DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s remarks filed on 01/22/2021 has been fully considered. 
Regarding claim[s] 1, 2, 3, 5, 7, 9 under the anticipatory rejection, applicant’s remarks are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below. 
Regarding claim[s] 4, 6 under the obviousness rejection, applicant’s remarks are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below.
The examiner will address all other remarks that do not concern the prior art rejections, if any, in the office action.
Response to Amendment
Status of the instant application:
Claim[s] 1 – 7, 9 are pending in the instant application. 
Claim[s] 8 is cancelled. 
Regarding claim[s] 1, 2, 3, 5, 7, 9 under the anticipatory rejection, applicant’s claim amendments have been considered, therefore, the rejections are withdraw. However, there are new prior art rejections on the claim[s] to address applicant’s newly added claim amendments. See the office action below.
Regarding claim[s] 4, 6 under the obviousness rejection, applicant’s claim amendments have been considered, therefore, the rejections are withdraw. However, there are new prior art rejections on the claim[s] to address applicant’s newly added claim amendments. See the office action below.
Specification
Applicant’s amendment to the specification regarding the title has been inspected and is in compliance with the appropriate title requirement, therefore, the objection is withdrawn. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim [s] 1, 2, 3, 5, 7, 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Liu [US PAT # 9516055] in view of Song et al. [US PGPUB # 2015/0262036]
As per claim 1. Liu does teach a selection apparatus [Liu, col. 2, lines 31 – 33, The computer system 100 may be employed to generate malware patterns for an antivirus, for example.] comprising:
a memory [Liu, col. 2, lines 29 – 44, The computer system 100 may have fewer or more components to meet the needs of a particular application. The computer system 100 may include one or more processors 101. The computer system 100 may have one or more buses 103 coupling its various components. The computer system 100 may include one or more user input devices 102 (e.g., keyboard, mouse), one or more data storage devices 106 (e.g., hard drive, optical disk, Universal Serial Bus memory), a display monitor 104 (e.g., liquid crystal display, flat panel monitor), a computer network interface 105 (e.g., network adapter, modem), and a main memory 108 (e.g., random access memory)]; and
a processor coupled to the memory and programmed to execute a process [Liu, col. 2, lines 51 – 52, The malware pattern generator 110 may comprise computer-processor 101.] comprising:
first acquiring a macro feature amount from a macro in a document file to which the macro is added [Liu, Figure # 2, col. 3, lines 11 – 22, In one embodiment, the sample data store 210 comprises a plurality of files obtained from user submissions, computer security vendors, honey pots, and other sources of potentially malicious data. As will be more apparent below, the computer system 100 may retrieve a file 212 from the sample data store 210, collect runtime information of an original code of the file 212 in memory, automatically extract a malware signature of the file 212 from the runtime information, and generate a pattern that incorporates the extracted malware signature.];
second acquiring a text feature amount from text in the document file [Liu, Figure # 2, col. 3, lines 34 – 39, The pre-filter 213 may generate a hash [i.e. applicant’s text feature amount] of the binary (also referred to as an "executable") of the file 212 and provide the hash to the computer system 220.];
performing clustering using the macro feature amount and the text feature amount [Liu, Figure # 2, and col. 5, lines 5 – 16, A clustering module 223 may optionally cluster identified malware signatures to determine if a malware signature [i.e. applicant’s macro feature amount] appears in a plurality of target files (see arrow 208). For example, the clustering module 223 may generate a context triggered piecewise hashing (CTPH) hash [i.e. applicant’s text feature amount] of a malware signature identified from the file 212 and compare the resulting CTPH hash to CTPH hashes of other malware signatures of the target files. This allows for determination as to whether and
selecting an analysis target document file corresponding to an analysis target based on a result of the clustering [Liu, Figure # 2, and col. 5, lines 5 – 16, A clustering module 223 may optionally cluster identified malware signatures to determine if a malware signature appears in a plurality of target files (see arrow 208). For example, the clustering module 223 may generate a context triggered piecewise hashing (CTPH) hash of a malware signature identified from the file 212 and compare the resulting CTPH hash to CTPH hashes of other malware signatures of the target files [i.e. applicant’s corresponding to an analysis target]. This allows for determination as to whether or not the malware signature extracted from the file 212 appears in more than one target file [i.e. applicant’s selecting an analysis target document file]. If so, the malware signature is most likely highly useful in identifying other malware. To generate a CTPH hash, the clustering module 208 may employ the SSDEEP CTPH hash generator, for example.];
and narrowing down the analysis target to only a representative point of a cluster [Liu, Figure # 2, and col. 5, lines 12 – 16, This allows for determination as to whether or not the malware signature extracted from the file 212 appears in more than one target file. If so, the malware signature is most likely highly useful in identifying other malware.].
Liu does not teach clearly performing said clustering based on high-speed feature extraction;
classifying similar samples into a single cluster.
However, Song does teach performing said clustering based on high-speed feature extraction [paragraph: 0005, lines 1 – 3, As another example, International Patent Application No. 2013/056315 to Vidal et al. describes a method for classifying objects from training images by extracting features, clustering the features into groups of features (visual words). Where at paragraph: 0012, lines 5 – 8, The recognition module processes one or more digital representations (e.g., images, audio, video, etc.) of objects according to an implementation of a feature extraction algorithm (e.g., SIFT, DAISY, FAST, etc.)];
classifying similar samples into a single cluster [paragraph: 0005, lines 1 – 3, As another example, International Patent Application No. 2013/056315 to Vidal et al. describes a method for classifying objects from training images by extracting features, clustering the features into groups of features (visual words)].
It would have been obvious to one of ordinary skilled in the art before the effective filing of the claimed invention to combine the teachings of Liu and Song in order for the anti-virus program that monitors and extracts suspected malware signature code from a data file for comparison to detect malware of Liu to include the use of a global signature database of Song. This would allow for a recognition of malware 
As per claim 2. Liu does teach the selection apparatus according to claim 1, wherein the first acquiring acquires the macro feature amount by analyzing an execution trace, the execution trace being profile information on the macro and acquired by executing the macro [Liu, Figure # 2, and col. 4, lines 55 – 67, Referring back to FIG. 2, the pre-filtered file 212 is received in the sandbox environment 214 (see arrow 203). There, the instrumentation module 215 inserts instrumentation code 217 into the original code 216 of the file 212 in memory to generate an instrumented code 221 (see arrow 204). The instrumented code 221 is executed, with the instrumentation code 217 collecting runtime information [i.e. applicant’s execution trace being profile information on the macro and acquired by executing the macro] therefrom. The collected runtime information is received by the sandbox environment 214 (see arrow 205). The collected runtime information may include instructions noted by the instrumentation code 217, contents of modified memory locations, number of times particular instructions are executed, etc. (see output 218). 
Then at col. 5, lines 1 – 4 of Liu, The collected runtime information may be received by the pattern creator 219 (see arrow 206), which generates a malware pattern 221 (see arrow 207) that includes a malware signature identified from the collected runtime information [i.e. applicant’s analyzing an execution trace].].
As per claim 3. Liu does teach the selection apparatus according to claim 1, wherein the first acquiring uses an emulator to execute the macro [Liu, Figure # 2, 
Then at col. 4, lines 1 – 5 of Liu, The sandbox environment 214 provides a safe computing environment where a target file, which in this example is the file 212, may be safely executed without compromising the computer system 100. The sandbox environment 114 may be implemented using the CUCKOO SANDBOX malware analysis system, for example.].
As per claim 5. Liu does teach the selection apparatus according to claim 1, wherein the performing performs multimodal clustering based on the macro feature amount and the text feature amount [Liu, col. 5, lines 7 – 14, For example, the clustering module 223 may generate a context triggered piecewise hashing (CTPH) hash of a malware signature identified from the file 212 [i.e. applicant’s macro feature amount = Liu’s signature; applicant’s text feature amount = Liu’s CTPH hash ] and compare the resulting CTPH hash to CTPH hashes of other malware signatures of other target files. 
Further at col. 6, lines 48 – 51 of Liu, When the CTPH hash comparison indicates that there are other files with the same or similar malware signature as the target file, a corresponding malware pattern that incorporates the malware signature is generated (step 410).[i.e. applicant’s performing…multimodal clustering]].
As per selection method claim # 7, which includes the same or similar claim limitations as selection apparatus claim # 1, and is similarly rejected. 

As per non- transitory computer readable recording medium claim 9, which includes the same or similar claim limitations as apparatus claim # 1, and is similarly rejected.  
***The examiner further notes that applicant’s claimed “non – transitory computer readable recording medium,” “selection program,” and “process” are taught by the prior art of Liu at Figure #4. 

Claim[s] 4, 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Liu [US PAT # 9516055] in view of Song et al. [US PGPUB # 2015/0262036], further in view of Gates et al. [US PAT # 9256748]
As per claim 4. Liu and Song do teach what is taught in the rejection of claim 1 above. 
Liu and Song do not teach clearly the selection apparatus according to claim 1, wherein the second acquiring acquires the text feature amount based on a natural language process on a word included in the document file.
However, Gates does teach the selection apparatus according to claim 1, wherein the second acquiring acquires the text feature amount based on a natural language process on a word included in the document file [Figure # 4, and col. 20, lines 29 – 42, A document may be deemed to include a false statement if a first meaning corresponding with a statement made within the document (represented as a first semantic model) conflicts with a second meaning of a reference statement (represented as a second semantic model). In one embodiment, the document may be parsed for keywords or phrases corresponding with sensitive information, confidential information, or personal information. Once the keywords or phrases have been parsed, then natural language processing techniques (e.g., natural language understanding techniques or machine reading comprehension techniques) may be applied to identify a sentence (or clause) including a keyword and to identify one or more possible semantics corresponding with the sentence. After the natural language processing techniques have been applied to the document of interest, then one or more reference documents may be analyzed in order to detect semantic discrepancies between the document and the one or more reference documents.].
It would have been obvious to one of ordinary skilled in the art before the effective filing of the claimed invention to combine the teachings of Liu as modified and Gates in order for the anti-virus program that monitors and extracts suspected malware signature code from a data file for comparison to detect malware of Liu as modified to include alerting an operator or admin personnel if a signature comparison yields a match of Gates. This would allow for the anti-virus program to receive a decision from the operator or admin to authorize mitigation of such detected malware. See col. 5, lines 19 – 28 of Gates.  
22.	As per claim 6. Liu as modified does teach the selection apparatus according to claim 2, wherein the first acquiring acquires, as the execution trace, an Application Programming Interface (API) call and an object method call [Liu, col. 4, lines 21 – 33, When a target file is executed in the virtual machine 230, the binary code of the target file, which is also referred to herein as "original code", is loaded in memory for execution as a process. The instrumentation module 215 inserts instrumentation code into the original code in memory to generate an instrumented code. The instrumentation code allows for monitoring of the process of the target file at runtime [i.e. applicant’s and an object method call]. More specifically, the instrumentation code may collect runtime information of the original code, such as the type of instructions (generic, stack operation, memory read, memory write, memory read/write) executed, instruction addresses, instruction execution counts, modified memory contents, API (application programming interface) call records [applicant’s an application programming interface (API) call], etc.], and
the second acquiring extracts features of a type of a word included in the document file and a word sequence included in the document file [Gates, Figure # 4, and col. 20, lines 29 – 42, A document may be deemed to include a false statement if a first meaning corresponding with a statement made within the document (represented as a first semantic model) conflicts with a second meaning of a reference statement (represented as a second semantic model). In one embodiment, the document may be parsed for keywords or phrases corresponding with sensitive information, confidential information, or personal information. Once the keywords or phrases have been parsed, then natural language processing techniques (e.g., natural language understanding techniques or machine reading comprehension techniques) may be applied to identify a sentence (or clause) including a keyword and to identify one or more possible semantics corresponding with the sentence. After the natural language processing techniques have been applied to the document of interest, then one or more reference documents may be analyzed in order to detect semantic discrepancies between the document and the one or more reference documents].
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT B SHAIFER HARRIMAN whose telephone number is (571)272-7910.  The examiner can normally be reached on M - F: 8am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434