DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

3. Claim(s) 1, 2, 5, 8-11, 14 and 17-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Aziz (US Pat. No. 10,893,059).

4. Regarding claims 1, 10 and 19 Aziz teaches a method, an apparatus and a non-transitory, computer readable medium comprising: obtaining, by a device, execution records regarding executions of a plurality of binaries, wherein the execution records comprise command line arguments used during the executions (Col. 2, lines 21-43 and 56-67; Col. 3, lines 1-16 teaches a malware detection system (MDS) operating at the periphery of a network determines an object contained in network traffic entering the network is likely malicious by analyzing the traffic and in particular the object. To verify the cyber-attack identified by the MDS, an endpoint device (e.g., the endpoint device receiving the network traffic containing the malicious object) will monitor the processing of the object during execution to identify characteristics and behaviors to enhance the MDS/SLE (security logic engine) determination of maliciousness. The endpoint device processes, e.g., loads the object and executes the object [command line argument

determining, by the device, measures of similarity between the executions of the binaries based on their command line arguments; clustering, by the device, the executions into clusters based on the determined measures of similarity (Col. 7, lines 23-56; Col. 15, lines 10-51 teaches the correlation engine will correlate the feature sets received from the endpoint device and the malware detection system (MDS) to determine whether the endpoint observed the same or similar features to those monitored in the MDS on which its classification decision was based, and will also correlate those feature sets with features exhibited by known malware and/or malware families. In so doing, the correlation engine will apply correlation rules to determine whether the feature sets separately (or those common features of the feature sets) indicate or verify the object as malware. Col. 15, lines 57-67; Col. 16, lines 1-33 teaches the determination of the risk level of the object processed by the malware detection system MDS and observed by the endpoint device will be based on monitored events used by the correlation engine, inter alia, (i) the location from where the object originated, (ii) whether the processed object spawned a new process, and (iii) actions taken by received objects during processing (e.g., executable code contained in objects attempts to execute a callback [command line argument]). The security logic engine (SLE) will classify/cluster the object as malicious, suspicious, or benign in response to a score generated by the scorer based on the determined risk level);

and flagging, by the device, the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware (Col. 4, lines 33-42 and Col. 10, lines 7-21 teaches identifying if the objects match known indicators of malware. The MDS or SLE will provide the
Col. 4, lines 21-29; Col. 5, lines 2-17 teaches the SLE will issue an alert [flag herein] over the network, for example, an email, text or other communication signal, to a security administrator based on verification of a cyber-attack. The alert will include information providing an assessment of the risk posed by the cyber-attack, information regarding the features of malware involved in the cyber-attack, identification of the endpoint device or devices involved in the attack, and related information such as the software executing on the endpoint device found to be affected or vulnerable).

5. Regarding claims 2, 11 Aziz teaches the method, the apparatus further comprising: providing, by the device and via a network, data regarding the indicator of compromise to a monitoring agent executed by a client, wherein the monitoring agent uses the indicator of compromise to detect malware on the client (Col. 4, lines 33-42 and Col. 10, lines 7-21 teaches the monitoring agent uses the indicator of compromise to detect malware on the client device).

6. Regarding claims 5, 14 and 20 Aziz teaches the method, the apparatus and the non-transitory, computer readable medium wherein obtaining the execution records comprises: receiving, at the device, the execution records from one or more monitoring agents executed by one or more clients at which the binaries are executed (Col. 10, lines 36-67 teaches execution of binary files).

7. Regarding claims 8, 17 Aziz teaches the method, the apparatus, wherein flagging the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: selecting the particular cluster for the flagging, based on the 

8. Regarding claims 9, 18 Aziz teaches the method, further comprising: preventing, by the device, use of the indicator of compromise for detection of malware, when the indicator of compromise triggers a threshold amount of binaries to be deemed as malware (Col. 4, lines 33-46 and Col. 10, lines 7-21 teaches the indicator of compromise is triggered when the threat level exceeds a threshold).

Claim Rejections - 35 USC § 103
9. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

10. Claims 3, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz (US Pat. No. 10,893,059) as applied to claims 1, 10 above and in view of Xu (US Pub. No. 2019/0104139).

11. Regarding claims 3, 12 Aziz teaches all the above claimed limitations but does not expressly teach the method, the apparatus wherein determining the measures of similarity between the executions of the binaries comprises: assigning term frequency-inverse document frequency scores to the command line arguments.

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Aziz to include assigning term frequency-inverse document frequency scores to the command line arguments as taught by Xu since such a setup would yield a predictable result of identifying malware in the communication.

12. Claims 4, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz (US Pat. No. 10,893,059) as applied to claims 1, 10 above and in view of Su (US Pub. No. 2011/0103711).

13. Regarding claims 4, 13 Aziz teaches all the above claimed limitations but does not expressly teach the method, the apparatus wherein clustering, by the device, the executions into clusters based on the determined measures of similarity comprises: applying parallel label propagation to the command line arguments, to perform graph clustering on the command line arguments.

Su teaches applying parallel label propagation to the command line arguments, to perform graph clustering on the command line arguments (Para. 0036 teaches applying parallel label propagation).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Aziz to include applying parallel label propagation to the command line arguments, to perform graph clustering on the command line arguments as taught by Su since such a setup would yield a predictable result of determining a malicious node.

14. Claims 6, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz (US Pat. No. 10,893,059) as applied to claims 1, 10 above and in view of Krasser (US Pub. No. 2011/0162070).

15. Regarding claims 6, 15 Aziz teaches all the above claimed limitations but does not expressly teach the method, the apparatus wherein flagging the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: filtering out at least one of the clusters based on the filtered cluster being associated with a benign binary or a binary with high prevalence of execution by a set of clients.

Krasser teaches filtering out at least one of the clusters based on the filtered cluster being associated with a benign binary or a binary with high prevalence of execution by a set of clients (Paras. 0009, 0013, 0015 and claims 1, 6 teach filtering the binary files).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Aziz to include filtering out at least one of the clusters based on the filtered cluster being associated with a benign binary or a binary with high prevalence of execution by a set of clients as taught by Krasser since such a setup would yield a predictable result of determining whether the file is benign or malicious.

16. Claims 7, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz (US Pat. No. 10,893,059) as applied to claims 1, 10 above and in view of Avasarala (US Pub. No. 2014/0090061).

17. Regarding claims 7, 16 Aziz teaches all the above claimed limitations but does not expressly teach the method, the apparatus wherein flagging the command line arguments for a

Avasarala teaches selecting the particular cluster for the flagging, based on the number of unique binaries associated with the particular cluster (Paras. 0018-0019 and 0039 teach flagging a selected cluster of binary files).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Aziz to include selecting the particular cluster for the flagging, based on the number of unique binaries associated with the particular cluster as taught by Avasarala since such a setup would yield a predictable result of identifying an unknown file as malware or not.
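As an added worked example (it is not code from the application, the examiner, or any of the cited references; the execution records, thresholds and the simplified synchronous label propagation are constructed assumptions), the following Python carries the limitations discussed under claims 1, 3, 4, 6, 7 and 9 through end to end: TF-IDF scoring of command line argument tokens, cosine similarity, parallel-style label propagation over the resulting similarity graph, filtering of clusters tied to benign or high-prevalence binaries, selection by the number of unique binaries, flagging of the cluster's shared arguments as an indicator of compromise, and suppression of an indicator that would condemn more than a threshold share of binaries.

```python
import math
from collections import Counter, defaultdict

# Constructed sample execution records (hypothetical telemetry, not from any
# cited reference): (record id, binary, command line, verdict, client count).
# verdict is "malware", "benign" or "unknown"; client count is how many
# monitored clients executed this binary (its prevalence).
RECORDS = [
    ("r1", "dropper.exe",  "powershell -nop -w hidden -enc QUJD", "malware", 2),
    ("r2", "dropper2.exe", "powershell -nop -w hidden -enc REVG", "unknown", 1),
    ("r3", "updater.exe",  "powershell -nop -w hidden -enc R0hJ", "unknown", 1),
    ("r4", "backup.exe",   "robocopy C:\\data D:\\backup /MIR",   "unknown", 40),
    ("r5", "backup.exe",   "robocopy C:\\docs D:\\backup /MIR",   "unknown", 40),
    ("r6", "svc.exe",      "sc query wuauserv",                   "benign",  50),
]


def tokenize(cmdline):
    """Split a command line into whitespace-delimited argument tokens."""
    return cmdline.split()


def tfidf_vectors(records):
    """Assign term frequency-inverse document frequency weights to each
    record's argument tokens (smoothed idf, a common text-mining variant)."""
    docs = {rid: tokenize(cmd) for rid, _, cmd, _, _ in records}
    n = len(docs)
    df = Counter(tok for toks in docs.values() for tok in set(toks))
    vectors = {}
    for rid, toks in docs.items():
        tf = Counter(toks)
        vectors[rid] = {
            tok: (cnt / len(toks)) * (math.log((n + 1) / (df[tok] + 1)) + 1)
            for tok, cnt in tf.items()
        }
    return vectors


def cosine(u, v):
    """Cosine similarity between two sparse TF-IDF vectors (dicts)."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def label_propagation(vectors, min_similarity=0.5, max_iter=20):
    """Synchronous (parallel-style) label propagation over a similarity graph:
    in each round every node adopts the majority label among its neighbours
    and itself, ties broken by the smallest label, until labels stabilise."""
    ids = sorted(vectors)
    neigh = {a: [b for b in ids if a != b and
                 cosine(vectors[a], vectors[b]) >= min_similarity] for a in ids}
    labels = {a: a for a in ids}
    for _ in range(max_iter):
        new = {}
        for a in ids:
            votes = Counter(labels[b] for b in neigh[a] + [a])
            best = max(votes.values())
            new[a] = min(lab for lab, c in votes.items() if c == best)
        if new == labels:
            break
        labels = new
    clusters = defaultdict(list)
    for a, lab in labels.items():
        clusters[lab].append(a)
    return [sorted(m) for m in clusters.values()]


def shared_arguments(cluster, records):
    """Argument tokens present in every execution of the cluster, ordered as
    they appear in the first member's command line."""
    by_id = {r[0]: r for r in records}
    common = set.intersection(*(set(tokenize(by_id[rid][2])) for rid in cluster))
    return [t for t in tokenize(by_id[cluster[0]][2]) if t in common]


def hit_fraction(indicator, records):
    """Fraction of distinct binaries whose executions contain every indicator token."""
    binaries = {b for _, b, _, _, _ in records}
    hit = {b for _, b, cmd, _, _ in records if set(indicator) <= set(tokenize(cmd))}
    return len(hit) / len(binaries)


def build_indicators(records, max_prevalence=20, min_unique_binaries=2, max_hit_fraction=0.8):
    """Cluster executions and return the command line argument sets flagged as IoCs."""
    by_id = {r[0]: r for r in records}
    indicators = []
    for cluster in label_propagation(tfidf_vectors(records)):
        members = [by_id[rid] for rid in cluster]
        verdicts = {m[3] for m in members}
        # Filter out clusters tied to a benign or high-prevalence binary.
        if "benign" in verdicts or any(m[4] >= max_prevalence for m in members):
            continue
        # Flag only when a member binary is known malware and the cluster
        # spans enough unique binaries to be more than a single sample.
        if "malware" not in verdicts or len({m[1] for m in members}) < min_unique_binaries:
            continue
        ioc = shared_arguments(cluster, records)
        # Guard: do not deploy an indicator that would condemn most binaries.
        if not ioc or hit_fraction(ioc, records) > max_hit_fraction:
            continue
        indicators.append(ioc)
    return indicators


if __name__ == "__main__":
    print(label_propagation(tfidf_vectors(RECORDS)))
    print(build_indicators(RECORDS))
```

With the constructed records the three encoded PowerShell executions cluster together and their shared arguments become the indicator, the robocopy cluster is filtered out for prevalence and the service query for its benign verdict; lowering max_hit_fraction below the 0.6 share of binaries the indicator matches suppresses it, which is the threshold behaviour of claims 9 and 18.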

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEREENA T CATTUNGAL/ Primary Examiner, Art Unit 2431