DETAILED ACTION
	Claims 1-10, 17 and 21-30 are pending. Claims 11-16 and 18-20 were canceled. Claims 1-2, 10, 17 and 30 are amended. This is in response to Applicant’s Pre-Brief Appeal filed on January 14, 2021.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments with respect to claim 1 have been considered and are persuasive. The rejection is withdrawn. However, upon further consideration a new ground of rejection is presented herein.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 


Claims 1-5, 10, 17, 21-26 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over PG Pub 20160378640 (hereinafter Hron) in view of PG Pub 20180018459 (hereinafter Zhang) and further in view of NPL 2004 (hereinafter Nethercote)
	Regarding claim 1, Hron discloses a method for identifying that malware based on an analysis of dynamic binary instrumentation (DBI) framework state information, the method comprising:
 	receiving program code included in a data set after a first processor has added an identifier to metadata of the data set, the identifier indicating that the program code in the data set is suspected of being malware wherein the first processor rendered the suspect program code inactive by inserting one or more instructions into the suspect program code (Figs. 1-2, par. [0015]-[0033] disclose process of detecting malware in an application using DBI framework where a point of interest of a program can be under-examined. Hron further discloses a context structure (e.g. identifier) is an indicator that the thread should be switched to execution in DBI/DBT mode once the point of interest is reached. As known in the art, DBI framework is inserting code into a point of interest for malware inspection); 
 	identifying that the metadata of the data set includes the malware program code identifier (par. [0027] and {0030] discloses the context structure holds information about the thread being executed. For example, the context data can include processor state (e.g. CPU states, register states, stack states etc.). Since the DBI framework detects for 
 	Hron discloses the DBI framework can be bypassed for sections of code that do not contain instructions that may potentially cause a change in the flow of control of a thread and thus can be safely run natively (par. [0032]). Although Hron does not expressly discloses rendering the suspect program code active by removing the one or more instructions, this is well-known in the art using DBI. For example, Nethercote discloses different tools can be used for DBI such as DynInst where “…DynInst’s main strength is that it can add/remove instrumentation to/from an already-running program…”. Furthermore, Nethercote discloses “…the mutator instruments the client by replacing each chosen instruction in-place with a jump to an analysis code snippet…” (pages 46-47). Since Nethercote teaches using the jump instruction to skip normal execution of the suspected code to the analysis code snippet, once the instrumented code is removed it will allow the suspected code active as claimed. Therefore, it would have been obvious before the claimed invention date to further teach the claimed features. One would have done so to use these known DBI tools disclosed in Nethercote such as DynInst that may be best fit for the DBI purpose since very little analysis code needs to be added and also because it works on by far the most platforms of any of the mentioned frameworks; 
 	Hron further disclose loading the suspect program code and a set of observation instructions of a DBI framework to be loaded into at least a portion of a memory for execution; observing: one or more actions performed during the execution of the suspect program code that was loaded in the portion of the memory by executing the set of observation instructions of the DBI framework; associating the one or more actions with the DBI framework state information; identifying that the suspect program code is malicious based on the an identification that the DBI framework state information corresponds to a malicious program code behavior (same citation of Figs. 1-2 for detecting malware pattern); 
Hron does not disclose what to do if malware is found. Zhang discloses performing one or more actions if malware is detected to protect the client device from the attack (Figs 4B, 7 and par. [0052] and [0075]-[0078]). Therefore, it would have been obvious to modify Hron with Zhang to further teach performing a corrective action based on the identification that the suspect program code is malicious. One would have done so to instantly notifies mobile devices when the particular application program is identified as malware to improve the efficiency and coverage that cannot offer comprehensive and efficient protection against malware where unwanted applications such as riskware, pornware, risky payment apps, hacktool and adware that bring unpleasant experience in smart phone usage (Zhang, Background and Summary sections).

	Regarding claim 2, Hron discloses identify that the data set includes the program code; allow one or more instructions of the program code to be executed out of the memory by a processor; insert one or more observation instructions of the set of observation instructions between the one or more program code instructions; analyze data associated with the one or more observation instructions, wherein the program code is identified as having performed a suspicious activity (see claim 1 rejection); 
classify the data set as possibly including the malicious program code based on the identified suspicious activity; and perform at least one action based on the classification (par. [0035]). Therefore, it would have been obvious to modify Hron with Zhang to further teach the claimed feature. One would have done so to apply the machine learning models based on behavior analysis techniques such as regression, support vector machine (SVM), decision trees, and neural network classifiers to improve detection rates (Zhang, par. [0039]).

 	Regarding claim 3, Zhang discloses wherein the at least one action includes modifying the data set to include the classification and storing the modified data set (Fig. 2 and par. [0033]-[0041] discloses the classification is included in the application package to inform more information about the application to users).

	Regarding claim 4, the combination of Hron, Zhang and Nethercote further discloses wherein the modification of the data set includes adding the classification to the metadata of the data set (Zhang, Fig. 6 and par. [0064]-[0065] discloses a hardware layer classification module, a kernel layer classification module, a framework layer classification module, and an application layer classification module that each classify the application program based on the application program's behavior. With the framework layer classification, it would be an obvious variation to include the classification into the context structure as taught in Hron).

 wherein the first processor is located at a first computer system that is physically separate from a second computer that receives the program code included in the data set (Hron discloses the examined process is a process where portions of the process or threads of the process will be subject to DBI where the examined process includes a host and a guest. The Guest is the native executable binary code for the examined process. In other words, guest comprises the un-translated binary executable code where the Host includes callbacks and DBI/DBT module. Although Fig. 1 does not disclose the Host and the Guest are in different physical computer, but par. [0035] states “…the system can be spread across many physical hosts. Therefore, many systems and sub-systems of FIG. 3 can be involved in implementing the inventive subject matter”. This suggests the Host(s) and Guest(s) can be in different physical workspace).

 	 	 Claims 10, 17 and 30 correspond to the method of claim 1. Therefore, claims 10 and 17 are rejected for the same reasons presented for claim 1.

 	Regarding claim 21, Hron discloses executing the one or more observation instructions inserted into the program code, wherein execution of the one or more observation instructions generates the data associated with the one or more observation instructions, the associated data indicating observation information regarding the program code (see citation of Fig. 2 and related paragraphs for code instrumented by the DBI process to detect malware pattern).

identifying that the observation information includes at least one of content of a register, a program code process parameter, content of one or more specified memory locations, memory state data, or memory allocation data (see claim 1 rejection in view of Hron for observing state information of registers).  

 	Regarding claim 23, Hron discloses identifying from the observation information that at least one operating system (OS) loader instruction has been executed to load data into the portion of the memory. (see claim 1 rejection in view of Hron, particularly par. [0015]-[[0023] which discloses the injector 102 causes an operating system to load a binary executable for guest 120 of examined process into memory). 
 
 	Regarding claim 24, Hron discloses identifying from the observation information that the suspect program code has been loaded into the portion of the memory (see claim 23 rejection).  

 	Regarding claim 25, Zhang discloses identifying from the observation information that data included in the suspect program code has been decrypted (par. [0069]).

	Regarding claim 26, Hron discloses identifying from the observation information that data included in the suspect program code has been reordered (par. [0031] discloses malware patterns comprises a contiguous block of instructions that ends with .  

	Claims 6 and 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Hron in view of Zhang, Nethercote and further in view of  PG Pub 20110078794 (hereinafter Manni)
 	Regarding claim 27-29, Hron does not disclose identifying from the observation information that a boot block has been written to; identifying from the observation information that a system registry has been updated; identifying from the observation information that file system data has been changed.  Manni discloses this features (par. [0060] discloses an inspected binary file within a configured virtual environment are monitored in order to detect any suspicious behavior or activity.  The monitoring can include attempted CPU instrumentation by the suspicious binary file, network behavior anomalies, network pattern matches, operating system behavior, data theft, key logging, startup, file registry process, code injection, changes to files, and changes to registry keys). Therefore, it would have been obvious to modify Hron, Zhang and Nethercote with Manni to further teach the claimed features. One would have done so to prevent malware introduced by network content by visited websites that is not caught by the user’s computer software such as antivirus, firewalls, etc. (Manni, par. [0006]).

	Regarding claim 6, Hron discloses executing instructions by a virtual set of operating system software (par. [0015] discloses the DBI framework can be .

	Claims  7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Hron in view of Zhang, Nethercote and further in view of Vincent et al. PG Pub 20150096022 (hereinafter Vincent)
 	Regarding claim 7, Shukla does not disclose wherein the at least one action includes sending the data set to another computer for further analysis.  Vincent discloses this feature (Figs. 1A-B discloses a 2-stage analysis using static and dynamic modules).  Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Hron, Zhang and Nethercote with Vincent to perform malware detection with greater flexibility in the conduct of malware analysis to realize greater efficiencies with improved efficacy (Vincent, par. [0023]).

 	Regarding claim 8, Vincent discloses monitoring the program code via a background process that polls memory and that is separate from a main execution path of the program code (par. [0066] discloses "…The scheduler 740 then launches VM 752 in which dynamic analysis module 103 is running within VM 752 and configured to monitor activities and behavior of specimen 706. An emulation analysis may be performed by emulation analysis module 104 as described above. Furthermore, the analysis results generated by static analysis module 102 and/or dynamic analysis module 103 may be stored in corresponding VM disk files 760, for example, as part of intelligence store 110").

 	Regarding claim 9, Vincent discloses associating the portion of memory with a first set of contextual information and associating a set of analysis code with a second set of contextual information (par. [0047] discloses "…Referring to FIG. 1 B, in addition to those components, such as, controller 106, static analysis module 102, dynamic analysis module 103, malware classifier 105, and intelligence store 110 as shown in FIG. 1A, system 150 further includes an emulation analysis module (also referred to as an emulator or emulation logic) 104 for performing an emulation analysis on a specimen to generate an emulation analysis result 113. Emulation analysis module 104 is communicatively coupled to controller 106, static analysis 102, dynamic analysis module 103, malware classifier 105, and intelligence store 110. In one embodiment, emulation analysis module 104 is configured to emulate operations associated with the processing of a particular specimen in context with an emulated computer application (rather than a "real" application, as may be run in a virtual machine in the dynamic analysis) or in context with an emulated dynamic library…").  

Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/TRI M TRAN/Primary Examiner, Art Unit 2494