DETAILED ACTION
This communication is responsive to the amendment filed on 10/28/2020. 
Claims 1, 3, 9 and 10 have been amended.
Claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 112
Applicant’s remarks concerning the previous rejection of claims 21-24, 29, 31, 34, 37, 39, 41 and 45 under 35 U.S.C. § 112(b) or 35 U.S.C. § 112 (pre-AIA ) second paragraph as being indefinite for failing to point out and distinctly claim the subject matter is persuasive.  Therefore, the Examiner has withdrawn the rejection of said claims under 35 U.S.C. § 112(b) or 35 U.S.C. § 112 (pre-AIA ) second paragraph 


Claim Rejections - 35 USC § 101
Applicant’s remarks concerning the previous rejection of claims 40-45 under 35 U.S.C. § 101 as being directed to non-statutory subject matter, i.e., A computer-readable medium storing executable instruction is persuasive in light the amendment to the claims, which specifically disclose, “A non-transitory computer medium…” Therefore, the Examiner has withdrawn the rejection of claims 40-45 under 35 U.S.C. § 101.

Response to Arguments
Applicant Argument:
(A) On pages 8-9 of the Applicant’s argument, see Remarks, filed 10/26/2020, with respect to the rejection of claim 21, 23-24, 27-28, 32-33 and 40 under 35 USC § 102(a)(1) as being anticipated by Zhu (US Pat. 8,838,992 B2) has been fully considered and is not persuasive. In particular, the Applicant argues that the primary reference, Zhu does not disclose the claimed limitation features, “determining, based on execution of at least a portion of the one or more scripts, one or features associated with the one or more scripts; and determining, based [on] the one or more features, that the one or more scripts are associated with one or more malicious behaviors.”  The Examiner respectfully disagrees
 
Examiner Response:
In response to the Applicant’s argument with respect to the rejection of claims 21 under 35 USC § 102, The Examiner notes that the Applicant discloses: 
“script data is extracted from a data stream at the network level and emulated in a controlled environment. Based upon a comparison of features extracted from emulation of the script to a set of heuristics, malicious script data can be identified for further analysis or processing” (Instant Application, Abstract).
Zhu discloses that anti-malware 245 may comprise computer-readable program code configured to be executed by the processor of the client computer 230 to evaluate the script 242 for malicious content. The anti-malware 245 may determine whether or not the script 242 comprises malicious code by decrypting the script 242 if it is encrypted, performing emulation of the script 242, or scanning the script 242 using a pattern matching algorithm, for example. The anti-malware 245 may also employ other means of detecting malicious code without detracting from the merits of the present invention. The anti-malware 245 may allow the web browser 243 to employ the script 242 when the script 242 is deemed to be normal. Otherwise, when the script 242 comprises malicious code, the anti-malware 245 may perform one or more responsive actions including blocking and removing the script 242 and the web page 241, blocking communications to and from the server computer 240, and alerting the user or administrator of the client computer 230 (Zhu, col. 5 lines 21-35).  The Examiner asserts that utilizing anti-malware to evaluate the script for malicious content and determining whether the script comprises malicious code by performing emulation of the script reads on the claimed limitation, and therefore maintains the rejection.   

Applicant Argument:
(B) On page 10 of the Applicant Remarks, the Applicant argues that the rejection of claims 22, 25-26, 34-36 and 41-43 under 35 U.S.C. 103 as being unpatentable over Zhu in view of their respective secondary references, i.e., Kejriwa (US Pat. 8,789,178), 

Examiner Response:
In response to the Applicant’s argument that the rejection of claims 22, 25-26, 34-36 and 41-43 under 35 U.S.C. 103 as being unpatentable over Zhu in view of the cited secondary records moot for the same reasons outlined in the Examiner’s response to Applicant’s argument (A) above.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 21, 23-24, 27-28, 32-33 and 40 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhu et al. (US Pat. 8,838,992 B1 filed 04/28/2011).
As to claim 21, Zhu discloses:
“A method, comprising:
receiving, via a network, data comprising one or more scripts, wherein the data is intended for a user device” (Zhu, col. 4 lines 49-53;  client computer 230 receives web page along with script 242, e.g., JavaScript, from a host website);

“determining, based on execution of at least a portion of the one or more scripts, one or more features associated with the one or more scripts” (Zhu, col. 4 line 64 – col. 5 line 4 and lines 18-25; normal script identifier 244 of client computer 230 executes program code that extracts features from script 242, generates a feature vector which can be used to classify script 242 as either a normal or a potentially malicious script; anti-malware 245 may comprise computer-readable program code configured to be executed by the processor of the client computer 230 to evaluate the script 242 for malicious content. The anti-malware 245 may determine whether or not the script 242 comprises malicious code by decrypting the script 242 if it is encrypted, performing emulation of the script 242);
“determining, based the one or more features, that the one or more scripts are associated with one or more malicious behaviors” (Zhu, col. 4 lines 49-54 and col. 5 lines 21-25; client computer 230 comprising support vector machine model (SVM), feature set 223, e.g., attributes associate with script 223 utilizes anti-malware 245 may determine whether or not the script 242 comprises malicious code by decrypting the script 242 if it is encrypted, performing emulation of the script 242, or scanning the script 242 using a pattern matching algorithm); and
“sending, based on the one or more malicious behaviors and to the user device, a message indicating that the one or more scripts comprise malign content” (Zhu, col. 5 lines 7-13 and 31-35; when the script 242 comprises malicious code, i.e., as determined by the script’s feature vector derived from the script’s feature set, the anti-malware 245 may provide an alert to the user or administrator of the client computer 230).

“wherein the portion comprises one or more combined segments of the one or more scripts” (Zhu, fig. 3, col. 5 lines 54-58   ; sample scripts 221, i.e., labeled script snippets, relevant portions of scripts, and extracted script feature set 223 are used to derive SVM model).

As to claim 24, Zhu disclosed the invention of claim 21.  Zhu further discloses: 
“wherein execution of the portion provides an indication of a same function as execution of the one or more scripts by the user device” (Zhu, col. 5 line 64 – col. 6 line 3; each script in the set of known potentially malicious scripts is tagged as "NeedToCheck" to indicate that these scripts need to be checked by the anti-malware 245. The scripts tagged as NeedToCheck may need to be emulated at the client level or sent to a back-end system of the computer security vendor for further analysis).

As to claim 27, Zhu disclosed the invention of claim 21.  Zhu further discloses:
“wherein the determining, that the one or more scripts are associated with the one or more malicious behaviors, is further based on a machine learning model” (Zhu, col. 4 lines 14-21 and 40-43; training computer 220 may comprise a server computer for building a machine learning model that comprises sample scripts 221, feature sets 223 for use by model generator 224 to classify script behavior, e.g., normal or malicious behavior).



“wherein the machine learning model is based on at least one of: 
a support vector machine, a Bayesian belief network, a neural network, or a decision tree (Zhu, col. 4 lines 24-31; training computer 220 may comprise a server computer for building a machine learning model further comprises a support vector machine (SVM) model 225).

As to claim 32, Zhu disclosed the invention of claim 21.  Zhu further discloses: 
“wherein the one or more scripts comprise executable data that is written in a scripting language” (Zhu, col. 2 lines 24-27; JavaScript, VBscript, Jscript, and Action Script are examples of commonly-used scripts employed on the World Wide Web to perform various functions).

As to claim 33, claim 33 represents a device for processing executable instructions that are substantively similar in scope to the invention of claim 1.  Claim 33 is therefore rejected for the same reasons outlined in the rejection of claim 1 above.

As to claim 40, claim 40 represents a computer-readable medium that stores processor executable code that are substantively similar in scope to the invention of claim 1.  Claim 40 is therefore rejected for the same reasons outlined in the rejection of claim 1 above.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 22, 25-26, 34-36 and 41-43 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu in view Kejriwal et al. (US Pat. 8,789,178 B2 filed 11/24/2011).
As to claim 22, Zhu disclosed the invention of claim 21.  Zhu does not explicitly disclose:
“wherein the portion is associated with one or more security conditions comprising at least one of: 
redirecting a browser of the user device, or access to an operating system of the user device.”
However, Kejriwal discloses:
“wherein the portion is associated with one or more security conditions comprising at least one of: 
redirecting a browser of the user device, or access to an operating system of the user device” (Kejriwal, fig. 5 steps 477-479, col. 6 lines 25-27 and 36-40; inferring malicious script activity includes memory manipulation and redirection of the client’s browser away from original website) .


As to claim 25, Zhu disclosed the invention of claim 21.  Zhu does not explicitly disclose:
“wherein the one or more malicious behaviors indicate one or more effects of the user device executing the one or more scripts.”
However, Kejriwal discloses:
“wherein the one or more malicious behaviors indicate one or more effects of the user device executing the one or more scripts” (Kejriwal, col. 2 line 34 – col. 3 line 10;
Javascript code that executes in a browser without user activity may exhibit hostile behavior, i.e., dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the website, operating an eval function on an argument which is resolved into shell code, etc.)
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Zhu with Kejriwal to detect and prevent a client’s browser based malicious JavaScript contents and identify websites that attempt to download malicious JavaScripts that could compromise a client’s computer (Kejriwal, col. 1 lines 27-30).

“wherein the one or more malicious behaviors comprise at least one of: 
redirecting a browser of the user device to a website, causing the user device to download malicious software, or causing the user device to communicate with a computing device.”
However, Kejriwal discloses:
“wherein the one or more malicious behaviors comprise at least one of: 
redirecting a browser of the user device to a website, causing the user device to download malicious software, or causing the user device to communicate with a computing device” (Kejriwal, col. 2 line 34 – col. 3 line 10; Javascript code that executes in a browser without user activity may exhibit hostile behavior, i.e., dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the website, operating an eval function on an argument which is resolved into shell code, etc.)
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Zhu with Kejriwal to detect and prevent a client’s browser based malicious JavaScript contents and identify websites that attempt to download malicious JavaScripts that could compromise a client’s computer (Kejriwal, col. 1 lines 27-30).



As to claim 35, claim 35 is substantively similar in scope to the invention of claim 25.  Claim 35 is therefore rejected for the same reasons outlined in the rejection of claim 25 above.

As to claim 36, claim 36 is substantively similar in scope to the invention of claim 26.  Claim 36 is therefore rejected for the same reasons outlined in the rejection of claim 26 above.

As to claim 41, claim 41is substantively similar in scope to the invention of claim 22.  Claim 41 is therefore rejected for the same reasons outlined in the rejection of claim 22 above.

As to claim 42, claim 42 is substantively similar in scope to the invention of claim 25.  Claim 42 is therefore rejected for the same reasons outlined in the rejection of claim 25 above.

As to claim 43, claim 43 is substantively similar in scope to the invention of claim 26.  Claim 43 is therefore rejected for the same reasons outlined in the rejection of claim 26 above.
Claims 29-30, 37-38 and 44 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu in view Tyagi, (US Pat. 9,419,991 B2 filed 09/30/2014).
As to claim 29, Zhu disclosed the invention of claim 21.  Zhu does not explicitly disclose:
“generating, based on removal of format inconsistencies or obfuscated code from the one or more scripts, the portion.”
However, Tyagi discloses:
“generating, based on removal of format inconsistencies or obfuscated code from the one or more scripts, the portion” (Tyagi, col. 3 lines 19-30; mitigating the threat posed by a malicious script by [i]ntercepting script-containing data sent over a network to an end-point device associated with the user, normalizing and de-obfuscating the script contained within the data, comparing the normalized/de-obfuscated script to a regular expression signature associated with a malicious script).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Zhu with Tyagi, in order to provide for the mitigation of threats posed by a malicious scripts sent to end-point devices associated with a user, by normalizing and de-obfuscating the script data, comparing the normalized/de-obfuscated script to a regular expression signature associated with a malicious script, and preventing scripts from being delivered to end-point devices if the script matches a malicious signature (Tyagi, col. 3 lines 19-30).



“wherein the one or more features comprise at least one of: 
an obfuscated variable name, a number of updates to a variable name exceeding a first threshold, an obfuscated Uniform Resource Locator (URL) protocol, an obfuscated scripting language keyword, an obfuscated scripting language reserved word, or entropy of a string exceeding a second threshold.”
However, Tyagi discloses:
“wherein the one or more features comprise at least one of: 
an obfuscated variable name, a number of updates to a variable name exceeding a first threshold, an obfuscated Uniform Resource Locator (URL) protocol, an obfuscated scripting language keyword, an obfuscated scripting language reserved word, or entropy of a string exceeding a second threshold.” (Tyagi, fig. 4, col. 7 lines 20-36; network device 230 may determine whether to perform dynamic de-obfuscation based on [a] condition or a set of conditions associated with performing dynamic de-obfuscation, e.g., analyzing new scripts to determine whether the new scripts are malicious; a condition may include a level and/or indicia of obfuscation--such as satisfying an obfuscation level threshold based on a heuristic algorithm or based on a preliminary signature matching).
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Zhu with Tyagi, in order to provide for the mitigation of threats posed by a malicious scripts sent to end-point devices associated with a user, by normalizing and de-obfuscating the script data, 

As to claim 37, claim 37 is substantively similar in scope to the invention of claim 29.  Claim 37 is therefore rejected for the same reasons outlined in the rejection of claim 29 above.

As to claim 38, claim 38 is substantively similar in scope to the invention of claim 30.  Claim 38 is therefore rejected for the same reasons outlined in the rejection of claim 30 above.

As to claim 44, claim 44 is substantively similar in scope to the invention of claim 30.  Claim 44 is therefore rejected for the same reasons outlined in the rejection of claim 30 above.

Claims 31, 39 and 45 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu in view Dewey et al. (US Pat. 8,201,245 B2 filed 12/05/2007).
As to claim 31, Zhu disclosed the invention of claim 21. Zhu does not explicitly disclose:
“wherein the execution comprises executing one or more branches associated with the portion to cause evaluation of the portion to true and false cases.”
However, Dewey discloses:
(Dewey, fig. 4, steps 90-114; col. 6 lines 24-36; if detector 45 identifies any malicious script code or other malicious program code in the revised program code, e.g., decision 110, yes branch, detector 45 takes appropriate action (step 112); if detector 45 does not identify any malicious program code in the revised program code, e.g., decision 110, no branch, then detector 45 returns to the program step in the execution engine 44 just after the hooking/jump step 50 to execute the revised program code, step 114).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Zhu with Dewey in order to detect obfuscated malicious code embedded in an HTML or its associated files that otherwise might not be detected prior to execution by a web browser (Dewey, col. 2 lines 1-9).

As to claim 39, claim 39 is substantively similar in scope to the invention of claim 31.  Claim 39 is therefore rejected for the same reasons outlined in the rejection of claim 31 above.

As to claim 45, claim 45 is substantively similar in scope to the invention of claim 31.  Claim 45 is therefore rejected for the same reasons outlined in the rejection of claim 31 above.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to /FELICIANO S MEJIA/ whose telephone number is (571)270-5994.  The examiner can normally be reached on 8:30am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 

/FELICIANO S. MEJIA/
Examiner
Art Unit 2492




/SALEH NAJJAR/           Supervisory Patent Examiner, Art Unit 2492