DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Claims 1-2, 9-12, 16 and 22 have been amended. Claims 1-22 are currently pending.

Response to Arguments
Applicant’s arguments with respect to claim 1 have been considered but are moot in view of new grounds of rejections. Applicant’s other arguments are based on Applicant's arguments against claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3 and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz et al.,US-20180129807-A1 (hereinafter “Azarafrooz ‘807”) in view of Garyali et al., US- 20070240136-A1 (hereinafter “Garyali ‘136”). 
Per claim 1 (independent):
Azarafrooz ‘807 discloses: A security enhancement method performed using an electronic device, the security enhancement method comprising: (FIG. 1, [0041], “Another method of shellcode obfuscation is to encrypt the shellcode. Encrypted shellcode requires a decoding routing appended to the shellcode to provide instructions on how to decrypt the shellcode at run time … to avoid detection by standard malware detectors, the decoders associated with encrypted shellcodes can have mutated internal bodies” [Emphasis added.]; FIG. 2A, [0045], “The binary disassembler 106 can be configured to assign mnemonics 206 to elements 208 defined by the binary form 202 of the computer file” [Emphasis added.]; [0050], “Training the code analyzer 108 can refer to generating one or more machine-learning models from sample data. For example, a plurality of computer files can be introduced to the code analyzer 108. The computer files can be a mixture of benign computer files containing no malware and computer files containing malware, including shellcode … The machine-learning models of the code analyzer 108 can recognize the probabilistic distribution patterns of code in normal benign computer files as well as the probabilistic distribution patterns of code in shellcode” [Emphasis added.] where encrypted shellcodes are detected by the shellcode detector 114 of FIG. 1. In particular, the analysis is based on the code analyzer 108 (encryption code identification) which is trained by the mnemonics 206 obtained from the computer file (executable code) with the binary disassembler 106.); determining, by using the encryption code identification model, whether the loading of the executable code into the memory is allowed; and when the loading of the executable code is not allowed, blocking the loading of the executable code into the memory Training the code analyzer 108 can refer to generating one or more machine-learning models from sample data. For example, a plurality of computer files can be introduced to the code analyzer 108. The computer files can be a mixture of benign computer files containing no malware and computer files containing malware, including shellcode … The machine-learning models of the code analyzer 108 can recognize the probabilistic distribution patterns of code in normal benign computer files as well as the probabilistic distribution patterns of code in shellcode” [Emphasis added.]; [0092], “In response to a determination, by the shellcode detector 114, that the computer file contains shellcode, the computer system 102 can be configured to prohibit execution or further execution of the computer file. In some variations, the computer system 102 can be configured to transmit the computer file to a sandbox environment for additional analysis” [Emphasis added.] where the shellcode detector 114 determines whether the computer file is to be executed or not based on the analysis result of the code analyzer 108 (encryption code identification model).).
Azarafrooz ‘807 does not disclose but Garyali ‘136 discloses: holding loading of executable code into a memory; when the loading of the executable code is allowed, loading the executable code into the memory (FIG. 5, [0088], “generate code in the form of .NET assemblies (.dll files), and download the assemblies into the execution environment 200 of the controller 104a” [Emphasis added.]; [0090], “A request to download the generated program code is received at step 504.”; [0092], “The ofiline verification tool analyzes the generated program code at step 508.”; [0093], “The ofiline verification tool determines if any anomalies are found in the generated program code at step 510”; [0094], “If no anomalies are found in the generated program code, the generated program code is downloaded to a controller at step 516 … include the process builder downloading the verified function block algorithm into the memory 107 of the controller 104a.” [Emphasis added.] where a download request for a generated program code (executable code) such as .dll files is performed. Then, if no anomalies are 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 with a download of a generated program code into a memory via an anomaly detection as taught by Garyali ‘136 because it would give a user an opportunity to correct a program code by re-verifying the program code if anomalies are found [0093].

Per claim 2 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: The security enhancement method of claim 1, further comprising: extracting feature data from the executable code; and inputting the feature data into the encryption code identification model (FIG. 2A, [0049], “The machine-learning models selected for use by the code analyzer 108 can be configured to devise complex models and algorithms that lend themselves to determining the typical distribution of mnemonics 206 within benign computer files as well as the typical distribution of mnemonics 206 within malware embedded in computer files as shellcode” [Emphasis added.] where the mnemonics 206 (feature data) are fed into the machine-learning models of the code analyzer 108 (encryption code identification model) for determining the typical distribution of the mnemonics obtained from the computer files (executable code).).

Per claim 3 (dependent on claim 2):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
The security enhancement method of claim 2, wherein the feature data comprises a call sequence of a mathematical function or a logical function that is repeatedly called during execution of the executable code ([0013], “the machine-learning model can be assumptionless as to a form of and as to a frequency distribution of one or more mnemonics within the sequence of instructions, based on observed distributions of the one or more mnemonics in a first section of the sequence of instructions … a prediction of the frequency distribution of the one or more mnemonics in a second section of the sequence of instructions.” [Emphasis added.] where the machine-learning model would be trained based on the frequency of mnemonics (e.g. commands in the assembly language) in the sequence of instructions.).

Per claim 16 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 17 (dependent on claim 16):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: The electronic device of claim 16, wherein the plurality of instructions further comprise: an instruction to execute the executable code in a security environment; wherein the security environment is a sandbox environment, and the result of execution of the executable code does not affect system resources outside of the sandbox environment ([0055], “the computer system 102 can be configured to generate mnemonic-specific models for each type of mnemonic. Using mnemonic-specific models allows for the testing of the instruction sequence of suspected shellcode in isolation, independent from the rest of the benign functions contained in the computer file” [Emphasis added.]); an instruction to input a value into the encryption code identification model based on a result of the execution of the executable code ([0041], “Another method of shellcode obfuscation is to encrypt the shellcode. Encrypted shellcode requires a decoding routing appended to the shellcode to provide instructions on how to decrypt the shellcode at run time … to avoid detection by standard malware detectors, the decoders associated with encrypted shellcodes can have mutated internal bodies” [Emphasis added.]; [0047], “The code analyzer 108 can include a mnemonic detector 110. The mnemonic detector 110 can be configured to read the code 204 of the computer file and determine individual mnemonics, or tags, within the code 204 of the computer file. As used herein mnemonics may be referred to as tags” [Emphasis added.] where the code of the encrypted shellcode is read into the code analyzer 108 (encryption code identification) in the form of mnemonics.).

Claim(s) 4  is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136  as applied to claim 2 above, and further in view of Liu et al., US-20120180126-A1 (hereinafter “Liu ‘126”) and N. Patel, A. Sasan and H. Homayoun, "Analyzing hardware based malware detectors," 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC), Austin, TX, 2017, pp. 1-6 (hereinafter “Patel ‘2017”).
Per claim 4 (dependent on claim 2):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but Liu ‘126 discloses: The security enhancement method of claim 2, wherein the feature data comprises power consumption data related to power consumption of a central processing unit (CPU) during execution of the executable code, and wherein the power consumption data includes power consumption of the CPU is equal to or greater than a threshold ([0027], “based on a power model, may calculate how much power could have been consumed due to services 150 and compares calculated power usage against measured power consumption. The comparison result may indicate whether abnormal power draining has occurred. If the difference exceeds a threshold, some embodiments of the present invention may raise an alarm indicating the existence of potential malware” [Emphasis added.]; FIG. 2, [0029], “The power model … a User-Centric Power Model, Data Collector and/or a Malware Detector 240” [Emphasis added.]; [0038], “a user-centric model may need to model the power consumption of common types of user operations on mobile devices in different environments. (1) Calling … (2) Messaging … (3) Emailing … (4) Document processing …”; [0040], “[Symbol font/0x44]P represents the power consumption”; [0043], “Neural Network: … Neural networks may be used for non-linear statistical data modeling” [Emphasis added.] where power consumption data (feature data) measured based on the functions of an app on a mobile device is given as input data for training the user-centric power model 220 (upon the neural network) that depends on the collected power consumption [Symbol font/0x44]P. Moreover, if the power consumption exceeds a threshold, the app may be a potential malware.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 with the power model for the detection of a malware via a threshold as taught by Liu ‘126 because it would alleviate the security concerns that exploit the vulnerabilities of mobile devices specially associated with overcharging, battery exhaustion etc. [0005].
Azarafrooz ‘807 in view of Garyali ‘136 and Liu ‘126 does not disclose but Patel ‘2017 discloses: the power consumption data includes a number of CPU operation cycles ([Abstract], “Hardware based detectors rely on Machine Learning (ML) classiﬁers to detect malware-like execution pattern based on Hardware Performance Counters (HPC) information at run-time.” [Emphasis added.]; FIG. 2, FIG. 3, 3. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 and Liu ‘126 with the cpu-cycles for one of inputs to a ML classifier as taught by Patel ‘2017 because it would improve the detection accuracy since the cpu operation cycles accurately estimate a complexity of operations.

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136   as applied to claim 1 above, and further in view of Mann, US-19514309-B1 (hereinafter “Mann ‘309”).
Per claim 5 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: The security enhancement method of claim 1, wherein, when output data of the encryption code identification model indicates that ([0050], “Training the code analyzer 108 can refer to generating one or more machine-learning models from sample data. For example, a plurality of computer files can be introduced to the code analyzer 108. The computer files can be a mixture of benign computer files containing no malware and computer files containing malware, including shellcode … The machine-learning models of the code analyzer 108 can recognize the probabilistic distribution patterns of code in normal benign computer files as well as the probabilistic distribution patterns of code in shellcode” [Emphasis added.]; [0092], “In response to a determination, by the shellcode detector 114, that the computer file contains shellcode, the computer system 102 can be configured to prohibit execution or further execution of the computer file. In some variations, the computer system 102 can be configured to transmit the computer file to a sandbox environment for additional analysis” [Emphasis added.] where the shellcode detector 114 determines whether the computer file is to be executed or not based on the analysis result of the code analyzer 108 (encryption code identification model).).
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but Mann ‘309 discloses: indicates that encryption code is detected or not in the executable code (FIG. 3, [Col. 5], ll. 1-5, “for protecting files from malicious encryption attempts. The steps shown in FIG. 3 may be performed by any suitable computer-executable code and/or computing system” [Emphasis added.]; [Col. 6], ll. 14-22, “At step 306, one or more of the systems described herein may determine, based on the characteristic of the attempt to alter the file, that the attempt to alter the file represents a malicious attempt by a third party to encrypt the file” [Emphasis added.]; [Col. 8], ll. 9-35, “at step 308 one or more of the systems described herein may perform a security action in response to determining that the attempt to alter the file represents a malicious attempt by the third party to encrypt the file … security module 110 may perform the security action by blocking the malicious attempt by the third party to encrypt the file” [Emphasis added.] where based on the determination that the attempt to alter a file is to encrypt the file by a third party in a malicious way, the security module 110 may block the attempt by the third party to encrypt the file.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 with the performance of the security action based on the detection of a malicious attempt to encrypt a file as .

Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136  as applied to claim 1 above, and further in view of Meckl, US-10447671-B1 (hereinafter “Meckl ‘671”) and LEE et al., US-20130219498-A1 (hereinafter “LEE ‘498”).
Per claim 6 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: The security enhancement method of claim 1, wherein, when output data of the encryption code identification model indicates that [0050], “Training the code analyzer 108 can refer to generating one or more machine-learning models from sample data. For example, a plurality of computer files can be introduced to the code analyzer 108. The computer files can be a mixture of benign computer files containing no malware and computer files containing malware, including shellcode … The machine-learning models of the code analyzer 108 can recognize the probabilistic distribution patterns of code in normal benign computer files as well as the probabilistic distribution patterns of code in shellcode” [Emphasis added.]; [0092], “In response to a determination, by the shellcode detector 114, that the computer file contains shellcode, the computer system 102 can be configured to prohibit execution or further execution of the computer file. In some variations, the computer system 102 can be configured to transmit the computer file to a sandbox environment for additional analysis” [Emphasis added.] where the shellcode detector 114 determines whether the computer file is to be executed or not based on the analysis result of the code analyzer 108 (encryption code identification model).).
encryption code is detected in the executable code (FIG. 5, [Col. 10], ll. 14-[Col. 11], ll.12, “the systems described herein may detect an unknown, potentially suspicious application … At step 504, the systems described herein may monitor the execution of the unknown 25 application to determine if the unknown application loads cryptographic libraries into memory … If the unknown application does load one or more known cryptographic libraries, at step 506, the systems described herein may hook API calls made to the cryptographic library by the unknown application … In some examples, a user may discover encrypted files and then alert the systems described herein that the unknown application is ransomware” [Emphasis added.] where the systems determine that the unknown application loads known cryptographic libraries (encryption code) into memory.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 with the hooking of API calls to the cryptographic libraries called by an application for determining whether the application is ransomware as taught by Meckl ‘671 because it would enable the user to recover the unencrypted data from the encrypted data produced by the untrusted application using the key captured by the decryption-facilitation code [Col. 1].
Azarafrooz ‘807 in view of Garyali ‘136 and Meckl ‘671 does not disclose but LEE ‘498 discloses: when an installation record of an application including the executable code is not found, the loading of the executable code is not allowed (FIG. 5, “The basic information of the mobile terminal collected at step S205 includes at least one piece of information about the system of the mobile terminal 100, a list of applications installed, a list of applications being run, the numbers of SMS transmissions and calls, records of downloads of applications,” [Emphasis added.]; [0101], “If an application installed or being run in the mobile terminal 100 is not an application installed by the user at steps S230 and S240, it is suspected that an abnormality has occurred in the corresponding application at step S290” [Emphasis a response from the server 200 at step S340, and, if it is determined based on the response received at step S340 that the application having an abnormality is malicious at step S350, removes the malicious application at step S360, and terminates the corresponding process” [Emphasis added.] where if the application which is to be detected for an abnormality is not an application installed by the user at S230 and S240, the application would be sent to the server for an analyzation and removed (and terminated) based on the response from the server.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 and Meckl ‘671 with the installation history for the detection of abnormality as taught by LEE ‘498 because it would detect the abnormality of user applications more efficiently by considering the user’s installation history.

Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136 as applied to claim 1 above, and further in view of Pedersen et al., US-20080091677 -A1 (hereinafter “Pedersen ‘677”).
Per claim 8 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
	Azarafrooz ‘807 discloses: r([0041], “Another method of shellcode obfuscation is to encrypt the shellcode. Encrypted shellcode requires a decoding routing appended to the shellcode to provide instructions on how to decrypt the shellcode at run time … to avoid detection The code analyzer 108 can include a mnemonic detector 110. The mnemonic detector 110 can be configured to read the code 204 of the computer file and determine individual mnemonics, or tags, within the code 204 of the computer file. As used herein mnemonics may be referred to as tags” [Emphasis added.]; [0092], “In response to a determination, by the shellcode detector 114, that the computer file contains shellcode, the computer system 102 can be configured to prohibit execution or further execution of the computer file. In some variations, the computer system 102 can be configured to transmit the computer file to a sandbox environment for additional analysis” [Emphasis added.] where the shellcode detector 114 determines whether the computer file is to be executed or not based on the analysis result of the code analyzer 108 (encryption code identification model). In particular, the code analyzer 108 is trained by reading the mnemonics of the code (information of encryption algorithm) from the computer file (executable code).)
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but Pedersen ‘677 discloses: receiving vulnerability information of an encryption algorithm from an external device and storing the vulnerability information in a vulnerability list, wherein, when output data of  ([0040], “The export compliance system 20 … examined content 25, which may be any sort of content … The comparison content 30 may be accessed directly, or may be processed in or stored in the form of comparison data 35. Such comparison data 35 may include a database or other collection of information that describes, or is generated from or derived from the content … The comparison data 35 also may include … version control and/or content management information, build information … code structure information, mathematical operations used, license information, and so on ” [Emphasis added.]; [0045], “the examination subsystem may identify a number of content files that match with content files that include or use encryption algorithms. The identification presents this comparison files 30 … used for comparison with the examined files 25, to see whether there are any portions of the examined files that are similar to any portions of the comparison files … publicly available files, files within a company's own possession, or files provided by a third party for comparison” [Emphasis added.]; [0053], “a region of interest in an examined file …to provide a user of the export compliance system with an indication about which portion of an examined file is similar to a comparison file. Such an indication may include specification of the location and size of the matching portions of the examined and comparison file … The indication may also include any other useful information about the comparison file … security problems and/or vulnerabilities, later available versions, available modifications.” [Emphasis added.] where the export client system compares the examined files 25 (executable code) with the comparison files 30 (vulnerability list) obtained from the comparison data 35 (database) which may be publicly available files or files provided by a third party (external device). Furthermore, the comparison files include information about code structure information, mathematical operations used, security problems and vulnerabilities etc., including encryption algorithms. Finally, the method identifies whether the examined file uses the determined algorithm that is subject to export control.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 with the content identification for the export controls via the comparison data that includes encryption algorithms and vulnerabilities as taught by Pedersen ‘677 because it would efficiently apply the export controls to the software product that specially includes encryption technology [0002-0004].

Claim(s) 9  is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136 as applied to claim 1 above, and further in view of Woodworth, JR, US-20190044958-A1 (hereinafter “Woodworth ‘958”).
Per claim 9 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but Woodworth ‘958 discloses: The security enhancement method of claim 1, further comprising determining whether to perform the holding based on at least one of whether the executable code is included in a white list, a frequency of execution of the executable code, or a period of time that has elapsed since an installation or an update of an application that includes the executable code ([0009], “A system for protecting a computer from malicious software is described. The system uses one or more whitelist of trusted programs in a super-shield to determine if a program is safe to run. As new software is introduced, downloaded and run (attempted) by users, execution is prevented until it is verified that the new software is absent of malware, as the new software is not listed in the whitelist of trusted programs” [Emphasis added.]; [0011], “If the executable is not found in the respective whitelist, the executable, metadata of the executable, or all or a portion of the executable is forwarded to a server (remote system), analyzed using heuristics, and a determination is made as to whether the executable contains malicious software or not (e.g., is malicious)” [Emphasis added.] where an executable would be analyzed only if the executable is not included in the whitelist.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Azarafrooz ‘807 in view of Garyali ‘136 with the analyzation of executables based on the whitelist as taught by Woodworth ‘958 because it would .

Claim(s) 10 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136  as applied to claim 1 and 16 above, and further in view of LEE ‘498.
Per claim 10 (dependent on claim 1):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but LEE ‘498 discloses: The security enhancement method of claim 1, further comprising determining whether to perform the holding based on whether there is an installation history of an application including the executable code (FIG. 5, “The basic information of the mobile terminal collected at step S205 includes at least one piece of information about the system of the mobile terminal 100, a list of applications installed, a list of applications being run, the numbers of SMS transmissions and calls, records of downloads of applications,” [Emphasis added.]; [0101], “If an application installed or being run in the mobile terminal 100 is not an application installed by the user at steps S230 and S240, it is suspected that an abnormality has occurred in the corresponding application at step S290” [Emphasis added.]; [0111], “Accordingly, the mobile terminal 100 receives a response from the server 200 at step S340, and, if it is determined based on the response received at step S340 that the application having an abnormality is malicious at step S350, removes the malicious application at step S360, and terminates the corresponding process” [Emphasis added.] where if the application which is to be detected for an abnormality is not an application installed by the user at S230 and S240, the application would be sent to the server for an analyzation and removed (and terminated) based on the response from the server.).

Per claim 20 (dependent on claim 16):
Azarafrooz ‘807 in view of Garyali ‘136 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: wherein the plurality of instructions further comprise an installation function, and wherein the installation function comprises: an instruction to execute the executable code of in a security environment ([0055], “the computer system 102 can be configured to generate mnemonic-specific models for each type of mnemonic. Using mnemonic-specific models allows for the testing of the instruction sequence of suspected shellcode in isolation, independent from the rest of the benign functions contained in the computer file” [Emphasis added.]); an instruction to extract feature data of the executable code based on a result of the execution, an instruction to input the feature data into the encryption code identification model ([0041], “Another method of shellcode obfuscation is to encrypt the shellcode. Encrypted shellcode requires a decoding routing appended to the shellcode to provide instructions on how to decrypt the shellcode at run time … to avoid detection by standard malware detectors, the decoders associated with encrypted shellcodes can have mutated internal bodies” [Emphasis added.]; FIG. 2A, [0049], “The machine-learning models selected for use by the code analyzer 108 can be configured to devise complex models and algorithms that lend themselves to determining the typical distribution of mnemonics 206 within benign computer files as well as the typical distribution of mnemonics 206 within malware embedded in computer files as shellcode” [Emphasis added.] where the mnemonics 206 (feature data) are fed into the machine-learning models of the code analyzer 108 (encryption code identification model) for determining the typical distribution of the mnemonics obtained from the computer files (executable code).); an instruction to determine whether the executable code has passed a security test based on output data of the encryption code identification model ([0092], “In response to a determination, by the shellcode detector 114, that the computer file contains shellcode, the computer system 102 can be configured to prohibit execution or further execution of the computer file. In some variations, the computer system 102 can be configured to transmit the computer file to a sandbox environment for additional analysis” [Emphasis added.] where the shellcode detector 114 determines (security test) whether the computer file (executable code) is to be executed or not based on the analysis result of the code analyzer 108 (encryption code identification model).).
Azarafrooz ‘807 in view of Garyali ‘136 does not disclose but LEE ‘498 discloses: an instruction to uninstall the application when the security test is not passed ([0111], “Accordingly, the mobile terminal 100 receives a response from the server 200 at step S340, and, if it is determined based on the response received at step S340 that the application having an abnormality is malicious at step S350, removes the malicious application at step S360, and terminates the corresponding process” [Emphasis added.]).

Claim(s) 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Azarafrooz ‘807 in view of Garyali ‘136 and LEE ‘498  as applied to claim 20 above, and further in view of Liu ‘126 and Patel ‘2017.
Per claim 21 (dependent on claim 20):
Azarafrooz ‘807 in view of Garyali ‘136 and LEE ‘498 discloses the elements detailed in the rejection of claim 20 above, incorporated herein by reference.
Azarafrooz ‘807 discloses: The electronic device of claim 20, wherein the installation function further comprises: the encryption code identification model (FIG. 1, [0041], “Another method of shellcode obfuscation is to encrypt the shellcode. Encrypted shellcode requires a decoding routing appended to the shellcode to provide instructions on how to decrypt the shellcode at run time … to avoid detection by standard malware detectors, the decoders associated with encrypted shellcodes can have mutated internal bodies” [Emphasis added.]; FIG. 2A, [0045], “The binary disassembler 106 can be configured to assign mnemonics 206 to elements 208 defined by the binary form 202 of the computer Training the code analyzer 108 can refer to generating one or more machine-learning models from sample data. For example, a plurality of computer files can be introduced to the code analyzer 108. The computer files can be a mixture of benign computer files containing no malware and computer files containing malware, including shellcode … The machine-learning models of the code analyzer 108 can recognize the probabilistic distribution patterns of code in normal benign computer files as well as the probabilistic distribution patterns of code in shellcode” [Emphasis added.] where encrypted shellcodes are detected by the shellcode detector 114 of FIG. 1. In particular, the analysis is based on the code analyzer 108 (encryption code identification) which is trained by the mnemonics 206 obtained from the computer file (executable code) with the binary disassembler 106.).
Azarafrooz ‘807 in view of Garyali ‘136 and LEE ‘498 does not disclose but Patel ‘2017 discloses: an instruction to count a number of operation cycles of the processor during the execution the executable code ([Abstract], “Hardware based detectors rely on Machine Learning (ML) classiﬁers to detect malware-like execution pattern based on Hardware Performance Counters (HPC) information at run-time.” [Emphasis added.]; FIG. 2, FIG. 3, 3. DATA COLLECTION AND DATA SET, “We are using 52 benign applications and 57 malware applications for performance counters data collection … All collected events are transformed into vectors with events as columns as shown in Figure 3” where the cpu-cycles measured from applications are given in FIG. 3 as a column in the input vectors for the malware ML classifier.).
Azarafrooz ‘807 in view of Garyali ‘136 and LEE ‘498 and Patel ‘2017 does not disclose but Liu ‘126 discloses: an instruction to input  ([0027], “based on a power model, may calculate how much power could have been consumed due to services 150 and compares calculated power usage against measured power consumption. The comparison result may indicate whether abnormal power draining has occurred. If the difference exceeds a threshold, some embodiments of the present invention may indicating the existence of potential malware” [Emphasis added.]; FIG. 2, [0029], “The power model … a User-Centric Power Model, Data Collector and/or a Malware Detector 240” [Emphasis added.]; [0038], “a user-centric model may need to model the power consumption of common types of user operations on mobile devices in different environments. (1) Calling … (2) Messaging … (3) Emailing … (4) Document processing …”; [0040], “[Symbol font/0x44]P represents the power consumption”; [0043], “Neural Network: … Neural networks may be used for non-linear statistical data modeling” [Emphasis added.] where power consumption data (feature data) measured based on the functions of an app on a mobile device is given as input data for training the user-centric power model 220 (upon the neural network) that depends on the collected power consumption [Symbol font/0x44]P. Moreover, if the power consumption exceeds a threshold, the app may be a potential malware.).

Allowable Subject Matter
Claim(s) 7, 18-19 and 22 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims contain the following underlined features which, when combined with other features of the claim, prior art of record failed to anticipate or render obvious at the time of instant invention was filed:
Per claim 7 (dependent on claim 1):
The security enhancement method of claim 1, further comprising: when installing an application including the executable code, obtaining available encryption algorithms from permission information included in an installation package of the application; and matching and storing identification information of the application and the available encryption algorithms in an access list, wherein, when output data of the encryption code identification model identifies an encryption algorithm that is not in the access list, the loading of the executable code is not allowed.

Per claim 18 (dependent on claim 16):
The electronic device of claim 16, wherein the storage further is further configured to store an access list including available encryption algorithms obtained from permission information included in an installation package of the application, and wherein the plurality of instructions further comprise an instruction to determine whether output data of the encryption code identification model identifies an encryption algorithm that is not in the access list.

Per claim 19 (dependent on claim 16):
The electronic device of claim 16, further comprising: a network interface configured to receive a vulnerability list including information about a vulnerability of an encryption algorithm that is received from an external device via the network interface, wherein the plurality of instructions further comprise an instruction to determine whether output data of the encryption code identification model identifies a vulnerability in the vulnerability list.

Per claim 22 (dependent on claim 16):
The electronic device of claim 16, wherein the plurality of instructions further comprise a function to perform a security audit on the application without user input, wherein the function to perform the security audit comprises: an instruction to input the executable code into the encryption code identification model and determine whether the executable code has passed a security test based on output data of the encryption code identification model, an instruction to perform a predefined process when the security test is not passed, and an instruction to record a security pass in a log of the application when the security test is passed, and wherein the plurality of instructions further comprise an instruction to determine whether to perform the instruction to hook the loading of the executable code based on whether there is the security test passed within a time period.

Claim(s) 11-15 is/are allowed.
The claims contain the following underlined features which, when combined with other features of the claim, prior art of record failed to anticipate or render obvious at the time of instant invention was filed:
Per claim 11 (independent):
A security enhancement method performed using an electronic device, the security enhancement method comprising: 
when installing an application, obtaining available encryption algorithms from permission information included in an installation package of the application; 
matching and storing identification information of the application and the available encryption algorithms in an access list; 
inputting executable code of the application into an encryption code identification model; 
determining whether the executable code passes a security test based on output data of the encryption code identification model; and 
when the security test fails, performing a designated process on the application.,_ 
wherein the determining comprises, when the output data of the encryption code identification model identifies an encryption algorithm that is not in the access list, determining that the executable code fails the security test.

Per claim 12 (independent):
A security enhancement method performed using an electronic device, the security enhancement method comprising:
obtaining available encryption algorithms from perrmssion information included in an installation package of an application;
matching and storing identification information of the application and the available encryption algorithms in an access list;
performing, on a first type of application, a security audit at a first frequency, without user manipulation for executing the first type of application; and
performing, on a second type of application, the security audit at a second frequency, without user manipulation for executing the second type of application,
wherein the security audit comprises:
inputting an executable code of the application to an encryption code identification model, and
determining whether the executable code has passed a security test, based on whether output data of the encryption code identification model identifies an encryption algorithm that is not in the access list.

Per claim 13 (independent):
A security enhancement method performed using an electronic device, the security enhancement method comprising: 
obtaining available encryption algorithms and accessible objects from permission information included in an installation package of an application; 
matching and storing identification information of the application, the available encryption algorithms, and the accessible objects in an access list; 
detecting an instruction to encrypt an object using an encryption algorithm of an encryption application programming interface (API), the encryption API being provided by an operating system installed on the electronic device; 
determining, based on the access list, whether the encryption algorithm and the object can access the encryption API based on access rights of an application; and 
when the encryption algorithm or the object cannot access the encryption API, blocking the instruction.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SANGSEOK PARK/Examiner, Art Unit 2494                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491