Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the Amendment filed on 03/10/2021.
Claims 1-20 are under examination.
 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 10,395,034 and claims 1-7 of U.S. Patent No. 9,734,335. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is fully disclosed in the 
A method comprising: identifying, by a set of processors, a first location in a storage that is a store for a set of data based, at least in part, on a first section of code in a program; determining, by the set of processors, that a second section of code in the program attempts to access the first location; injecting, by the set of processors, a set of instrumentation code into the program according to a dynamic tracing framework; determining, by the set of processors, the instrumentation code executes; examining, by the set of processors, the first section of code and a set of subsequent instructions in the program, wherein the set of subsequent instructions references the first location; scanning, by the set of processors, the first location for a set of threats; determining, by the set of processors, the set of threats exist; and taking, by the set of processors, a defensive measure.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9, 11-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pike (US 2008/0216175 A1), Christodorescu et al. (US 2010/0011441 A1), Schuba et al. (US .
Regarding claim 1, Pike discloses a method comprising: setting up a probe to monitor a program while permitting the program to execute; determining the probe is triggered by a first section of code in the program requesting a set of data; identifying, by a set of processors, a first location in a storage that is a store for a set of data [par. 0042, “At least one suitable point is selected for initially labeling information as "tainted"”, par. 0045, “when information destined for a location (e.g., location 294) in memory 213 is initially characterized as tainted, a store 222 of tainted locations is updated and memory subsystems associated with memory 213 are configured to trigger an action in circumstances consistent with use or propagation of the tainted information. Typically, store 222 includes an identification of locations that are considered to be tainted”]; determining a second section of code in the program attempts to access the first location [par. 0045, “we configure (281) subsystems associated with memory 213 to trigger an action if and when a tainted memory location is accessed”, par. 0063, “instruction sequences are augmented to check and propagate taint status of accessed storage and, in the case of restricted uses, to trigger appropriate action... Once labeling point 311 initially characterizes an input as tainted, instrumented execution is triggered (381) for a relevant set of executable code. While the relevant set is, in general, situation- and perhaps implementation-dependent, it is often possible to identify a code base to which a tainted input is supplied”]; injecting a set of instrumentation code into the program [[according to a dynamic tracing framework]] [par. 0023, “certain implementations may employ runtime binary translation or dynamic recompilation of selected portions of existing code deployments as an efficient instrumented mode execution mechanism”, par. 0057, “instrumented execution modes dynamically augment the functionality of executable/executing code and may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc.”, par. 0065, “a sequence that includes a first instruction (e.g., use 331) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 394 to memory location 396 or register 315). The additional instructions interact with store 322 to check and propagate taint status”, par. 0082, “dynamically augmented code is executed (551A) as an instrumented mode computation 550A corresponding to the base computation 550 which includes the triggering instruction”]; determining the instrumentation code executes; scanning the first location for a threat [par. 0121, “In general, a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.”, par. 0084, propagation vectors, par. 0122, “Certain instructions (e.g., control transfer instructions that use tainted data as a branch target or return address) cause an evaluation of control block 612 or 792 based on the current tainted locations in store 822. When a branch instruction 833 references a register (815) that contains a branch target or return address for the control transfer instruction control block 612 or 792 is evaluated and a taint exit event 834 may be triggered. Following remediation, control block 612 or 792 is evaluated again and execution of the instructions may resume in the guest privilege mode”].
Pike does not explicitly disclose the program is an encrypted program.
However, Christodorescu et al. in the field relates to a computer program for detecting malicious computer programs (malware) teaches the program is encrypted [par. 0015, “the present invention may provide a malware normalization program that monitors memory locations written to during execution of a suspect program. Execution by the suspect program of the "written to" memory locations is used to trigger an analysis of the suspect program against malware signatures based on an assumption that any encrypted or compressed code is not decrypted or uncompressed”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Christodorescu et al. into the teaching of Pike with the motivation of providing a malware normalizer that may be part of a malware detection system that permits practical detection of encrypted and/or compressed malware programs as taught by Christodorescu et al. [Christodorescu et al.: par. 0022].
They do not explicitly disclose injecting the set of instrumentation code into the program according to a dynamic tracing framework, wherein the dynamic tracing framework comprises steps performed by the probe.
However, Schuba et al. in the field relates to techniques for instrumenting programs to facilitate detection of anomalous and/or malicious behavior teaches injecting the set of instrumentation code into the program according to a dynamic tracing framework, wherein the dynamic tracing framework comprises steps performed by the probe [par. 0015, “We employ a dynamic tracing environment called DTRACE (available from Sun Microsystems, Inc. with implementations of the SOLARIS 10 Operating Environment) to dynamically instrument code in ways previously not achievable and exploit certain dynamically introduced instrumentation to facilitate signature-oriented and/or anomaly-oriented intrusion detection strategies described herein”, par. 0022, “In any case, based on the illustration, persons of ordinary skill in the art will appreciate a wide variety of similar intrusion detection strategies that can be developed using an efficient, low-impact and dynamically introducible kernel-level tracing facility such as dtrace to appropriately instrument code. Probe Introduction and Use”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Schuba et al. into the teaching of Pike and Christodorescu et al. with the motivation that is able to identify operation of the exploit as taught by Schuba et al. [Schuba et al.: par. 0026].
They do not explicitly disclose the dynamic tracing framework comprises steps performed by a tracing tool.
However, Lam et al. teaches the dynamic tracing framework comprises steps performed by a tracing tool [col. 3, lines 10-16, “To demonstrate the usefulness of the GIFT framework, we build a tool based on GIFT called Aussum, which could automatically instrument arbitrary network applications to track the provenance of information objects and enable selective sandboxing on the execution of application programs when they operate on information objects from suspicious sources”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lam et al. into the teaching  as taught by Lam et al. [Lam et al.: col. 2, lines 29-31].
Regarding claim 2, the rejection of claim 1 is incorporated. Pike further discloses examining, by the set of processors, the first section of code and a set of subsequent instructions in the program, wherein the set of subsequent instructions references the first location [par. 0121, “In general, a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.”, par. 0084, propagation vectors, par. 0122, “Certain instructions (e.g., control transfer instructions that use tainted data as a branch target or return address) cause an evaluation of control block 612 or 792 based on the current tainted locations in store 822. When a branch instruction 833 references a register (815) that contains a branch target or return address for the control transfer instruction control block 612 or 792 is evaluated and a taint exit event 834 may be triggered. Following remediation, control block 612 or 792 is evaluated again and execution of the instructions may resume in the guest privilege mode”]; determining, by the set of processors, the instrumentation code is triggered by a second section of code in the program; determining, by the set of processors, a second location where the first section of code will store a set of data requested in the set of data requests; and marking, by the set of processors, the second location [par. 0045, “when information destined for a location (e.g., location 294) in memory 213 is initially characterized as tainted, a store 222 of tainted locations is updated and memory subsystems associated with memory 213 are configured to trigger an action in circumstances consistent with use or propagation of the tainted information... In general, we use any of a variety of techniques, including unmapping a corresponding memory page, marking a page as non-readable and/or non-writable, truncating a data segment or setting a breakpoint or watch point”, par. 0121, “a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.”, par. 0084, propagation vectors, par. 0122, “Certain instructions (e.g., control transfer instructions that use tainted data as a branch target or return address) cause an evaluation of control block 612 or 792 based on the current tainted locations in store 822”].
Regarding claim 3, the rejection of claim 2 is incorporated. Pike further discloses the set of subsequent instructions reference the second location [par. 0045, “when information destined for a location (e.g., location 294) in memory 213 is initially characterized as tainted, a store 222 of tainted locations is updated and memory subsystems associated with memory 213 are configured to trigger an action in circumstances consistent with use or propagation of the tainted information... In general, we use any of a variety of techniques, including unmapping a corresponding memory page, marking a page as non-readable and/or non-writable, truncating a data segment or setting a breakpoint or watch point”, par. 0121, “a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.” par. 0084, propagation vectors, par. 0122, “Certain instructions (e.g., control transfer instructions that use tainted data as a branch target or return address) cause an evaluation of control block 612 or 792 based on the current tainted locations in store 822”].
Regarding claim 4, the rejection of claim 2 is incorporated. Pike further discloses scanning the first location for the set of threats further includes scanning, by the set of processors, the second location for the set of threats [par. 0045, “when information destined for a location (e.g., location 294) in memory 213 is initially characterized as tainted, a store 222 of tainted locations is updated and memory subsystems associated with memory 213 are configured to trigger an action in circumstances consistent with use or propagation of the tainted information... In general, we use any of a variety of techniques, including unmapping a corresponding memory page, marking a page as non-readable and/or non-writable, truncating a data segment or setting a breakpoint or watch point”, par. 0121, “a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.” par. 0084, propagation vectors, par. 0122, “Certain instructions (e.g., control transfer instructions that use tainted data as a branch target or return address) cause an evaluation of control block 612 or 792 based on the current tainted locations in store 822”].
Regarding claim 5, the rejection of claim 1 is incorporated. Pike further discloses tracking, by the set of processors, responsive to marking the first location, the first location [par. 0121, “In general, a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815)”, par. 0084, propagation vectors, par. 0057, “handler 221 initiates an instrumented execution mode 223 that facilitates taint tracking at least while register storage contains tainted data. In general, instrumented execution modes dynamically augment the functionality of executable/executing code and may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc.”].
Regarding claim 6, the rejection of claim 1 is incorporated. Pike further discloses (i) the set of data is requested in a set of data requests from the program [par. 0045, “when information destined for a location (e.g., location 294) in memory 213 is initially characterized as tainted, a store 222 of tainted locations is updated and memory subsystems associated with memory 213 are configured to trigger an action in circumstances consistent with use or propagation of the tainted information. Typically, store 222 includes an identification of locations that are considered to be tainted”].
Regarding claim 7, the rejection of claim 1 is incorporated. Pike further discloses the set of instrumentation code (i) is a dynamic binary instrumentation, (ii) is injected subsequent to the second section of code in an instruction execution stream, and (iii) does not modify the second section of code [par. 0023, “certain implementations may employ runtime binary translation or dynamic recompilation of selected portions of existing code deployments as an efficient instrumented mode execution mechanism”, par. 0057, “instrumented execution modes dynamically augment the functionality of executable/executing code and may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc.”, par. 0065, “a sequence that includes a first instruction (e.g., use 331) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 394 to memory location 396 or register 315). The additional instructions interact with store 322 to check and propagate taint status”, par. 0082, “dynamically augmented code is executed (551A) as an instrumented mode computation 550A corresponding to the base computation 550 which includes the triggering instruction”].
Regarding claim 9, the rejection of claim 1 is incorporated. Pike further discloses tracking, by the set of computer processors, a flow of the set of data [par. 0121, “In general, a sequence that includes a first instruction (e.g., use 831) that copies data without modification is augmented with additional instructions (or other functionality) to propagate taint status from the source to the destination of the first instruction (e.g., from memory location 894 to memory location 896 or register 815). The additional instructions interact with store 822 to check and propagate taint status.”, par. 0084, propagation vectors, par. 0057, “handler 221 initiates an instrumented execution mode 223 that facilitates taint tracking at least while register storage contains tainted data. In general, instrumented execution modes dynamically augment the functionality of executable/executing code and may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc.”].
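The mechanism the rejections of claims 1-9 rely on (a store of tainted locations, a trigger when a tainted location is accessed, taint propagation from source to destination of a copy, a "taint exit" when a control transfer references a tainted location, followed by a scan of that location) is easier to follow in a small working model. The following Python is an added illustration written for this page; it is not code from the application, from Pike, Christodorescu et al., Schuba et al. or Lam et al., and its instruction set, signature pattern and sample programs are constructed. It models the instrumentation as an interpreter loop rather than the binary translation or JIT re-compilation the references describe, and it includes a signature scan of the offending location in the spirit of claim 8.

```python
from dataclasses import dataclass, field

# Constructed threat signatures: byte patterns the scanner looks for in a tainted
# location (stand-in for a signature database; not real malware patterns).
SIGNATURES = {b"\x90\x90\xcc"}


@dataclass
class Machine:
    """Toy machine with a taint store and an instrumented instruction loop."""
    mem: dict = field(default_factory=dict)     # location -> bytes held there
    tainted: set = field(default_factory=set)   # store of tainted locations
    events: list = field(default_factory=list)  # triggered actions, in order
    pc: int = 0

    def read(self, loc):
        # Memory-subsystem trigger: any access to a tainted location is recorded.
        if loc in self.tainted:
            self.events.append(("access", loc))
        return self.mem.get(loc, b"")

    def write(self, loc, value, sources):
        # Propagation: the destination becomes tainted if any source was tainted;
        # a write from clean sources clears the destination's taint.
        self.mem[loc] = value
        if any(src in self.tainted for src in sources):
            self.tainted.add(loc)
            self.events.append(("propagate", loc))
        else:
            self.tainted.discard(loc)

    def scan(self, loc):
        """Signature scan of one location; returns the set of matched patterns."""
        data = self.mem.get(loc, b"")
        return {sig for sig in SIGNATURES if sig in data}


def run_program(program, untrusted_input):
    """Execute `program` (a constructed instruction list) and return (result, machine).

    result["status"] is "halted" for a clean run, or "blocked" when a control
    transfer tried to use a tainted location: the defensive measure here is to
    stop before the jump and scan the offending location for signatures.
    """
    m = Machine()
    while True:
        ins = program[m.pc]
        m.pc += 1
        op = ins[0]
        if op == "input":            # labeling point: external data enters here
            m.mem[ins[1]] = untrusted_input
            m.tainted.add(ins[1])
            m.events.append(("label", ins[1]))
        elif op == "const":          # write a program constant (clean source)
            m.write(ins[1], ins[2], [])
        elif op == "copy":           # copy without modification
            m.write(ins[1], m.read(ins[2]), [ins[2]])
        elif op == "concat":         # derived value: taint flows from either operand
            m.write(ins[1], m.read(ins[2]) + m.read(ins[3]), [ins[2], ins[3]])
        elif op == "jmp_reg":        # control transfer through a register/location
            loc = ins[1]
            if loc in m.tainted:
                m.events.append(("taint_exit", loc))
                return {"status": "blocked", "location": loc, "threats": m.scan(loc)}, m
            m.pc = int.from_bytes(m.read(loc), "little")
        elif op == "halt":
            return {"status": "halted", "location": None, "threats": set()}, m
        else:
            raise ValueError(f"unknown op {op!r}")


# Constructed sample programs.
BENIGN = [
    ("const", "r1", b"\x03"),   # jump target comes from the program itself
    ("jmp_reg", "r1"),
    ("halt",),
    ("halt",),
]

TAINTED_JUMP = [
    ("input", "buf"),           # untrusted bytes land in buf (tainted)
    ("copy", "r1", "buf"),      # copied into the register used as a jump target
    ("jmp_reg", "r1"),          # tainted control transfer -> taint exit event
    ("halt",),
]

OVERWRITTEN = [
    ("input", "buf"),
    ("const", "buf", b"\x03"),  # clean overwrite clears the taint before use
    ("jmp_reg", "buf"),
    ("halt",),
]

if __name__ == "__main__":
    for name, prog in [("benign", BENIGN), ("tainted jump", TAINTED_JUMP), ("overwritten", OVERWRITTEN)]:
        result, machine = run_program(prog, b"\x90\x90\xcc\x10")
        print(name, result["status"], result["threats"], machine.events)
```

The three programs show the three outcomes that matter: no taint ever enters the benign program, so nothing triggers; the tainted jump is stopped before the transfer and its target location is scanned; and a clean overwrite of a tainted location removes it from the store, so a later jump through it is allowed.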
Regarding claim 11, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.

Claims 8 and 18 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pike (US 2008/0216175 A1), Christodorescu et al. (US 2010/0011441 A1), Schuba et al. (US 2007/0107058 A1) and Lam et al. (2006 22nd Annual Computer Security Applications Conference (ACSAC'06)) as applied to claims 1-7, 9, 11-17 and 19-20 above, and further in view of Kramer et al. (US 2006/0130141 A1).
Regarding claim 8, the rejection of claim 1 is incorporated.
Pike discloses scanning the first location for the set of threats.
Pike and Schuba et al. do not explicitly disclose scanning the first location for the set of threats employs signature analysis.
However, Kramer et al. in the field relates to removing active malware from a computer teaches scanning the first location for the set of threats employs signature analysis [par. 0034, “When the active malware-scanning engine 406 scans data mapped in memory, the malware signatures in the database 412 are referenced for a match”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Kramer et al. into the teaching of Pike, Christodorescu et al., Schuba et al. and Lam et al. with the motivation that by analyzing only specific locations on a computer, the scanning engine is able to identify malware much faster than existing antivirus software as taught by Kramer et al. [Kramer et al.: par. 0031].
Regarding claim 18, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.

Claim 10 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pike (US 2008/0216175 A1), Christodorescu et al. (US 2010/0011441 A1), Schuba et al. (US 2007/0107058 A1) and Lam et al. (2006 22nd Annual Computer Security Applications Conference (ACSAC'06)) as applied to claims 1-7, 9, 11-17 and 19-20 above, and further in view of Ray et al. (US 2006/02000863 A1).
Regarding claim 10, the rejection of claim 6 is incorporated.
Pike discloses tracking the flow of the set of data.
Pike, Schuba et al. and Christodorescu et al. do not explicitly disclose tracking the flow of the set of data further includes: maintaining, by the set of processors, a set of indicators in a page table entry associated with the first location.
However, Ray et al. in the field relates to protection of computing devices against malware teaches tracking the flow of the set of data further includes: maintaining, by the set of processors, a set of indicators in a page table entry associated with the first location [par. 0015, “In instances when a page is not in a safe state, the access bits associated with the page are set so that if the process attempts to access the page, the page fault handler is invoked... If the scan engine does not identify malware, the page table access bits that define the access rights of the process to the page, including the ability of the process to execute information on the page, will be modified. In some instances, the process may access the page without the page fault handler being invoked and an additional scan for malware being performed.”].
Christodorescu et al., Schuba et al. and Lam et al. with the motivation of using the page table access bits to indicate pages are not safe and may cause a scan engine to perform a scan if the computing device may be exposed to the effects of malware as taught by Ray et al. [Ray et al.: par. 0015].


Response to Arguments
Applicant’s arguments, filed on 03/10/2021, with respect to rejection under 35 USC § 103 have been considered but are moot in view of the new ground(s) of rejection.
On page 10 of the Remarks, Applicant further argues that “Christodorescu clearly is required to not only decrypt the encrypted malware but also to remove "semantically identified nonfunctional code added to disguise the malware." As such, the combination of Pike, Schuba, and Christodorescu does not render the claimed features as obvious when those features are viewed as a whole.”
In response, the Examiner respectfully disagrees.  Christodorescu discloses a malware normalizer that may be part of a malware detection system that permits practical detection of encrypted and/or compressed malware programs. The detection of compressed or encrypted malware relies on an insight that a packed or encrypted program can be inferred by detection of a suspect program's execution of data previously written by the suspect program. Before the effective filing date of the claimed invention, it would have been obvious to a person having  as taught by Christodorescu et al. [Christodorescu et al.: par. 0022].


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20130312103 A1	Detecting exploitable bugs in binary code
US 8381192 B1		Software testing using taint analysis and execution path alteration
US 8584241 B1		Computer forensic system
US 7958558 B1		Computational system including mechanisms for tracking propagation of information with aging
US 20040030912 A1	Systems and methods for the prevention of unauthorized use and manipulation of digital content
US 20120255018 A1	System and method for securing memory and storage of an electronic device with a below-operating system security agent
US 20060130141 A1	System and method of efficiently identifying and removing active malware from a computer
US 20100011441 A1	System for malware normalization and detection

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM TO 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/JASON CHIANG/Primary Examiner, Art Unit 2431