Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

DETAILED ACTION
This action is responsive to the application filed on 3/18/2019. Claims 1 and 15 are independent. Claims 1-20 are currently pending.

Objections
Claims 1-4, 7, 10 and 11 are objected to. Examiner suggests amending them as shown below:
1. A method of detecting a threat against a computer system, the method comprising:
a) monitoring installation and operation of multiple different versions of [[the]] a same application in [[a]] the computer system;
b) analysing evolutionary changes between [[the]] behaviours of the different versions of the same application;
c) detecting and monitoring a new version of the same application in [[a]] the computer system;
d) monitoring [[the]] behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on [[the]] basis of the analysis; and
the one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.

2. The method according to claim 1, wherein analysing the evolutionary changes of the behaviours comprises analysing evolutionary changes of [[the]] behaviours of subsequent versions of the same application.

3. The method according to claim 1, the method further comprising creating and storing representations of the expected behaviors of the monitored application on the basis of the analysis.

4. The method according to claim 1, wherein the step of detecting one or more procedures that do not match the expected behaviours of the monitored application further comprises comparing the behaviour of the monitored application to [[the]] stored representations of expected behaviours.

7. The method according to claim 6, wherein the characteristic and/or expected actions include one or more of:
API calls and/or API call parameters made by the monitored application, information made available to plugins of the monitored application, actions relating to browser extensions, file access operations performed by the monitored application, network operations performed by the monitored application, error conditions relating to the monitored application.

	10. The method according to claim 1, wherein the step of identifying the monitored application as malicious or suspicious is further based on [[the]] a difference in version numbers of the different versions of the same application, wherein [[the]] an expected amount of change in behaviour is related to [[the]] an amount of change in version numbers.

	11. The method according to claim 1, wherein the step of identifying the monitored application as malicious or suspicious further comprises:
	determining which already analysed version of the same application is most similar with the new version of the same application by comparing [[the]] codes of the different versions of the same application with the new version of the same application;
	determining a version delta value between the most similar version and the new version on the basis of the comparison;
	identifying the monitored application as suspicious or malicious, if the version delta value is subtle and the behavioural difference is substantial;
	identifying the monitored application as unknown, if the version delta value is substantial and the behavioural difference is substantial; and
	 identifying the monitored application as normal, if both the version delta value and the behavioural difference is subtle or the version delta value is substantial and the behavioural difference is subtle.
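The three-way decision in claim 11 (version delta versus behavioural difference) carried through as an added example; this is not code from the application or from the cited references. Code similarity between versions is measured with Python's difflib over constructed source text, the behaviour of each version is a constructed set of observed operations, and the thresholds that separate "subtle" from "substantial" are assumptions, since the claim does not fix them.

```python
"""Triage of a new application version by version delta and behaviour delta.

Added example illustrating claim 11; not the applicant's or any cited
reference's code. Sources, behaviours and thresholds below are constructed.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass

# Assumed thresholds: the claim only distinguishes "subtle" from "substantial".
VERSION_DELTA_THRESHOLD = 0.20    # less than 20% of code lines changed -> subtle
BEHAVIOUR_DELTA_THRESHOLD = 0.30  # less than 30% of operations changed -> subtle


@dataclass(frozen=True)
class AnalysedVersion:
    name: str
    source: str               # code of this version (constructed text)
    behaviour: frozenset[str]  # operations observed while it ran (constructed)


def code_similarity(a: str, b: str) -> float:
    """Line-level similarity in [0, 1]: 2*matches / total lines."""
    return difflib.SequenceMatcher(None, a.splitlines(), b.splitlines()).ratio()


def most_similar_version(known: list[AnalysedVersion], new: AnalysedVersion) -> AnalysedVersion:
    """Claim 11, first step: the analysed version whose code best matches the new one."""
    return max(known, key=lambda k: code_similarity(k.source, new.source))


def version_delta(base: AnalysedVersion, new: AnalysedVersion) -> float:
    """Claim 11, second step: how much the code changed relative to the closest version."""
    return 1.0 - code_similarity(base.source, new.source)


def behaviour_delta(base: AnalysedVersion, new: AnalysedVersion) -> float:
    """Jaccard distance between the two sets of observed operations."""
    union = base.behaviour | new.behaviour
    if not union:
        return 0.0
    return 1.0 - len(base.behaviour & new.behaviour) / len(union)


def classify(vd: float, bd: float) -> str:
    """Claim 11, last three steps, as a decision table over the two deltas."""
    version_subtle = vd < VERSION_DELTA_THRESHOLD
    behaviour_subtle = bd < BEHAVIOUR_DELTA_THRESHOLD
    if behaviour_subtle:
        return "normal"       # both subtle, or big code change with unchanged behaviour
    if version_subtle:
        return "suspicious"   # tiny code change, yet behaviour changed substantially
    return "unknown"          # large code change and large behaviour change


def triage(known: list[AnalysedVersion], new: AnalysedVersion) -> tuple[str, float, float, str]:
    base = most_similar_version(known, new)
    vd, bd = version_delta(base, new), behaviour_delta(base, new)
    return base.name, vd, bd, classify(vd, bd)


# Constructed sources: 1.1 changes one line of 1.0; 2.0 is a rewrite.
SRC_1_0 = "\n".join([
    "import sys", "def load(path):", "    data = open(path).read()",
    "    return parse(data)", "def parse(text):", "    return text.split(',')",
    "def main():", "    cfg = load(sys.argv[1])", "    print(cfg)", "main()"])
SRC_1_1 = SRC_1_0.replace("    return text.split(',')",
                          "    return [x.strip() for x in text.split(',')]")
SRC_2_0 = "\n".join([
    "import sys", "import json", "class Config:", "    def __init__(self, path):",
    "        with open(path) as fh:", "            self.values = json.load(fh)",
    "    def get(self, key):", "        return self.values.get(key)",
    "def main():", "    print(Config(sys.argv[1]).get('name'))", "main()"])

KNOWN = [
    AnalysedVersion("1.0", SRC_1_0, frozenset({"file.read", "stdout.write"})),
    AnalysedVersion("1.1", SRC_1_1, frozenset({"file.read", "stdout.write"})),
    AnalysedVersion("2.0", SRC_2_0, frozenset({"file.read", "json.parse", "stdout.write"})),
]
# A "point release" of 1.1 that changes one line but now talks to the network.
NEW_1_1_1 = AnalysedVersion("1.1.1", SRC_1_1.replace("    print(cfg)", "    upload(cfg)"),
                            frozenset({"file.read", "net.connect", "net.send"}))
# A point release of 2.0 whose behaviour barely changes.
NEW_2_1 = AnalysedVersion("2.1", SRC_2_0.replace("get('name'))", "get('name'), file=sys.stderr)"),
                          frozenset({"file.read", "json.parse", "stdout.write", "stderr.write"}))

if __name__ == "__main__":
    for candidate in (NEW_1_1_1, NEW_2_1):
        base, vd, bd, verdict = triage(KNOWN, candidate)
        print(f"{candidate.name}: closest={base} version_delta={vd:.2f} "
              f"behaviour_delta={bd:.2f} -> {verdict}")
```

Running the block shows 1.1.1 matched to 1.1 with a version delta of 0.10 and a behaviour delta of 0.75, hence "suspicious", while 2.1 is matched to 2.0 with both deltas subtle, hence "normal". The decision table only has three outcomes because the claim folds "substantial code change, subtle behaviour change" into "normal"; a deployment would still want to log that case, since a rewrite that happens to preserve observed behaviour is exactly where the behavioural baseline should be refreshed.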
	
	The same amendment is recommended to the corresponding claims in the group of “computer system” claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-10, 15-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid et al. (US 9626509 B1), hereinafter Khalid, in view of Chen et al. (CN 107967208 B), hereinafter Chen.

 Regarding claims 1, 15 and 21, Khalid teaches a method of detecting a threat against a computer system (FIG. 2), the method comprising:
a) monitoring installation (FIG. 2 and col7 ln37-67, at block 201, processing logic installs and configures multiple versions of a SW application (e.g., Microsoft Office or Adobe Acrobat) within a single VM that is hosted by a guest OS) and operation of multiple different versions of the same application in a computer system (FIG. 2 and col7 ln37-67, At block 202, in response to receiving a malicious content suspect associated with the SW application, processing logic identifies and launches a VM having multiple versions of the SW application installed therein);
b) analysing evolutionary changes between the behaviours of the different versions of the same application (FIG. 2 and col7 ln37-67, At block 203, for each of the versions of the SW application, processing logic invokes the corresponding version to access and test, preferably concurrently, the malicious content suspect therein);
d) monitoring the behavior of the computer system to detect one or more procedures of the monitored application (FIG. 2 and col7 ln37-67, At block 204, processing logic monitors the behavior of the malicious content suspect processed with the corresponding version or versions of the SW application to identify anomalous behavior indicative of a malicious attack. At block 206, the processing logic stores information describing any detected anomalous behaviors, and, associated therewith, the version identifier (e.g., version number and, where applicable, service pack number) corresponding to each of the versions of the software application and the operating system whose execution resulted in the anomalous behavior) on the basis of the analysis (col10 ln1-19, the heuristic module 860 may examine the metadata or attributes of the captured content and/or the code image (e.g., a binary image of an executable) to determine whether a certain portion of the captured content matches a predetermined pattern or signature that is associated with a particular type of malicious content); and
e) upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious (FIG. 2 and col7 ln37-67, At block 208, processing logic declares any identified attack incident and may issue an alert, which in some embodiments, contains or references threat data, including, for example, the version number or numbers of the SW application having a potential security vulnerability so that remedial action may be taken).
Khalid does not explicitly disclose c) detecting and monitoring a new version of the same application in a computer system; and detect one or more procedures that do not match expected behaviors of the monitored application. However, in an analogous art, Chen teaches c) detecting and monitoring a new version of the same application in a computer system (FIG. 1 and p. 1/8, 1) acquiring a source code of a historical version and a source code of a version to be tested [interpreted as a new version] of the same software); and detect one or more procedures that do not match expected behaviors of the monitored application 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set; 5) training the deep neural network model by using a training set to perform feature merging, and then calculating the correlation and sequencing by using the deep neural network model for the mode in the test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claims 2 and 16, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Chen further teaches wherein
analysing evolutionary changes of the behaviours comprises analysing evolutionary changes of the behaviours of subsequent versions of the same application (FIG. 1 and para. 0008-0013, 1) acquiring a source code of a historical version and a source code of a version to be tested [interpreted as subsequent versions] of the same software; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claim 3, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein creating and storing representations of expected behaviors of the monitored application on the basis of the analysis (FIG. 2 and col7 ln37-67, At block 206, the processing logic stores information describing any detected anomalous behaviors, and, associated therewith, the version identifier (e.g., version number and, where applicable, service pack number) corresponding to each of the versions of the software application and the operating system whose execution resulted in the anomalous behavior).

 Regarding claim 4, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Chen further teaches wherein the step of
detecting one or more procedures that do not match the expected behaviours of the monitored application further comprises comparing the behaviour of the monitored application to the stored representations of expected behaviours (p. 3/8, 3) extracting relevant characteristics of the resource sensitive code mode; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claims 5 and 18, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Khalid further teaches generating behavioural data for the analysis by executing multiple different versions of the same application on physical machines, on separate test machines or by a virtualization system (FIG. 2 and col7 ln37-67, At block 202, in response to receiving a malicious content suspect associated with the SW application, processing logic identifies and launches a VM having multiple versions of the SW application installed therein. At block 203, for each of the versions of the SW application, processing logic invokes the corresponding version to access and test, preferably concurrently, the malicious content suspect therein. At block 204, processing logic monitors the behavior of the malicious content suspect processed with the corresponding version or versions of the SW application to identify anomalous behavior indicative of a malicious attack. col8 ln60-67, malicious network content detection system 825 may be configured to inspect exchanges of network content over the communication network 820, identify suspicious network content, and analyze the suspicious network content using a virtual machine to detect malicious network content).
In addition, Chen teaches executing multiple different versions of the same application during normal usage (p. 3/8, 1) acquiring a source code of a historical version and a source code of a version to be tested of the same software; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claim 6, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Chen further teaches wherein each procedure of the one or more procedures of the monitored application is identified by a characteristic action and one or more expected actions (p. 3/8, 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set; 5) training the deep neural network model by using a training set to perform feature merging, and then calculating the correlation and sequencing by using the deep neural network model for the mode in the test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claim 7, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein the characteristic and/or expected actions include one or more of: API calls and/or API call parameters made by the running application, information made available to plugins of the running application, actions relating to browser extensions, file access operations performed by the running application, network operations performed by the running application, encrypted communications sent by the running application, error conditions relating to the running application (col10 ln20-33, When a characteristic of the packet, such as a sequence of characters or keyword, is identified that meets the conditions of a heuristic, a suspicious characteristic of the network content is identified ... the characteristic may be determined as a result of an analysis across multiple packets comprising the network content. col8 ln34-55, Network content may include any data transmitted over a network (i.e., network data). Network data may include text, software, images, audio, or other digital data. An example of network content includes web content, or any network data that may be transmitted using a Hypertext Transfer Protocol (HTTP), Hypertext Markup Language (HTML) protocol, or be transmitted in a manner suitable for display on a Web browser software application).
In addition, Chen teaches API interface names of each type (p. 3/8, packaging each type of the Python according to abstract syntax defined in a Python standard library, wherein each type has a mapping table which contains the internal attribute name or the API interface name of the type).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claim 8, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein said procedures include any one or more of: establishment of a secure session, communication over a secure session, file operations, registry operations, memory operations, network operations (col8 ln34-55, An example of network content includes web content, or any network data that may be transmitted using a Hypertext Transfer Protocol (HTTP), Hypertext Markup Language (HTML) protocol, or be transmitted in a manner suitable for display on a Web browser software application. Another example of network content includes email messages, which may be transmitted using an email protocol such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), or Internet Message Access Protocol (IMAP4). A further example of network content includes Instant Messages, which may be transmitted using an Instant Messaging protocol such as Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP). In addition, network content may include any network data that is transferred using other data transfer protocols, such as File Transfer Protocol (FTP)).

 Regarding claim 9, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein the step of identifying the monitored application as malicious or suspicious is based on at least one of: fulfilling predetermined rules (col10 ln1-19, the heuristic module 860 may examine the metadata or attributes of the captured content and/or the code image (e.g., a binary image of an executable) to determine whether a certain portion of the captured content matches a predetermined pattern or signature that is associated with a particular type of malicious content).
In addition, Chen teaches identifying the monitored application as malicious or suspicious based on a machine learning approach, a decision-making logic using the behavioural data as input (p. 3/8, 5) training the deep neural network model [machine learning] by using a training set to perform feature merging, and then calculating the correlation and sequencing by using the deep neural network model for the mode in the test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claims 10 and 19, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Chen further teaches wherein the step of identifying the monitored application as malicious or suspicious is further based on the difference in version numbers of the different versions of the same application, wherein the expected amount of change in behaviour is related to the amount of change in version numbers (p. 4/8, feature combination based on the deep neural network, and adopts a standard metric value to measure the correlation level between the code to be tested and the defect code in the historical version, thereby being capable of positioning the resource sensitive defect code block to be deep into the basic statement level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

 Regarding claim 17, the combination of Khalid and Chen teaches all of the limitations of claim 15, as described above. Khalid further teaches wherein the processor is further configured to cause the system to perform: creating and storing representations of expected behaviors of the monitored application on the basis of the analysis (FIG. 2 and col7 ln37-67, At block 206, the processing logic stores information describing any detected anomalous behaviors, and, associated therewith, the version identifier (e.g., version number and, where applicable, service pack number) corresponding to each of the versions of the software application and the operating system whose execution resulted in the anomalous behavior).
In addition, Chen teaches to cause the system to perform the step of detecting one or more procedures that do not match the expected behaviours of the monitored application by comparing the behaviour of the monitored application to the stored representations of expected behaviours (p. 3/8, 3) extracting relevant characteristics of the resource sensitive code mode; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because it flags resource object operations that possibly have errors according to the result of the relevance ranking, assisting development and maintenance (Chen p. 3/8).

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid in view of Chen, as applied in the claims above, further in view of Singh et al. (US 20160285914 A1), hereinafter Singh.

 Regarding claim 13, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above.
The combination of Khalid and Chen does not explicitly disclose upon identifying the monitored application as malicious or suspicious, the method further comprises handling the monitored application by one or more of: terminating a process of the monitored application, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the monitored application and performing a further malware scan on the monitored application. However, in an analogous art, Singh teaches upon identifying the monitored application as malicious or suspicious, the method further comprises handling the monitored application by one or more of: terminating a process of the monitored application, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the monitored application and performing a further malware scan on the monitored application (FIG. 4A and para. 0065, When the object is determined to be malicious based on pre-processing (yes at block 402), actions are performed to handle the malicious object (block 403). Examples of actions performed to handle a malicious object include, ... , (ii) a network administrator and/or an expert network analyst, uploading information associated with the malicious object to the cloud services and/or (iii) preventing the object from being received and/or processed by a client device, if possible).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid, Chen and Singh because Singh provides a virtualized malware detection system that improves exploit detection and/or visual representation of the detection of the suspected exploit and/or malware (Singh para. 0014).

 Regarding claim 14, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above.
The combination of Khalid and Chen does not explicitly disclose upon identifying the monitored application as malicious or suspicious, further comprising at least one of: sending from a client computer to a server details of the characteristic action and other actions taken on the client computer; sending from the server to client computer an indication as to whether or not the monitored application is malicious or suspicious; sending from the server to the client computer instructions for handling the monitored application; prompting the client computer to kill and/or remove the monitored application; storing information indicating the monitored application. However, in an analogous art, Singh teaches upon identifying the monitored application as malicious or suspicious, further comprising at least one of: sending from a client computer to a server details of the characteristic action and other actions taken on the client computer; sending from the server to client computer an indication as to whether or not the monitored application is malicious or suspicious; sending from the server to the client computer instructions for handling the monitored application; prompting the client computer to kill and/or remove the monitored application; storing information indicating the monitored application (FIG. 4A and para. 0065, When the object is determined to be malicious based on pre-processing (yes at block 402), actions are performed to handle the malicious object (block 403). Examples of actions performed to handle a malicious object include, ... , (ii) a network administrator and/or an expert network analyst, uploading information associated with the malicious object to the cloud services and/or (iii) preventing the object from being received and/or processed by a client device, if possible).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid, Chen and Singh because Singh provides a virtualized malware detection system that improves exploit detection and/or visual representation of the detection of the suspected exploit and/or malware (Singh para. 0014).

Allowable Subject Matter
Claims 11, 12 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and overcoming double patenting rejection of claims.

Reference Cited Not Used
The closest art Huang et al. (US 9117079 B1) teaches a method of malicious action detection, implemented as follows: A single virtual machine is implemented upon a computer and an operating system executes within this virtual machine. A sample file suspected of being malware is received and any number of versions of the software application corresponding to the sample file are installed. Each version of the software application is executed within the operating system, each version opening the sample file. Behavior of each version and of the sample file is collected while each version is executing. A score indicating malicious behavior for each version with respect to the sample file is determined and reported. The versions may execute serially in the operating system, each version terminating before the next version begins executing. Or, all versions may execute concurrently within the operating system. Files and registries are hidden to facilitate installation. System information is changed to facilitate execution.
The closest art Amin et al. (US 10025927 B1) teaches a method of selecting a subset of a set of versions of a software application that are concurrently installed within a virtual machine by logic being executed by a processor of a data processing system (201). The software application versions of the subset are processed to access potentially malicious content within the virtual machine without switching to another virtual machine. Behaviors of the potentially malicious content are monitored (204) during processing by the software application versions of the subset to detect behaviors associated with a malicious attack. Information associated with the detected behaviors that are associated with the malicious attack is stored (206). An alert is issued (208) with respect to the malicious attack.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437