DETAILED ACTION
This office action is in response to the application filed on 01/16/2019. Claims 1-20 are pending and are examined.	
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application No. RU2018101763 filed in Russia on 01/17/2018. It is noted that the applicant has filed a certified copy of the application as required by 37 CFR 1.55.  

Notes on Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder claim 1, “communication module is further configured to” in claim 2, “the filtering module is configured to” in claims 3-4, 9, 11 and 13,  “the filtering module is further configured to” in claims 5-8, 10, 12 and  14,  “the system monitoring module is further configured to” in claim 15 and 17, “the system monitoring module is configured to” in claim 16 and “the server monitoring system module is further configured to” in claim 18.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claims 1-18 are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.
Claims 1 and 19 recite the term "the status parameters". There is insufficient antecedent basis for this limitation in the claims.

Claim 18 recites the term "the server monitoring system module".  There is insufficient antecedent basis for this limitation in the claim.

Claim 20 recites the term "the server processor".  There is insufficient antecedent basis for this limitation in the claim.

Dependent claims 2-18 and 20 are rejected based on their dependency from rejected claims 1 and 19, respectively.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):


The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 20 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends, claim 19.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Objections
Claims 1, 4, 6, 9, 11, 13, 15 and 19 are objected to because of the following informalities:
Claims 1 and 19 recite “the changes in the set of status parameters using a set of the analysis rules such that to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters”, which should be “the changes in the set of the status parameters using a set of the analysis rules such that to classify the at least one suspicious file as a malicious file based on the changes in the set of the status parameters”.
Appropriate correction is required.
Claims 4, 6, 9, 11, 13 and 15 are missing “and” before the last limitation recited in each of those claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 1-2 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz et al. (U.S Pub No. 2013/0227691 A1, referred to as Aziz) in view of Zakorzhevsky et al. (U.S Pat No. 2015/0356291 A1, referred to as Zakorzhevsky).
 
Regarding claims  1 and 19, Aziz teaches:
A server for determining malicious files in network traffic (Aziz: Fig. 1, Item 110 (server); ¶ 0031), the server comprising: 
a communication module configured to receive the network traffic from a data communication network (Aziz: Fig. 9, Item 920 (a communication module); ¶ 0112; Fig. 6, Step 604; ¶ 0092, “At step 604, the controller 110 may receive data stored on the one or more portable data storage devices 105 forwarded by the security appliance 130 over the communication network 120.”),
(Aziz: Fig. 4, Items 410, 430 (filtering module); ¶ 0061- ¶ 0062; ¶ 0075- ¶ 0076), and to execute: 
retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file (Aziz: Fig. 6, Steps 608-610; ¶ 0093- ¶ 0095),
a system monitoring module configured to connect to the filtering module to receive the at least one suspicious file (Aziz: Fig. 4, Item 415 (system monitoring module); ¶ 0071- ¶ 0074; Fig. 6, Step 612; ¶ 0095, “at step 612, the controller 110 may configure a virtual machine to receive and safely execute the suspected data in a simulated real-life environment.”).
Aziz does not explicitly disclose, however Zakorzhevsky teaches: 
running the at least one suspicious file in at least one virtual machine, the at least one virtual machine being associated with a set of the status parameters (Zakorzhevsky: ¶ 0015,  “selecting, based on at least the file format of the suspicious file, a configuration (set of the status parameters) of a virtual machine for analyzing a maliciousness of the suspicious file by at least: selecting a program associated with the file format of the suspicious file, opening the suspicious file using the associated program in the virtual machine”; Fig. 4, Step 470, 480; ¶ 0048, “in step 470, the system selects an appropriate configuration of an antivirus machine based on the format of the file. In step 480, the system opens and/or executes the file in the virtual machine 150”), 
(Zakorzhevsky: ¶ 0015, “collecting data of at least one activity on the virtual machine”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Aziz by Zakorzhevsky to select a program associated with the file format of the suspicious file, open the suspicious file using the associated program in the virtual machine, collect data of at least one activity on the virtual machine, and analyze the data to determine the maliciousness of the suspicious file (Zakorzhevsky: ¶ 0015).
Zakorzhevsky does not explicitly disclose, however Aziz further teaches:
processing module (Aziz: Fig. 4, Item 430 (processor module); ¶ 0075- ¶ 0076), configured: 
to connect to the system monitoring module to receive the changes in the set of status parameters, and to analyze the changes in the set of status parameters using a set of the analysis rules such that to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file (Aziz: Fig. 6, Steps 614, 616, 618; ¶ 0095, “The method 600 continues to analyze the response of the virtual machine (receive the changes in the set of status parameters) to identify malware at step 614. At step 616 it may be determined whether the data includes malware”).

Regarding claim 2, the combination of Aziz and Zakorzhevsky teaches all the features of claim 1, as outlined above.
Aziz teaches:
wherein the communication module is further configured to connect to at least one of the network traffic capturing devices that are part of the data communication network (Aziz: Fig. 1, Item 130 (network traffic capturing device); ¶ 0033).

Regarding claim 18, the combination of Aziz and Zakorzhevsky teaches all the features of claim 1, as outlined above.
Aziz teaches: 
wherein, in response to classifying the at least one suspicious file as the malicious file, the server monitoring system module is further configured to execute one of: issuing an alert message, blocking the malicious file, blocking a source associated with the malicious file, adding the malicious file into a malicious file database, generating a behavioral report for the malicious file (Aziz: Fig. 1, Item 110; ¶ 0035, “If malware is detected, the controller 110 may report the threat.” (issuing an alert message); Fig. 6, Step 620; ¶ 0095, “If malware is found, at step 620, the security appliance 130 may provide a warning signal. For example, a pattern of beeps and/or flashes may indicate a security threat.”).

Regarding claim 20, the combination of Aziz and Zakorzhevsky teaches all the features of claim 19, as outlined above.
Aziz teaches: 
A computer-readable medium for long-term data storing that stores computer-readable instructions that, when executed by the server processor (Aziz: Fig. 9, Items 900, 905, 910; ¶ 0108- ¶ 0110), cause execution of the method according to claim 19 (EN: rejected under the same reasoning as the method of claim 19). 

Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz in view of Zakorzhevsky and further in view of Barker (U.S Patent No. 8,683,595 B1, referred to as Barker).

Regarding claim 3, the combination of Aziz and Zakorzhevsky teaches all the features of claim 1, as outlined above.
Aziz does not explicitly disclose, however Barker teaches: 
wherein, in order to execute analyzing the plurality of files in order to detect at least one suspicious file, the filtering module is configured to check whether a format of a given one of the plurality of files is suspicious such that the given file is classified as one of (i) a trusted file if its format is not suspicious and (ii) as a suspicious file if its format is suspicious (Barker: Fig. 3, Step 304, C6, ls 64-67 – C7, ls 1-11).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Aziz by Barker to rely on file format in order to determine that a file is formatted in a suspicious format type capable of importing potentially malicious content (Barker: C6, ls 64-67 – C7, ls 1-11).

Regarding claim 4, the combination of Aziz and Zakorzhevsky teaches all the features of claim 3, as outlined above.
Aziz does not explicitly disclose, however Barker teaches: 

identifying the format of given one of the plurality of files (Barker: C1, ls 51-53).
receiving an indication of known harmful file formats (Barker: Fig. 4, Item 122 (known harmful file formats), C7, ls 53-63).
determining a match of the format of given one of the plurality of files and each of the known harmful file formats (Barker: Fig. 4, Item 122 (known harmful file formats), C7, ls 53-67).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Aziz by Barker to rely on file format in order to determine a suspicious file format based on comparing and matching of the file format to a list of suspicious format types (Barker: C7, ls 53-67).

Allowable Subject Matter
Claims 5-17 would be allowable if rewritten or amended to overcome the rejections and objection set forth in this Office action, and if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.
The closest prior art made of record is Aziz (U.S Pat No. 2013/0227691 A1, referred to as Aziz), Zakorzhevsky et al. (U.S Pat No. 2015/0356291 A1, referred to as Zakorzhevsky) and Barker (U.S Patent No. 8,683,595 B1, referred to as Barker).

Aziz discloses systems and methods for detecting malicious content on portable data storage devices or remote network servers. A system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.

Zakorzhevsky discloses systems, methods and computer program products for detection of harmful files of different formats. An example method includes: receiving a suspicious file,  determining a file format of the suspicious file, determining, using antivirus software, if the suspicious file is clean or harmful and when the antivirus software fails to determine whether the suspicious file is clean or harmful, selecting, based on at least the file format of the suspicious file, a configuration of a virtual machine for analyzing a maliciousness of the suspicious file by at least: selecting a program associated with the file format of the suspicious file, opening the suspicious file 

Barker discloses a method for detecting potentially malicious content within NFC messages that may include identifying an NFC message received by a mobile device via wireless transmission from an NFC device located in proximity of the mobile device. The method may also include determining that the NFC message is formatted in a suspicious format type capable of importing potentially malicious content into the mobile device and then scanning the NFC message for potentially malicious content. 

However, regarding claim 5, the prior art of Aziz, Zakorzhevsky and Barker, when taken in the context of the claim as a whole, does not disclose or suggest, “wherein, in response to identifying that the given one of the plurality of files is associated with a suspicious format, the filtering module is further configured to determine whether there is a behavioral report associated with the given one of the plurality of files.”

Regarding claim 16, the prior art of Aziz, Zakorzhevsky and Barker, when taken in the context of the claim as a whole, does not disclose or suggest, “wherein each of the available virtual machines is associated with a set of configuration attributes, determining a default virtual machine from the available virtual machines, based on at least one configuration attribute of the set of the configuration attributes matching with the at least one attribute of a given one the at least one suspicious file, starting the given one of the at least one suspicious file in the default virtual machine such that at 

Claims 6-14 depend on claim 5 and claims 16-17 depend on claim 15, and are consequently identified as allowable.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408.  The examiner can normally be reached on Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HASSAN SAADOUN/           Examiner, Art Unit 2435 

/JOSEPH P HIRL/           Supervisory Patent Examiner, Art Unit 2435