DETAILED ACTION
Claims 1-10, 17 and 21-30 are pending. Claims 11-16 and 18-20 were canceled and claims 31-32 are new. Claims 1, 8, 10, 17, 24-26 and 30 are amended. This is in response to Applicant’s arguments and amendments filed on March 30, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Authorization
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Bob Rapp #65,977 on June 4, 2021.

Claim Amendment
1. (Currently amended) A method for identifying malware based on an analysis of dynamic binary instrumentation (DBI) framework state information, the method comprising:
receiving program code included in a data set after a first processor has added an identifier to metadata of the data set indicating that the program code in the data set 
identifying that the metadata of the data set includes the malware program code identifier; 
rendering the program code active by removing the one or more instructions;
loading the program code and a set of observation instructions of a DBI framework into at least a portion of a memory for execution; 
observing one or more actions performed during the execution of the program code that was loaded in the portion of the memory by executing the set of observation instructions of the DBI framework;  
associating the one or more actions with the DBI framework state information;
identifying that the program code is malicious based on an identification that the DBI framework state information corresponds to a malicious program code behavior based on allocation of additional memory by the program code; and
performing a corrective action based on the identification that the program code is malicious. 

2. (previously presented) The method of claim 1, wherein the first processor executes instructions to:
identify that the data set includes the program code;
allow instructions of the program code to be executed out of the memory by a processor;

analyze data associated with the one or more observation instructions, wherein the program code is identified as having performed a suspicious activity;
classify the data set as possibly including the malicious program code based on the identified suspicious activity; and
perform at least one action based on the classification.

3. (previously presented) The method of claim 2, wherein the at least one action includes modifying the data set to include the classification and storing the modified data set.

4. (previously presented) The method of claim 3, wherein the modification of the data set includes adding the classification to the metadata of the data set.

5. (previously presented) The method of claim 2, wherein the first processor is located at a first computer system that is physically separate from a second computer that receives the program code included in the data set. 

6. (previously presented) The method of claim 1, further comprising executing additional instructions by a virtual set of operating system software. 



8. (previously presented) The method of claim 1, further comprising monitoring the program code via a background process that polls memory locations separate from a main execution path of the program code.

9. (previously presented) The method of claim 1, further comprising associating the portion of the memory with a first set of contextual information and associating a set of analysis code with a second set of contextual information.

10. (currently amended) A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor for implementing a method for identifying malware based on an analysis of dynamic binary instrumentation (DBI) framework state information, the method comprising:
receiving program code included in a data set after a first processor has added an identifier to metadata of the data set indicating that the program code in the data set is suspected of being malware, wherein the program code is rendered inactive by way of 
identifying that the metadata of the data set includes the malware program code identifier; 

loading the program code and a set of observation instructions of a DBI framework into at least a portion of a memory for execution; 
observing one or more actions performed during the execution of the program code that was loaded in the portion of the memory by executing the set of observation instructions of the DBI framework;
associating the one or more actions with the DBI framework state information;
identifying that the program code is malicious based on an identification that the DBI framework state information corresponds to a malicious program code behavior based on allocation of additional memory by the program code; and
performing a corrective action based on the identification that the program code is malicious. 

11. - 16. (Cancelled)
 
17. (Currently amended) An apparatus for identifying malware based on an analysis of dynamic binary instrumentation (DBI) framework state information, the apparatus comprising:
a memory;  
a network interface that receives program code included in a data set after an identifier has been added to metadata of the data set, the identifier indicating that the program code is suspected of being malware, wherein the program code has been rendered inactive by inserting one or more instructions into the program code that result 
a hardware processor that executes instructions out of the memory, wherein the processor executes the instructions to:
identify that the metadata of the data set includes the malware program code identifier, 
render the program code active by removing the one or more instructions, 
load the program code and a set of observation instructions of a DBI framework into at least a portion of a memory for execution, 
observe one or more actions performed during the execution of the program code that was loaded in the portion of the memory by executing the set of observation instructions,
associate the one or more actions with the DBI framework state information,
identify that the program code is malicious based on an identification that the DBI framework state information corresponds to a malicious program code behavior based on allocation of additional memory by the program code; and
perform a corrective action based on the identification that the program code is malicious. 

18. - 20. (cancelled)



22. (previously presented) The method of claim 21, further comprising identifying that the observation information includes at least one of content of a register, a program code process parameter, content of one or more specified memory locations, memory state data, or memory allocation data.

23. (previously presented) The method of claim 21, further comprising identifying from the observation information that at least one operating system (OS) loader instruction has been executed to load data into the portion of the memory.

24. (previously presented) The method of claim 21, further comprising identifying from the observation information that the program code has been loaded into the portion of the memory.

25. (previously presented) The method of claim 21, further comprising identifying from the observation information that data included in the program code has been decrypted.



27. (previously presented) The method of claim 21, further comprising identifying from the observation information that a boot block has been written to.

28. (previously presented) The method of claim 21, further comprising identifying from the observation information that a system registry has been updated.

29. (previously presented) The method of claim 21, further comprising identifying from the observation information that file system data has been changed.

30. - 31. (cancelled) 

32. (previously presented) The method of claim 1, wherein the first processor is located at a firewall and the suspect program code is rendered active by a second processor located at an analysis computer.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Applicant agrees to amend for allowance since no art, singly or in combination, teaches using a DBI framework for analysis of suspected program code 
observe one or more actions performed during the execution of the program code that was loaded in the portion of the memory by executing the set of observation instructions, associate the one or more actions with the DBI framework state information, identify that the program code is malicious based on an identification that the DBI framework state information corresponds to a malicious program code behavior based on allocation of additional memory by the program code. Therefore, claims 1, 10 and 17 are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/TRI M TRAN/Primary Examiner, Art Unit 2494