DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application No. 16/805,478 filed on 2/28/2020.
Claims 1-20 have been examined and are pending in this application. 
Priority
Acknowledgment is made of Applicant’s claim for foreign priority under 35 U.S.C. 120 to parent Application No. 15/828,172, filed on 11/30/2017.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 02/28/2020, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,565,376, 1-20 of U.S. Patent No. 10,956,750, and claims 1-19 of U.S. Patent No. 10,628,586. Although the claims at issue are not identical, they are not patentably distinct from each other because claim(s) 1-20 are broader and similar in scope to claims 1-21 of U.S. Patent No. 10,565,376, 1-20 of U.S. Patent No. 10,956,750, and claims 1-19 of U.S. Patent No. 10,628,586. If the claims in Application No. 16/805,478 are allowed, it could improperly extend the “right to exclude” for the same invention in two different Patents.
Claims 1-20 are directed to a system, a method, and a computer program product; said system, method, and computer program product are associated with the methods, systems, and computer program products claimed in claims 1-21 of U.S. Patent No. 10,565,376, 1-20 of U.S. Patent No. 10,956,750, and claims 1-19 of U.S. Patent No. 10,628,586.  
The subject matter claimed in the instant application is fully disclosed and covered in U.S. Patent No. 10,565,376, U.S. Patent No. 10,956,750, and U.S. Patent No. .  
Claim Interpretation
Regarding claim 10; Claim 10 recites the limitation “perform another snapshot of all of the plurality of pages in memory associated with the process at subsequent time tn after a predetermined period of time or after a system call event if any return address in a call stack points to a memory address that has changed since the initial snapshot” (Emphasis Added). The aforementioned limitations are preceded by the term ‘if’. Claim scope is not limited by claim language that suggests or makes optional but does not require the steps to be performed, or by claim language that does not limit a claim to a particular structure (See MPEP 2111.04 [R-08.2017]). Accordingly, the limitation(s) is merely capable of performing the recited or desired functions of “perform another snapshot of all of the plurality of pages in memory associated with the process at subsequent time tn after a predetermined period of time or after a system call event”. In the event that the claimed condition for performing a contingent step is not satisfied, then the performance recited by the step need not be carried out in order for the claimed method to be performed (See MPEP 2111.04 II. [R-08.2017]).
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 18-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claim 18, claim 18 is rejected under 35 U.S.C. 101 because the claim is directed to non-statutory subject matter. Claim 18 recites “tangible computer readable storage medium”. However, there is no further discussion in the specification, so “tangible computer-readable storage medium” can be any means, including propagating and transmission signals, which are non-eligible subject matter under 35 U.S.C. 101.
This issue is raised as the disclosure of the invention recites non-limiting examples of media. Yet, the disclosure does not expressly exclude a broad, albeit reasonable interpretation of one or more computer-readable storage media as comprising signals. The broadest and reasonable interpretation of one or more computer-readable storage media comprises signals.  It has been noted that the ordinary and customary meaning of “computer readable storage medium” to a person of ordinary skill in the art was broad enough to encompass both non-transitory and transitory media. (See Ex Parte Mewherter (Appeal 2012-007692) (Precedential)).      
Transitory, propagating signals such as carrier waves are not within any of the four statutory categories (process, machine, manufacture or composition of matter). Therefore, a claim directed to computer instructions embodied in a signal is not statutory under 35 U.S.C. 101. In re Nuijten, 500 F.3d 1346, 1354 (Fed. Cir. 2007).  As a result, the claims are directed to non-statutory subject matter. The Examiner respectfully suggests that the claims be amended to recite either “a non-transitory computer readable storage medium”, “a non-transient computer readable storage medium”, or “a computer readable storage device” to make the claim statutory under 35 USC 101.
Regarding claim(s) 19-20; Claims 19-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter under the same rationale as independent claim 18.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1-5, 8-10, and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Peinado et al. (US 2011/0265182; Hereinafter “Peinado”) in view of Kim et al. (US 2017/0103202; Hereinafter “Kim”) and further in view of Ikuse et al. (US 10,397,261).
Regarding claim 1, Peinado teaches a system (Peinado: Fig. 3, Para. [0020]), comprising:
a processor configured to (Peinado: Fig. 3):
monitor changes in memory during execution of a malware sample in a computing environment (Peinado: Para. [0025], A software environment can be an environment where computer code can be loaded and executed. Examples of software environments include environments such as an operating system kernel with a support environment (e.g., drivers), a browser environment, a virtual machine environment (e.g. Java), middle ware servers, and other software environments that execute code loaded from external sources that can be compromised. Para. [0045], Para. [0046], A common task in detecting unknown or analyzing known kernel mode malware is to identify all the function pointers manipulated by the malware. The ideal way to do this is to inspect the values of all function pointers in the kernel and determine if they point to legitimate targets. Para. [0053]);
detect a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment (Peinado: Para. [0058], In the case of the application software level (e.g., browsers, etc.), the function pointers and return addresses that can be checked at the operating system level may also be checked for each application thread. Furthermore, system calls and similar function calls can be considered "instructions" that are available to applications. So, any system calls provided by the operating system can be analyzed to determine if they have the property of changing the control flow to a target address that is not entirely (or is not) specified in the parameters of the system call itself. If the system call has this property, then the system call can be analyzed in detail. Para. [0023]-[0024] ); and
a memory coupled to the processor and configured to provide the processor with instructions (Peinado: Fig. 3, Para. [0020], The raw memory snapshot 118 can contain a snapshot of the operating system kernel executing on a computing device 120. Taking a snapshot of memory from a virtual machine can be easier because the snapshot can be taken without stopping the execution of the virtual machine in memory because execution of the virtual machine can be temporarily suspended and the snapshot can be).
Peinado does not explicitly teach perform dynamic analysis of a malware sample for detecting malware via scanning for dynamically generated function pointers in memory.
In an analogous art, Kim, in combination with Peinado, teaches a system and method wherein perform dynamic analysis of a malware sample for detecting malware via scanning for dynamically generated function pointers in memory (Kim: Para. [0102], Here, the behavior-based malware detection technique corresponds to a dynamic analysis method, and may use a scheme for hooking an API function in a user mode and a kernel mode or a scheme for monitoring an event notification routine automatically called by the system when a specific event occurs, in an analysis environment in order to detect a change in an OS. Here, based on the corresponding information, the sequence of execution of executable files may be entirely stored as a log. Further, the extent of similarity of the form of execution of the executable file to the form of execution of malicious code is measured. If the corresponding executable file is diagnosed as malicious code, the system may be recovered in the reverse direction of the sequence in which the files are executed, based on log values. Para. [0014]-[0015], Para. [0053]-[0054]).
(Kim: Para. [0008]). 
Peinado, in combination with Kim, does not explicitly teach generate an interface that includes a graphical visualization of a plurality of pages in memory associated with a process launched during execution of the malware sample in a computing environment, wherein the graphical visualization of the plurality of pages in memory indicates detection of the dynamically generated function pointer associated with one or more of the plurality of pages in memory that were modified during execution of the malware sample. 
In an analogous art, Ikuse teaches a system and method wherein generate an interface that includes a graphical visualization of a plurality of pages in memory associated with a process launched during execution of the malware sample in a computing environment (Ikuse: Fig. 3-5, Col. 4, Lines 45-67, Specifically, the instruction monitoring unit 13a performs monitoring by assigning a tag to a file of the malware 11, and in the case where the malware 11 calls the data receiving API that is a monitoring target API, and assigns a tag that can uniquely identify a transmission source of the data to data related to the API after enabling a monitoring target flag, and acquires log data by tracking propagation of the data assigned with the tag. Col. 5, Lines 35-67, The creating unit 15 creates, by using log data acquired by the instruction monitoring unit 13a, a dependency relation graph that is a digraph in which the malware 11, download data, and communication destination are set as the nodes and a dependency relation of each node is set as an edge. Here, note that each node in the dependency relation graph is to have a node having granularity in which existing maliciousness information can be mapped. Col. 6, Lines 1-67), wherein the graphical visualization of the plurality of pages in memory indicates detection of the dynamically generated function pointer associated with one or more of the plurality of pages in memory that were modified during (Ikuse: Fig. 3-5, Col. 4, Lines 53-67, the instruction monitoring unit 13a acquires a value of an instruction pointer register while analyzing the malware 11, and makes an inquiry to the data flow analyzing unit 13b regarding whether a memory region indicated by the instruction pointer register is assigned with a monitoring target tag. Then, in the case where the monitoring target tag is set for the data as a result of the inquiry, the instruction monitoring unit 13a determines the instruction as the monitoring target. Col. 5, Lines 35-67, The creating unit 15 creates, by using log data acquired by the instruction monitoring unit 13a, a dependency relation graph that is a digraph in which the malware 11, download data, and communication destination are set as the nodes and a dependency relation of each node is set as an edge. Here, note that each node in the dependency relation graph is to have a node having granularity in which existing maliciousness information can be mapped. Col. 6, Lines 1-67).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Ikuse with the system and method of Peinado and Kim to include generate an interface that includes a graphical visualization of a plurality of pages in memory associated with a process launched during execution of the malware sample in a computing environment, wherein the graphical visualization of the plurality of pages in memory indicates detection of the dynamically generated function pointer associated with one or more of the plurality of pages in memory that were modified during execution of the malware sample because this functionality provides for dynamic analysis and detection of malware through visualization of malicious executables with pointers and mapped graphs (Ikuse: Col. 2, Lines 32-67). 
Regarding claim 2, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein the computing environment comprises a virtual machine instance (Peinado: Para. [0025], Examples of software environments include environments such as an operating system kernel with a support environment (e.g., drivers), a browser environment, a virtual machine environment (e.g. Java), middle ware servers, and other software environments that execute code loaded from external sources that can be compromised. An application level system can also use the present technology to analyze and/or protect against code that is loaded into a complex application environment.).
Regarding claim 3, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein the processor is further configured to: identify, in the interface, one or more of the following:
a system call event detected during execution of the malware sample in the computing environment; a time associated with a snapshot of the memory generated during the execution of the malware sample; and a type of memory associated with the one or more of the plurality of pages in memory that were modified during execution of the malware sample (Ikuse: Col. 3, Lines 61-67, A malware execution environment unit 10a of the identifying device 10 is formed of the malware 11, guest OS 12, and virtual computer 13. The guest OS 12 is the environment to perform dynamic analysis for the malware 11. Furthermore, the malware 11 is executed on the guest OS 12 and executes an instruction such as calling an application programming interface (API) and issuing a system call. Col. 4, Lines 45-67).
Regarding claim 4, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein an output of the monitored changes in memory after a system call event during execution of the malware sample for a predetermined period of time in the computing environment is reassembled and analyzed to identify a potential malware binary (Kim: Para. [0107], a file in which malicious code is present is collected from any one of the hypervisor area and the virtual host area, and the collected file may be stored. Para. [0121 Para. [0090]-[0093] [under BRI, collected/recovered file meets reassembled limitation] Para. [0114], Furthermore, an executable file in a virtual machine may be continuously monitored, and the main body of a malicious file or a related file, which is required in order to investigate and analyze infringement incidents, may be automatically collected as evidence within a short period of time. [under BRI, short period of time meets predetermined time limitation], Para. [0174]), and wherein the potential malware binary is submitted for dynamic analysis and/or static analysis (Kim: Para. [0102], Para. [0014]-[0015], Para. [0053]-[0054]).
Regarding claim 5, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein a plurality of pages in memory associated with a process launched by executing the malware sample are identified and monitored for changes after one or more system call events during execution of the malware sample for a predetermined period of time in the computing environment (Ikuse: Col. 11, Lines 25-55, After finishing the processing in Step S115, Step S118, or Step S120, the instruction monitoring unit 13a determines whether a predetermined time has passed (Step S121), and in the case of determining that the predetermined time has not passed (Step S121 No), the processing returns to Step S104 Furthermore, in the case of determining that the predetermined time has passed (Step S121 Yes), the instruction monitoring unit 13a finishes the processing.).
Regarding claim 8, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein the processor is further configured to:
identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment (Peinado: Para. [0025], a method for malware investigation by analyzing computer memory in a computing device. An initial operation is performing static analysis on code for a software environment to form an extended type graph, as in block 210. A software environment can be an environment where computer code can be loaded and executed.); and
perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time t0 and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment (Peinado: Para. [0028], A raw memory snapshot of the computer memory can be obtained at runtime, as in block 220. The raw memory snapshot can include the software environment executing on the computing device. The raw memory snapshot is taken at runtime because this is when the dynamic data structures exist. Para. [0059], Para. [0061], At runtime, the virtual machine monitor (VMM) then takes memory snapshots of the running virtual machines (VM) based on some policy. For instance, one snapshot an hour may be taken. It is straight-forward to take a coherent memory snapshot from a running virtual machine without interrupting the virtual machine. The system then performs the steps described previously on the memory snapshot and evaluates the memory which includes testing the function pointers and the other possible tests described. If this test fails, the virtual machine from which the snapshot was taken can be considered to be compromised, and the administrator can take appropriate action. Para. [0050]).
Regarding claim 9, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein the processor is further configured to:
identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment (Peinado: Para. [0025], a method for malware investigation by analyzing computer memory in a computing device. An initial operation is performing static analysis on code for a software environment to form an extended type graph, as in block 210. A software environment can be an environment where computer code can be loaded and executed.);
perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time t0 and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment (Peinado: Para. [0028], A raw memory snapshot of the computer memory can be obtained at runtime, as in block 220. The raw memory snapshot can include the software environment executing on the computing device. The raw memory snapshot is taken at runtime because this is when the dynamic data structures exist. Para. [0059], Para. [0061], At runtime, the virtual machine monitor (VMM) then takes memory snapshots of the running virtual machines (VM) based on some policy. For instance, one snapshot an hour may be taken. It is straight-forward to take a coherent memory snapshot from a running virtual machine without interrupting the virtual machine. The system then performs the steps described previously on the memory snapshot and evaluates the memory which includes testing the function pointers and the other possible tests described. If this test fails, the virtual machine from which the snapshot was taken can be considered to be compromised, and the administrator can take appropriate action. Para. [0050]); and
(Peinado: Para. [0061], At runtime, the virtual machine monitor (VMM) then takes memory snapshots of the running virtual machines (VM) based on some policy. For instance, one snapshot an hour may be taken. It is straight-forward to take a coherent memory snapshot from a running virtual machine without interrupting the virtual machine. The system then performs the steps described previously on the memory snapshot and evaluates the memory which includes testing the function pointers and the other possible tests described. If this test fails, the virtual machine from which the snapshot was taken can be considered to be compromised, and the administrator can take appropriate action. [a final snapshot may be taken after an hour] Para. [0050]).
Regarding claim 10, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1, wherein the processor is further configured to:
identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment (Peinado: Para. [0025], a method for malware investigation by analyzing computer memory in a computing device. An initial operation is performing static analysis on code for a software environment to form an extended type graph, as in block 210. A software environment can be an environment where computer code can be loaded and executed.);
perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time t0 and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment (Peinado: Para. [0028], A raw memory snapshot of the computer memory can be obtained at runtime, as in block 220. The raw memory snapshot can include the software environment executing on the computing device. The raw memory snapshot is taken at runtime because this is when the dynamic data structures exist. Para. [0059], Para. [0061], At runtime, the virtual machine monitor (VMM) then takes memory snapshots of the running virtual machines (VM) based on some policy. For instance, one snapshot an hour may be taken. It is straight-forward to take a coherent memory snapshot from a running virtual machine without interrupting the virtual machine. The system then performs the steps described previously on the memory snapshot and evaluates the memory which includes testing the function pointers and the other possible tests described. If this test fails, the virtual machine from which the snapshot was taken can be considered to be compromised, and the administrator can take appropriate action. Para. [0050]); and
perform another snapshot of all of the plurality of pages in memory associated with the process at subsequent time tn after a predetermined period of time or after a system call event if any return address in a call stack points to a memory address that has changed since the initial snapshot (Peinado: Para. [0061], At runtime, the virtual machine monitor (VMM) then takes memory snapshots of the running virtual machines (VM) based on some policy. For instance, one snapshot an hour may be taken. It is straight-forward to take a coherent memory snapshot from a running virtual machine without interrupting the virtual machine. The system then performs the steps described previously on the memory snapshot and evaluates the memory which includes testing the function pointers and the other possible tests described. If this test fails, the virtual machine from which the snapshot was taken can be considered to be compromised, and the administrator can take appropriate action. [a subsequent snapshot may be taken every hour] Para. [0050]) if any return address in a call stack points to a memory address that has changed since the initial snapshot (Peinado: Para. [0057], the memory locations that can be used as return addresses may also be checked. This includes (a) finding all threads, (b) finding all the stacks of each thread and (c) finding the return addresses on each stack. The first two tasks can be accomplished using the memory analysis phase. Para. [0058]).
Regarding claims 12-15, claims 12-15 are rejected under the same rationale as claims 1-4, respectively.
Regarding claims 16-17, claims 16-17 are rejected under the same rationale as claims 4-5, respectively.
Regarding claims 18-20, claims 18-20 are rejected under the same rationale as claims 1-3, respectively.

Claim(s) 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Peinado et al. (US 2011/0265182; Hereinafter “Peinado”) in view of Kim et al. (US 2017/0103202; Hereinafter “Kim”) in view of Ikuse et al. (US 10,397,261) and further in view of Weinstein et al. (US 9,584,541; Hereinafter “Weinstein”).
Regarding claim 6, Peinado, in combination with Kim and Ikuse, teaches the system recited in claim 1. Peinado, in combination with Kim and Ikuse, does not explicitly teach wherein the processor is further configured to: receive a plurality of malware samples; and deduplicate the plurality of malware samples. 
In an analogous art, Weinstein teaches a system and method wherein receive a plurality of malware samples; and deduplicate the plurality of malware samples (Weinstein: Col. 8, Lines 55-67, Continuing on with 310, for the group of identified or known threats, the CTIA system can identify a group of all samples of malware, each represented by for example a SHA256 hash, which have been detected as specified threat at 310. For example, the CTIA system can count a total number of hashes (representing all samples of malware) for later IOC grouping. The CTIA system can then compile a collective and deduplicated group of all IOCs from each sample of malware represented by a hash SHA256 at 312, and compile a group of IOCs that reaches a relevance threshold to the threat, e.g., IOCs from the collective and deduplicated group that are seen in at least a threshold percentage (e.g., 50%, 70%, 80%, 90%, etc.) of the samples of malware related to the threat at 314, and send an output message including the group of relevant IOCs at 325.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Weinstein with the system and method of Peinado, Kim, and Ikuse, to include wherein receive a plurality of malware samples; and deduplicate the plurality of malware samples because this functionality provides identification of potentially identifiable threats from malware samples (Weinstein: Col. 8, Lines 55-67). 
Regarding claim 7, Peinado, in combination with Kim and Ikuse, teaches wherein the system recited in claim 1, wherein the processor is further configured to: and execute the first malware sample in the computing environment (Peinado: Para. [0045], Para. [0046], A common task in detecting unknown or analyzing known kernel mode malware is to identify all the function pointers manipulated by the malware. The ideal way to do this is to inspect the values of all function pointers in the kernel and determine if they point to legitimate targets. Para. [0053]). 
Peinado, in combination with Kim and Ikuse, does not explicitly teach receive a plurality of malware samples; deduplicate the plurality of malware samples to output a first malware sample. 
In an analogous art, Weinstein teaches a system and method wherein receive a plurality of malware samples; deduplicate the plurality of malware samples to output a first malware sample (Weinstein: Col. 8, Lines 55-67, Continuing on with 310, for the group of identified or known threats, the CTIA system can identify a group of all samples of malware, each represented by for example a SHA256 hash, which have been detected as specified threat at 310. For example, the CTIA system can count a total number of hashes (representing all samples of malware) for later IOC grouping. The CTIA system can then compile a collective and deduplicated group of all IOCs from each sample of malware represented by a hash SHA256 at 312, and compile a group of IOCs that reaches a relevance threshold to the threat, e.g., IOCs from the collective and deduplicated group that are seen in at least a threshold percentage (e.g., 50%, 70%, 80%, 90%, etc.) of the samples of malware related to the threat at 314, and send an output message including the group of relevant IOCs at 325.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Weinstein with the system and method of Peinado to include receive a plurality of malware samples; deduplicate the plurality of malware samples to output a first malware sample by modifying the external code that is fed into the software environment, as taught in Peinado, to include an identified malware sample from a group of deduplicated malware samples, as taught in Weinstein. Such a modification is the result of combining prior art 
Allowable Subject Matter
Regarding claim 11, claim 11 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached at (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status 

/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437