DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 6-9, 14-15 and 20-31 have been examined. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/30/2021 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/02/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Claims 1, 9 and 15 have been amended.
Applicant’s arguments with respect to claim(s) 1, 9 and 15 regarding the new limitations: “determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 6-9, 14-15 and 20-31 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3-10 and 12-20 of copending Application No. 16/246955 in view of US 20180351969 to MacLeod et al (hereinafter MacLeod). 
Instant application
Copending Application No. 16/246955
1. (Currently Amended) A method, comprising: 




parsing, by a processor, a graphics file to determine a location of a graphics file signature in the graphics file; 










determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature; and 
in response to the determining that there is embedded data after the graphics file signature, removing, by the processor, the embedded data from the graphics file.
1. (Currently Amended) A method to improve detection of steganography data embedded in a portable network graphics file, the method comprising: 
detecting, by a hardware processor, the portable network graphics file; 
parsing the portable network graphics file to determine whether first eight bytes of the portable network graphics file in a header of the portable network graphics file is a portable network graphics signature; 
in response to determining in response to determining that the first eight bytes of the header of the portable network graphics file is not the portable network graphics signature, determining a location of the portable network graphics signature; and 
if there is embedded data before the location the portable network graphics signature, 


then removing the embedded data from the portable network graphics file, and 


subsequent to the removing of the embedded data from the portable network graphics file, setting a flag to indicate that the embedded data in the portable network graphics file has been removed


Co-pending application 16/246955 teaches determining if there is embedded data before the location of the graphics file signature but does not teach determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature. However, MacLeod teaches: 
determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature (MacLeod: [0119] In one embodiment, the location of IMAGE SECTION HEADER is determined using the size of the IMAGE_NT_HEADERS32. For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file, i.e., it is determined that there is embedded data at the end of the file which is a location that is after the location at which the file signature is located. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of MacLeod in the invention of Co-pending application 16/246955 to include the above limitations. The motivation to do so would be to provide real-time detection of and protection from steganography in a kernel mode (MacLeod: [0028]).

Instant application
Co-pending application 16/246955
7. (Previously Presented) The method of claim 1, further comprising determining, by a processor, to scan the graphics file for potential steganographic content, wherein the determining includes determining whether at least one of a plurality of steganographic criteria is satisfied.

8. (Currently Amended) The method of claim 7, wherein the plurality of steganographic criteria includes at least one of: a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been downloaded; 

a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been replicated; 




a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been backed up; or 




a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been restored.
5. (Original) The method of claim 4, wherein the determining whether to analyze the portable network graphics file for potential steganography includes determining whether at least one of a plurality of stenograhic criteria is satisfied.


6. (Original) The method of claim 5, wherein one of the stenographic criteria is satisfied when a field associated with the portable network graphics file indicates that the portable network graphics file has been modified after the portable network graphics file has been downloaded.
8. (Original) The method of claim 5, wherein one of the stenographic criteria is satisfied when a field associated with the portable network graphics file indicates that the portable network graphics file has been modified after the portable network graphics file has been replicated.
7. (Original) The method of claim 5, wherein one of the stenographic criteria is satisfied when a field associated with the portable network graphics file indicates that the portable network graphics file has been modified after the portable network graphics file has been backed up.
9. (Original) The method of claim 5, wherein one of the stenographic criteria is satisfied when a field associated with the portable network graphics file indicates that the portable network graphics file has been modified after the portable network graphics file has been restored.


Similarly, the rest of the independent and dependent claims of the instant application are analogous to the rest of the independent and dependent claims of the co-pending application 16/246955.
This is a provisional nonstatutory double patenting rejection.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 7, 9, 15, 24 and 28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by applicant provided prior art US 20180351969 to MacLeod et al (hereinafter MacLeod).
As per claims 1, 9 and 15, MacLeod teaches:
A method, comprising: 
parsing, by a processor, a graphics file to determine a location of a graphics file signature in the graphics file (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. [0058]: The malware analytics module 140 may retrieve a magic number from the header. Typically, the magic number is a short sequence of bytes (e.g., 4 bytes long) placed at the beginning of the file. For example, for a portable executable (PE) file, the hex signature may be "4D 5A" and the magic number may be "MZ." The malware analytics module 140 may verify the magic number to obtain the pointer to the section header of the file. [0117]: Additional instructions may be executed to determine what format the file might be such as … GIF, JPG, PNG and so forth. Once the magic number is verified, a pointer to a section header is obtained. Since the DOS magic number is verified, the e_lfanew member may be used to create a pointer to the Windows PE header. The IMAGE_NT_HEADERS32 pointer is calculated by adding the size of the memory buffer to the e_lfanew value. The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h."); 
determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature (MacLeod: [0119] In one embodiment, the location of IMAGE SECTION HEADER is determined using the size of the IMAGE_NT_HEADERS32. For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file, i.e., it is determined that there is embedded data at the end of the file which is a location that is after the location at which the file signature is located. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted); and 
in response to the determining that there is embedded data after the graphics file signature, removing, by the processor, the embedded data from the graphics file (MacLeod: [0122]: In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. The return code indicates that data has been appended so a defined policy may be executed, such as isolate, delete or strip off the appended data. The steganography detection analytics involve performing statistical functions (entropy, Chi-Square, etc.) on the file. The analytics performed depend on the file type. If a GIF file, hidden data concealed in a ZIP file is searched for).

As per claims 7, 24 and 28, MacLeod teaches:
The method of claim 1, further comprising determining, by a processor, to scan the graphics file for potential steganographic content, wherein the determining includes determining whether at least one of a plurality of steganographic criteria is satisfied (MacLeod: [0119]: For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. Also, [0060]).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 6, 14, 20-22, 26 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod and prior art of record FILE SIGNATURES TABLE by Gary C. Kessler (hereinafter Kessler).
As per claims 6, 14 and 20, MacLeod does not teach: wherein the graphics file comprises a portable network graphics (PNG) file, and wherein the graphics files signature comprises hexadecimal values comprising "00 00 00 00 49 45 4E 44 AE 42 60 82". However, Kessler teaches: 
wherein the graphics file comprises a portable network graphics (PNG) file, and wherein the graphics files signature comprises hexadecimal values comprising "00 00 00 00 49 45 4E 44 AE 42 60 82" (Kessler: page 1: paragraph 2: Interpret the table as the magic number generally indicating the file type. Page 39: PNG Portable Network Graphics file - Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚ ...).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kessler in the invention of MacLeod to include the above limitations. All the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time of the invention (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

As per claim 21, MacLeod teaches:
The method of claim 1, wherein the step of determining, by the processor, whether there is embedded data in the graphics file after the graphics file signature comprises determining whether there is embedded data in the graphics file after a post-fix graphics file signature (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. The metadata may also be present in other areas, e.g., at the end of the file, depending on the file format or the type of data contained. [0117]: The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file.).
MacLeod does not explicitly teach a post-fix graphics file signature. However, Kessler teaches:
a post-fix graphics file signature (Kessler: page 1: paragraph 2: Interpret the table as the magic number generally indicating the file type. Page 39: PNG Portable Network Graphics file - Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚ ...).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kessler in the invention of MacLeod to include the above limitations. All the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time of the invention (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

As per claim 22, MacLeod in view of Kessler teaches:
The method of claim 21, wherein the step of determining whether there is embedded data in the graphics file after a post-fix graphics file signature comprises determining whether there is embedded data in the graphics file after a post-fix graphics file signature at an end of a body of the graphics file (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. The metadata may also be present in other areas, e.g., at the end of the file, depending on the file format or the type of data contained. [0117]: The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. Kessler: page 1: paragraph 2: Interpret the table as the magic number generally indicating the file type. Page 39: PNG Portable Network Graphics file - Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚ ...)).

As per claims 26 and 30, MacLeod teaches:
The information handling system of claim 9, wherein the step of determining whether there is embedded data in the graphics file after the graphics file signature comprises determining whether there is embedded data in the graphics file after a post-fix graphics file signature at an end of a body of the graphics file (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. The metadata may also be present in other areas, e.g., at the end of the file, depending on the file format or the type of data contained. [0117]: The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file.).
MacLeod does not teach explicitly a post-fix graphics file signature at an end of a body of the graphics file. However, Kessler teaches:
a post-fix graphics file signature at an end of a body of the graphics file (Kessler: page 1: paragraph 2: Interpret the table as the magic number generally indicating the file type. Page 39: PNG Portable Network Graphics file - Trailer: 49 45 4E 44 AE 42 60 82 (IEND®B`‚ ...).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kessler in the invention of MacLeod to include the above limitations. All the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time of the invention (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claims 8, 25 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod and prior art of record US 20180349400 to Boutnaru (hereinafter Boutnaru).
As per claims 8, 25 and 29, MacLeod does not teach the limitations of claims. However, Boutnaru teaches:
wherein the plurality of steganographic criteria includes at least one of: a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been downloaded; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been replicated; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been backed up; or a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been restored (Boutnaru: [0033]. [0039]: the file may be a file that the system has applied steganography (or multiple iterations and/or different steganography) over at some point in time. The system may check whether the file has been altered through checksums and/or hash values to determine whether the file has been altered. If the file has not been altered the system may allow the file through, otherwise the system may continue to operation 306. [0040]: At operation 306, the system may detect the steganography method used on the file. [0048] Process 300 may include operation 309, wherein the system may apply the generated obscuring algorithm of operation 308 onto the received file. The system may then allow the file modified at operation 308 through at operation 303. The modified file having sufficiently obscured the data hidden in the file by applying the obscuring methods generated at operation 308. Additionally, in some examples, the system may maintain records of files that have gone through the obscuring processes in operation 309. In some examples, the records may be a checksum and/or a hash of the file (field associated with the file). The hash could identify the file and/or ensure that the file has not changed since the last time the system applied obscuring steganography).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Boutnaru in the invention of MacLeod to include the above limitations. The motivation to do so would be to prevent hidden messages from being passed through steganography techniques by implementing a jumbling technique (Boutnaru: [0009]).

Claims 23, 27 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod and prior art of record US 20040145661 to Murakami et al (hereinafter Murakami).
As per claims 23, 27 and 31, MacLeod does not teach: determining a hash of the embedded data after removing the embedded data from the graphics file. However, Murakami teaches:  
further comprising: determining a hash of the embedded data after removing the embedded data from the graphics file (Murakami: [0156] When the public key used in tampered position detection is correct, the decryption unit 404 checks the value of check bits which form the watermark information w (when the check bits represent a Hash value of a 2D feature image, a Hash value is calculated from the 2D feature image contained in the watermark information w, and is compared with the check bits in the watermark information w to determine whether or not they match).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murakami in the invention of MacLeod to include the above limitations. The motivation to do so would be to detect the tampered position or the presence/absence of tampering from an image (Murakami: [0001]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20160283746 to Boshoff et al: A method to detect a plurality of steganography based information embedded in a multimedia file associated with an online computer environment is provided. The method may include detecting the multimedia file entering or exiting an online environment associated with a network or an organization. The method may also include comparing a stored hashed version of the detected multimedia file to the detected version of the multimedia file. The method may also include comparing a stored perceptual hashed version of the detected multimedia file to the detected version of the multimedia file based on the detected multimedia file not matching the stored hashed version of the detected multimedia file. The method may further include assigning a flag attribute to the detected multimedia file based on the detected multimedia file matching the stored perceptual hashed version of the detected multimedia file.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438