Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/13/2020 has been entered.
 
EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Scott Elchert (Reg. No. 55,149) on 2/11/2021.




1. (Currently amended) A non-transitory computer-readable storage medium storing a program that causes an information processing apparatus to execute a process, the process comprising: 
executing a first program using a system including a kernel of an operating system (OS), the first program being a target for determining whether the target is a malware; 
acquiring first information regarding a first Application Programming Interface (API) call in communication with the kernel in the execution of the first program, the first information including a first type of the first API call, a first number of executions of the first API call, [[and]] a first call order of the first API call, and a first return of the first API call; 
executing each of a plurality of second programs using the system, each of the plurality of second programs being a software which performs fraudulent processing by the malware; 
acquiring second information regarding a second API call in communication with the kernel in the execution of the each of the plurality of second programs, the second information including a second type of the second API call, a second number of executions of the second API call, [[and]] a second call order of the second API call, and a second return of the second API call; 
judging a first similarity between the first program and the each of the plurality of second programs by comparing the first type with the second type; 

judging a third similarity between the first program and the each of the plurality of second programs by comparing the first call order with the second call order; 
judging a fourth similarity between the first program and each of the plurality of second programs by comparing the first return with the second return; and 
outputting, by judging results of the first similarity, second similarity, [[and]] the third similarity, and the fourth similarity, a program which is similar to the first program, among the plurality of second programs.

4. (Currently amended) An information processing apparatus comprising: 
a memory; and 
a processor coupled to the memory and configured to: 
execute a first program using a system including a kernel of an operating system (OS), the first program being a target for determining whether the target is a malware; 
acquire first information regarding a first Application Programming Interface (API) call in communication with the kernel in the execution of the first program, the first information including a first type of the first API call, a first number of executions of the first API call, [[and]] a first call order of the first API call, and a first return of the first API call; 
PATENT Fujitsu Ref. No.: 16-01786 App. Ser. No.: 15/844,189

acquire second information regarding a second API call in communication with the kernel in the execution of the each of the plurality of second programs, the second information including a second type of the second API call, a second number of executions of the second API call, [[and]] a second call order of the second API call, and a second return of the second API call; 
judge a first similarity between the first program and the each of the plurality of second programs by comparing the first type with the second type; 
judge a second similarity between the first program and the each of the plurality of second programs by comparing the first number of executions with the second number of executions; 
judge a third similarity between the first program and the each of the plurality of second programs by comparing the first call order with the second call order; 
judge a fourth similarity between the first program and the each of the plurality of second programs by comparing the first return with the second return; and 
output, by judging results of the first similarity, second similarity, [[and]] the third similarity, and the fourth similarity, a program which is similar to the first program, among the plurality of second programs.

7. (Currently amended) A method executed by a computer, the method comprising: 

acquiring first information regarding a first Application Programming Interface (API) call in communication with the kernel in the execution of the first program, the first information including a first type of the first API call, a first number of executions of the first API call, [[and]] a first call order of the first API call, and a first return of the first API call; 
executing each of a plurality of second programs using the system, each of the plurality of second programs being a software which performs fraudulent processing by the malware; 
acquiring second information regarding a second API call in communication with the kernel in the execution of the each of the plurality of second programs, the second information including a second type of the second API call, a second number of executions of the second API call, [[and]] a second call order of the second API call, and a second return of the second API call; 
judging a first similarity between the first program and the each of the plurality of second programs by comparing the first type with the second type; 
judging a second similarity between the first program and the each of the plurality of second programs by comparing the first number of executions with the second number of executions; 
judging a third similarity between the first program and the each of the plurality of second programs by comparing the first call order with the second call order; 
judging a fourth similarity between the first program and the each of the plurality of second programs by comparing the first return with the second return; and
outputting, by judging results of the first similarity, second similarity, [[and]] the third similarity, and the fourth similarity, a program which is similar to the first program, among the plurality of second programs.
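
The comparison recited in claims 1, 4, and 7, as an added illustration that is not part of the Office action or the application. The claims do not state how each similarity is computed or how the four results are combined; the Jaccard, cosine, and `difflib` sequence-ratio metrics, the unweighted mean, the function names, and the traces below are all assumptions constructed for this example.

```python
from collections import Counter
from difflib import SequenceMatcher
from math import sqrt

# A trace is the ordered list of (api_name, return_status) pairs seen at the kernel boundary.
def names(trace):
    return [api for api, _ in trace]

def jaccard(x, y):
    x, y = set(x), set(y)
    return len(x & y) / len(x | y) if x | y else 1.0

def count_similarity(a, b):
    # Cosine similarity of per-API execution counts (assumed metric).
    ca, cb = Counter(names(a)), Counter(names(b))
    dot = sum(ca[k] * cb[k] for k in ca)
    norm = sqrt(sum(v * v for v in ca.values()) * sum(v * v for v in cb.values()))
    return dot / norm if norm else 0.0

def compare(a, b):
    return {
        "type": jaccard(names(a), names(b)),   # first similarity: which APIs were called
        "count": count_similarity(a, b),       # second: how often each was called
        "order": SequenceMatcher(None, names(a), names(b), autojunk=False).ratio(),  # third
        "return": jaccard(a, b),               # fourth: (API, return status) pairs
    }

def most_similar(target, known):
    # Assumed aggregation: unweighted mean of the four scores.
    scored = {label: compare(target, trace) for label, trace in known.items()}
    best = max(scored, key=lambda label: sum(scored[label].values()) / 4)
    return best, scored

# Constructed traces (0 = STATUS_SUCCESS, 0xC0000022 = STATUS_ACCESS_DENIED).
DENIED = 0xC0000022
TARGET = [("NtCreateFile", 0), ("NtWriteFile", 0), ("NtWriteFile", 0),
          ("NtSetValueKey", 0), ("NtClose", 0)]
KNOWN = {
    "sample_A": [("NtCreateFile", 0), ("NtWriteFile", 0), ("NtSetValueKey", 0),
                 ("NtWriteFile", 0), ("NtClose", 0)],      # same calls, reordered
    "sample_B": [("NtOpenProcess", DENIED), ("NtAllocateVirtualMemory", 0),
                 ("NtClose", 0)],                          # unrelated behaviour
    "sample_C": [("NtCreateFile", DENIED), ("NtWriteFile", 0), ("NtWriteFile", 0),
                 ("NtSetValueKey", 0), ("NtClose", 0)],    # same calls, one differing return
}

if __name__ == "__main__":
    best, scored = most_similar(TARGET, KNOWN)
    print(best, scored[best])
```

In these constructed traces, sample_C matches the target on type, count, and order and differs only in the return comparison, which is the feature the reasons for allowance single out.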



Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: The previously cited references, Bhatkar et al., US 9,652,616 (filed 2011-03), in view of Cheng et al., “AN INFORMATION RETRIEVAL APPROACH FOR MALWARE CLASSIFICATION BASED ON WINDOWS API CALLS” (published 2013), and Rostami-Hesarsorkh et al., US 10,230,749 (filed 2016-02), do not disclose a “return” value of the API call or performing a judgement based thereupon.  An updated search determined the following references of relevance for this feature:
Ciubotariu, US 10,645,099, discloses malware detection based on an address in the return of an API call.
Malik et al., US 2016/0292417, discloses detecting unpacking of malicious malware by looking up return addresses from API calls.
Soeder et al., “Advanced Return Address Discovery using Context Aware Machine Code Emulation”, discloses that it is useful to log API call addresses in order to track code execution paths.

However, none of the newly determined references, alone or in combination with those previously cited and/or of record, would anticipate or reasonably render obvious the combination of features presented in independent claims 1, 4, and 7.  As such, claims 1, 4, and 7 along with their dependents 2, 3, 5, 6, 8, and 9 are ALLOWED.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 

/MICHAEL W CHAO/Examiner, Art Unit 2492