DETAILED ACTION
This communication is responsive to the After Final Response filed on 04/26/2021. 
Claims 21, 33 and 40 have been amended.
Claims 1-20 had been previously canceled.
Claims 21-45 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
Applicant Argument:
(A) On pages 7-12 of the Applicant’s argument, see Remarks, filed 04/26/2021, with respect to the rejection of claims 21, 23-24, 27-28, 32-33 and 40 under 35 USC § 102(a)(1) as being anticipated by Zhu (US Pat. 8,838,992 B2) has been fully considered and is persuasive.  Therefore, the rejection has been withdrawn.  However, upon further 

Applicant Argument:
(B) On page 10 of the Applicant Remarks, the Applicant argues that the rejection of claims 22, 25-26, 34-36 and 41-43 under 35 U.S.C. 103 as being unpatentable over Zhu in view of their respective secondary references, i.e., Kejriwal (US Pat. 8,789,178), Tyagi (US Pat. 9,419,991) and Dewey (US Pat. 8,201,245) should be reconsidered and allowed because the cited secondary references do not cure the deficiencies of Zhu.  

Examiner Response:
The Applicant’s argument regarding the rejection of claims 22, 25-26, 34-36 and 41-43 under 35 U.S.C. 103 as being unpatentable over Zhu in view of the cited secondary references is moot for the same reasons outlined in the Examiner’s response to Applicant’s argument (A) above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23-24, 29-30, 32-33, 37-38, 40 and 44 are rejected under 35 U.S.C. 103 as being unpatentable over Green et al. (US Pat. 8,997,233 B2 filed 04/13/2011) in view of Tyagi (US Pat. 9,419,991 B2 filed 09/30/2014).
As to claim 21, Green discloses:
“A method, comprising:
receiving, via a network, data comprising one or more scripts, wherein the data is intended for a user device” (Green, col. 3 lines 1-5, col. 7 lines 45-48 and col. 8 lines 1-6; original source file 102 (received via client session with web server) containing a script is checked for malware using static signatures 106);
“determining, based on execution of at least a portion of the one or more scripts, one or more features associated with the one or more scripts” (Green, figs. 1 and 2, col. 3 lines 8-16 and col. 5 lines 32-37; emulation decision logic 108 decides whether to perform emulation, which may be explicitly specified for the particular script, or may be based on the statistics/heuristics, i.e., based on the presence and frequency of incidence of certain language and runtime features; when invoked/run, the script emulator parses the script and forms a suitable data structure such as an AST (abstract syntax tree), which is evaluated against generic and static signatures, i.e., multistage signature matching at different points or at the end of emulation, for malicious content);
“determining, based on the one or more features, that the one or more scripts are associated with one or more malicious behaviors” (Green, col. 3 lines 44-53; re-run logic 116 determines whether a further iteration is to be performed, e.g., based on processing a simplified script or one or more retrieved parameters, with each subsequent iteration corresponding to a more and more simplified (e.g., more de-obfuscated) sub-script until malware is detected or the re-run logic decides that no further scanning is to be performed).
Green does not explicitly disclose:
“sending, based on the one or more malicious behaviors and to the user device, a message indicating that the one or more scripts comprise malign content.”
However, Tyagi discloses:
“sending, based on the one or more malicious behaviors and to the user device, a message indicating that the one or more scripts comprise malign content” (Tyagi, fig. 4, col. 9 lines 61-64; network device 230 may notify a user about the detection of a malicious script, e.g., through an e-mail, log entry, and/or other message meant for access by/display to a user/device).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green with Tyagi, in order to provide a mechanism for alerting a user to a malicious script detection that may be embedded in a document, or webpage accessed during a network communication session, thereby preventing the further spread of the malicious script by refusing to route data which contains the malicious script (Tyagi, col. 3 lines 59-64).   

As to claim 23, Green and Tyagi disclosed the invention of claim 21.  Green further discloses: 
“wherein the portion comprises one or more combined segments of the one or more scripts” (Green, col. 2 lines 32-46 and col. 5 lines 1-8; the script (some or all, referred to herein as a script "sample") is processed into a more generic ("decrypted") version that can be scanned for generic malware signatures, e.g., generic detection of less-frequently changing malicious payload underneath).

As to claim 24, Green and Tyagi disclosed the invention of claim 21.  Green further discloses: 
“wherein execution of the portion provides an indication of a same function as execution of the one or more scripts by the user device” (Green, col. 2 lines 32-46; same as above).

As to claim 29, Green and Tyagi disclosed the invention of claim 21.  Green does not explicitly disclose:
“generating, based on removal of format inconsistencies or obfuscated code from the one or more scripts, the portion.”
However, Tyagi discloses:
“generating, based on removal of format inconsistencies or obfuscated code from the one or more scripts, the portion” (Tyagi, col. 3 lines 19-30; mitigating the threat posed by a malicious script by [i]ntercepting script-containing data sent over a network to an end-point device associated with the user, normalizing and de-obfuscating the script contained within the data, comparing the normalized/de-obfuscated script to a regular expression signature associated with a malicious script).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green with Tyagi, in order to provide for the mitigation of threats posed by malicious scripts sent to end-

As to claim 30, Green and Tyagi disclosed the invention of claim 21. Green does not explicitly disclose:
“wherein the one or more features comprise at least one of: 
an obfuscated variable name, a number of updates to a variable name exceeding a first threshold, an obfuscated Uniform Resource Locator (URL) protocol, an obfuscated scripting language keyword, an obfuscated scripting language reserved word, or entropy of a string exceeding a second threshold.”
However, Tyagi discloses:
“wherein the one or more features comprise at least one of: 
an obfuscated variable name, a number of updates to a variable name exceeding a first threshold, an obfuscated Uniform Resource Locator (URL) protocol, an obfuscated scripting language keyword, an obfuscated scripting language reserved word, or entropy of a string exceeding a second threshold.” (Tyagi, fig. 4, col. 7 lines 20-36; network device 230 may determine whether to perform dynamic de-obfuscation based on [a] condition or a set of conditions associated with performing dynamic de-obfuscation, e.g., analyzing new scripts to determine whether the new scripts are malicious; a condition may include a level and/or indicia of obfuscation--such as satisfying an obfuscation level threshold based on a heuristic algorithm or based on a preliminary signature matching).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green with Tyagi, in order to provide for the mitigation of threats posed by malicious scripts sent to end-point devices associated with a user, by normalizing and de-obfuscating the script data, comparing the normalized/de-obfuscated script to a regular expression signature associated with a malicious script, and preventing scripts from being delivered to end-point devices if the script matches a malicious signature (Tyagi, col. 3 lines 19-30).

As to claim 32, Green and Tyagi disclosed the invention of claim 21.  Green does not explicitly disclose: 
“wherein the one or more scripts comprise executable data that is written in a scripting language.”
However, Tyagi discloses:
“wherein the one or more scripts comprise executable data that is written in a scripting language” (Tyagi, col. 2 lines 42-44; numerous computing environments employ scripted languages, such as JavaScript, ECMAScript, VBScript, Python, Perl, PHP, etc., to provide functionality).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green with Tyagi, in order to mitigate the potential exploitation of any vulnerabilities in a device's software and/or hardware that automatically executes during a seemingly innocuous activity, e.g., 

As to claim 33, claim 33 represents a device for processing executable instructions that are substantively similar in scope to the invention of claim 21.  Claim 33 is therefore rejected for the same reasons outlined in the rejection of claim 21 above.

As to claim 37, claim 37 is substantively similar in scope to the invention of claim 29.  Claim 37 is therefore rejected for the same reasons outlined in the rejection of claim 29 above.

As to claim 38, claim 38 is substantively similar in scope to the invention of claim 30.  Claim 38 is therefore rejected for the same reasons outlined in the rejection of claim 30 above.

As to claim 40, claim 40 represents a computer-readable medium that stores processor executable code that is substantively similar in scope to the invention of claim 21.  Claim 40 is therefore rejected for the same reasons outlined in the rejection of claim 21 above.

As to claim 44, claim 44 is substantively similar in scope to the invention of claim 30.  Claim 44 is therefore rejected for the same reasons outlined in the rejection of claim 30 above.

Claims 22, 25-26, 34-36 and 41-43 are rejected under 35 U.S.C. 103 as being unpatentable over Green in view of Tyagi in further view of Kejriwal et al. (US Pat. 8,789,178 B2 filed 11/24/2011).
As to claim 22, Green and Tyagi disclosed the invention of claim 21.  Green does not explicitly disclose:
“wherein the portion is associated with one or more security conditions comprising at least one of: 
redirecting a browser of the user device, or access to an operating system of the user device.”
However, Kejriwal discloses:
“wherein the portion is associated with one or more security conditions comprising at least one of: 
redirecting a browser of the user device, or access to an operating system of the user device” (Kejriwal, fig. 5 steps 477-479, col. 6 lines 25-27 and 36-40; inferring malicious script activity includes memory manipulation and redirection of the client’s browser away from original website).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Kejriwal to detect and prevent a client’s browser based malicious JavaScript contents and identify websites that attempt to download malicious JavaScripts that could compromise a client’s computer (Kejriwal, col. 1 lines 27-30).


“wherein the one or more malicious behaviors indicate one or more effects of the user device executing the one or more scripts.”
However, Kejriwal discloses:
“wherein the one or more malicious behaviors indicate one or more effects of the user device executing the one or more scripts” (Kejriwal, col. 2 line 34 – col. 3 line 10; Javascript code that executes in a browser without user activity may exhibit hostile behavior, i.e., dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the website, operating an eval function on an argument which is resolved into shell code, etc.).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Kejriwal to detect and prevent a client’s browser based malicious JavaScript contents and identify websites that attempt to download malicious JavaScripts that could compromise a client’s computer (Kejriwal, col. 1 lines 27-30).



“wherein the one or more malicious behaviors comprise at least one of: 
redirecting a browser of the user device to a website, causing the user device to download malicious software, or causing the user device to communicate with a computing device.”
However, Kejriwal discloses:
“wherein the one or more malicious behaviors comprise at least one of: 
redirecting a browser of the user device to a website, causing the user device to download malicious software, or causing the user device to communicate with a computing device” (Kejriwal, col. 2 line 34 – col. 3 line 10; Javascript code that executes in a browser without user activity may exhibit hostile behavior, i.e., dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the website, operating an eval function on an argument which is resolved into shell code, etc.).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Kejriwal to detect and prevent a client’s browser based malicious JavaScript contents and identify websites that attempt to download malicious JavaScripts that could compromise a client’s computer (Kejriwal, col. 1 lines 27-30).



As to claim 35, claim 35 is substantively similar in scope to the invention of claim 25.  Claim 35 is therefore rejected for the same reasons outlined in the rejection of claim 25 above.

As to claim 36, claim 36 is substantively similar in scope to the invention of claim 26.  Claim 36 is therefore rejected for the same reasons outlined in the rejection of claim 26 above.

As to claim 41, claim 41 is substantively similar in scope to the invention of claim 22.  Claim 41 is therefore rejected for the same reasons outlined in the rejection of claim 22 above.

As to claim 42, claim 42 is substantively similar in scope to the invention of claim 25.  Claim 42 is therefore rejected for the same reasons outlined in the rejection of claim 25 above.

As to claim 43, claim 43 is substantively similar in scope to the invention of claim 26.  Claim 43 is therefore rejected for the same reasons outlined in the rejection of claim 26 above.

Claims 27-28 are rejected under 35 U.S.C. 103 as being unpatentable over Green in view of Tyagi in further view of Gaustad (US Pat. 10,817,603 B2, Priority Provisional Application 628551,532 filed 08/29/2017).
As to claim 27, Green and Tyagi disclosed the invention of claim 21.  Green does not explicitly disclose:
“wherein the determining, that the one or more scripts are associated with the one or more malicious behaviors, is further based on a machine learning model.”
However, Gaustad discloses:
“wherein the determining, that the one or more scripts are associated with the one or more malicious behaviors, is further based on a machine learning model” (Gaustad, col. 9 lines 46-53; classification engine 110 can use machine learning techniques, i.e., clustering, neural networks, decision trees, etc., to classify the scripting document 108 as either benign or malicious based on the feature data, scoring data, and/or feature indices from the training data 106 and the document 108).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Gaustad in order to provide a classification engine 110 that can use training data, i.e., document data, document designations as known-benign or known-malicious, and frequency data, scoring data, and/or feature index, to classify a document 108 as malicious or benign (Gaustad, col. 9 lines 39-46). 



“wherein the machine learning model is based on at least one of: 
a support vector machine, a Bayesian belief network, a neural network, or a decision tree.”
“wherein the machine learning model is based on at least one of: 
a support vector machine, a Bayesian belief network, a neural network, or a decision tree” (Gaustad, col. 9 lines 46-53).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Gaustad in order to provide a classification engine 110 that can use training data, i.e., document data, document designations as known-benign or known-malicious, and frequency data, scoring data, and/or feature index, to classify a document 108 as malicious or benign (Gaustad, col. 9 lines 39-46).

Claims 31, 39 and 45 are rejected under 35 U.S.C. 103 as being unpatentable over Green in view of Tyagi in further view of Dewey et al. (US Pat. 8,201,245 B2 filed 12/05/2007).
As to claim 31, Green and Tyagi disclosed the invention of claim 21. Green does not explicitly disclose:
“wherein the execution comprises executing one or more branches associated with the portion to cause evaluation of the portion to true and false cases.”
However, Dewey discloses:
(Dewey, fig. 4, steps 90-114; col. 6 lines 24-36; if detector 45 identifies any malicious script code or other malicious program code in the revised program code, e.g., decision 110, yes branch, detector 45 takes appropriate action (step 112); if detector 45 does not identify any malicious program code in the revised program code, e.g., decision 110, no branch, then detector 45 returns to the program step in the execution engine 44 just after the hooking/jump step 50 to execute the revised program code, step 114).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the technical features of Green and Tyagi with Dewey in order to detect obfuscated malicious code embedded in an HTML or its associated files that otherwise might not be detected prior to execution by a web browser (Dewey, col. 2 lines 1-9).

As to claim 39, claim 39 is substantively similar in scope to the invention of claim 31.  Claim 39 is therefore rejected for the same reasons outlined in the rejection of claim 31 above.

As to claim 45, claim 45 is substantively similar in scope to the invention of claim 31.  Claim 45 is therefore rejected for the same reasons outlined in the rejection of claim 31 above.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to /FELICIANO S MEJIA/ whose telephone number is (571)270-5994.  The examiner can normally be reached on 8:30am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FELICIANO S. MEJIA/
Examiner
Art Unit 2492

/SALEH NAJJAR/
Supervisory Patent Examiner, Art Unit 2492