files (which may be malicious), save these files in a memory area in the address space 112 specially set aside for this (and without saving the files on a storage device of the computer system, such as a hard disk), and execute all the function of the OS loader (sometimes also called the ‘executable file loader’, being part of the OS). Therefore in Powershell, the executable file loaded into the memory can be converted into an executable file image available for execution, and control can be transferred to the executable code from the downloaded file. Thus, it is possible to carry out an attack on the computer system using ‘fileless’ malware” (See par. [0045])); 
parsing the command line of the interpreter (FIG. 1 and associated text such as, “In one examplary aspect of the disclosure, the trusted file 111 is a file of a script interpreter, such as PowerShell. The detection of malicious code in the address space 112 of PowerShell is necessary, because PowerShell scripts, by using the abilities provided by the interpreter, are able to download executable files (which may be malicious), save these files in a memory area in the address space 112 specially set aside for this (and without saving the files on a storage device of the computer system, such as a hard disk), and execute all the function of the OS loader (sometimes also called the ‘executable file loader’, being part of the OS). Therefore in Powershell, the executable file loaded into the memory can be converted into an executable file image available for execution, and control can be transferred to the executable code from the downloaded file. Thus, it is possible to carry out an attack on the computer system using ‘fileless’ malware” (See par. [0045])); 
checking said parsed interpreter command line for said embedded script (FIG. 2 and associated text such as, “Examplary In step 201 the intercept module 110 is used to detect the launching of a process from an executable file 111… Such images of other files may be loaded into the address space 112 during the execution of the process, for example, if the process is launched from the executable file of the script interpreter PowerShell, where a script (sometimes known as a ‘script file’) transferred to the process is processed, for example, as a parameter of a command line or in another way.” (See par. [0052])); 
But, Pavlyushchik does not explicitly teach:
saving said embedded script to a temporary script file; 
passing said temporary script file to said security components.
However, Szor discloses:
saving said embedded script to a temporary script file (FIG. 2 and associated text, such as, “In extract malicious code operation 208, the malicious code or a copy of the malicious code is extracted from the memory location… From append malicious code parameters operation 212, flow moves to a create extracted malicious code packet operation 214. In create extracted malicious code packet operation 214, an extracted malicious code packet is created.” (See pars. [0042] – [0050])).
passing said temporary script file to said security components (“In one embodiment, the extracted malicious code packet is sent to local analysis center 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szor into the teachings of Pavlyushchik because that would have provided intrusion detection system, which is a network based intrusion detection system that is capable of detecting fileless malicious code as suggested by Szor (See par. [0025]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANH THI MINH BUI whose telephone number is (571)270-1976.  The examiner can normally be reached on Monday - Friday: 7-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HANH THI-MINH BUI/Primary Examiner, Art Unit 2192                                                                                                                                                                                                        January 13th, 2021