Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Attorney/Agent Narendra Thappeta, on 09/27/2021.


CLAIMS:

The application claims 15-19 are newly added below.

The application claims 1, 8 and 14 are amended as follows:
Referring to claim 1: Please replace claim 1 as follows:
Claim 1 (Currently Amended): A method of detecting malware in data streams, said method comprising:
identifying a malware sub-pattern that is likely to occur at low frequencies in clean data streams known to be free from malware, said malware sub-pattern being a portion of a malware signature which is designed for investigating existence of a first malware in data streams;
 identified from among said clean data streams;
based on said checking, if there is no match with any portion of said data stream, concluding that said data stream is free of said first malware; and
based on said checking, if there is a match with a first portion of said data stream, further examining said data stream around said first portion for said malware signature, wherein said data stream is concluded to contain said first malware if said data stream around said first portion is found to match said malware signature.

Referring to claim 8: Please replace claim 8 as follows:
	Claim 8 (Currently Amended): A non-transitory machine readable medium storing one or more sequences of instructions for detecting malware in data streams, wherein execution of the one or more instructions by one or more processors contained in a digital system enables the digital system to perform the actions of:
	receiving a malware sub-pattern that is likely to occur at low frequencies in clean data streams known to be free from malware, said malware sub-pattern being a portion of a malware signature which is designed for investigating existence of a first malware in data streams;
	checking whether each portion of a data stream of interest matches said malware sub-pattern identified from among said clean data streams;
	based on said checking, if there is no match with any portion of said data stream, concluding that said data stream is free of said first malware; and
	based on said checking, if there is a match with a first portion of said data stream, further examining said data stream around said first portion for said malware signature, 

Referring to claim 14: Please replace claim 14 as follows:
Claim 14 (Currently Amended): A central server comprising:
	at least one memory unit to store instructions; and
	at least one processor to execute the instructions to cause said central server to perform the actions of:
	identifying a plurality of malware sub-patterns, wherein each of the plurality of malware sub-patterns is likely to occur at low frequencies in clean data streams known to be free from malware, said each of the plurality of malware sub-patterns being a portion of a  designed for investigating existence of a first malware in data streams
sending said plurality of malware sub-patterns to a client system,  
wherein said client system comprising corresponding memory and a corresponding processor is configured to execute instructions stored in said corresponding memory to cause the client system to perform the actions of:
receiving said plurality of malware sub-patterns from said central server;
checking whether each portion of a data stream of interest matches one or more of said plurality of malware sub-patterns identified from among said clean data streams;
based on said checking, if there is no match with any portion of said data stream, concluding that said data stream is free of said first malware; and
based on said checking, if there is a match with a first portion of said data stream, further examining said data stream around said first portion for said malware signature,
wherein said data stream is concluded to contain said first malware if said data stream around said first portion is found to match said malware signature.

Claims 15-19 are newly added as follows:
Claim 15 (New): The central server of claim 14, wherein said malware sub-pattern is a malware sub-sequence, wherein said identifying comprises:
determining respective frequencies of occurrences of clean sequences in a plurality of clean streams; and
selecting as said malware sub-sequence a portion of said malware signature matching a clean sequence with a low frequency.

Claim 16 (New): The central server of claim 15, wherein said data stream of interest is scanned for existence of a plurality of malwares, 
wherein a respective malware signature of a plurality of malware signatures is designed for investigating existence of corresponding one of said plurality of malwares,
wherein each of plurality of malware signatures is identified with a respective malware sub-sequence of a plurality of malware sub-sequences,
wherein said identifying, said checking, said concluding and said examining are performed for each malware signature of said plurality of malware signatures.

Claim 17 (New): The central server of claim 16, further comprising clustering all of said plurality of malware signatures identified with the same malware sub-sequence, wherein a first set of malware signatures are clustered with a first malware sub-sequence,
if said first malware sub-sequence does not match said first portion of said data stream in said checking, said first portion is concluded to be free of all of said first set of malware signatures; and
if said first malware sub-sequence matches said first portion of said data stream in said checking, all of first set of malware signatures are examined around said first malware sub-sequence in said data stream for a match.

Claim 18 (New): The central server of claim 17, wherein said plurality of malware sub-sequences are stored in the form of a multi-level hash, with one part of each malware sub-sequence constituting a first level of hash and another part of each malware sub-sequence constituting a second level of hash,
wherein each set of malware signatures are stored associated with the second level of hash.

Claim 19 (New): The central server of claim 14, wherein said malware signature comprises a wildcard character, wherein said malware sub-sequence is identified from the remaining portion of the malware signature not containing said wildcard character,
wherein said wildcard character is examined only when there is a match of said malware sub-sequence with said first portion.
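
The scheme recited in claims 15-19, as an added illustration that is not part of the Office action or the application: sub-sequences are chosen by their rarity in clean streams, signatures sharing a sub-sequence are clustered in a two-level hash, and wildcards are examined only after a sub-sequence match. The 4-byte sub-sequence length, the 2+2 byte split between hash levels, the hex signature format, the sample data and all function names are assumptions, and the server and client roles are collapsed into one process.

```python
from collections import Counter, defaultdict

N = 4  # assumed sub-sequence length; bytes 0-1 key level one, bytes 2-3 level two

# Constructed sample data: clean streams and hex signatures ("??" = wildcard byte).
CLEAN = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"]
SIGNATURES = {"Sample.A": "48 54 54 50 2f ?? 2e ?? de ad be ef",
              "Sample.B": "de ad be ef ?? 13 37 c0 de"}

def parse(text):
    return [None if t == "??" else int(t, 16) for t in text.split()]

def clean_counts(streams):
    """Frequency of every N-byte sequence in the clean streams."""
    counts = Counter()
    for s in streams:
        counts.update(s[i:i + N] for i in range(len(s) - N + 1))
    return counts

def pick_subsequence(sig, counts):
    """(offset, bytes) of the wildcard-free window that is rarest in clean data."""
    windows = [(counts[bytes(sig[i:i + N])], i)
               for i in range(len(sig) - N + 1) if None not in sig[i:i + N]]
    if not windows:
        raise ValueError("signature has no wildcard-free window of N bytes")
    off = min(windows)[1]
    return off, bytes(sig[off:off + N])

def build_index(signatures, counts):
    """Two-level hash; signatures sharing a sub-sequence are clustered together."""
    index = defaultdict(lambda: defaultdict(list))
    for name, text in signatures.items():
        sig = parse(text)
        off, sub = pick_subsequence(sig, counts)
        index[sub[:2]][sub[2:]].append((name, sig, off))
    return index

def scan(stream, index):
    """Names of signatures found; full match is tried only after a prefilter hit."""
    hits = set()
    for i in range(len(stream) - N + 1):
        cluster = index.get(stream[i:i + 2], {}).get(stream[i + 2:i + N], ())
        for name, sig, off in cluster:
            start = i - off
            window = stream[start:start + len(sig)] if start >= 0 else b""
            # Wildcard positions (None) are examined only here, after the hit.
            if len(window) == len(sig) and all(
                    p is None or p == b for p, b in zip(sig, window)):
                hits.add(name)
    return hits

INDEX = build_index(SIGNATURES, clean_counts(CLEAN))
```
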


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH M JHAVERI whose telephone number is (571)270-7584.  The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFREY PWU can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433