DETAILED ACTION
The following is final office action in response to applicant’s amendments filed on 01/19/2021 for response of office action mailed on 11/04/2020. Claim 1, 8, 15, and 23-28 are amended. No claim is added. Claims 10, 12, and 21 were previously cancelled. Therefore claims 1-9, 11, 13-20, and 22-28 are now pending.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s amendments to claim 1, 8, 15 and 23-28, filed on 01/19/2021, with respect to rejection under 35 U.S.C 103 have been fully considered. 
Regarding arguments on claim 1 on page 10-12, applicant amended the claim 1 with new limitation: hook an attack code detection program to a key data processing point of the target process when the key data processing point is detected during decrypting the external input data to enable the target process to invoke and start an attack code detection process on decrypted external input data, wherein the key data processing point is at least one of a memory allocation action or a memory access action, for the target process to perform script decrypting on the external input data, and wherein the key data processing point is when shellcode in the external input data is decrypted into a final state. The other independent claims 8 and 15 have a similar added limitation. Applicant’s amendment to claims, filed on 01/19/2021, necessitated the new ground(s) of rejection presented in this office action. Hence, Applicant’s arguments with respect to rejection of claims 1, 8 and 15 along with all the claims depending therefrom have been considered but are moot in view of the new ground(s) of rejection. Egele et al. “Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks” is being introduced to address the newly added limitations.
Applicant presents no further arguments.
For the above reasons, it is believed that the rejections should be sustained. Accordingly, THIS
ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is reminded of the extension of time policy as
set forth in 37 CFR 1.136(a).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claim 1-5, 8, 9, 11, 13, 15-18, 20 and 23-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Egele et al. (“Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks”, hereinafter Egele).
Regarding claim 1 and 15, Egele teaches an apparatus for detecting a buffer overflow attack (Egele: Page 1, Abstract: To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack; Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap; Page 17, para. 04: Our system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed), comprising: a memory configured to store instructions; and a processor coupled to the memory and configured to execute the instructions stored in the memory to: obtain external input data for a target process (Egele: Page 12, Para. 04: All measurements have been carried out on a machine with an Intel Core 2 Duo processor running at 2.66 GHz and 4 GB of main memory), obtain external input data for a target process; wherein the external input data comprises encrypted data (Egele: Page 4, Para. 05: our high-interaction client honeypot visited the URL http://www.thewebleaders.com. This page contained an iframe that loaded the script presented in Listing 1.1 (browser is target process, external input data is website URL); Page 4, Para. 06: The most noticeable property of the script is that it uses obfuscated variable and function names to make it difficult for a human analyst to understand the script’s purpose. Manual analysis reveals that the function defined in Line 1 serves as a decryption routine); hook an attack code detection program when the key data processing point is detected during decrypting the external input data to enable the target process to invoke and start an attack code detection process on decrypted external input data (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created; Page 15, Para. 01: Most malicious scripts are encrypted in some way; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text….decryption is automatically handled by the interpreter….. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 17, Para. 04-05: Our system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed. More precisely, our system traces all string objects that are created during run-time); wherein the key data processing point is at least one of a memory allocation action or a memory access action for the target process to perform script decrypting on the external input data (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created. (Note: memory allocation is needed when string variables are created); Page 6, Para. 02: we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter); and wherein the key data processing point is when shellcode in the external input data is decrypted into a final state (Egele: Page 15, Para. 01: Most malicious scripts are encrypted in some way. The attackers’ motivation to disguise malicious scripts is obviously the intention to encumber the analysis of such scripts. Encryption is a straightforward approach to do so; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 6, Para. 02: drive-by downloads that target memory corruption vulnerabilities have to prepare the environment before they can successfully launch their exploits. To this end, they use client-side script code to allocate (often large numbers of) strings that are filled with x86 (shell)code. The key idea of our detection approach targets precisely this behavior. More specifically, to detect drive-by downloads that exploit memory corruption vulnerabilities, we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode. Of course, all checks occur before a vulnerability can be abused to redirect control flow to the shellcode. When our system detects that a script creates a string that contains shellcode, the execution of the script is stopped); determine that the target process decrypts the external input data according to the invocation of the attack code detection process by the target process (Egele: Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior); and detect an attack code on the decrypted external input data during the attack code detection process, wherein the attack code is a code used for performing an overflow attack on a buffer (Egele:  Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 6, Para. 02: drive-by downloads that target memory corruption vulnerabilities have to prepare the environment before they can successfully launch their exploits. To this end, they use client-side script code to allocate (often large numbers of) strings that are filled with x86 (shell) code. The key idea of our detection approach targets precisely this behavior. More specifically, to detect drive-by downloads that exploit memory corruption vulnerabilities, we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode. Of course, all checks occur before a vulnerability can be abused to redirect control flow to the shellcode. When our system detects that a script creates a string that contains shellcode, the execution of the script is stopped; Page 2, Para. 02: These vulnerabilities include buffer overflows, memory corruption issues, and pointer overwrites). 
Regarding claim 2, 9 and 16, Egele teaches the apparatus of claim 1. In addition, Egele further teach wherein when determining that the target process decrypts the external input data according to the invocation of the attack code detection process by the target process, the processor is further configured to execute the instructions stored in the memory to: detect a memory allocation action (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created (note: memory allocation and access are we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter); and perform script decrypting on the external input data (Egele: Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior). 	 
Regarding claim 3, 11 and 17, Egele teaches the apparatus of claim 1. In addition, Egele further teach wherein when determining that the target process decrypts the external input data according to invocation of the attack code detection process by the target process, the processor is further To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created (note: memory allocation and access are needed when string variables are created); Page 6, Para. 02: we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter); and perform script decrypting on the external input data (Egele: Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior).  
Regarding claim 4, 5, 13 and 18, Egele teaches the method of claim 1. In addition, Egele further teaches wherein the processor is further configured to execute the instructions stored in the memory to: perform matching between the decrypted external input data and a rule for the attack code after decrypting; and determine that the attack code exists in the decrypted external input data when the decrypted external input data matches with the rule (Egele:  Page 7, Para. 02: we added code to all points in the interpreter where string variables are created. These points were found at three locations: one for the allocation of global string variables, one for local string variables, and one for strings that are properties (members) of objects. The code that we added simply keeps track of the start address of a new string variable and its length. Here, it is important to recall that strings in JavaScript are immutable. As a result, whenever a character in a string is modified, or when two strings are concatenated, the resulting string is created in a new memory area. Thus, string manipulation is automatically handled by the code introduced for creating a new string variable; Page 7, Para. 06: To recognize shellcode in a string (character buffer), libemu checks, starting from each character, whether there is a sequence of valid instructions of sufficient length. When such an instruction sequence is found, libemu reports shellcode. Since most bytes can be disassembled to valid x86 instructions, libemu also uses a number of heuristics to discriminate random instructions from actual shellcode. We currently use a value of 32 bytes as the threshold for the minimal length of a shellcode sequence). 
Regarding claim 8, Egele teaches anon-transitory computer readable medium storing computer executable instructions that when executed in a computer, performs: running an application program to generate a target process (Egele: Page 6, para. 03: The prototype implementation of our detection technique was implemented and integrated into the Mozilla Firefox browser and SpiderMonkey, its JavaScript engine. We chose Firefox as our prototype platform as this is an open source browser; Page 17, para. 04: Our system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed); obtaining external input data for a target process; wherein the external input data comprises encrypted data (Page 4, Para. 05: our high-interaction client honeypot visited the URL http://www.thewebleaders.com. This page contained an iframe that loaded the script presented in Listing 1.1 (browser is target process, external input data is website URL); Page 4, Para. 06: The most noticeable property of the script is that it uses obfuscated variable and function names to make it difficult for a human analyst to understand the script’s purpose. Manual analysis reveals that the function defined in Line 1 serves as a decryption routine); hooking an attack code detection program to a key data processing point of the target process when the key data processing point is detected during decrypting the external input data to enable the target process to invoke and start an attack code detection process on decrypted external input data (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created; Page 15, Para. 01: Most malicious scripts are encrypted in some way; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text….decryption is automatically handled by the interpreter….. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 17, Para. 04-05: Our system is integrated into the web browser where it monitors JavaScript code that is downloaded and executed. More precisely, our system traces all string objects that are created during run-time); wherein the key data processing point is at least one of a memory allocation action or a memory access action for the target process to perform script decrypting on the external input data (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created. (Note: memory allocation is needed when string variables are created); Page 6, Para. 02: we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter); and wherein the key data processing point is when shellcode in the external input data is decrypted into a final state (Egele: Page 15, Para. 01: Most malicious scripts are encrypted in some way. The attackers’ motivation to disguise malicious scripts is obviously the intention to encumber the analysis of such scripts. Encryption is a straightforward approach to do so; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 6, Para. 02: drive-by downloads that target memory corruption vulnerabilities have to prepare the environment before they can successfully launch their exploits. To this end, they use client-side script code to allocate (often large numbers of) strings that are filled with x86 (shell)code. The key idea of our detection approach targets precisely this behavior. More specifically, to detect drive-by downloads that exploit memory corruption vulnerabilities, we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode. Of course, all checks occur before a vulnerability can be abused to redirect control flow to the shellcode. When our system detects that a script creates a string that contains shellcode, the execution of the script is stopped); determining that the target process decrypts the external input data according to the invocation of the attack code detection process by the target process (Egele: Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior); and detecting an attack code on the decrypted external input data during the attack code detection process, wherein the attack code is a code used for performing an overflow attack on a buffer (Egele:  Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter, the second case requires that the environment presents the right information for the queried value. In our evaluation dataset, many decryption keys were partly derived from the current URL of the browser. Since the scripts were hosted at a local web server, the URLs were different, thus leading to wrong decryption keys. For wrong key values, the decryption routines produce only garbage and, as a result, no malicious behavior can be observed. Since, on the other hand, the values were correct when the network traces were recorded, we modified our prototype to report the URL that was visited during the recording of the trace as the current location. This allowed the scripts to decrypt the cipher text correctly, and we were able to analyze and detect their malicious behavior; Page 6, Para. 02: drive-by downloads that target memory corruption vulnerabilities have to prepare the environment before they can successfully launch their exploits. To this end, they use client-side script code to allocate (often large numbers of) strings that are filled with x86 (shell) code. The key idea of our detection approach targets precisely this behavior. More specifically, to detect drive-by downloads that exploit memory corruption vulnerabilities, we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode. Of course, all checks occur before a vulnerability can be abused to redirect control flow to the shellcode. When our system detects that a script creates a string that contains shellcode, the execution of the script is stopped; Page 2, Para. 02: These vulnerabilities include buffer overflows, memory corruption issues, and pointer overwrites). 
Regarding claim 20, Egele teaches the method of claim 15. In addition, Egele further teaches wherein the attack code is the shellcode (Egele: Abstract: These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim’s computer; Page 2, Para. 02: These vulnerabilities include buffer overflows, memory corruption issues, and pointer overwrites). 
Regarding claim 23, 25 and 27, Egele teaches the method of claim 1. In addition, Egele further teaches wherein the key data processing point is further at least one of creating a JSString object or accessing the JSString object when shellcode in the external input data is decrypted into the final state (Egele: Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created; Page 6, Para. 03: an attacker could make use of a different language than JavaScript to deliver an exploit (and some indeed use Visual Basic Script). However, it would be straightforward to include our technique also into other script engines; Page 6, Para. 02: we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter
Regarding claim 24, 26 and 28, Egele teaches the method of claim 1. In addition, Egele further teaches wherein the key data processing point is further at least one of creating a VbsString object or accessing the VbsString object when shellcode in the external input data is decrypted into the final state (Egele: Page 11, Para. 03: The second group of attacks (with four traces) that were missed by our system are due to exploits that use Visual Basic (VB) script code to prepare the environment and launch the exploit. As mentioned previously, our current prototype only instruments the JavaScript engine. However, similar techniques could easily be added to the VB script engine; Page 6, Para. 03: an attacker could make use of a different language than JavaScript to deliver an exploit (and some indeed use Visual Basic Script). However, it would be straightforward to include our technique also into other script engines; Page 7, Para. 02: To detect the shellcode that a malicious script might construct on the heap, we have to keep track of all string variables that the program allocates. To this end, we modified the SpiderMonkey JavaScript interpreter that is embedded in Firefox. More precisely, we added code to all points in the interpreter where string variables are created; Page 6, Para. 02: we monitor all strings that are allocated by the JavaScript interpreter. These strings are checked for the presence of shellcode; Page 15, Para. 02: An encrypted script contains a decryption routine and a cipher text. During execution, the cipher text is decrypted by the routine, and the result is executed via JavaScript’s eval function. Two possibilities exist where the decryption routine derives the correct key from. (1) the key might be part of the script itself (e.g., stored in a variable), or (2) the key is dependent on the environment of the script. While in the first case, decryption is automatically handled by the interpreter). 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner 
Claim 6, 7, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Egele in view of Griffin et al. (US7962961, hereinafter Griffin). 
Regarding claim 6, 7, 14 and 19, Egele teaches the system of claim 1.
Yet, Egele does not teach wherein the processor is further configured to execute the instructions stored in the memory to output a detection log according to a result of the attack code detection process.
However, in the same field of endeavor, Griffin teaches wherein the processor is further configured to execute the instructions stored in the memory to output a detection log according to a result of the attack code detection process (Griffin: Col. 7, line 45-48: The reporting module 326 can perform additional actions such as maintaining a log of analyses performed or exploits detected by the exploit detection module 322). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by Egele to include wherein the processor is further configured to execute the instructions stored in the memory to output a detection log according to a result of the attack code detection process as disclosed by Griffin. One of ordinary skill in the art would have been motivated to make this modification in order to detect buffer overflow by hooked calls as suggested by Griffin (Col. 7, line 8-15)
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Egele in view of Nanda et al. (US9230111, hereinafter, Nanda). 
Regarding claim 22, Egele teaches the apparatus of claim 1. 
Yet, Egele does not teach wherein the shellcode consists of a .pdf document or a MICROSOFT OFFICE document.
identification module 104 may be programmed to identify a document file, such as attachment 205 (e.g., a MICROSOFT WORD document) that contains an embedded macro, such as macro 207; Col. 1, line 26-28: document files may include macros that host a shellcode, which is a payload used in the exploitation of a software vulnerability). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by Egele to include wherein the shellcode consists of a .pdf document or a MICROSOFT OFFICE document as disclosed by Nanda. One of ordinary skill in the art would have been motivated to make this modification in order to document files from macro threats as suggested by Nanda (Nanda: Abstract).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Oh et al, KR101181843: hooking to the functions used to restore malicious code, obfuscated javascript code which contains malicious code
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
 can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./Examiner, Art Unit 2438                                                                                                                                                                                                       /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438