DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 07/06/2021. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/24/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Examiner’s objections to the specification are withdrawn in light of the applicant’s amendments to paragraphs [0109] and [0110].
Claims 1, 5 and 7 have been amended.
Claims 21-30 have been newly added. 
Claims 1-10 and 21-30 have been examined. 
Applicant's arguments filed on 07/06/2021 have been fully considered but they are not persuasive. As per the applicant’s arguments that prior arts of record fail to teach the limitation: “determining a degree of redundancy in the script language code based on a quantitative difference in a number of expressions evaluated in the script language code between an original version and a compressed version containing the compressed script”, the examiner respectfully disagrees. Prior art of record Golovkin teaches: column 1, lines 57-67: The optimization include removing dead codes and optimizing distributed calculations (expressions), reverse operations (expressions), constant calculations (expressions), transfer instructions (expressions) etc. column 6, lines 10-43: In general, the optimization process involves analysis of the dependencies and interrelations between the code elements in the data flow model. The analyzed code elements include operations, such as XOR, ADD, INC, etc., and operands (expressions), i.e., the values being operated on, of one or more assembly instructions in one or more code blocks. At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measures the degree of code obfuscation. For example, the antimalware program may compare the number of instructions in the original disassembled software code with the number of instructions in the optimized software code. Based on the degree of code obfuscation, the antimalware program can decide whether the analyzed software is malicious. For example, if the software code is heavily obfuscated, e.g., an excess of 50% of the code was obfuscated, the antimalware program declares that the software is malicious due to its apparent attempt to hide its functionality using code obfuscation. Also, column 7, line 60-column 8, line 60. 
Prior art of record Henderson teaches: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts.
Applicant’s arguments with respect to claim 5 regarding the new limitations: “the computer code including a segment of a script language code” and “characterizing redundancy in the code segment based on a quantitative difference in a number of expressions evaluated in the script language code between an original version and a compressed version of the computer code in which one or more expressions from the original version of the computer code is removed while maintaining functionality of the original computer code” have been considered but are moot in view of the new ground of rejection presented in the current rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 5 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 5 recites the limitation "the code segment" in line 4. There is insufficient antecedent basis for this limitation in the claim.
Claim 25 recites: “further comprising conditionally initiating a second remedial based on a pattern of redundancy including superfluous features in the script language code”. The examiner has not found explicit support for a second remedial action in the specification of the instant application. The examiner found support for remediation after determining that the code has superfluous features but not a second remediation after a first remediation is performed based on the degree of redundancy exceeding a predetermined threshold. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 4-10, 21 and 25-27 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 9087195 to Maxim Y. Golovkin (hereinafter Golovkin) and prior art of record US 20060294503 to Henderson et al (hereinafter Henderson).
As per claim 1, Golovkin teaches:
A computer program product for detecting malware, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
receiving a script language code at a threat management facility in communication with an endpoint, the script language code including a plurality of expressions processable by an application in a run-time environment on the endpoint (Golovkin: column 5, lines 26-35: At step 301, an unoptimized executable or object software code is loaded by the antimalware program 130. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an executable or an object software code includes a plurality of expressions that are processable by an application); 
tokenizing the plurality of expressions of the script language code into computing objects (Golovkin: column 5, lines 26-35 and 55-58: At step 301, the software code may be divided into code blocks 302, 303, 304, etc.); 
compressing the computing objects into a compressed script in which redundancy is decreased relative to the script language code by removing one or more expressions from the script language code while maintaining functionality of the script language code (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contain fewer instructions and thus easier to analyze by the antimalware program 130 than the original unoptimized code. Fig. 3b, column 5, lines 55-67: At step 350, the code optimizer 145 analyzes substantially in real time each code block and replaces complex assembly instructions with simple (or basic) instructions, such as ADD, SUB, MOV, OR and other basic assembly instructions. Column 6, lines 1-28: At steps 365 and 370, the optimizer 145 may analyze the data flow model, identify obfuscated codes therein, and optimize the obfuscated codes in the data flow model. Fig. 5, column 7, lines 40-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as a dead code. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500, i.e., the functionality of the software code is maintained while removing dead code); 
determining a degree of redundancy in the script language code based on a quantitative difference in a number of expressions evaluated in the script language code between an original version and a compressed version containing the compressed script (Golovkin: column 6, lines 10-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measures the degree of code obfuscation. For example, the antimalware program may compare the number of instructions in the original disassembled software code with the number of instructions in the optimized software code. Based on the degree of code obfuscation, the antimalware program can decide whether the analyzed software is malicious. For example, if the software code is heavily obfuscated, e.g., an excess of 50% of the code was obfuscated, the antimalware program declares that the software is malicious due to its apparent attempt to hide its functionality using code obfuscation); and 
conditionally initiating a remedial action responsive to the script language code when the degree of redundancy exceeds a predetermined threshold (Golovkin: column 6, lines 44-67: At step 385, the antimalware program may decide based on the degree of code obfuscation whether an additional malware analysis of the software code is necessary in accordance with one example embodiment. At step 390, the antimalware program may further analyze the software code having a significant percent of obfuscated code using conventional malware detection techniques. Column 7, lines 3-10: If a malware is detected in the optimized software code, the original software program may be classified, as viruses, worms, Trojan horses or the like, and quarantined or removed from the system at step 395).
Golovkin teaches a software code but does not explicitly teach: a script language code. However, Henderson teaches:
a script language code (Henderson: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Henderson in the invention of Golovkin to include the above limitations. The motivation to do so would be because code coverage analysis can also be helpful in finding dormant or dead code (Henderson: [0003]).

As per claim 2, Golovkin in view of Henderson teaches:
The computer program product of claim 1, wherein the script language code includes at least one of Visual Basic for Applications (VBA) or JavaScript (Henderson: [0026]: Script languages include, but are not limited to JScript (JavaScript), Visual Basic (VB), Shell scripts, such as TCL/Tk, Perl, Python, Windows/UNIX shell scripting, and so forth).

As per claim 4, Golovkin in view of Henderson teaches:
The computer program product of claim 1, wherein the difference between the script language code and the compressed script is characteristic of obfuscation (Golovkin: Column 6, lines 1-43: At steps 365 and 370, the optimizer 145 may analyze the data flow model, identify obfuscated codes therein, and optimize the obfuscated codes in the data flow model. At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measures the degree of code obfuscation).

As per claim 5, Golovkin teaches:
A method of detecting malware, the method comprising: 
receiving computer code, the computer code including a segment of a script language code executable by an endpoint (Golovkin: column 5, lines 26-35: At step 301, an unoptimized executable or object software code is loaded by the antimalware program 130. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an executable or object software code includes executable code segments); 
characterizing redundancy in the code segment based on a quantitative difference in a number of expressions evaluated in the script language code between an original version and a compressed version of the computer code (Golovkin: column 6, lines 10-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measures the degree of code obfuscation. For example, the antimalware program may compare the number of instructions in the original disassembled software code with the number of instructions in the optimized software code. Based on the degree of code obfuscation, the antimalware program can decide whether the analyzed software is malicious. For example, if the software code is heavily obfuscated, e.g., an excess of 50% of the code was obfuscated, the antimalware program declares that the software is malicious due to its apparent attempt to hide its functionality using code obfuscation) in which one or more expressions from the original version of the computer code is removed while maintaining functionality of the original computer code (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contain fewer instructions and thus easier to analyze by the antimalware program 130 than the original unoptimized code. Fig. 3b, column 5, lines 55-67: At step 350, the code optimizer 145 analyzes substantially in real time each code block and replaces complex assembly instructions with simple (or basic) instructions, such as ADD, SUB, MOV, OR and other basic assembly instructions. Column 6, lines 1-28: At steps 365 and 370, the optimizer 145 may analyze the data flow model, identify obfuscated codes therein, and optimize the obfuscated codes in the data flow model. Fig. 5, column 7, lines 40-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as a dead code. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500, i.e., the functionality of the software code is maintained while removing dead code); and 
in response to characterizing the redundancy, permitting or denying execution of the computer code by the endpoint (Golovkin: column 6, lines 44-67: At step 385, the antimalware program may decide based on the degree of code obfuscation whether an additional malware analysis of the software code is necessary in accordance with one example embodiment. At step 390, the antimalware program may further analyze the software code having a significant percent of obfuscated code using conventional malware detection techniques. Column 7, lines 3-10: If a malware is detected in the optimized software code, the original software program may be classified, as viruses, worms, Trojan horses or the like, and quarantined or removed from the system at step 395).
Golovkin teaches a software code but does not explicitly teach: a script language code. However, Henderson teaches:
a script language code (Henderson: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Henderson in the invention of Golovkin to include the above limitations. The motivation to do so would be because code coverage analysis can also be helpful in finding dormant or dead code (Henderson: [0003]).

As per claim 6, Golovkin in view of Henderson teaches:
The method of claim 5, wherein the redundancy includes at least one of superfluous variables, superfluous function calls, superfluous structure, or superfluous flow control (Golovkin: column 1, line 60-column 2, line 2: The optimization include removing dead codes and optimizing distributed calculations, reverse operations, constant calculations, transfer instructions, memory calls, flag operations, and branch and cycle instructions. Also, column 7, lines 40-67 and column 8, lines 1-25).

As per claim 7, Golovkin in view of Henderson teaches:
The method of claim 5, wherein the compressed version of the computer code has decreased redundancy, as compared to the original version of the computer code, while maintaining functionality of the original version of the computer code (Golovkin: column 5, lines 31-45: As shown in step 301b-301c, code blocks are optimized sequentially (or in parallel) by the code optimizer 145. The optimized code is typically smaller in size because it contain fewer instructions and thus easier to analyze by the antimalware program 130 than the original unoptimized code. Column 6, lines 28-43: At step 380, the antimalware program compares the optimized software code provided by the optimizer 145 with the original unoptimized code to measures the degree of code obfuscation. Fig. 5, column 7, lines 40-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as a dead code. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500, i.e., the functionality of the software code is maintained while removing dead code).

As per claim 8, Golovkin in view of Henderson teaches:
The method of claim 5, wherein the computer code includes a scripting language interpretable by an application executing on the endpoint (Henderson: [0022] According to some embodiments of the invention, code coverage analysis is performed by identifying scripts within a program, instrumenting the scripts, executing the scripts, and performing analysis of the executed scripts. [0026] The term "script", as used herein, refers to a list of commands or instructions written in a scripting language. [0037] In some embodiments, after the scripts are identified, the script(s) within a program are parsed and tokenized to identify the different components or elements of each script. In some embodiments, the scripts are parsed to identify the blocks of the scripts).

As per claim 9, Golovkin in view of Henderson teaches:
The method of claim 5, wherein the computer code includes at least one of list-based code, structured code, object-oriented code, and aspect-oriented code (Golovkin: column 5, lines 4-6: The code may be compiled using any known compiler on computer system 100, such as Microsoft Visual C/C++ compiler or others. Column 6, lines 51-54: the antimalware program may recompile the optimized software code using C++, Java or other type of compiler and submit it for further analysis).

As per claim 10, Golovkin in view of Henderson teaches:
The method of claim 5, wherein characterizing redundancy in the code segment includes identifying one or more subroutines in the code segment for which all results are known without external input (Golovkin: column 7, lines 10-63: The analysis of the dependencies and interrelations between the instructions of the model 500 indicates that the software code includes dead code 510 that does not participate in the execution of the software and merely wastes system resources. The dead code 510 corresponds to the following instructions: ADD ECX, 2500h; INC ECX. The optimizer 145 may identify these instructions as a dead code because they are followed by the following MOVE operation, which erases results of the ADD and INC instructions: MOV ECX, EAX. Thus, the optimizer 145 may remove the ADD and INC instructions from data flow model 500).
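
The heuristic cited from Golovkin above (optimize, count instructions before and after, flag when more than 50% was removed) is sketched below as an added example; it is not part of this Office action or of any cited reference. It assumes a single straight-line block, ignores CPU flags, treats every register named in the block as live at exit, and all function names are hypothetical.

```python
"""Added illustration: degree-of-obfuscation heuristic on straight-line code."""

REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI"}
OVERWRITE = {"MOV"}                                # dst is written, not read
READ_MODIFY = {"ADD", "SUB", "XOR", "INC", "DEC"}  # dst is read, then written
INVERSE = {"ADD": "SUB", "SUB": "ADD", "INC": "DEC", "DEC": "INC", "XOR": "XOR"}
THRESHOLD = 0.5  # "an excess of 50% of the code was obfuscated"


def parse(listing):
    """Turn lines such as 'ADD ECX, 2500h' into (mnemonic, dst, src) tuples."""
    program = []
    for line in listing.strip().splitlines():
        if not line.strip():
            continue
        mnemonic, _, rest = line.strip().partition(" ")
        mnemonic = mnemonic.upper()
        ops = [o.strip().upper() for o in rest.split(",") if o.strip()]
        arity = 1 if mnemonic in ("INC", "DEC") else 2
        if (mnemonic not in OVERWRITE | READ_MODIFY
                or len(ops) != arity or ops[0] not in REGS):
            raise ValueError(f"unsupported instruction: {line!r}")
        program.append((mnemonic, ops[0], ops[1] if arity == 2 else None))
    return program


def cancel_reverse_ops(program):
    """Drop adjacent pairs that undo each other, e.g. ADD EAX, ECX / SUB EAX, ECX."""
    out = []
    for op, dst, src in program:
        # dst != src: 'ADD EAX, EAX' followed by 'SUB EAX, EAX' is not a no-op.
        if out and out[-1] == (INVERSE.get(op), dst, src) and dst != src:
            out.pop()
        else:
            out.append((op, dst, src))
    return out


def remove_dead_stores(program, live_out):
    """Backward liveness: drop writes whose result is erased before any read."""
    live, kept = set(live_out), []
    for op, dst, src in reversed(program):
        if dst not in live:
            continue                  # e.g. ADD/INC ECX erased by MOV ECX, EAX
        if op in OVERWRITE:
            live.discard(dst)         # the old value of dst is not needed
        if src in REGS:
            live.add(src)
        kept.append((op, dst, src))
    kept.reverse()
    return kept


def optimize(program, live_out=None):
    """Apply both passes until nothing more can be removed."""
    if live_out is None:              # conservative assumption: all registers live
        live_out = {r for _, d, s in program for r in (d, s) if r in REGS}
    while True:
        reduced = remove_dead_stores(cancel_reverse_ops(program), live_out)
        if reduced == program:
            return reduced
        program = reduced


def obfuscation_degree(listing, live_out=None):
    """Return (fraction of instructions removed, optimized program)."""
    original = parse(listing)
    if not original:
        return 0.0, []
    optimized = optimize(original, live_out)
    return (len(original) - len(optimized)) / len(original), optimized


def is_suspicious(listing, threshold=THRESHOLD):
    return obfuscation_degree(listing)[0] > threshold


# Constructed samples; the ADD/INC/MOV ECX and ADD/SUB EAX patterns are the
# ones quoted from Golovkin on this page, the surrounding lines are made up.
OBFUSCATED = """MOV EAX, EBX
ADD EAX, ECX
SUB EAX, ECX
ADD ECX, 2500h
INC ECX
MOV ECX, EAX
ADD EAX, 1"""
CLEAN = """MOV EAX, EBX
ADD EAX, ECX
MOV EDX, EAX"""
```

A count-based score like this only decides whether further analysis is warranted; in the cited passages the classification and quarantine steps follow conventional malware detection on the optimized code.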

As per claims 21 and 27, Golovkin in view of Henderson teaches:
The method of claim 1, wherein the plurality of expressions includes expressions in the script language code for which an output is known in response to requisite external inputs (Golovkin: column 4, line 63-column 5, line 15: FIG. 2 provides an example obfuscated software code written in C++ programming language. In particular, function DWORD contains the following obfuscated code. M[]=D; T+=M[i]; M[i]=D; T-=M[i]; The obfuscated code above is represented as the following assembly language instructions: ADD EAX, ECX; SUB EAX, ECX).

As per claim 25, Golovkin in view of Henderson teaches:
The method of claim 1, further comprising conditionally initiating a second remedial based on a pattern of redundancy including superfluous features in the script language code (Golovkin: column 6, lines 44-67: At step 385, the antimalware program may decide based on the degree of code obfuscation whether an additional malware analysis of the software code is necessary in accordance with one example embodiment. At step 390, the antimalware program may further analyze the software code having a significant percent of obfuscated code using conventional malware detection techniques. Column 7, lines 3-10: If a malware is detected in the optimized software code, the original software program may be classified, as viruses, worms, Trojan horses or the like, and quarantined or removed from the system at step 395).

As per claim 26, Golovkin in view of Henderson teaches:
The method of claim 25, wherein the pattern includes one or more of superfluous variables, superfluous statements, superfluous functions, superfluous conditional statements, superfluous structure, and superfluous flow control (Golovkin: column 1, line 60-column 2, line 2: The optimization include removing dead codes and optimizing distributed calculations, reverse operations, constant calculations, transfer instructions, memory calls, flag operations, and branch and cycle instructions. Also, column 7, lines 40-67 and column 8, lines 1-25).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Golovkin in view of Henderson as applied to claim 1 above, and further in view of applicant provided prior art US 7624449 to Frederic Perriot (hereinafter Perriot).
As per claim 3, Golovkin in view of Henderson does not teach: wherein the difference between the script language code and the compressed script is characteristic of polymorphism. However, Perriot teaches:
wherein the difference between the script language code and the compressed script is characteristic of polymorphism (Perriot: column 5, lines 41-56: In polymorphic code 10 produced by viruses, dead code is commonplace. Column 21, lines 1-33: Another use of optimization 40 is as a heuristic to detect polymorphic code 10. Most polymorphic engines 10 produce many redundant instructions, whereas a typical program has almost no dead code).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Perriot in the invention of Golovkin in view of Henderson to include the above limitations. The motivation to do so would be to provide an alternative solution entailing code optimization (simplification) techniques. Such techniques as copy propagation, constant folding, code motion, and dead-code elimination may be used instead of, or prior to, emulation or other malicious code detection techniques (Perriot: column 1, lines 22-28).

Allowable Subject Matter
Claims 22-24 and 28-30 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


