DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 2/25/2019 and 7/09/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 11 is objected to because of the following informalities:
Claim 11 recites “a central node having a processing configured”, which should be amended to “a central node having a processor .
Appropriate correction is required.

Duplicate Claims
Applicant is advised that should claim 9 be found allowable, claim 20 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because they are directed to a “system” comprising of a “collection node” and a “central node”. These nodes further include a “processor”. A processor may be interpreted as software. One known definition of a processor is described in IEEE 100: The Authoritative Dictionary of IEEE Standards Terms (7th Ed.) as a computer program that translates or interprets instructions. There are no definitions presented in the claims or specifications that explicitly limit a “node” or a “processor” as only hardware. Thus, the system is a software system containing. Software per se is not patentable subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3, 4, 6-11, 13, 14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Klein (hereinafter, “Klein”), US 2018/0113920 in view of Ramanan et al. (hereinafter, “Ramanan”), US 2015/0180997.
As per claim 1: Klein discloses: A non-transitory computer-readable medium comprising instructions which, when executed by a computer system, cause the computer system to carry out a method for artifact metadata extraction and analysis including steps of (a computer-implemented method for extracting data for analysis [Klein, ¶4]): collecting an artifact from a source (receiving a container by a recursive extraction framework [Klein, ¶31]); (determine a primary format of the container [Klein, ¶32]); recursively extracting embedded artifacts and metadata contained in the artifact; testing to determine whether the artifact has been broken down into minimal constituent elements; continuing to recursively extract one or more embedded artifacts and metadata if is determined that the artifact has not been broken down into minimal constituent elements (the recursive extraction framework extracts nested/embedded data within the container until extraction is no longer possible after a particular data has already been performed [Klein, ¶¶33, 36]); analyzing all artifacts, embedded artifacts, and metadata, once extraction has been completed (the extracted data is subjected to analysis [Klein, ¶¶25, 29]),  (storing extracted data and metadata associated with the extracted data in a driver 206 of the recursive extraction framework [Klein, ¶39; Fig. 2]).
Klein is directed to extracting digital data for forensic analysis [Klein, ¶23]. Klein does not explicitly state that the analysis is malware analysis as recited in the strikethrough claimed limitations. However, Ramanan is directed to analogous art of deconstructing a software object into portions for malicious code scanning [Ramanan, ¶37]. Therefore, Ramanan discloses: determining whether the artifact has been previously analyzed (receiving an object, generating a signature, and determining if the signature matches a signature in the local cache analyzing…for malicious content…and triggering a security action if it is determined, by the analysis step, that any of the original artifact, one or more embedded artifacts and metadata extracted from the artifact contain malicious content (scanning the object and updating the local cache with scan results to either whitelist or blacklist the object [Ramanan, ¶68; Fig. 6(618) & (620)]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement Klein’s recursive data extraction method for malware analysis. Klein does not explicitly limit what type of “analysis” can be done to the extracted data. Malware warfare was known to be a constant battle between attackers developing harder-to-detect malicious software and organizations countering it. Forensic analysis of malware would have been a practical application to better understand how malware operates and to create better mitigation tools against them.

As per claim 3: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: further comprising instructions which, when executed by a computer system, cause the computer system to carry out the step of identifying a type of the embedded artifact directly after the embedded artifact is extracted (one or more extractors are designated to extract specific types of data [Klein, ¶¶30, 39]).

As per claim 4: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: wherein the artifacts, embedded artifact and meta data are analyzed using a plurality of distinct analysis modules (scanning objects (e.g. extracted data in 

As per claim 6: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: further comprising instructions which, when executed by a computer system, cause the computer system to carry out the step of generating a hash of the artifact (generating a signature of the object using any known hash algorithms [Ramanan, ¶62]).

As per claim 7: Klein in view of Ramanan disclose all limitations of claim 6. Furthermore, Klein in view of Ramanan disclose: wherein the step of determining whether the artifact has been previously analyzed includes looking up the hash in memory storage (using the object’s signature to determine if the signature is already stored in the local cache to determine if it was previously scanned and classified [Ramanan, ¶63]).

As per claim 8: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: wherein the artifact is a file (the container can be any data or information, such as a digital file [Klein, ¶24]).

As per claims 9 and 20: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: wherein the artifact is a byte-stream (byte-streams represent digital data in byte form as conventionally understood in the art; in [Klein, 

As per claim 10: Klein in view of Ramanan disclose all limitations of claim 1. Furthermore, Klein in view of Ramanan disclose: wherein the step of testing whether the artifact has been broken down into minimal constituent elements includes comparing results of an extraction step with results of a previous extraction step, a comparison match indicating that the artifact has been fully broken down (comparing extracted data from previous extracted data to determine if has been already extracted [Klein, ¶39]).
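
The steps mapped above for claims 1, 6, 7 and 10 (hash the artifact, look the hash up in a cache, extract recursively until an extraction step matches the previous one, then analyze every layer) can be sketched as follows. This is an added illustration, not code from the application, Klein or Ramanan; the function names, the gzip/zip container handling, the depth and size caps, and the constructed marker are assumptions made for the example.

```python
import gzip, hashlib, io, zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a signature hit
verdict_cache = {}                    # SHA-256 hex digest -> verdict (the local cache)

def extract_once(data):
    """One extraction step: embedded artifacts of `data`, or [] if not a container."""
    try:
        if data[:2] == b"\x1f\x8b":                      # gzip magic
            return [gzip.decompress(data)]
        if data[:4] == b"PK\x03\x04":                    # zip local-file header
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [zf.read(name) for name in zf.namelist()]
    except Exception:
        pass                                             # malformed container: keep as leaf
    return []

def decompose(artifact, max_rounds=16, max_bytes=1 << 24):
    """Extract recursively until a step returns the same result as the previous step."""
    parts, current = [artifact], [artifact]
    for _ in range(max_rounds):                          # cap nesting depth
        nxt = []
        for item in current:
            nxt.extend(extract_once(item) or [item])     # leaves carry over unchanged
        if nxt == current:                               # matches previous step: done
            return parts
        if sum(len(p) for p in nxt) > max_bytes:         # cap expansion (archive bombs)
            raise ValueError("extraction budget exceeded")
        parts.extend(p for p in nxt if p not in parts)
        current = nxt
    raise ValueError("nesting deeper than max_rounds")

def analyze(artifact, scan):
    """Hash, look the hash up, and scan every layer only on a cache miss."""
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in verdict_cache:
        hit = any(scan(part) for part in decompose(artifact))
        verdict_cache[digest] = "malicious" if hit else "clean"
    return verdict_cache[digest]

def build_sample():
    """Constructed input: a zip holding a text file and a gzip-wrapped marker payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("inner.gz", gzip.compress(MARKER * 20))
    return buf.getvalue()
```

A scan of the outer zip alone does not see the marker, because it sits inside the gzip layer; it is found only after decomposition, and a second submission of the same bytes is answered from the cache without rescanning.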

As per claim 11: Claim 11 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 11. Claim 11 is directed to a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 1.

As per claim 13: Claim 12 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 11 are equally applicable to claim 13 and rejected for the same reasons.

As per claim 14: Claim 14 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 11 are equally applicable to claim 14 and rejected for the same reasons.

As per claim 16: Claim 16 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 6. Therefore, the arguments set forth above with respect to claims 6 and 11 are equally applicable to claim 16 and rejected for the same reasons.

As per claim 17: Claim 17 incorporates all limitations of claim 16 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 7. Therefore, the arguments set forth above with respect to claims 7 and 16 are equally applicable to claim 17 and rejected for the same reasons.

As per claim 18: Claim 18 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 8. Therefore, the arguments set forth above 

As per claim 19: Claim 19 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 10. Therefore, the arguments set forth above with respect to claims 10 and 11 are equally applicable to claim 19 and rejected for the same reasons.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Klein in view of Ramanan and in further view of Van Brabant (hereinafter, “Van”), US 2005/0149749.
As per claim 2: Klein in view of Ramanan disclose all limitations of claim 1. Klein in view of Ramanan do not disclose the limitations of claim 2. However, Van is directed to analogous art for scanning files for malicious content, such as viruses [Van, ¶2]. Therefore, Klein in view of Ramanan and Van disclose: further comprising instructions which, when executed by a computer system, cause the computer system to carry out the step of queuing the artifact after it is determined that the artifact has not been previously analyzed (a file server is programmed to receive on-demand anti-virus scan requests and puts them into a queue [Van, ¶15]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a queue for the objects that were not scanned yet in the modified system of Klein in view of Ramanan. A queue would have 

As per claim 12: Claim 12 incorporates all limitations of claim 11 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 11 are equally applicable to claim 12 and rejected for the same reasons.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Klein in view of Ramanan and in further view of Cavazos (hereinafter, “Cavazos”), US 2017/0068816.
As per claim 5: Klein in view of Ramanan disclose all limitations of claim 4. Furthermore, Klein in view of Ramanan disclose: wherein the analysis modules include a signature matching module (signature-based heuristics [Ramanan, ¶37]), a heuristic matching module (behavior-based heuristics [Ramanan, ¶37]), 
Klein in view of Ramanan do not disclose modules using “machine learning” and “deep learning module”. However, Cavazos is directed to analogous art of detecting malware using machine learning techniques [Cavazos, ¶4]. Cavazos discloses building a malware detection model by applying a machine learning algorithm (“machine learning”), such as a deep neural network (“deep learning”) algorithm to a set of known malware and goodware binary executables.


As per claim 15: Claim 15 incorporates all limitations of claim 14 and is a system comprising of nodes executing program code corresponding to the instructions of the non-transitory computer-readable medium of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 14 are equally applicable to claim 15 and rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 6,952,776: Discloses extracting features from an object for virus scanning. No virus detection is performed if the object has not been changed since a last scan.
US 2015/0248556: Discloses disassembling a firmware binary image and classifying its file types for malware evaluation.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453.  The examiner can normally be reached on Mon - Thurs: 10am-7pm ET.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
5-27-2021