DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 08/16/2021 have been fully considered but they are not persuasive.
RemarksApplicant Asserts:  In the Office Action, Claims 1-20 are rejected and remain pending. Claims 1, 2, 9, 10, and 17 are amended. Dependent claims 21, 22, and 23 are new. Support for the amended and added claims can be found at least in paragraphs [0009], [0013], and [0014] of the Applicant’s Specification as filed. No new matter is introduced. Based on this Response, Applicant respectfully requests allowance of the pending claims. A request for AFCP 2.0 is filed with this Response.Examiner Response:  The Examiner thanks applicant representative for working to advance the prosecution of this application.  The amended and new claims are alleged to have support at the cited locations of   [0009], [0013], and [0014] of the Applicant’s Specification as filed. The amendments to independent claims 1, 9, and 17 are directed to the generating raw text from a file.  Specifically, the amendments (underlined) cite:
extracting [[or]] and generating raw text from the file, the generating comprising
detecting an image file type in response to a user interface locking event or a change in
desktop wallpaper, extracting a plurality of text images from the file, and converting the
text images to raw text using optical character recognition processes;


[0009] The disclosed embodiments accurately identify a file as ransomware much more
quickly than in the prior art. Ransom note 105 can be differentiated from typical text documents found on computing devices with a high degree of accuracy through an approach that involves sentiment analysis applied to classifying tokenized and lemmatized text data. A framework for obtaining file creation events on a computing device is utilized to obtain a constant stream of files to classify. In instances when a file is deemed to be a ransom note, the source process is suspended and the user is alerted to the anomalous activity.

[0013] In the fifth step (step 505) scoring engine 514 generates score 560 based on vector set 550 by using a model trained on such features.

[0014] In the sixth step (step 506), score 560 is compared to pre-selected threshold 570. If score 560 is greater than or equal to threshold 570, then raw text 520 can be deemed to be a ransom note 105 (step 507). In that instance, protective action will be taken (step 508), which can include framework 510 suspending the source process that created or modified file 103. A
message can be generated to alert the user that a ransomware process was detected on the host and suspended. If score 560 is less than threshold 570 in step 506, then raw text is deemed benign (step 509) and no protective action is taken.It is further noted that the as filed specification renumbers the specification such that the Detailed Description of the Invention begins with [0001] the same as Priority Claim [0001].  As such the cited [0013 and 0014] are directed to prior art drawings.
In either case, the Examiner does not deem the cited portions of the as filed specification supporting applicant amendments and would consider such amendments as new matter.
Examiner InterviewApplicant Asserts: Applicant thanks Examiner Jones for conducting a telephonic interview on
August 3, 2021 with Applicant’s representatives. During the interview, Examiner and

Applicant’s representatives proposed amendments to the claims. Examiner requested
clarification of claim language for the proposed amendments to claim 1 and suggested
combining elements of proposed claims to overcome the § 103 rejections for the cited
prior art.
Examiner Response:  The Examiner Interview Summary of 08/09/2021 fairly characterizes the Examiner’s position regarding the proposed amendments.  The Examiner stated the amendments would be considered in light of the prior art and support in the specification.  The parties worked to ensure clarity of the record regarding what is claimed.  For example, applicant amends to require the “extraction or generation of a file type” but the claim only extracts from the file.  There appears no support for how the file type provides data other than classification.
35 U.S.C. § 103 Rejection
Applicant Asserts: Without conceding to the validity of these rejections and in order to expedite prosecution of this case, Applicant has amended claim 1 to clarify the scope of the claimed inventions. Independent claim 1 is amended to recite a structure for performing the clamed function as follows:
A method of determining that a file received by a computing device comprises malicious code, the method comprising: extracting and generating raw text from the file, the generating comprising detecting an image file type in response to a user interface locking event or a change in desktop wallpaper, extracting a plurality of text images from the file, and converting the text images to raw text using optical character recognition processes; analyzing the raw text to generate a result comprising a vector set; taking protective action the protective action comprising automatically suspending a process in real-time that caused the file change event.
Leidner fails to disclose or suggest all elements of amended independent claim 1, which requires, in-part, detecting an image file type in response to a user interface locking event or a Examiner Response:  Respectfully, the Examiner does not agree with the characterization of the prior art of record by applicant representative.  For example, applicant asserts Leidner does not teach taking a protective action if the score exceeds a threshold but at [0114] Leidner clearly discloses application of a risk-based threshold parameter.  The Examiner deems application of a threshold parameter a security protection action. New Claims 21-23Applicant Asserts: Leidner fails to disclose or suggest all elements of amended independent claim 1, which requires, in-part, detecting an image file type in response to a user interface locking event or a change in desktop wallpaper. Leidner also fails to disclose taking protective action ... the protective action comprising automatically suspending a process in real-time that caused the file change event. (Emphasis added).

Examiner Response:  The Examiner does not find support for claims 21-23 in the as filed specification.  The response as provided above in the Remarks section apply here.
It appears the amended portion of the claims is more supported at location [0026] of the instant specification.  The Examiner finds clarity in the cited section [0026] regarding the claimed ‘file type’ Amended claim 1 identifies the file type, then identifies the file and extracts data from the file.  Unlike the as filed specification at [0026] there is no linking between the identification of the file type and extraction of data from “the file” in the amended claims 1, 9, and 17.  It is for at 

AFCP 2.0 SearchAn abbreviated search was conducted based on the amended claims 1, 9, and 17.  Although the cited as filed specification does not support the amendments the Examiner finds additional prior art that applicant is urged to consider in the course of prosecuting this application before the Office.

Yang et al, US 20160321453 A1 illustrates a Figure 2 and discloses at least at location [0066] With reference to FIG. 2, the device comprises a file acquiring unit 201, a decompiling unit 202, an extracting unit 203, and a detecting unit 204. [0067] Wherein: [0068] the file acquiring unit 201 configured to acquire a virtual machine executable file of an application from an application layer of an intelligent terminal operating system; [0069] a decompiling unit 202 configured to decompile the virtual machine executable file to obtain a decompiled function information structure; [0070] an extracting unit 203 configured to parse the decompiled function information structure to extract a function calling sequence in the decompiled function information structure.

Poret al, US 20150135262 A1 illustrates a Figure 5 and discloses at least at location [0097] a flowchart of a process of detecting and/or preventing malwares based on scores of events, processes, host activities and/or environment activities.
/WILLIAM B JONES/Examiner, Art Unit 2491