Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 7-24-2019 and 5-17-2021 were in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “a trace processor to process…,” “a fingerprint extractor to extract…,” “a fingerprint clusterer to… cluster…,” and “a fingerprint classifier to… classify…” in claim 1.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitations to avoid their being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid their being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The claim limitations “a trace processor to process…,” “a fingerprint extractor to extract…,” “a fingerprint clusterer to… cluster…,” and “a fingerprint classifier to… classify…” invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification does not clearly define whether the above placeholders and their corresponding functions are implemented in hardware, software, or a combination thereof. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claims 2–8 depend from claim 1 and are therefore rejected for the same reason.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1–25 are rejected under 35 U.S.C. 103 as being unpatentable over Davis et al. (US 10484419), hereafter Dav, in view of Rostami-Hesarsorkh et al. (US 10230749), hereafter Ros.
Claim 1: Dav teaches an apparatus comprising (Fig. 5): a trace processor to process events in a processor trace to capture application execution behavior corresponding to processor control flow associated with the events; (C9L32-39: different inputs fed to a binary file such as a portable executable (PE) files will result in different execution paths, the totality of all possible execution paths are encoded in executable code fragments of the binary... and capturing the most "essential" components of each binary);
a fingerprint extractor to extract a first fingerprint from the captured application execution behavior and performance monitor information; (C1L34-37: extracting one or more code fragments from a first software module and computing fingerprints of the code fragments extracted from the first software module);
a fingerprint clusterer to, in a training mode, when the first fingerprint and a second fingerprint are compared and determined to be within a similarity threshold based on a distance metric, cluster the first fingerprint and the second fingerprint into a cluster of fingerprints to be stored in a fingerprint database with a classification; (C4L44-49: fingerprint comparison module is configured to determine a similarity score based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments (i.e., second) extracted from at least a second software module (C6L32-36) similarity score... having a distance to one or more of the fingerprints in the first hash table less than a threshold distance and (C8L48-49) cluster the binary files or otherwise determine similarity between different binary files and (C4L53-55) is further configured to classify the first software module as the given software module type based on the similarity score and (C2L39-40) an attack database stores information relating to previously classified software modules);
Dav is silent on a fingerprint classifier to, in a deployed mode, classify a third fingerprint, the fingerprint classifier to classify the third fingerprint with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold, the fingerprint classifier to trigger a remedial action when the classification is malicious.
However, analogous art Ros teaches a fingerprint classifier to, in a deployed mode, classify a third fingerprint, the fingerprint classifier to classify the third fingerprint with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold, the fingerprint classifier to trigger a remedial action when the classification is malicious. (Ros: C12L2-6: dynamic analysis results include one or more of: observed behavior started a process, spawned new processes, etc. (i.e., third fingerprint); C57L50-58: selecting one or more features from the automated malware analysis results of malware samples and assigning a value to each indicator... comparing the assigned values of the array between two samples and calculating a distance between the two samples; and clustering the samples within a defined threshold of distance; C57L37-39: clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output; C48L46-54: determining whether any of the distinct lines are suspicious is performed; if a line/sub-line is determined to be associated with malware, it is deemed a high-risk artifact and is made actionable. An action is performed based on a high-risk artifact).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to classify a further fingerprint and initiate remedial measures as taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 9: Dav teaches a non-transitory computer readable storage medium comprising computer readable instructions that, when executed, cause at least one processor to at least (Fig. 5): process events in a processor trace to capture application execution behavior corresponding to processor control flow associated with the events; extract a first fingerprint from the captured application execution behavior and performance monitor information; in a training mode, when the first fingerprint and a second fingerprint are determined to be within a similarity threshold based on a distance metric, cluster the first fingerprint and the second fingerprint to form a cluster of fingerprints to be stored in a fingerprint database with a classification; (Dav: C9L32-39: different inputs fed to a binary file such as a portable executable (PE) file will result in different execution paths; the totality of all possible execution paths are encoded in executable code fragments of the binary... and capturing the most "essential" components of each binary; C1L34-37: extracting one or more code fragments from a first software module and computing fingerprints of the code fragments extracted from the first software module; C4L44-49: the fingerprint comparison module is configured to determine a similarity score based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments (i.e., second) extracted from at least a second software module; C6L32-36: similarity score... having a distance to one or more of the fingerprints in the first hash table less than a threshold distance; C8L48-49: cluster the binary files or otherwise determine similarity between different binary files; C4L53-55: is further configured to classify the first software module as the given software module type based on the similarity score; C2L39-40: an attack database stores information relating to previously classified software modules).
Dav is silent on, in a deployed mode, classifying a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering a remedial action when the classification is malicious.
However, analogous art Ros teaches, in a deployed mode, classifying a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering a remedial action when the classification is malicious. (Ros: C12L2-6: dynamic analysis results include one or more of: observed behavior started a process, spawned new processes, etc. (i.e., third fingerprint); C57L50-58: selecting one or more features from the automated malware analysis results of malware samples and assigning a value to each indicator... comparing the assigned values of the array between two samples and calculating a distance between the two samples; and clustering the samples within a defined threshold of distance; C57L37-39: clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output; C48L46-54: determining whether any of the distinct lines are suspicious is performed; if a line/sub-line is determined to be associated with malware, it is deemed a high-risk artifact and is made actionable. An action is performed based on a high-risk artifact).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to classify a further fingerprint and initiate remedial measures as taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 17: Dav teaches a method comprising: processing, by executing an instruction with at least one processor, events for an application in a processor trace to capture application execution behavior corresponding to processor control flow associated with the events; extracting, by executing an instruction with the at least one processor, a first fingerprint from the captured application execution behavior and performance monitor information; in a training mode, when the first fingerprint and a second fingerprint are determined to be within a similarity threshold based on a distance metric, clustering, by executing an instruction with the at least one processor, the first fingerprint and the second fingerprint to form a cluster of fingerprints to be stored in a fingerprint database with a classification; (Dav: C9L32-39: different inputs fed to a binary file such as a portable executable (PE) file will result in different execution paths; the totality of all possible execution paths are encoded in executable code fragments of the binary... and capturing the most "essential" components of each binary; C1L34-37: extracting one or more code fragments from a first software module and computing fingerprints of the code fragments extracted from the first software module; C4L44-49: the fingerprint comparison module is configured to determine a similarity score based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments (i.e., second) extracted from at least a second software module; C6L32-36: similarity score... having a distance to one or more of the fingerprints in the first hash table less than a threshold distance; C8L48-49: cluster the binary files or otherwise determine similarity between different binary files; C4L53-55: is further configured to classify the first software module as the given software module type based on the similarity score; C2L39-40: an attack database stores information relating to previously classified software modules).
Dav is silent on, in a deployed mode, classifying, by executing an instruction with the at least one processor, a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering, by executing an instruction with the at least one processor, a remedial action when the classification is malicious.
However, analogous art Ros teaches, in a deployed mode, classifying, by executing an instruction with the at least one processor, a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering, by executing an instruction with the at least one processor, a remedial action when the classification is malicious. (Ros: C12L2-6: dynamic analysis results include one or more of: observed behavior started a process, spawned new processes, etc. (i.e., third fingerprint); C57L50-58: selecting one or more features from the automated malware analysis results of malware samples and assigning a value to each indicator... comparing the assigned values of the array between two samples and calculating a distance between the two samples; and clustering the samples within a defined threshold of distance; C57L37-39: clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output; C48L46-54: determining whether any of the distinct lines are suspicious is performed; if a line/sub-line is determined to be associated with malware, it is deemed a high-risk artifact and is made actionable. An action is performed based on a high-risk artifact).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to classify a further fingerprint and initiate remedial measures as taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 25: Dav teaches an apparatus comprising: memory including machine readable instructions; and at least one processor to execute the instructions to (Fig. 5): process events for an application in a processor trace to capture application execution behavior corresponding to processor control flow associated with the events; extract a first fingerprint from the captured application execution behavior and performance monitor information; in a training mode, when the first fingerprint and a second fingerprint are determined to be within a similarity threshold based on a distance metric, cluster the first fingerprint and the second fingerprint to be stored in a fingerprint database with a classification; (Dav: C9L32-39: different inputs fed to a binary file such as a portable executable (PE) file will result in different execution paths; the totality of all possible execution paths are encoded in executable code fragments of the binary... and capturing the most "essential" components of each binary; C1L34-37: extracting one or more code fragments from a first software module and computing fingerprints of the code fragments extracted from the first software module; C4L44-49: the fingerprint comparison module is configured to determine a similarity score based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments (i.e., second) extracted from at least a second software module; C6L32-36: similarity score... having a distance to one or more of the fingerprints in the first hash table less than a threshold distance; C8L48-49: cluster the binary files or otherwise determine similarity between different binary files; C4L53-55: is further configured to classify the first software module as the given software module type based on the similarity score; C2L39-40: an attack database stores information relating to previously classified software modules).
Dav is silent on, in a deployed mode, classifying a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering a remedial action when the classification is malicious.
However, analogous art Ros teaches, in a deployed mode, classifying a third fingerprint, the third fingerprint to be classified with the classification associated with the cluster of fingerprints when a comparison of the third fingerprint to the cluster of fingerprints from the fingerprint database using the distance metric is within the similarity threshold; and triggering a remedial action when the classification is malicious. (Ros: C12L2-6: dynamic analysis results include one or more of: observed behavior started a process, spawned new processes, etc. (i.e., third fingerprint); C57L50-58: selecting one or more features from the automated malware analysis results of malware samples and assigning a value to each indicator... comparing the assigned values of the array between two samples and calculating a distance between the two samples; and clustering the samples within a defined threshold of distance; C57L37-39: clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output; C48L46-54: determining whether any of the distinct lines are suspicious is performed; if a line/sub-line is determined to be associated with malware, it is deemed a high-risk artifact and is made actionable. An action is performed based on a high-risk artifact).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to classify a further fingerprint and initiate remedial measures as taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 2: The combination of Dav and Ros teaches the apparatus of claim 1, wherein the captured application execution behavior includes i) target address information including points of control transfer within the application's address space, and ii) application programming interface (API) call sequences. (Dav: C5L66-C6L2: one or more specified field characteristics may comprise at least one of one or more specified section flags and one or more fields specifying offsets to a starting address for code execution; C10L6-8: dynamically load most of the APIs that a PE file can call during the course of its execution, thus creating a very short import API table).
Claim 3: The combination of Dav and Ros teaches the apparatus of claim 2, wherein the captured application execution behavior further includes at least one of dynamic linked library execution, just in time code execution, or shell code execution. (Dav: C7L32-33: analysis of software modules such as binary files, including EXEs and DLLs).
Claim 4: The combination of Dav and Ros teaches the apparatus of claim 1, wherein the performance monitor information includes performance monitor unit counter values. (Ros: C6L45-47: line/sub-line counts can be performed on the malware analysis sample results to provide a statistical view of the malware analysis results data; C29L8-9: line counts for the consumed automated malware analysis results are determined).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the performance values taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 5: The combination of Dav and Ros teaches the apparatus of claim 1, wherein the fingerprint extractor is to calculate a first histogram of the captured application execution behavior and a second histogram of the performance monitor information and form the first fingerprint from the first histogram and the second histogram. (Ros: C35L41-50: the dashboard displays a malware download sessions histogram. The malware download sessions histogram displays the malware sessions for samples detected for the first time in the selected time range. Sessions with known malware; and C63L66-C64L2: k-means++ clustering process in combination with the decision tree-based clustering process to verify / complement identification of malware groups/families).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to use histograms for application fingerprints as taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
Claim 6: The combination of Dav and Ros teaches the apparatus of claim 1, wherein the distance metric includes at least one of a Jaccard distance, a Hamming distance, a Euclidean distance, or a Cosine similarity. (Ros: C56L14-17: comparing documents is performed using similarity document algorithms, such as Cosine Similarity, Jaccard Similarity Index, SimHash, and/or another similarity document algorithm).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to use the distance metrics taught by Ros, in order to effectively and efficiently perform appropriate actions to mitigate the security threat (Ros: C41L13-14).
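The pipeline recited in claims 1, 5 and 6 (histogram fingerprints, a distance metric with a similarity threshold, a training mode that clusters and a deployed mode that classifies and remediates) is concrete enough to run end to end. The following is an added example written for this page; it is not code from the application, from Dav or from Ros. It assumes that trace events arrive as control-transfer target addresses and API names, that three PMU counters are available, that target addresses are bucketed by 4 KiB page, and that cosine distance with a 0.2 threshold is used by default; every trace and counter value in it is constructed.

```python
"""Added example (not code from the application or the cited references): histogram
fingerprints, pluggable distance metrics, a training mode that clusters labelled
fingerprints and a deployed mode that classifies and remediates. All data is constructed."""
import math
from collections import Counter

PAGE = 0x1000  # assumption: bucket control-transfer targets by 4 KiB page
RATE_KEYS = ("branches", "branch_misses", "cache_misses")  # assumed PMU counters

def fingerprint(events, pmu):
    """Claim 5 shape: a histogram of execution behaviour (control-transfer target pages
    and API names) and a histogram of PMU counters, each normalised to sum to 1."""
    hist = Counter(f"page:{v // PAGE:#x}" if kind == "target" else f"api:{v}" for kind, v in events)
    total, p_total = sum(hist.values()) or 1, sum(pmu.get(k, 0) for k in RATE_KEYS) or 1
    fp = {k: n / total for k, n in hist.items()}
    fp.update({f"pmu:{k}": pmu.get(k, 0) / p_total for k in RATE_KEYS})
    return fp

def _aligned(a, b):
    keys = sorted(set(a) | set(b))
    return [a.get(k, 0.0) for k in keys], [b.get(k, 0.0) for k in keys]

def cosine_distance(a, b):
    x, y = _aligned(a, b)
    nx, ny = math.sqrt(sum(p * p for p in x)), math.sqrt(sum(q * q for q in y))
    return 1.0 - sum(p * q for p, q in zip(x, y)) / (nx * ny) if nx and ny else 1.0

def euclidean_distance(a, b):
    x, y = _aligned(a, b)
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(x, y)))

def jaccard_distance(a, b):  # set distance over the features that are present
    sa, sb = {k for k, v in a.items() if v}, {k for k, v in b.items() if v}
    return 1.0 - len(sa & sb) / len(sa | sb) if sa | sb else 0.0

DISTANCES = {"cosine": cosine_distance, "euclidean": euclidean_distance, "jaccard": jaccard_distance}

class Cluster:
    def __init__(self, classification, fp):
        self.classification, self.members = classification, [fp]

class FingerprintDatabase:
    """Claim 1 roles: clusterer (train) and classifier (classify) over one database."""
    def __init__(self, metric="cosine", threshold=0.2):
        self.distance, self.threshold, self.clusters = DISTANCES[metric], threshold, []

    def nearest(self, fp):
        """Closest cluster as (distance, cluster) by minimum distance to any member."""
        scored = [(min(self.distance(fp, m) for m in c.members), c) for c in self.clusters]
        return min(scored, key=lambda s: s[0]) if scored else None

    def train(self, fp, classification):
        """Training mode: join the nearest cluster when within the threshold and the labels
        agree; otherwise open a new cluster that carries this classification."""
        best = self.nearest(fp)
        if best and best[0] <= self.threshold and best[1].classification == classification:
            best[1].members.append(fp)
            return best[1]
        self.clusters.append(Cluster(classification, fp))
        return self.clusters[-1]

    def classify(self, fp, remediate=None):
        """Deployed mode: inherit the nearest cluster's classification when within the
        threshold, else 'unknown'; call remediate(label, distance) when malicious."""
        best = self.nearest(fp)
        if best is None or best[0] > self.threshold:
            return "unknown"
        label = best[1].classification
        if label == "malicious" and remediate:
            remediate(label, best[0])
        return label

def sample(targets, apis, **pmu):
    """Constructed trace: control-transfer targets, API call sequence, PMU counters."""
    return [("target", t) for t in targets] + [("api", a) for a in apis], pmu

# Constructed samples: a benign file reader in the main image, a malicious injector in a high range.
BENIGN = [
    sample([0x401000, 0x401020, 0x402010], ["CreateFileW", "ReadFile", "CloseHandle"],
           branches=20_000, branch_misses=400, cache_misses=900),
    sample([0x401000, 0x401040, 0x402020], ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle"],
           branches=24_000, branch_misses=600, cache_misses=1_100)]
MALICIOUS = [
    sample([0x7FF01000, 0x7FF01020, 0x7FF02000], ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"],
           branches=20_000, branch_misses=5_000, cache_misses=8_000),
    sample([0x7FF01000, 0x7FF01010, 0x7FF02000],
           ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "CreateRemoteThread"],
           branches=18_000, branch_misses=4_000, cache_misses=7_000)]
PROBE_INJECTOR = sample([0x7FF01000, 0x7FF01030, 0x7FF02000],
                        ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "VirtualProtect"],
                        branches=19_000, branch_misses=4_500, cache_misses=7_500)
PROBE_UNSEEN = sample([0x10000000, 0x10000010], ["socket", "connect", "send"],
                      branches=5_000, branch_misses=2_500, cache_misses=2_500)

def run_demo(metric="cosine", threshold=0.2):
    """Train on the labelled samples, then classify both probes; returns (clusters, verdicts, actions)."""
    db = FingerprintDatabase(metric, threshold)
    for label, samples in (("benign", BENIGN), ("malicious", MALICIOUS)):
        for events, pmu in samples:
            db.train(fingerprint(events, pmu), label)
    actions = []
    verdicts = [db.classify(fingerprint(*p), lambda lab, d: actions.append((lab, round(d, 3))))
                for p in (PROBE_INJECTOR, PROBE_UNSEEN)]
    return len(db.clusters), verdicts, actions
```

With the default metric `run_demo()` builds two clusters, classifies the injector probe as malicious (distance about 0.02 to the malicious cluster, about 0.3 to the benign one) and records one remedial action, while the unseen network probe falls outside the threshold of every cluster and comes back as unknown rather than being forced into a label; `run_demo("jaccard", 0.5)` reaches the same verdicts with a set-based metric, which is the sense in which claim 6's metric is interchangeable. Two practitioner caveats: the single-linkage `nearest` lets a cluster drift as members are added, so a real deployment would re-validate the threshold as the database grows, and a training sample that lands within the threshold of a cluster with the opposite label opens a fresh cluster here, which is the signal that the threshold is too loose for the chosen metric.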
Claim 7: the combination of Dav and Ros teaches the apparatus of claim 1, further including a telemetry analyzer to gather crowd telemetry from a plurality of systems to verify or change the classification. (Dav: C10,11L66-67,1-8: Fuzzy hashing is used to classify unknown software modules as potentially malicious based on similarity to known malware or adware and are classified as any designated type by comparison to known software modules or exemplary executable code fragments contained in known software modules of the designated type and (C9L2-4) Experiments on sample data confirm these expectations, where almost all fuzzy hash similarities of executable code were equal to 0 or 100).
Claim 8: the combination of Dav and Ros teaches the apparatus of claim 7, wherein the telemetry analyzer is to update the fingerprint database based on a change in the classification. (Ros: C29L14-24: the performance of the data ingestion processes any new and/or updated malware sample analysis results from the automated malware analysis system to determine verdicts and/or verdict changes for every line associated with a given sample (a line includes an observation that was identified during the static or dynamic malware analysis, such as a call to a given API, a request for a given URL, a call to a given library etc.) to determine if the sample is malware, benign, or grayware).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of updating the fingerprint database as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 10: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the at least one processor to capture application execution behavior including i) target address information including points of control transfer within the application's address space, and ii) application programming interface (API) call sequences. (Dav: C5,6L66-67, 1-2: one or more specified field characteristics may comprise at least one of one or more specified section flags and one or more fields specifying offsets to a starting address for code execution. C10L6-8: dynamically load most of the APIs that a PE file can call during the course of its execution, thus creating a very short import API table).
Claim 11: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 10, wherein the instructions, when executed, cause the at least one processor to capture application execution behavior including at least one of dynamic linked library execution, just in time code execution, or shell code execution. (Dav: C7L32-33: Analysis of software modules such as binary files, including EXEs and DLLs).
Claim 12: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 9, wherein the performance monitor information includes performance monitor unit counter values. (Ros: C6L45-47: line/sub-line counts can be performed on the malware analysis sample results to provide a statistical view of the malware analysis results data (C29L8-9) line counts for the consumed automated malware analysis results are determined).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of performance values as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 13: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the at least one processor to calculate a first histogram of the captured application execution behavior and a second histogram of the performance monitor information and form the first fingerprint from the first histogram and the second histogram. (Ros: C35L41-50: the dashboard displays a malware download sessions histogram. The malware download sessions histogram displays the malware sessions for samples detected for the first time in the selected time range. Sessions with known malware and (C63,64L66-67,1-2) k-means++ clustering process in combination with the decision tree-based clustering process to verify / complement identification of malware groups/families).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of having histograms for application fingerprints as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 14: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 9, wherein the distance metric includes at least one of a Jaccard distance, a Hamming distance, a Euclidean distance, or a Cosine similarity. (Ros: C56L14-17: comparing documents is performed using similarity document algorithms, such as Cosine Similarity, Jaccard Similarity Index, SimHash, and/or another similarity document algorithm).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of distance metrics as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 15: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 9, wherein the instructions, when executed, cause the at least one processor to gather crowd telemetry from a plurality of systems to verify or change the classification. (Dav: C10,11L66-67,1-8: Fuzzy hashing is used to classify unknown software modules as potentially malicious based on similarity to known malware or adware and are classified as any designated type by comparison to known software modules or exemplary executable code fragments contained in known software modules of the designated type and (C9L2-4) Experiments on sample data confirm these expectations, where almost all fuzzy hash similarities of executable code were equal to 0 or 100).
Claim 16: the combination of Dav and Ros teaches the non-transitory computer readable storage medium of claim 15, wherein the instructions, when executed, cause the at least one processor to update the fingerprint database based on a change in the classification. (Ros: C29L14-24: the performance of the data ingestion processes any new and/or updated malware sample analysis results from the automated malware analysis system to determine verdicts and/or verdict changes for every line associated with a given sample (a line includes an observation that was identified during the static or dynamic malware analysis, such as a call to a given API, a request for a given URL, a call to a given library etc.) to determine if the sample is malware, benign, or grayware).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of updating the fingerprint database as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 18: the combination of Dav and Ros teaches the method of claim 17, further including capturing application execution behavior including i) target address information including points of control transfer within the application's address space, and ii) application programming interface (API) call sequences. (Dav: C5,6L66-67, 1-2: one or more specified field characteristics may comprise at least one of one or more specified section flags and one or more fields specifying offsets to a starting address for code execution. C10L6-8: dynamically load most of the APIs that a PE file can call during the course of its execution, thus creating a very short import API table).
Claim 19: the combination of Dav and Ros teaches the method of claim 18, further including capturing application execution behavior including at least one of dynamic linked library execution, just in time code execution, or shell code execution. (Dav: C7L32-33: Analysis of software modules such as binary files, including EXEs and DLLs).
Claim 20: the combination of Dav and Ros teaches the method of claim 17, wherein the performance monitor information includes performance monitor unit counter values. (Ros: C6L45-47: line/sub-line counts can be performed on the malware analysis sample results to provide a statistical view of the malware analysis results data (C29L8-9) line counts for the consumed automated malware analysis results are determined).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of performance values as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 21: the combination of Dav and Ros teaches the method of claim 17, further including calculating a first histogram of the captured application execution behavior and a second histogram of the performance monitor information and forming the first fingerprint from the first histogram and the second histogram. (Ros: C35L41-50: the dashboard displays a malware download sessions histogram. The malware download sessions histogram displays the malware sessions for samples detected for the first time in the selected time range. Sessions with known malware and (C63,64L66-67,1-2) k-means++ clustering process in combination with the decision tree-based clustering process to verify / complement identification of malware groups/families).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of having histograms for application fingerprints as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 22: the combination of Dav and Ros teaches the method of claim 17, wherein the distance metric includes at least one of a Jaccard distance, a Hamming distance, a Euclidean distance, or a Cosine similarity. (Ros: C56L14-17: comparing documents is performed using similarity document algorithms, such as Cosine Similarity, Jaccard Similarity Index, SimHash, and/or another similarity document algorithm).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of distance metrics as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
Claim 23: the combination of Dav and Ros teaches the method of claim 17, further including gathering crowd telemetry from a plurality of systems to verify or change the classification. (Dav: C10,11 L66-67,1-8: Fuzzy hashing is used to classify unknown software modules as potentially malicious based on similarity to known malware or adware and are classified as any designated type by comparison to known software modules or exemplary executable code fragments contained in known software modules of the designated type and (C9L2-4) Experiments on sample data confirm these expectations, where almost all fuzzy hash similarities of executable code were equal to 0 or 100).
Claim 24: the combination of Dav and Ros teaches the method of claim 23, further including updating the fingerprint database based on a change in the classification. (Ros: C29L14-24: the performance of the data ingestion processes any new and/or updated malware sample analysis results from the automated malware analysis system to determine verdicts and/or verdict changes for every line associated with a given sample (a line includes an observation that was identified during the static or dynamic malware analysis, such as a call to a given API, a request for a given URL, a call to a given library etc.) to determine if the sample is malware, benign, or grayware).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dav to include the idea of updating the fingerprint database as taught by Ros in order to effectively and efficiently perform appropriate actions to mitigate the security threat (C41L13-14).
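The pipeline recited across claims 5 through 8 (and their medium and method counterparts), shown as an added example that is neither the applicant's code nor code from the Dav or Ros references: a fingerprint is formed from a histogram of captured API calls and a histogram of binned performance monitor counter values, compared against a fingerprint database under the Jaccard, Hamming, Euclidean and Cosine distances named in claim 6, and then verified or re-labelled from crowd telemetry. All function names, the bucket width, the distance threshold and the sample traces are assumptions made for illustration.

```python
from collections import Counter
from math import sqrt

# Hypothetical fingerprint pipeline; names, thresholds and traces are constructed.
def fingerprint(api_calls, pmu_values, bucket=1000):
    """Fingerprint = histogram of API call names plus histogram of PMU counter
    values binned into fixed-width buckets, stored as one sparse vector."""
    vec = {("api", k): n for k, n in Counter(api_calls).items()}
    vec.update({("pmu", k): n for k, n in Counter(v // bucket * bucket for v in pmu_values).items()})
    return vec

def jaccard(a, b):
    """1 - |A&B| / |A|B| over the feature sets (presence only, counts ignored)."""
    union = set(a) | set(b)
    return 1.0 - len(set(a) & set(b)) / len(union) if union else 0.0

def hamming(a, b):
    """Number of features present in exactly one of the two fingerprints."""
    return len(set(a) ^ set(b))

def euclidean(a, b):
    """L2 distance over the histogram counts (a missing feature counts as 0)."""
    return sqrt(sum((a.get(k, 0) - b.get(k, 0)) ** 2 for k in set(a) | set(b)))

def cosine_distance(a, b):
    """1 - cosine similarity of the two count vectors."""
    dot = sum(a[k] * b[k] for k in set(a) & set(b))
    na, nb = sqrt(sum(v * v for v in a.values())), sqrt(sum(v * v for v in b.values()))
    return 1.0 - dot / (na * nb) if na and nb else 1.0

def classify(fp, database, metric=cosine_distance, threshold=0.2):
    """Nearest stored fingerprint under the chosen metric; 'unknown' beyond the threshold."""
    label, dist = min(((l, metric(fp, known)) for l, known in database.items()), key=lambda t: t[1])
    return (label if dist <= threshold else "unknown"), dist

def apply_crowd_telemetry(database, fp, local_label, verdicts):
    """Majority verdict from a plurality of systems overrides the local label;
    on a change the fingerprint is stored under the winning label (claims 7 and 8)."""
    winner, votes = Counter(verdicts).most_common(1)[0]
    if winner != local_label and votes > len(verdicts) / 2:
        database[winner] = fp
        return winner
    return local_label

# Constructed traces: one known-malicious, one benign, one unknown sample.
KNOWN_MALWARE = fingerprint(["CreateFileW", "WriteFile", "WriteFile", "CreateProcessW", "VirtualAlloc"], [12000, 12500, 30000])
BENIGN = fingerprint(["CreateFileW", "ReadFile", "ReadFile", "ReadFile", "WriteFile"], [2000, 2100, 2300])
DATABASE = {"known_malware": KNOWN_MALWARE, "benign": BENIGN}
SAMPLE = fingerprint(["CreateFileW", "WriteFile", "WriteFile", "CreateProcessW", "VirtualAlloc", "VirtualAlloc"], [12100, 12800, 30400])
```

Jaccard and Hamming ignore the counts and so report the sample as identical to the known fingerprint, while Euclidean and Cosine see the extra VirtualAlloc call; which metric a classifier uses therefore changes how tolerant it is to small behavioural drift.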

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2438.