DETAILED ACTION
Claims 1-20 are presented for examination.



Information Disclosure Statement
The information disclosure statement (IDS) submitted on05/04/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.


Drawings
The drawings filed on 01/16/2020 are accepted by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



The examiner considers claim 11 invoking 112(b) having “an executable evaluation module” performing functional limitations. However the claim is rejected under 112 (b) as being indefinite because there is no corresponding structure disclosed for the recited modules in the specification. 
Dependent claims inherit the deficiencies of the above independent claims 6 and 11 and therefore are rejected under 35 U.S.C. 112(b) by virtue of their dependency.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

1.	Claims 1-4, 6, 8-14, 16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over David et al. (US Pub No. 10,484,419, hereinafter “Davis”) in view of Sundaram et al. (US Pub No. 2012/0215853, hereinafter “Sundaram”).

Regarding claim 1, Davis does disclose, a method of generating a similarity hash for an executable, comprising: extracting a plurality of characteristics for one or more classes in the executable (David, (col. 5 lines 59 – col. 6 lines 1-2), at least one of the code fragments extracted from the first software module in step 200 may comprise executable code. Extracting the code fragments in step 200 may comprise parsing section headers of the first software module to identify one or more raw data sections comprising executable code. One or more specified field characteristics may be utilized to identify the one or more raw data sections comprising executable code. The one or more specified field characteristics may comprise at least one of one or more specified section flags and one or more fields specifying offsets to a starting address for code execution; (David, (col. 2 lines 41-43), where software modules, such as executables (EXEs)); transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes (David, (col. 6 lines 3-5), the process continues with step 202, computing fingerprints of the code fragments extracted from the first software module); and transforming the set of class fingerprint strings into a hash string [using minwise hashing] (David, (col. 6 lines 3-14), the process continues with step 202, computing fingerprints of the code fragments extracted from the first software module. In step 204, a similarity score is determined based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments extracted from at least a second software module. The second software module is classified as a given software module type, such as malware or adware. Each of the fingerprints, for code fragments extracted from both the first software module and the second software module, may be computed by application of a fuzzy hash function to individual ones of the code fragments), such that a difference between hash strings for different executables is representative of the degree of difference between the executables (David, (col. 7 lines 53-59), (40) software module similarity techniques are utilized wherein executable code is extracted from a software module, followed by fingerprinting of each executable fragment separately. Similarity between two software modules may thus be estimated by comparing the similarities of fingerprints for executable code fragments of the software modules. Such estimated similarity may be used to classify unknown software modules).  
David does not explicitly but the analogous art Sundaram discloses, transforming fingerprint into a hash using minwise hashing (Sundaram, (para. [0070]), the minwise hashing procedure described above may be available for calculating fingerprints).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Davis by including transforming fingerprint into a hash using minwise hashing taught by Sundaram for the advantage of preventing unwanted communications from being delivered and/or clogging up a communication pipeline (Sundaram, (para. [0016])).

Regarding claim 2, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 1, wherein the class characteristics are derived from class definitions (David, (col. 6 lines 51-55), Classifying the first software module in step 206 may further include classifying the first software module as having the common functional attributes of the given hash table responsive to the table similarity score for the given hash table exceeding a threshold number of similar fingerprints).  

Regarding claim 3, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 2, wherein the class characteristics are derived from class definition data comprising one or more of access flags, superclass name, implemented interfaces, annotations, class data, and static values (David, (col. 5 lines 59 – col. 6 lines 1-2), at least one of the code fragments extracted from the first software module in step 200 may comprise executable code. Extracting the code fragments in step 200 may comprise parsing section headers of the first software module to identify one or more raw data sections comprising executable code. One or more specified field characteristics may be utilized to identify the one or more raw data sections comprising executable code. The one or more specified field characteristics may comprise at least one of one or more specified section flags and one or more fields specifying offsets to a starting address for code execution).  

Regarding claim 4, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 3, wherein the one or more fingerprint strings comprises one or more string characters representing each of the one or more class definition data types (David, (col. 2 lines 41-50), software modules, such as executables (EXEs) and dynamic link library (DLL) modules or DLLs, may be malicious. Malicious software modules include but are not limited to malware and adware. While various embodiments are described below in the context of classifying EXEs, embodiments are not limited solely to classifying these types of software modules. The techniques described below in the context of EXE software modules may be adapted for use with other types of software modules such as DLLs or more generally other types of files that are potentially malicious).
  
Regarding claim 6, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 1, wherein transforming the set of class fingerprint strings into a hash string using minwise hashing comprises using weighted b-bit minwise hashing (Sundaram, (para. [0029]), the fingerprinting component 104 can generate fingerprints for use in determining a similarity measure between known and unknown communications using a minwise hashing calculation. Minwise hashing of an embodiment involves generating sets of hash values based on word units of electronic communications, and using selected hash values from the sets for comparison operations. B-bit minwise hashing includes a comparison of a number of truncated of bits of the selected values).  

Regarding claim 8, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 1, further comprising comparing the hash string with a second hash string from a second executable to determine the similarity between the executable and the second executable (David, (col. 7 lines 9-15), the similarity score determined in step 204 is based on a weighted sum of fragment similarity scores for extracted code fragments of the first software module with fingerprints that match a fingerprint of an extracted code fragment of the second software module, wherein the weights assigned to each of the fragment scores are based on the lengths of the extracted code fragments).  

Regarding claim 9, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 8, wherein comparing the hash string with the hash string from a second executable comprises calculating a Hamming distance between the hash string and the second hash string (Sundaram, (para. [0070]), other variations on the minwise hashing procedure described above may be available for calculating fingerprints. Another option could be to use other known methods for calculating a resemblance, such as "Locality Sensitive Hashing" (LSH) methods. These can include the 1-bit methods known as sign random projections (or simhash), and the Hamming distance LSH algorithm.).  

Regarding claim 10, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 8, further comprising determining whether the executable and the second executable are likely related based on the determined similarity between the executable and the second executable (David, (col. 7 lines 9-15), the similarity score determined in step 204 is based on a weighted sum of fragment similarity scores for extracted code fragments of the first software module with fingerprints that match a fingerprint of an extracted code fragment of the second software module, wherein the weights assigned to each of the fragment scores are based on the lengths of the extracted code fragments).  

Regarding claim 11, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Regarding claim 12, the substance of the claimed invention is similar to that of claim 2. Accordingly, this claim is rejected under the same rationale.

Regarding claim 13, the substance of the claimed invention is similar to that of claim 3. Accordingly, this claim is rejected under the same rationale.

Regarding claim 14, the substance of the claimed invention is similar to that of claim 4. Accordingly, this claim is rejected under the same rationale.

Regarding claim 16, the substance of the claimed invention is similar to that of claim 6. Accordingly, this claim is rejected under the same rationale.

Regarding claim 18, the substance of the claimed invention is similar to that of claim 8. Accordingly, this claim is rejected under the same rationale.

Regarding claim 19, the substance of the claimed invention is similar to that of claim 9. Accordingly, this claim is rejected under the same rationale.

Regarding claim 20, the substance of the claimed invention is similar to that of claim 10. Accordingly, this claim is rejected under the same rationale.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly 

2.	Claims 5, 7, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over xxxx et al. (US Pub No. xxxxx, hereinafter “xxxx”) in view of Herberg et al. (US Pub No. 2016/0098284, hereinafter “Herberg”).

Regarding claim 5, the combination of Davis-Sundaram does disclose the method of generating a similarity hash for an executable of claim 1. 
Davis-Sundaram does not explicitly disclose but the analogous art Herberg discloses, wherein the executable comprises a Dalvik (DEX) executable (Herberg, (para. [0105]), the JAVA class 404 may be compiled into an executable library. The executable library may be formatted in class selector (.class) or as object files (.o), for instance. The executable library is represented in FIG. 4 by item 406. An executable library 406 may be prepared for a specific platform. In a process of preparing the executable library 406 for a specific platform, the executable library may be formatted in Dalvik Executable Format (.dex), dynamic-link library (.dll), or shared library (.so), for instance).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Davis-Sundaram by including xxxxxx taught by Herberg for the advantage of providing a platform that integrates a new, unknown, and non-standard device to a network without interfering with a user experience and without recompiling, reinstalling, or restarting an application controlling the devices (Herberg, (para. [0023])).

Regarding claim 7, the combination of Davis-Sundaram-Herberg does disclose the method of generating a similarity hash for an executable of claim 1, wherein the executable is a Java executable (Herberg, (para. [0105]), the JAVA class 404 may be compiled into an executable library. The executable library may be formatted in class selector (.class) or as object files (.o), for instance. The executable library is represented in FIG. 4 by item 406. An executable library 406 may be prepared for a specific platform. In a process of preparing the executable library 406 for a specific platform, the executable library may be formatted in Dalvik Executable Format (.dex), dynamic-link library (.dll), or shared library (.so), for instance).  


Regarding claim 15, the substance of the claimed invention is similar to that of claim 5. Accordingly, this claim is rejected under the same rationale.


Regarding claim 17, the substance of the claimed invention is similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI	whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST.    If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey L. Nickerson can be reach on (469) 295-9235. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from their Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. should you have 

/MORSHED MEHEDI/Primary Examiner, Art Unit 2432