DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 11-20 have been cancelled. 
Claims 1-10 have been examined. 

Election/Restrictions
Applicant’s election without traverse of claims 1-20 in the reply filed on 03/22/2021 is acknowledged.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 07/19/2019 and 09/24/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: 
Paragraph [0109] recites: “the computing object 502d is a procedure ("generate_download_complete_value")”. According to fig. 5A, computing object 502d is a procedure named “generate_status_okay_value” and computing object 502e is the procedure named "generate_download_complete_value". Paragraph [0109] is referencing the wrong computing object, i.e., instead of reciting 502e, it is reciting 502d.  Appropriate correction is required.
Paragraph [0110] recites: “the computing object 502i is a procedure ("generate_status_okay_value") that always returns the number 400”. Again, the specification is reciting the incorrect computing object. According to fig. 5A, computing object 502i is a procedure named “subtract_one” and computing object 502d is the procedure "generate_status_okay_value". Paragraph [0110] is referencing the wrong computing object, i.e., instead of reciting 502d, it is reciting 502i.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 5-7, 9 and 10 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 9087195 to Maxim Y. Golovkin (hereinafter Golovkin).
As per claim 5, Golovkin teaches:
A method of detecting malware, the method comprising: 
receiving computer code, the computer code including a code segment executable by an endpoint (Golovkin: column 5, lines 26-35: At step 301, an unoptimized executable or object software code is loaded by the antimalware program 130. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an executable or object software code includes executable code segments); 
characterizing redundancy in the code segment (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contains fewer instructions and is thus easier to analyze by the antimalware program 130 than the original unoptimized code. Column 6, lines 28-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measure the degree of code obfuscation); and 
in response to characterizing the redundancy, permitting or denying execution of the computer code by the endpoint (Golovkin: column 6, lines 44-67: At step 385, the antimalware program may decide based on the degree of code obfuscation whether an additional malware analysis of the software code is necessary in accordance with one example embodiment. At step 390, the antimalware program may further analyze the software code having a significant percent of obfuscated code using conventional malware detection techniques. Column 7, lines 3-10: If malware is detected in the optimized software code, the original software program may be classified as viruses, worms, Trojan horses or the like, and quarantined or removed from the system at step 395).

As per claim 6, Golovkin teaches:
The method of claim 5, wherein the redundancy includes at least one of superfluous variables, superfluous function calls, superfluous structure, or superfluous flow control (Golovkin: column 1, line 60-column 2, line 2: The optimization include removing dead codes and optimizing distributed calculations, reverse operations, constant calculations, transfer instructions, memory calls, flag operations, and branch and cycle instructions. Also, column 7, lines 40-67 and column 8, lines 1-25).

As per claim 7, Golovkin teaches:
The method of claim 5, wherein characterizing the redundancy includes comparing the computer code to a compressed version of the computer code, the compressed version of the computer code having decreased redundancy, as compared to the computer code, while maintaining functionality of the computer code (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contains fewer instructions and is thus easier to analyze by the antimalware program 130 than the original unoptimized code. Column 6, lines 28-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measure the degree of code obfuscation. Fig. 5, column 7, lines 40-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as dead code. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500, i.e., the functionality of the software code is maintained while removing dead code).

As per claim 9, Golovkin teaches:
The method of claim 5, wherein the computer code includes at least one of list-based code, structured code, object-oriented code, and aspect-oriented code (Golovkin: column 5, lines 4-6: The code may be compiled using any known compiler on computer system 100, such as Microsoft Visual C/C++ compiler or others. Column 6, lines 51-54: the antimalware program may recompile the optimized software code using C++, Java or other type of compiler and submit it for further analysis).

As per claim 10, Golovkin teaches:
The method of claim 5, wherein characterizing redundancy in the code segment includes identifying one or more subroutines in the code segment for which all results are known without external input (Golovkin: column 7, lines 10-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as dead code because they are followed by the following MOVE operation, which erases results of the ADD and INC instructions: MOV ECX, EAX. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500).
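Added illustration, not part of the Office action and not code from Golovkin or the application: a minimal straight-line dead-store eliminator that reproduces the cited ADD/INC/MOV case, measures the fraction of instructions removed, and compares it with a threshold. The instruction subset, the sample listing, the 0.25 threshold and the "escalate"/"allow" labels are assumptions; CPU flags, memory operands and branches are ignored.

```python
# Added example: toy dead-store elimination used as an obfuscation heuristic.
# Assumptions: register/immediate operands only, one basic block, flags ignored.

REGS = {"EAX", "EBX", "ECX", "EDX"}
PURE_WRITE = {"MOV"}                        # dst is overwritten, never read
READ_MODIFY = {"ADD", "SUB", "OR", "INC"}   # dst is both read and written

# Constructed sample; the middle three lines are the sequence cited from Fig. 5.
SAMPLE = """
MOV EAX, 10h
ADD ECX, 2500h
INC ECX
MOV ECX, EAX
ADD EBX, ECX
"""


def parse(listing):
    """Turn 'OP DST[, SRC]' lines into (op, dst, src) tuples."""
    block = []
    for line in listing.strip().splitlines():
        op, _, operands = line.strip().partition(" ")
        parts = [p.strip() for p in operands.split(",")]
        block.append((op.upper(), parts[0], parts[1] if len(parts) > 1 else None))
    return block


def eliminate_dead_stores(block, live_out):
    """Backward liveness pass: drop writes whose result is never read."""
    live = set(live_out)
    kept = []
    for op, dst, src in reversed(block):
        if op not in PURE_WRITE and op not in READ_MODIFY:
            raise ValueError(f"unsupported instruction: {op}")
        if dst not in live:
            continue                 # overwritten before any read: dead code
        if op in PURE_WRITE:
            live.discard(dst)        # the earlier value of dst is not needed
        if src in REGS:
            live.add(src)            # a register source must stay live
        kept.append((op, dst, src))
    kept.reverse()
    return kept


def degree_of_redundancy(original, optimized):
    """Fraction of the original instructions that optimization removed."""
    return (len(original) - len(optimized)) / len(original) if original else 0.0


def triage(listing, live_out=REGS, threshold=0.25):
    """Return (degree, verdict); 'escalate' means send for further analysis."""
    original = parse(listing)
    optimized = eliminate_dead_stores(original, live_out)
    degree = degree_of_redundancy(original, optimized)
    return degree, ("escalate" if degree > threshold else "allow")


if __name__ == "__main__":
    print(triage(SAMPLE))
```
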

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Golovkin and US 20060294503 to Henderson et al. (hereinafter Henderson).
As per claim 1, Golovkin teaches:
A computer program product for detecting malware, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
receiving a script language code at a threat management facility in communication with an endpoint, the script language code including a plurality of expressions processable by an application in a run-time environment on the endpoint (Golovkin: column 5, lines 26-35: At step 301, an unoptimized executable or object software code is loaded by the antimalware program 130. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an executable or an object software code includes a plurality of expressions that are processable by an application); 
tokenizing the plurality of expressions of the script language code into computing objects (Golovkin: column 5, lines 26-35 and 55-58: At step 301, the software code may be divided into code blocks 302, 303, 304, etc.); 
compressing the computing objects into a compressed script in which redundancy is decreased relative to the script language code by removing one or more expressions from the script language code while maintaining functionality of the script language code (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contains fewer instructions and is thus easier to analyze by the antimalware program 130 than the original unoptimized code. Fig. 3b, column 5, lines 55-67: At step 350, the code optimizer 145 analyzes substantially in real time each code block and replaces complex assembly instructions with simple (or basic) instructions, such as ADD, SUB, MOV, OR and other basic assembly instructions. Column 6, lines 1-28: At steps 365 and 370, the optimizer 145 may analyze the data flow model, identify obfuscated codes therein, and optimize the obfuscated codes in the data flow model. Fig. 5, column 7, lines 40-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as dead code. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500, i.e., the functionality of the software code is maintained while removing dead code); 
determining a degree of redundancy in the script language code based on a difference between the script language code and the compressed script (Golovkin: column 6, lines 28-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measure the degree of code obfuscation); and 
conditionally initiating a remedial action responsive to the script language code when the degree of redundancy exceeds a predetermined threshold (Golovkin: column 6, lines 44-67: At step 385, the antimalware program may decide based on the degree of code obfuscation whether an additional malware analysis of the software code is necessary in accordance with one example embodiment. At step 390, the antimalware program may further analyze the software code having a significant percent of obfuscated code using conventional malware detection techniques. Column 7, lines 3-10: If malware is detected in the optimized software code, the original software program may be classified as viruses, worms, Trojan horses or the like, and quarantined or removed from the system at step 395).
Golovkin teaches a software code but does not explicitly teach: a script language code. However, Henderson teaches:
a script language code (Henderson: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Henderson in the invention of Golovkin to include the above limitations. The motivation to do so would be because code coverage analysis can also be helpful in finding dormant or dead code (Henderson: [0003]).

As per claim 2, Golovkin in view of Henderson teaches:
The computer program product of claim 1, wherein the script language code includes at least one of Visual Basic for Applications (VBA) or JavaScript (Henderson: [0026]: Script languages include, but are not limited to JScript (JavaScript), Visual Basic (VB), Shell scripts, such as TCL/Tk, Perl, Python, Windows/UNIX shell scripting, and so forth).

As per claim 4, Golovkin in view of Henderson teaches:
The computer program product of claim 1, wherein the difference between the script language code and the compressed script is characteristic of obfuscation (Golovkin: Column 6, lines 1-43: At steps 365 and 370, the optimizer 145 may analyze the data flow model, identify obfuscated codes therein, and optimize the obfuscated codes in the data flow model. At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measure the degree of code obfuscation).

As per claim 8, Golovkin does not teach: wherein the computer code includes a scripting language interpretable by an application executing on the endpoint. However, Henderson teaches:
wherein the computer code includes a scripting language interpretable by an application executing on the endpoint (Henderson: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Henderson in the invention of Golovkin to include the above limitations. The motivation to do so would be because code coverage analysis can also be helpful in finding dormant or dead code (Henderson: [0003]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Golovkin in view of Henderson as applied to claim 1 above, and further in view of applicant provided prior art US 7624449 to Frederic Perriot (hereinafter Perriot).
As per claim 3, Golovkin in view of Henderson does not teach: wherein the difference between the script language code and the compressed script is characteristic of polymorphism. However, Perriot teaches:
wherein the difference between the script language code and the compressed script is characteristic of polymorphism (Perriot: column 5, lines 41-56: In polymorphic code 10 produced by viruses, dead code is commonplace. Column 21, lines 1-33: Another use of optimization 40 is as a heuristic to detect polymorphic code 10. Most polymorphic engines 10 produce many redundant instructions, whereas a typical program has almost no dead code).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Perriot in the invention of Golovkin in view of Henderson to include the above limitations. The motivation to do so would be to provide an alternative solution entailing code optimization (simplification) techniques. Such techniques as copy propagation, constant folding, code motion, and dead-code elimination may be used instead of, or prior to, emulation or other malicious code detection techniques (Perriot: column 1, lines 22-28).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


