DETAILED ACTION

A response was received on 13 May 2021.  By this response, Claims 1, 5, and 8-18 have been amended.  Claims 2-4, 19, and 20 have been canceled.  New Claims 21 and 22 have been added.  Claims 1, 5-18, 21, and 22 are currently pending in the present application.

Response to Arguments

Applicant’s arguments with respect to the rejections of Claims 1-20 under 35 U.S.C. 102 (see pages 24-25 of the present response) have been considered but are moot in view of the grounds of rejection set forth below.
Applicant's arguments filed 13 May 2021 have been fully considered but they are not persuasive.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 101 as directed to ineligible abstract ideas, Applicant argues that the claims do not fall within any of the categories of abstract ideas set forth in the 2019 Revised Patent Subject Matter Eligibility Guidance (pages 21-22 of the present response).  It is noted that there has been no assertion that the claims include mathematical concepts or methods of organizing human activity.  However, it is submitted that the claims nevertheless do recite abstract ideas in the mental process category.  At least the steps or functions relating to comparing source code, comparing object code, and comparing results fall within the category of mental processes, because comparisons between two things can 
Therefore, for the reasons detailed above, the Examiner maintains the rejection as set forth below.

Drawings

The objection to the drawings is withdrawn in light of the amended drawings received.



Specification

The objection to the abstract is withdrawn in light of the amendments thereto.  The objection to the disclosure for informalities is NOT withdrawn, because the amendments have raised new issues, as detailed below.
The disclosure is objected to because of the following informalities:  
The specification includes minor grammatical and other errors.  For example, in paragraph 0042, lines 1-3, the phrase “how a prior art computing device 300 on which components of the cyber-security validator 130 may be implemented” appears to be missing a verb or other predicate phrase.
Appropriate correction is required.  Applicant’s cooperation is again requested in correcting any other errors of which applicant may become aware in the specification.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required: Claim 11 has been amended to recite “stopping progression of the compilation stage” and Claim 17 has been amended to recite “ceasing to execute the first object code and the second object code”.  There is not clear antecedent basis for these limitations in the specification.  For further detail, see below regarding the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.


Claim Rejections - 35 USC § 101

The rejection of Claims 1-8 under 35 U.S.C. 101 as directed to non-statutory software per se is withdrawn in light of the amendments to the claims.  The rejection of Claims 2-4, 19, and 20 under 35 U.S.C. 101 is moot in view of the cancellation of the claims.  The rejection of Claims 1 and 5-18 under 35 U.S.C. 101 is NOT withdrawn, for the reasons detailed above, and because the amendments have raised new issues, as detailed below.
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 5-18, 21, and 22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more.
Claim 1 recites a validator having configured to store first and second computer source code, compare the first and second source code and also compare first and second compiled object code, and determine whether an attack has occurred based on results of the comparisons.  The comparison and determination are mental processes.  Comparing code could be performed by inspection and the determination of whether an attack is occurring based on the comparison is a simple binary decision described with simple criteria in the disclosure (if the first and second code are the same, there is no attack, and if they are different, there is an attack), which could be performed entirely in the mind or using pen and paper.  Mental processes are one of the groupings of abstract ideas set forth in MPEP § 2106.04(a).  See also MPEP § 2106.04(a)(2)(III).  Abstract ideas are judicial exceptions as per MPEP § 2106.04(I).  See also Alice Corporation Pty. Ltd. v. CLS Bank, International, et al, 573 U.S. 208, 100 USPQ2d 1976 (2014).
This judicial exception is not integrated into a practical application because the claim does not recite any use or significant further action with respect to the determination whether an attack has occurred or is in progress.  Although the claim recites storing the code, this step amounts to mere insignificant extra-solution activity, namely data gathering, as per MPEP § 2106.05(g).  Although the claim recites a memory and a “computing device”, this merely links the abstract ideas to a particular field of use or technical environment, as per MPEP § 2106.05(h), or alternately, these recitations do not constitute anything more than mere instructions to implement the abstract ideas on a computer, as per MPEP § 2106.05(f).  The abstract ideas are not used to improve the functioning of a computer or to transform an article.  There is no significant further step taken that results in a practical application of the abstract ideas.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception for similar reasons as detailed above with respect to the question of a practical application of the judicial exception.  Further, the step of storing the code is claimed at a high level of generality and is generally directed to receiving data over a network and storing data in memory.  These have been recognized by the courts as a well-understood, routine, and conventional function.  See MPEP § 2106.05(d)(II), citing Symantec, TLI, OIP Techs., buySAFE, and Versata.  Therefore, the claim as a whole, whether the steps are considered individually or as an ordered combination, is not directed to significantly more than the abstract idea.

Claims 9-17 are directed to methods corresponding substantially to the functions of the devices of Claims 1 and 5-8, and are directed to abstract ideas without a practical application for similar reasons as detailed above with respect to Claims 1-8.  Although the claims recite that the method is “computer-based”, this constitutes a mere instruction to implement the abstract ideas on a computer.  See MPEP § 2106.05(f).  Although Claim 17 recites “taking measures to address the cyberattack”, this does not provide a practical application because it is so broad as to encompass a simple notification message or displaying an alert to a user, which are both insignificant post-solution activity as per MPEP § 2106.05(g).  Therefore, the methods of Claims 9-17 are not directed to a practical application of the abstract ideas or to significantly more than the abstract ideas themselves.
Claim 18 is directed to a system having functionality corresponding substantially to the functionality of Claims 1 and 5-8 in different combinations, and are directed to abstract ideas without a practical application for similar reasons as detailed above with respect to Claims 1 and 5-8.  Although the claims recite a user interface and a memory this merely links the abstract ideas to a particular field of use or technical environment, as per MPEP § 2106.05(h), or alternately, these recitations do not constitute anything more than mere instructions to implement the abstract ideas on a computer, as per MPEP § 2106.05(f).  Therefore, the system of Claim 18 is not directed to a practical 
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1, 5-18, 21, and 22 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above.  Therefore, the claimed inventions are not directed to patent eligible subject matter.

Claim Rejections - 35 USC § 112

The rejection of Claims 2-4, 19, and 20 under 35 U.S.C. 112(b) as indefinite is moot in light of the cancellation of the claims.  The rejection of Claims 1, 5-8, 10, 11, and 18 is NOT withdrawn, because the amendments have raised new issues, as detailed below. 
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 11-17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims 
Claim 11 has been amended to recite “stopping progression of the compilation stage”.  Although Applicant states that support for this limitation is found in paragraph 0021 of the specification (see page 18 of the present response), it is noted that, although this paragraph describes stopping progression to the compilation stage, there appears to be no mention either in this paragraph or elsewhere in the specification of stopping progression of the compilation stage.  Therefore, there is not clear written description of the claimed subject matter.
Claim 17 has been amended to recite “ceasing to execute the first object code and the second object code”.  Although Applicant states that support for this limitation is found in paragraphs 0022-0024 of the specification (see page 19 of the present response), there appears to be no mention in this paragraph or elsewhere in the specification of ceasing execution of object code.  Although paragraph 0024 discusses what happens based on the comparison of the first and second results, there is no mention of ceasing execution of the object code in response to either the results being the same or different.  Therefore, there is not clear written description of the claimed subject matter.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 5-18, 21, and 22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
In Claim 1, line 18, there is not clear antecedent basis for “the cyberattack”.  This ambiguity renders the claim indefinite.
Claim 9 recites “a time of storing” in line 8.  It is not clear what is stored at this time of storing; for example, it is not clear if this refers to a time of storing the first source code, a time of storing the second source code, or a time that something else is stored.  This ambiguity renders the scope of the claim indefinite.
Claim 10 recites “comparing, at a beginning of a compilation stage, the first computer source code and the second computer source code” in lines 8-11.  It is not clear whether this comparison at a beginning of a compilation stage is distinct from the comparison prior to the compilation as recited in Claim 9.  Claim 10 further recites “a cyberattack” in line 12.  It is not clear whether this is intended to refer to the same cyberattack as recited in Claim 9 or a distinct attack.
Claim 11 recites “the cyberattack” in line 5.  If the cyberattacks in Claims 9 and 10 are distinct, then it is not clear to which attack this limitation is intended to refer.

Claim 16 recites “comparing the first result and the second result” and “determining whether the first result and the second result are different”.  These steps appear to be redundant or overlapping, since comparing, by definition, encompasses determining whether something is different or the same.
Claim 17 recites “a cyberattack” in line 3.  It is not clear whether this is intended to refer to a distinct attack from that recited in Claim 9 (and also from the attack recited in Claim 10 is those are distinct).  Claim 17 further recites “the cyberattack” in line 6.  If the cyberattacks in Claims 9, 10, and/or 17 are distinct, then it is not clear to which attack this limitation is intended to refer.
Claim 18 recites “once the source code comparison circuit determines that the first computer source code and the second computer source code are semantically equivalent” in lines 14-16.  The use of “once” makes it unclear whether this is intended as a conditional limitation (e.g. if the circuit determines that the first and second source code are semantically equivalent) or if this is intended as a timing constraint (e.g. after the circuit determines that they are semantically equivalent).  Similarly, the claim recites “once the object code circuit determines that the first object code and the second object code are not different” in lines 24-26.  The use of “once” makes it unclear whether this is intended as a conditional limitation (e.g. if the circuit determines that the first and 
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 14 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  
Claim 14 only recites a single step of “not executing the first and second object code”.  This does not clearly further limit the subject matter of the claim from which it depends, since it does not add any additional steps to be performed in the method and does not positively and actively recite a further limitation on the method of Claim 13.
Applicant may cancel the claim, amend the claim to place the claim in proper dependent form, rewrite the claim in independent form, or present a sufficient showing that the dependent claim complies with the statutory requirements.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-18, 21, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Franz et al, US Patent 8239836, in view of Barau et al, US Patent 9600667 (cited in the previous Office action).
In reference to Claim 1, Franz discloses a computing device including a cybersecurity validator having a memory that stores first and second computer source code received via an interface (column 8, lines 54-57; Figure 1E, steps 151-152); a comparison circuit that compares the first and second source code prior to compilation to determine whether the first and second source code are semantically different (column 8, line 66-column 9, line 1; Figure 1E, steps 153-154; column 8, line 53-column 9, line 3, semantically equivalent) and if they are, determines that an attack has occurred or is in progress (column 9, lines 1-3; Figure 1E, steps 155-156); a compiler to 
Barau discloses comparing executable (i.e. object) code to determine if it has changed and to compare the results to determine if an attack has occurred (see, for example, column 9, lines 29-37).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Franz to include multiple comparisons as suggested by the combined teachings of Franz and Barau, in order to allow more attempts to detect attacks (see Barau, column 8, lines 52-57; see also column 9, lines 29-37).
In reference to Claims 5-8, Franz and Barau further disclose a processor configured to execute the first and second object code to give first and second results and a comparison circuit configured to compare the first and second results and determine if a cyberattack has occurred or is in progress if the first and second results are different and that no attack has occurred or is in progress if the first and second results are the same (Franz, column 8, line 53-column 9, line 3, detecting difference in execution; Barau, column 9, line 29-37, detecting different results of execution).

mutatis mutandis.
In reference to Claims 21 and 22, Franz and Barau further disclose source code written by humans or synthesized by a computing device (see Franz, Figure 1E).
Claim 18 is directed to systems including the validator of Claims 1 and 5-8 and its functionality, as well as an interface (column 8, lines 54-56).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/Primary Examiner, Art Unit 2492