DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 4-10, and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid (US 9,838,417), further in view of Gafni (US 2016/0330215), and further in view of Subramanian (US 9,813,443).
 
Regarding claim 1, Khalid teaches A device (see Fig. 1 and col. 7, lines 43 and 44: “a first malware detection system (MDS) 110 1 is an electronic device”), comprising: one or more memories (see col. 19, lines 5-9 and Fig. 5: “the persistent storage 550 may be configured to store software components associated with the static analysis engine 145, the dynamic analysis engine 160, the classification engine 190 and the reporting engine 195”); and
one or more processors, operatively connected to the one or more memories (see Fig. 5 and col. 18, lines 50 and 51: “The MDS 1101 comprises one or more processors 500 (hereinafter "processor(s)")”. And see col. 19, lines 3 and 4: “The processor(s) 500 are further coupled to the persistent storage 550 via the transmission medium 560”), to:
receive a file (see col. 7, line 59- col. 8, line 8 and Fig. 1: “the interface 136 may operate as a data capturing device that is configured to receive at least a portion of network traffic propagating to/from one or more endpoints 132 and provide information associated with the received portion of the network traffic to the first MDS 1101 This information may include an object, namely multiple packets collectively forming an executable or a non-executable (e.g., a document embedded within an email message or a web page). Alternatively, although not shown, the interface 136 may be configured to receive files or other objects that are not provided over a network”) that has been downloaded to a first user device or that is to be downloaded to the first user device (see col. 8, lines 9-12 and Fig. 1: “the interface 136 may be configured to capture data typically directed to the endpoint 132, where the captured data includes at least one object 147 for analysis and its corresponding metadata 148”. And see col. 12, lines 43 and 44: “Responsive to non-anomalous behaviors by the object 147, the endpoint 132 is allowed to utilize the object”. The Examiner interprets the object 147 (“an executable or a non-executable, e.g., a document”) and the “endpoint (client device) 132” as a file and a first user device, respectively. Because Khalid teaches that “Responsive to non-anomalous behaviors by the object 147, the endpoint 132 is allowed to utilize the object”, Khalid discloses a file that has been downloaded to a first user device),
wherein the file is to be subject to a malware detection procedure (see col. 11, lines 61-67 and Fig. 1: “The data recorded by the UI framework log 176 may be referenced by the score determination logic 168, which determines a probability (score) that is used, at least in part by the classification engine determine (i) whether the suspect object 147 is associated with a malicious attack and (ii) severity of the malicious attack”); 
process the file to determine one or more file identification properties (see col. 9, lines 10-12: “The metadata extraction logic 154 is responsible for extracting and/or generating metadata 148 contained as part of and/or associated with the suspect object 147”. And see col. 9, lines 22-26: “Examples of metadata 148 may include, but are not restricted or limited to, information that identifies the type of object 147. For example, a particular document (e.g., Microsoft.RTM. Excel spreadsheet) is an example of an object type, which may be in the form of a non-executable”.  And see col. 9, line 46-col. 10, line 3: “From the extracted metadata, the object-type determination logic 156 may determine object type. For instance, the object-type determination logic 156 may analyze content within the object 147, which may identify the object type. For instance, as an illustrative example, the object-type determination logic 156 may identify a predetermined number of bytes at the beginning of the object 147 (sometimes referred to as the "magic numbers" for the object) and compare the values associated with these bytes with stored values within the magic number database 158. Upon a successful comparison, the object-type determination logic 156 has identified the object type. For instance, as an illustrative embodiment, the first few bytes of the object 147 may, in certain cases, be used to determine the object-type or at least infer the object based on the communication protocol in use. As an example, the object-type determination logic 156 may determine that the object 147 starts with the hexadecimal string value "4D5A" which, upon comparison with entries within the magic number database 158, identifies that the object 147 is an executable. Similar, the object-type determination logic 156 may determine that the object 147 starts with a hexadecimal string value of "25 50 44 46" and, upon comparing this value with stored data within the magic number database 158, determines that the object 147 is a PDF document”. The Examiner interprets using the first few bytes of process the file to determine one or more file identification properties); 
obtain metadata identifying user interactions associated with the file based on the one or more file identification properties (see col. 10, line 61-col. 11, line 15 and Fig. 1: “the VM 1701 may be provisioned with an operation system (OS) and, dependent on the object type, one or more applications 180, along with the monitoring logic 181 and user interaction (UI) control logic 182. …The UI control logic 182 provides simulated user interactions to detonate a malicious object that is loaded into the VM 1701 and requires some sort of user interaction to initiate a malicious attack. According to one embodiment of the disclosure, the UI control logic 182 comprises a plurality of components, which include (1) a profile selector 184 and (2) UI framework 186. According to one embodiment of the disclosure, the profile selector 184 selects an action profile from the action profile(s) 188 that are shown as being hosted in the VM 1701. This selection may be based, at least in part, on the metadata 148 associated with the suspect object 147. For example, the metadata 148 may include data produced by the object-type determination logic 156 that identifies an object type for the object 147”. And see col. 13, lines 34-45 and Fig. 3A: “each "action profile" is a collection of instructions and/or commands that performs UI functionality in accordance with a set of rules prescribed for that action profile. As a result, the selected action profile 3001 is configured for use in controlling UI functionality during analysis of the object 147. For instance, where the object 147 is identified as a Microsoft.RTM. Excel.RTM. spreadsheet, the selected action profile 3001 may conduct different UI functions (e.g., select tabs, add text to certain cells, scroll down a certain number of cell rows, etc.) than another action profile 300R for controlling UI functionality during analysis of a PDF document (e.g., scroll pages of the document, etc.)”. The Examiner interprets an action profile identifying user interactions (e.g., select tabs, add text to certain cells, scroll down a certain number of cell rows, etc. VS. e.g., scroll pages of the document, etc.) as metadata identifying user interactions associated with the file. The Examiner obtain metadata identifying user interactions associated with the file based on the one or more file identification properties),
test the file in a sandbox environment to obtain a result (see col. 11, lines 51-66 and Fig. 1: “the monitoring logic 181 and UI framework log 176 collectively operate to record, while the object 147 is launched in the VM 1701, the requests for input by the object 147. … The data recorded by the UI framework log 176 may be referenced by the score determination logic 168, which determines a probability (score) that is used, at least in part by the classification engine 190, to determine (i) whether the suspect object 147 is associated with a malicious attack”. The Examiner interprets VM 1701 as a sandbox environment),
wherein the one or more processors, when testing the file, are to:
perform the user interactions that are identified by the metadata (see col. 13, lines 46-63 and Fig. 3A: “upon selection of the action profile, the profile selector 184 provides signaling 310 to identify the selected action profile 300.sub.1 that is part of the pre-stored action profile(s) 188. In response, according to one embodiment of the disclosure, the content 320 of the selected action profile 300.sub.1 may be passed to the simulation logic 350 for use by the active UI simulation logic 360, the passive UI simulation logic 370, and the device control simulation logic 380”. And see col. 14, line 57-col. 15, line 3: “the active UI simulation logic 360, the passive UI simulation logic 370 and the device control simulation logic 380 are instantiated with or are instantiated to access content within the selected action profile 300.sub.1, which controls the simulated human and device control interactions conducted by the UI framework 186 during analysis of the object 147. Collectively, in accordance with the rules outlined in the selected action profile 300.sub.1, the simulation logic 350 conducts particular actions (e.g., expected user interface interactions and/or methods of activation) during particular operating states at which such actions are expected (e.g., in predetermined sequence (order) and/or at or within a predetermined period of time)”), and
execute the malware detection procedure to determine whether the file is malware (see col. 11, lines 61-67 and Fig. 1: “The data recorded by the UI framework log 176 may be referenced by the score determination logic 168, which determines a probability (score) that is used, at least in part by the classification engine 190, to determine (i) whether the suspect object 147 is associated with a malicious attack and (ii) severity of the malicious attack”. And see col. 16, lines 1-8: “the UI framework log 176 may record any suspicious activity and/or malicious activity as well as any actions taken, or refrained from being taken, any requested input and timestamps for all actions and requested input. Upon completion of the dynamic analysis, the information recorded in the UI framework log 176 may be accessible to the score determination logic 168 and/or the classification engine 190”); and
provide a notification that includes the result when the file is malware (see col. 12, lines 25-33 and FIG. 1: “the reporting engine 195 is adapted to receive information from the classification engine 190 via transmission medium 189 and generate alerts (e.g., various types of messages including text messages and email messages, display images, or other types of information over a wired or wireless transmission medium) that identify to a network administrator that the suspect object 147 is associated with a malicious attack and is user-interaction dependent”).

Khalid fails to teach wherein the user interactions include at least one of: a first group of user interactions that were performed when the file was accessed on the first user device, or a second group of user interactions that were performed when the file was accessed on one or more other user devices.
In the same field of endeavor, Gafni teaches A device (inspection server 150, see Fig. 1 and [0037]); to:
receive a file that has been downloaded to a first user device (see [0036] and Fig. 1: “Client devices 105 in, for example, an organization are involved in browsing websites via, for example, the Internet 110. The clients are linked via, for example, ethernet links 120 to, for example, an Internet Gateway 125 which in turn connects to, for example, the Internet 110. Web content is transmitted in an HTTP response from a particular destination web server 115 to a particular client device 105 upon receipt of an HTTP request from the specific client 105. Malware is potentially carried in HTTP responses from a destination web server 115 to a client device 105”. The Examiner interprets a client device 105 as a first user device. The Examiner further interprets the malware carried in HTTP responses from a destination web server 115 to a client device 105 as a file that has been downloaded to a first user device. And see [0037] and Fig. 1: “A server called the Database Server 130 is also linked to, for example, the Internet Gateway 125 via, for example, the interception link 135 which is, for example, an ethernet link that operates in sniffer mode so that all packet traffic received by the Internet Gateway 125 (from any input port) is received by the listener on the Interception Link 135. The Database Server 130 receives all packets from the Interception Link 135 and stores, for example, all the HTTP requests and HTTP responses that it receives over the Interception Link 135 so that they may be accessed subsequently by the Inspection Server 150”. And see [0077]: “FIG. 5 illustrates the process executed by the Database Server 130 to handle transactions from, for example, the Inspection Server 150”. And see [0081] and Fig. 5: “For a "Fetch HTTP Response" transaction, control is transferred to block 520. The transaction request includes, for example, an identifier uniquely specifying a client device instance and a full HTTP Request (including source and destination IP addresses) for a particular URL (Universal Resource Locator). At block 530, the process prepares and transmits a response transaction comprising, for example, the HTTP response that was observed to originate from the requested server in response to the supplied HTTP request from the Client HTTP Data Repository 270”. The Examiner interprets the receive a file that has been downloaded to a first user device ),
wherein the file is to be subject to a malware detection procedure (see [0041]-[0045] and Fig. 1: “For a particular Client Device 105 instance that is to be protected, the Inspection Server 150 creates or obtains a sandbox environment for emulation of, for example, the hardware, operating system, browser, and other characteristics of the particular Client Device 105…. The Web Proxy 155 gets the HTTP response data from, for example, the HTTP transaction data that has been stored in the the Database Server 130. In this manner, the sandboxed browser environment in the Inspection Server 150 closely emulates the web activity of the Client Device 105. … The Inspection Server 150 monitors the sandboxed environment for, for example, signs of anomalous or malicious behavior, and, for example, raises an alert upon detection of such”); 
obtain metadata identifying user interactions associated with the file (see [0043] and Fig. 1: “The Inspection Server 150 may also monitor, for example, the realtime user activity data sent by the Agent located on the Client Device 105 and applies these user activities (eg. keyboard presses and mouse clicks) to the session in the sandboxed browser environment”);
wherein the user interactions include at least one of:
a first group of user interactions that were performed when the file was accessed on the first user device, or
a second group of user interactions that were performed when the file was accessed on one or more other user devices (see [0083] and Fig. 5: “For a "Fetch User Activity Data" transaction, control is transferred to block 540. The transaction request includes, for example, an identifier uniquely specifying a client device instance. At block 540, the process prepares and transmits a response transaction comprising, for example, information regarding the user's keyboard, mouse, or other activity from the User Activity Data Repository 270”. And see [0038], [0039] and Fig. 1: “Client Devices 105 may include a The user activity records stored in the Client User Activity Data Repository 280 may include, for an example, an identifier of the specific Client Device such as MAC Address, IP address, or the like. The user activity logs stored in the database may also include, for example, timestamps or URL identifiers, or other data which allows correlation of user activity with HTTP transactions”. The Examiner interprets the user activity logs correlated with HTTP transactions as taught in [0056], where the HTTP transactions include an HTTP response containing the malware taught in [0036] (the file) received by the client device 105 (the first user device), as a first group of user interactions that were performed when the file was accessed on the first user device). 

Both Khalid and Gafni teach performing decoy user interactions to trigger malicious actions of an evasive malware so that the malware can be detected. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the device of Khalid by letting the user interactions performed by the device of Khalid include at least one of: a first group of user interactions that were performed when the file was accessed on the first user device, or a second group of user interactions that were performed when the file was accessed on one or more other user devices, as taught by Gafni. It would have been obvious because using actual user interactions recorded 

Khalid modified in view of Gafni fails to teach that the notification that includes the malware detection result is provided to the first user device to cause the first user device to perform one or more actions (emphasis added).
In the same field of endeavor, Subramanian teaches a device (server 206, see Fig. 2), to provide a notification that includes the result to the first user device to cause the first user device to perform one or more actions when the file is malware (see col. 5, lines 10-27: “identification module 104 may identify a file 208 on computing device 202. Reputation module 106 may then determine, using digital fingerprint 210, that the file's reputation 212 is unknown. Logging module 108 may, in response to determining that the file's reputation 212 is unknown, log changes 214 made by file 208 to computing device 202. At some later point in time, evaluation module 110 may determine that changes 214 made by file 208 are to be reversed (e.g., in response to determining that file 208 is malicious). In response to determining that changes made by file 208 are to be reversed, notification module 112 may then instruct computing device 202 to reverse changes 214 made by file 208 on computing device 202”. The Examiner interprets computing device 202 as the first user device).
Both Subramanian (see col. 6, lines 1-7) and Khalid modified in view of Gafni teach a device performing a malware detection procedure on a file downloaded to a first user device and providing a notification that includes the malware detection result when the file is malware. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the device of Khalid modified in view of Gafni by letting the notification that includes the malware detection result be provided to the first user device to cause the first user device to perform one or more actions, as taught by Subramanian. It would have been obvious because Subramanian 

Regarding claims 2 and 9, Khalid further teaches wherein the metadata identifying the user interactions includes data identifying user interactions with one or more interface objects associated with the file (see col. 6, lines 47-54: “An active simulated human interaction includes simulated actions that may be performed by a user in response to an event initiated by a suspect object under analysis. In some situations, the simulated action may be required before any further activities are conducted by the object. Examples of an active simulated human interaction include closing a window or dialog box; selecting a particular radio button; and/or entering characters into a text box)”. And see col. 15, lines 7-30: “Operating as part the UI framework 186, the active UI simulation logic 360 is a first type of simulated user interaction which is configured to detect input requests (e.g., password request, an attempt to display a dialog or text box for selection of a radio button or text input, etc.) initiated by the object 147 that require “active” human interaction. In response, based on the contents of the selected action profile 300 1, the active UI simulation logic 360 determines whether to provide a response and, where appropriate, the type of response that simulates the requested human interaction. For instance, the selected action profile 300 1 may cause the active UI simulation logic 360 to provide signaling that simulates human interaction responsive to the input request initiated by the launched object 147. For example, the signaling may simulate the user closing a dialog box that requires dismissal before continuing or simulate the user selecting a particular radio button that closes the dialog box and opens another dialog box for handling”. The Examiner interprets a dialog box, a text box or a radio button displayed by the object 147 as one or more interface objects associated with the file. And see col. 4, lines 18-28).

Regarding claims 4 and 10, Khalid further teaches wherein the one or more processors, when testing the file in the sandbox environment, are to: execute the malware detection procedure to determine that the file is malware, wherein the malware detection procedure determines that the file is malware based on a defense mechanism of the malware incorrectly assessing the user interactions as being performed by a human user (see col. 10, line 66 and col. 11, line 3: “The UI control logic 182 provides simulated user interactions to detonate a malicious object that is loaded into the VM 170 1 and requires some sort of user interaction to initiate a malicious attack”. And see col. 15, lines 59-65: “the device control simulation logic 380 may receive instructions from the selected action profile 300 1 to simulate certain device control interactions, such as simulate particular keystrokes and/or particular mouse movements, in an attempt to detonate a malicious object that is awaiting user interaction before conducting a malicious attack”. And see col. 2, lines 50-52 and col. 1, lines 28-47: “this processing may require user interaction, for example, in the form of an input initiated by an input device such as a graphical user interface (GUI), mouse, keyboard, keypad or the like. Based on an inability to provide the necessary user input, current malware detection systems may fail to activate the malicious content within the objects. One reason is that sophisticated malware often has a self-defense mechanism, which attempts to detect whether it is running in a virtual environment of a malware detection system rather than the intended environment of a client device under user control. One type of self-defense mechanism involves the malware monitoring whether user input expected by an application is supplied at the appropriate time. If it is not, the malware may simply hibernate (not activate), and thus not present itself for detection by the malware detection system”).

Regarding claim 5, Khalid further teaches wherein the one or more processors, when testing the file in the sandbox environment, are to: perform the user interactions identified by the metadata by interacting with one or more interface objects associated with the file using, or to simulate using, at least one of: a mouse, a keyboard, or a touch-screen (see col. 15, lines 59-65: “the device control simulation logic 380 may receive instructions from the selected action profile 300 1 to simulate certain device control interactions, such as simulate particular keystrokes and/or particular mouse movements, in an attempt to detonate a malicious object that is awaiting user interaction before conducting a malicious attack”).

Regarding claim 6, Khalid further teaches wherein the file is malware (see col. 12, lines 25-33 and FIG. 1: “the reporting engine 195 is adapted to receive information from the classification engine 190 via transmission medium 189 and generate alerts (e.g., various types of messages including text messages and email messages, display images, or other types of information over a wired or wireless transmission medium) that identify to a network administrator that the suspect object 147 is associated with a malicious attack and is user-interaction dependent”).
Khalid modified in view of Gafni fails to teach wherein the one or more processors, when providing the notification, are to: provide, as part of the notification, a set of instructions indicating how to undo a set of modifications, on the first user device, caused by the malware.
In the same field of endeavor, Subramanian teaches wherein the one or more processors, when providing the notification, are to: provide, as part of the notification, a set of instructions indicating how to undo a set of modifications, on the first user device, caused by the malware (see col. 5, lines 10-27: “identification module 104 may identify a file 208 on computing device 202. Reputation module 106 may then determine, using digital fingerprint 210, that the file's reputation 212 is unknown. Logging module 108 may, in response to determining that the file's reputation 212 is unknown, log evaluation module 110 may determine that changes 214 made by file 208 are to be reversed (e.g., in response to determining that file 208 is malicious). In response to determining that changes made by file 208 are to be reversed, notification module 112 may then instruct computing device 202 to reverse changes 214 made by file 208 on computing device 202”).
Both Subramanian (see col. 6, lines 1-7) and Khalid modified in view of Gafni teach a device performing a malware detection procedure on a file downloaded to a first user device and providing a notification that includes the malware detection result when the file is malware. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the device of Khalid modified in view of Gafni by letting the one or more processors, when providing the notification, provide, as part of the notification, a set of instructions indicating how to undo a set of modifications, on the first user device, caused by the malware, as taught by Subramanian. It would have been obvious because Subramanian teaches the following: “The systems and methods described herein may also issue instructions to reverse these logged changes from a remote device so that, even if the computing device becomes unresponsive, the computing device can be restored to a usable state” (see col. 1, lines 56-59).

Regarding claims 7 and 13, Khalid further teaches determine a likelihood of the user interactions triggering benign malware behavior of the file; determine whether the likelihood of the user interactions triggering the benign malware behavior satisfies a threshold likelihood of the user interactions triggering the benign malware behavior; and wherein the one or more processors, when testing the file in the sandbox environment, are to: test the file in the sandbox environment by performing either the user interactions identified by the metadata or different user interactions identified by other metadata based on whether the likelihood of the user interactions triggering the benign malware behavior satisfy the threshold likelihood (see col. 12, lines 4-24: “For instance, when a submitted object 147 is classified as malicious, the UI framework log 176 can provide information for understanding which simulation logic caused or helped a successful detonation. In other words, from data within the UI framework logic 176, a determination can be made as to the efficacy of action profiles and the UI framework. Such feedback can be used to “fine-tune” action profiles. Additionally, by use of data within the UI framework logic, malwares can be classified based on user interaction(s) necessary for detonation. This classification and details of user interaction(s) can augment the Threat Intelligence aspects such as forensic analysis of malwares and incidence response. Similarly, when the object 147 is classified as suspicious, the UI framework logic 176 provides information for understanding the shortcomings in the set of user interactions the UI framework 186 provides (e.g., a new feature might be required in UI framework 186 or new rules or parameters may be needed for the selected action profile). On the other hand, if a user interaction performed by the UI framework obstructs object detonation, it can be rectified in subsequent action profile update”).

Regarding claim 8, Khalid modified in view of Gafni and Subramanian teaches (see the rejection of claim 1 above) A method, comprising: receiving, by a device, a file that has been downloaded to a first user device or that is to be downloaded to the first user device; processing, by the device, the file to determine one or more file identification properties; obtaining, by the device and based on the one or more file identification properties, metadata identifying user interactions associated with the file that include at least one of: a first group of user interactions that were performed when the file was accessed on the first user device, or a second group of user interactions that were performed when the file was accessed on one or more other user devices; performing, by the device and within a sandbox environment, the user interactions identified by the metadata; executing, by the device and within the sandbox environment, a malware detection procedure to determine whether the file is malware; and providing, by the device and to the first user device, a notification indicating whether the file is malware to cause the first user device to perform one or more actions when the file is malware.
Khalid further teaches wherein the user interactions are performed to reduce or eliminate a likelihood of a malware defense mechanism triggering benign malware behavior prior to execution of the malware detection procedure (see col. 10, line 66 and col. 11, line 3: “The UI control logic 182 provides simulated user interactions to detonate a malicious object that is loaded into the VM 170 1 and requires some sort of user interaction to initiate a malicious attack”. And see col. 15, lines 59-65: “the device control simulation logic 380 may receive instructions from the selected action profile 300 1 to simulate certain device control interactions, such as simulate particular keystrokes and/or particular mouse movements, in an attempt to detonate a malicious object that is awaiting user interaction before conducting a malicious attack”. And see col. 2, lines 50-52 and col. 1, lines 28-47: “this processing may require user interaction, for example, in the form of an input initiated by an input device such as a graphical user interface (GUI), mouse, keyboard, keypad or the like. Based on an inability to provide the necessary user input, current malware detection systems may fail to activate the malicious content within the objects. One reason is that sophisticated malware often has a self-defense mechanism, which attempts to detect whether it is running in a virtual environment of a malware detection system rather than the intended environment of a client device under user control. One type of self-defense mechanism involves the malware monitoring whether user input expected by an application is supplied at the appropriate time. If it is not, the malware may simply hibernate (not activate), and thus not present itself for detection by the malware detection system”).

Regarding claim 12, Khalid further teaches wherein the file is a first file and wherein the malware detection procedure determines that the first file is not malware; the method further comprising: receiving a second file that has been downloaded to a second user device or that is to be downloaded to the second user device; executing the malware detection procedure on the second file to determine that the second file is malware; determining that a file identifier of the second file matches a particular file identifier of the first file; and performing one or more actions to re-determine whether the first file is malware using new metadata identifying particular user interactions that were used to determine that the second file is malware (see col. 12, lines 4-24: “For instance, when a submitted object 147 is classified as malicious, the UI framework log 176 can provide information for understanding which simulation logic caused or helped a successful detonation. In other words, from data within the UI framework logic 176, a determination can be made as to the efficacy of action profiles and the UI framework. Such feedback can be used to “fine-tune” action profiles. Additionally, by use of data within the UI framework logic, malwares can be classified based on user interaction(s) necessary for detonation. This classification and details of user interaction(s) can augment the Threat Intelligence aspects such as forensic analysis of malwares and incidence response. Similarly, when the object 147 is classified as suspicious, the UI framework logic 176 provides information for understanding the shortcomings in the set of user interactions the UI framework 186 provides (e.g., a new feature might be required in UI framework 186 or new rules or parameters may be needed for the selected action profile). On the other hand, if a user interaction performed by the UI framework obstructs object detonation, it can be rectified in subsequent action profile update”).

Regarding claim 14, Khalid modified in view of Gafni fails to teach wherein providing the notification comprises: providing, as part of the notification, a set of instructions indicating to undo a set of modifications caused by the malware to the first user device, wherein the set of instructions causes the first user device to undo the set of modifications caused by the malware..
In the same field of endeavor, Subramanian teaches wherein providing the notification comprises: providing, as part of the notification, a set of instructions indicating to undo a set of modifications caused by the malware to the first user device, wherein the set of instructions causes the first user device to undo the set of modifications caused by the malware (see col. 5, lines 10-27: “identification module 104 may identify a file 208 on computing device 202. Reputation module 106 may then determine, using digital fingerprint 210, that the file's reputation 212 is unknown. Logging module 108 may, in response to determining that the file's reputation 212 is unknown, log changes 214 made by file 208 to computing device 202. At some later point in time, evaluation module 110 may determine that changes 214 made by file 208 are to be reversed (e.g., in response to determining that file 208 is malicious). In response to determining that changes made by file 208 are to be reversed, notification module 112 may then instruct computing device 202 to reverse changes 214 made by file 208 on computing device 202”).
Both Subramanian (see col. 6, lines 1-7) and Khalid modified in view of Gafni teach a device performing a malware detection procedure on a file downloaded to a first user device and providing a notification that includes the malware detection result when the file is malware. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Khalid modified in view of Gafni by letting providing the notification comprise: providing, as part of the notification, a set of instructions indicating to undo a set of modifications caused by the malware to the first user device, wherein the set of instructions causes the first user device to undo the set of modifications caused by the malware, as taught by Subramanian. It would .

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Khalid (US 9,838,417), further in view of Gafni (US 2016/0330215), and further in view of Subramanian (US 9,813,443), and further in view of Zhou (US 2018/0278674).

Regarding claim 3, Khalid further teaches wherein the one or more processors, when processing the file, are to: process the file to determine: a file identifier that is to be used as a first file identification property (see col. 9, line 46-col. 10, line 3: “From the extracted metadata, the object-type determination logic 156 may determine object type”. The Examiner interprets using the first few bytes of the object 147 to determine the object-type as process the file to determine: a file identifier that is to be used as a first file identification property).
Khalid modified in view of Gafni and Subramanian fails to teach wherein the one or more processors, when obtaining the metadata identifying the user interactions, are to: obtain the metadata identifying the user interactions by using the first file identification property to search a data structure that associates particular metadata with particular file identification properties.
However, Zhou teaches wherein the one or more processors, when obtaining the metadata, are to: obtain the metadata by using the first file identification property to search a data structure that associates particular metadata with particular file identification properties (see [0031]: “After receiving the media information presentation request, the server searches the image file corresponding to the identifier from a plurality of saved image files according to the identifier of the image file, extracts a key word of the image file by analyzing the image file, and then performs matching between the key word of the image file and key word of each piece of media information, so as to determine one or more pieces of to-be-presented media information”. The Examiner interprets “one or more pieces of to-be-presented media information” as metadata).
Both Zhou and Khalid modified in view of Gafni and Subramanian teach obtaining metadata associated with a file identification property. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the device of Khalid modified in view of Gafni and Subramanian by letting the obtaining metadata taught by Khalid modified in view of Gafni and Subramanian comprise using the first file identification property to search a data structure that associates particular metadata with particular file identification properties, as taught by Zhou. Using the known technique of using a file identification property to search a data structure that associates metadata with file identification properties to obtain the metadata associated with a file identification property taught by Khalid modified in view of Gafni and Subramanian would have been obvious to one of ordinary skill. When the above modification is made, Khalid modified in view of Gafni, Subramanian and Zhou would teach wherein the one or more processors, when obtaining the metadata identifying the user interactions, are to: obtain the metadata identifying the user interactions by using the first file identification property to search a data structure that associates particular metadata with particular file identification properties.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Khalid (US 9,838,417), further in view of Gafni (US 2016/0330215), further in view of Subramanian (US 9,813,443), further in view of Zhou (US 2018/0278674), further in view of Official Notice, and further in view of Fabbio (US 7,456,832).

Regarding claim 11, Khalid modified in view of Gafni and Subramanian fails to teach wherein obtaining the metadata identifying the user interactions comprises: performing a search by using a first search query to search a data structure for the metadata identifying the user interactions, wherein the first search query includes a file identifier that is part of the one or more file identification properties.
However, Zhou teaches wherein obtaining the metadata comprises: performing a search by using a first search query to search a data structure for the metadata, wherein the first search query includes a file identifier that is part of the one or more file identification properties (see [0031]: “After receiving the media information presentation request, the server searches the image file corresponding to the identifier from a plurality of saved image files according to the identifier of the image file, extracts a key word of the image file by analyzing the image file, and then performs matching between the key word of the image file and key word of each piece of media information, so as to determine one or more pieces of to-be-presented media information”. The Examiner interprets “one or more pieces of to-be-presented media information” as metadata).
Both Zhou and Khalid modified in view of Gafni and Subramanian teach obtaining metadata associated with a file identification property. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Khalid modified in view of Gafni and Subramanian by letting the obtaining metadata taught by Khalid modified in view of Gafni and Subramanian comprise performing a search by using a first search query to search a data structure for the metadata, wherein the first search query includes a file identifier that is part of wherein obtaining the metadata identifying the user interactions comprises: performing a search by using a first search query to search a data structure for the metadata identifying the user interactions, wherein the first search query includes a file identifier that is part of the one or more file identification properties.
Khalid modified in view of Gafni, Subramanian and Zhou fails to teach receiving, based on performing the search, a result indicating that the metadata identifying the user interactions was not found, performing another search by using a second search query.
The Examiner takes Official Notice that the following is well-known: receiving, based on performing the search, a result indicating that the metadata was not found, performing another search by using a second search query.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Khalid modified in view of Gafni, Subramanian and Zhou by including the steps of receiving, based on performing the search, a result indicating that the metadata was not found, performing another search by using a second search query, as taught by Official Notice. It would have been obvious because doing so achieves the commonly understood benefit of increasing the probability of finding search results by using multiple search queries. When such a modification is made,  Khalid modified in view of Gafni, Subramanian, Zhou and Official Notice would teach receiving, based on performing the search, a result indicating that the metadata identifying the user interactions was not found, performing another search by using a second search query to search the data structure for the metadata identifying the user interactions.
Khalid modified in view of Gafni, Subramanian, Zhou and Official Notice fails to teach wherein the second search query includes, as part of the one or more file identification properties, one or more interface object identifiers that are associated with one or more interface objects that are displayed when the file is accessed in the sandbox environment, and receiving, based on performing the other search, another result that includes the metadata identifying the user interactions.
However, Fabbio teaches wherein the second search query includes, as part of the one or more file identification properties, one or more interface object identifiers that are associated with one or more interface objects that are displayed, and receiving, based on performing the other search, another result that includes the metadata (see col. 12, lines 40-52: “A general flow for traversing through the topology of the system is shown with reference to FIG. 8A-FIG. 8C. The id of the top menu is used as priming input to the menu processing module which uses the id to search for menu interface objects in the object data manager, step 801. The proper representation for the menu interface object is determined with reference to the linguistic and/or graphical environment. All objects found to meet the id key are sent for display to a screen library which enforces conformity by narrowing the interface to multiple graphical libraries, step 802. The collection of objects sent to the screen library from the interface tool is referred to herein as the logical frame presentation, since it has not yet been displayed to the user”).
Both Fabbio and Khalid modified in view of Gafni, Subramanian, Zhou and Official Notice teach obtaining metadata. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Khalid modified in view of Gafni, Subramanian, Zhou and Official Notice by letting the second search query include, as part of the one or more file identification properties, one or more interface object identifiers that are associated wherein the second search query includes, as part of the one or more file identification properties, one or more interface object identifiers that are associated with one or more interface objects that are displayed when the file is accessed in the sandbox environment, and receiving, based on performing the other search, another result that includes the metadata identifying the user interactions.


Claims 15-17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gafni (US 2016/0330215), further in view of Khalid (US 9,838,417), and further in view of Subramanian (US 9,813,443).

Regarding claim 15, Gafni teaches A non-transitory computer-readable medium storing instructions, the instructions comprising: 
one or more instructions that, when executed by one or more processors of a user device (a client device 105, see Fig. 1), cause the one or more processors to: 
receive a file that is to be accessed on the user device (see [0036] and Fig. 1: “Client devices 105 in, for example, an organization are involved in browsing websites via, for example, the Internet 110. …Web content is transmitted in an HTTP response from a particular destination web server 115 to a particular client device 105 upon receipt of an HTTP request from the specific client 105. Malware is potentially carried in HTTP responses from a destination web server 115 to a client device 105”. The Examiner interprets a client device 105 receiving the malware carried in HTTP responses from a destination web server 115 as receive a file that is to be accessed on the user device); 
capture user interactions (see [0038] and Fig. 1: “Client Devices 105 may include a module called the Agent... Additionally, the Agent may communicate, for example, real time user activity information such as keyboard usage and mouse clicks to the Database Server 130”), associated with the file (see [0056] and Fig. 2: “The Client User Activity Data Repository 280 is a database that stores records of user device activity (such as keyboard presses, mouse clicks, and the like) so that these may be used in conjunction with the sandboxed emulated browser sessions run by the inspection server. The user activity records stored in the Client User Activity Data Repository 280 may include, for an example, an identifier of the specific Client Device such as MAC Address, IP address, or the like. The user activity logs stored in the database may also include, for example, timestamps or URL identifiers, or other data which allows correlation of user activity with HTTP transactions”. The Examiner interprets the user activity logs correlated with HTTP transactions as taught in [0056], where the HTTP transactions include an HTTP response containing the malware taught in [0036] (the file) received by the client device 105, as user interactions, associated with the file); 
generate metadata identifying the user interactions associated with the file (see [0038] and Fig. 1: “Client Devices 105 may include a module called the Agent... Additionally, the Agent may communicate, for example, real time user activity information such as keyboard usage and mouse clicks to the Database Server 130”. And see [0056] and Fig. 2: “The Client User Activity Data Repository 280 is a database that stores records of user device activity (such as keyboard presses, mouse clicks, and the like) so that these may be used in conjunction with the sandboxed emulated browser sessions run by the inspection server. … The user activity logs stored in the database may also include, for example, timestamps or URL identifiers, or other data which allows correlation of user activity with HTTP transactions”. The Examiner interprets the user activity logs correlated with HTTP transactions as taught in [0056], where the HTTP transactions include an HTTP response containing the malware taught in [0036] (the file) received by the client device 105, as metadata identifying the user interactions associated with the file); 
provide the metadata to a data structure accessible by a security platform (see [0038], [0039] and Fig. 1: “Client Devices 105 may include a module called the Agent, … the Agent may communicate, for example, real time user activity information such as keyboard usage and mouse clicks to the Database Server 130. When the Agent on a specific client device 105 communicates this information to the the Database Server 130, the Database Server 130, for example, stores the information, so that it may be accessed subsequently by, for example, the Inspection Server 150”. The Examiner interprets the Database Server 130 and the Inspection Server 150 as a data structure and a security platform, respectively) to permit the security platform to test the file in a sandbox environment to determine whether the file is malware (see [0041]-[0045] and Fig. 1: “For a particular Client Device 105 instance that is to be protected, the Inspection Server 150 creates or obtains a sandbox environment for emulation of, for example, the hardware, operating system, browser, and other characteristics of the particular Client Device 105…. The Web Proxy 155 gets the HTTP response data from, for example, the HTTP transaction data that has been stored in the the Database Server 130. In this manner, the sandboxed browser environment in the Inspection Server 150 closely emulates the web activity of the Client Device 105. … The Inspection Server 150 monitors the sandboxed environment for, for example, signs of anomalous or malicious behavior, and, for example, raises an alert upon detection of such”. And see [0043]: “The Inspection Server 150 may also monitor, for example, the realtime user activity data sent by the Agent located on the Client Device 105 and applies these user activities (eg. keyboard presses and mouse clicks) to the session in the sandboxed browser environment”).

with one or more interface objects, that are displayed after the file is accessed (emphasis added). Gafni also fails to teach that the generated metadata identifying the user interactions identifies the user interactions with the one or more interface objects (emphasis added).
In the same field of endeavor, Khalid teaches user interactions with one or more interface objects, that are displayed after the file is accessed (see col. 6, lines 47-54: “An active simulated human interaction includes simulated actions that may be performed by a user in response to an event initiated by a suspect object under analysis. In some situations, the simulated action may be required before any further activities are conducted by the object. Examples of an active simulated human interaction include closing a window or dialog box; selecting a particular radio button; and/or entering characters into a text box)”. And see col. 15, lines 7-30: “Operating as part the UI framework 186, the active UI simulation logic 360 is a first type of simulated user interaction which is configured to detect input requests (e.g., password request, an attempt to display a dialog or text box for selection of a radio button or text input, etc.) initiated by the object 147 that require “active” human interaction. In response, based on the contents of the selected action profile 300 1, the active UI simulation logic 360 determines whether to provide a response and, where appropriate, the type of response that simulates the requested human interaction. For instance, the selected action profile 300 1 may cause the active UI simulation logic 360 to provide signaling that simulates human interaction responsive to the input request initiated by the launched object 147. For example, the signaling may simulate the user closing a dialog box that requires dismissal before continuing or simulate the user selecting a particular radio button that closes the dialog box and opens another dialog box for handling”. The Examiner interprets a dialog box, a text box or a radio button displayed by the object 147 as one or more interface objects, that are displayed after the file is accessed. And see col. 4, lines 18-28).
 that are displayed after the file is accessed, as taught by Khalid. It would have been obvious because user interactions with one or more interface objects that are displayed after the file is accessed can better indicate actual human actions and are more realistic and effective in tricking an evasive malware. When such a modification is made, Gafni modified in view of Khalid also teaches to generate metadata identifying the user interactions with the one or more interface objects associated with the file, as recited in claim 15.

Gafni fails to teach that the instructions stored by the non-transitory computer-readable medium cause the one or more processors to process the file to determine a file identifier. Gafni also fails to teach that the file identifier is provided together with the metadata identifying the user interactions with the one or more interface objects associated with the file to a data structure accessible by a security platform.
In the same field of endeavor, Khalid teaches to process the file to determine a file identifier (see col. 9, lines 10-12: “The metadata extraction logic 154 is responsible for extracting and/or generating metadata 148 contained as part of and/or associated with the suspect object 147”. And see col. 9, lines 22-26: “Examples of metadata 148 may include, but are not restricted or limited to, information that identifies the type of object 147. For example, a particular document (e.g., Microsoft.RTM. Excel spreadsheet) is an example of an object type, which may be in the form of a non-executable”.  And see col. 9, line 46-col. 10, line 3: “From the extracted metadata, the object-type determination logic 156 may determine object type. For instance, the object-type determination logic 156 may analyze content within the object 147, which may identify the object type. For instance, as an illustrative example, the object-type determination logic 156 may identify a predetermined number of bytes at the beginning of the object 147 (sometimes referred to as the "magic numbers" for the object) and compare the values associated with these bytes with stored values within the magic number database 158. Upon a successful comparison, the object-type determination logic 156 has identified the object type. For instance, as an illustrative embodiment, the first few bytes of the object 147 may, in certain cases, be used to determine the object-type or at least infer the object based on the communication protocol in use. As an example, the object-type determination logic 156 may determine that the object 147 starts with the hexadecimal string value "4D5A" which, upon comparison with entries within the magic number database 158, identifies that the object 147 is an executable. Similar, the object-type determination logic 156 may determine that the object 147 starts with a hexadecimal string value of "25 50 44 46" and, upon comparing this value with stored data within the magic number database 158, determines that the object 147 is a PDF document”. The Examiner interprets the object-type of the object 147 as a file identifier).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the non-transitory computer-readable medium of Gafni by letting the instructions stored by the non-transitory computer-readable medium cause the one or more processors to process the file to determine a file identifier, as taught by Khalid. It would have been obvious because Khalid teaches the following: “each action profile is configured for use in dynamically controlling UI actions associated with a certain type of object in contrast to the use of patterns per se. For instance, the action profile associated with a Microsoft® Excel® spreadsheet may conduct different UI actions (e.g., select tabs, add text to certain cells, scroll down a certain number of cell rows, etc.) than a PDF document (e.g., scroll pages of the document, etc.)” (see col. 3, lines 50-58). In other words, processing 
Additionally, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the non-transitory computer-readable medium of Gafni by not only providing the metadata identifying the user interactions with the one or more interface objects associated with the file to a data structure accessible by a security platform as taught by Gafni, but also providing the file identifier taught by Khalid to the data structure accessible by the security platform. It would have been obvious because doing so achieves the benefit of associating the metadata identifying the user interactions with the file identifier (the object-type) in the data structure accessible by the security platform so that the security platform can retrieve user interactions appropriate for the type of the file (the file identifier) from the data structure and use them to more effectively trick the potentially malicious file into believing that a human is interacting with the file.

Gafni modified in view of Khalid fails to teach that the instructions stored by the non-transitory computer-readable medium cause the one or more processors to receive, from the security platform, a notification indicating whether the file is malware; and perform one or more actions to undo a set of modifications to the user device that were caused by the malware based on receiving the notification and the notification indicating that the file is malware.
In the same field of endeavor, Subramanian teaches that the instructions stored by the non-transitory computer-readable medium cause the one or more processors to receive, from the security platform, a notification indicating whether the file is malware (see col. 8, lines 48-50 and Fig. 2: “evaluation module 110 may, as part of server 206 in FIG. 2, determine that changes 214 made by file 208 to computing device 202 are to be reversed”. The Examiner interprets server 206 as the security platform. And see col. 5, lines 10-27: “identification module 104 may identify a file 208 on computing device 202. Reputation module 106 may then determine, using digital fingerprint 210, that the file's reputation 212 is unknown. Logging module 108 may, in response to determining that the file's reputation 212 is unknown, log changes 214 made by file 208 to computing device 202. At some later point in time, evaluation module 110 may determine that changes 214 made by file 208 are to be reversed (e.g., in response to determining that file 208 is malicious). In response to determining that changes made by file 208 are to be reversed, notification module 112 may then instruct computing device 202 to reverse changes 214 made by file 208 on computing device 202”); and 
perform one or more actions to undo a set of modifications to the user device that were caused by the malware based on receiving the notification and the notification indicating that the file is malware (see col. 4, lines 28-32 and Fig. 1: “Exemplary system 100 may also include a notification module 112 that may, in response to determining that the changes made by the file are to be reversed, instruct the client device to reverse the changes made by the file to the client device”. And see col. 9, line 42-col. 10, line 5).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the non-transitory computer-readable medium of Gafni modified in view of Khalid by letting the instructions stored by the non-transitory computer-readable medium cause the one or more processors to receive, from the security platform, a notification indicating whether the file is malware; and perform one or more actions to undo a set of modifications to the user device that were caused by the malware based on receiving the notification and the notification indicating that the file is malware, as taught by Subramanian. It would have been obvious because Subramanian teaches the following: “The systems and methods described herein may also issue instructions to reverse these logged changes from a remote device so that, even if the computing device becomes unresponsive, the computing device can be restored to a usable state” (see col. 1, lines 56-59).

Regarding claim 16, Gafni further teaches wherein the file is malware (see [0036] and Fig. 1: “Malware is potentially carried in HTTP responses from a destination web server 115 to a client device 105”); and wherein providing the file identifier and the metadata to the data structure permits the security platform to perform the user interactions in the sandbox environment and to use a malware detection procedure to determine that the file is malware based on a defense mechanism of the malware incorrectly assessing the user interactions as being performed by a human user (see [0006]: “However, sandboxing does not detect all malware, such as in cases where particular user configurations or user actions are required to activate the exploit”. And see [0043]: “The Inspection Server 150 may also monitor, for example, the realtime user activity data sent by the Agent located on the Client Device 105 and applies these user activities (eg. keyboard presses and mouse clicks) to the session in the sandboxed browser environment”).

Regarding claim 17, Gafni further teaches wherein the user interactions include at least one of: a mouse click to a first interface object of the one or more interface objects, a keyboard entry to input a value to a second interface object of the one or more interface objects, or a touch-screen interaction with a third interface object of the one or more interface objects (see [0043] and Fig. 1: “The Inspection Server 150 may also monitor, for example, the realtime user activity data sent by the Agent located on the Client Device 105 and applies these user activities (eg. keyboard presses and mouse clicks) to the session in the sandboxed browser environment”).

Regarding claim 19, Subramanian further teaches wherein the set of modifications include at least one of: a first modification to change a register value, a second modification to open or close a port, a third modification to open or close a network connection, a fourth modification to add a new file or a new folder, or a fifth modification to modify an existing file or an existing folder (see col. 7, lines 5-22: “Logging module 108 may log changes made by the file to the client device in a variety of ways. … Examples of change descriptions include, without limitation, copies of data appended to files, copies of deleted files or portions of files, identifiers for created files, and/or records of file name or attribute changes. Change descriptions may also include records of changes made to file contents that include the location of the changes and the data at the change location before and after the changes. In some examples, logging module 108 may log changes made by the file by storing changes made to a registry entry. Registry entry changes may include the entire modified entry or a record of the modified portion of the entry”).

Regarding claim 20, Subramanian further teaches wherein the one or more instructions, that cause the one or more processors to perform the one or more actions to undo the set of modifications, cause the one or more processors to: 
compare state information of the user device at a first time period occurring prior to accessing the file and state information at a second time period occurring after receiving the notification indicating that the file is malware,  identify the set of modifications based on discrepancies identified while comparing the state information at the first time period and the state information at the second time period (see col. 7, lines 39-47: “As an example of how logging module 108 may log changes made by the file using a volume snapshot, MICROSOFT WINDOWS VSS may be configured to obtain a snapshot of a volume at regular intervals, such as at a certain time every day. In this example, logging module 108 may compare the contents of a file located in the volume to the copy of the file located in a volume snapshot to determine whether and how the contents of the file have been modified since VSS obtained the volume snapshot”), and 
undo the set of modifications that have been identified (see col. 8, lines 13-15: “Logging module 108 may log changes made by a file on a client device so that the changes can be reversed if, for example, the file is later determined to contain malware”).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Gafni (US 2016/0330215), further in view of Khalid (US 9,838,417), further in view of Subramanian (US 9,813,443), and further in view of Shani (US 2020/0310952).

Regarding claim 18, Gafni modified in view of Khalid and Subramanian fails to teach wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: capture display information for the one or more interface objects associated with the file; generate additional metadata identifying the display information for the one or more interface objects associated with the file; and wherein the one or more instructions, that cause the one or more processors to provide the file identifier and the metadata to the data structure, cause the one or more processors to: provide the additional metadata to the data structure to permit the security platform to use the additional metadata when determining whether the file is malware.
However, Shani teaches wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: capture display information for the one or more interface objects associated with the file; generate additional metadata identifying the display information for the one or more interface objects associated with the file; and wherein the one or more instructions, that cause the one or more processors to provide the file identifier and the metadata to the data structure, cause the one or more processors to: provide the additional metadata to the data structure to permit the security platform to use the additional metadata when determining whether the file is malware (see [0013]: “UI testing may be performed on an AUT using desired testing functions (e.g., keystrokes, mouse clicks, etc.) to simulate a user interaction with the AUT. However, a potential challenge in generating these scripts may include properly identifying UI objects in a way that the desired testing functions can be properly applied to the correct UI objects (e.g., button, menu item, etc.). Some methods of UI object identification may attempt to identify UI objects based on their attributes. For example, a UI object (such as a button) may have a number of attributes such as title, size, color, length, and the like”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the non-transitory computer-readable medium of Gafni modified in view of Khalid and Subramanian by letting the instructions stored by the non-transitory computer-readable medium further cause the one or more processors to: capture display information for the one or more interface objects associated with the file; generate additional metadata identifying the display information for the one or more interface objects associated with the file; and wherein the one or more instructions, that cause the one or more processors to provide the file identifier and the metadata to the data structure, cause the one or more processors to: provide the additional metadata to the data structure to permit the security platform to use the additional metadata when determining whether the file is malware, as taught by Shani. It would have been obvious because Shani teaches that “some methods of UI object identification may attempt to identify UI objects based on their attributes” (see [0013]). In other words, additional metadata identifying the display information (attributes) for the one or more interface objects helps to identify the one or more interface objects.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ZHIMEI ZHU/Examiner, Art Unit 2495           

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495