DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 19 October 2021 has been received and considered.
Claims 1-3, 5-10, 12-17, and 19-21 are pending.
This Action is Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 20 August 2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Richard et al. (US 20130145471) in view of Morkovsky (US 20170085585), and further in view of Kailash et al. (US 20180124070).
As per claims 1, 8, and 15, Richard et al. discloses a system, medium, and method for detecting malicious files based on data fragments, the method comprising: extracting data fragments from a file (see paragraph [0049] obtaining the portions of the files to be compared to patterns); 
for data fragments extracted from the file, determining a category, wherein the category is selected from a list of categories that includes at least: trusted, malicious, and untrusted (see paragraphs [0050]-[0053] where the fragments are categorized as low, i.e. trusted, medium, i.e. untrusted, or high i.e. malicious); 
when a number of data fragments of the file categorized as being malicious is below a predetermined threshold, avoiding categorization of the file as malicious (see paragraphs [0026] and [0050]-[0053] where the number of fragments in each category determine its overall categorization); and 
when a number of data fragments of the file categorized as being malicious reaches or exceeds the predetermined threshold, determining whether at least one malicious file detection rule having criteria for detecting a malicious file is found; when at least one malicious file detection rule whose criteria is met is found, categorizing the file as a malicious file; and when no malicious file detection rule whose criteria is met is found, avoiding categorization of the file as a malicious file (see paragraphs [0050]-[0055] where a determination as to whether the fragments reaches or exceeds a threshold indicates the file is malicious).
While Richard et al. teaches the comparison of fragments of a file to different patterns, there lacks an explicit teaching of categorizing each fragment of the file, the category of the data fragment is determined by searching in a database of data fragments, the database comprising at least one of: a list 
However, Morkovsky teaches fragmenting and analyzing each fragment of a file as part of malware detection (see paragraphs [0006] and [0035]-[0040]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to categorize each fragment of the file in the Richard et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to use all the information within the file to make the determination thereby reducing the number of miscategorizations.
The modified Richard et al. and Morkovsky et al. system discloses when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database (see Richard et al. paragraphs [0019]-[0021] and [0050]-[0053]), but fails to explicitly disclose when the search in the database is unsuccessful, the category of the data fragment is determined as being untrusted, and when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database.
However, Kailash et al. teaches when the search in the database is unsuccessful, the category of the data fragment is determined as being untrusted, and when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database (see paragraphs [0045]-[0046] where the 
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to use the database search of Kailash et al. in the modified Richard et al. and Morkovsky system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to have the ability to categorize every type of result from the database.
As per claims 2, 9, and 16, the modified Richard et al., Morkovsky, and Kailash et al. system discloses when all of the data fragments of the file are categorized as being trusted, categorizing the file as being a trusted file (see Richard et al. paragraphs [0050]-[0053] where when all the fragments are below the threshold the result would be a categorization of a trusted file).
As per claims 3, 10, and 17, the modified Richard et al., Morkovsky, and Kailash et al. system discloses a given byte sequence coincides with the data fragment, when during a comparison of the data fragment with the given byte sequence, the substitute character coincides with any value (see Richard et al. paragraphs [0050]-[0053] where the patterns are used to determine the categorization and paragraphs [0019]-[0021] where the patterns are from a database).
As per claims 5, 12, and 19, the modified Richard et al., Morkovsky, and Kailash et al. system the at least one malicious file detection rule includes: a malicious file detection rule for detecting the file as being malicious when the number of data fragments of the file categorized as being malicious reaches or exceeds the predetermined threshold, the predetermined threshold being expressed either as a percentage of the data fragments of the file being detected as being malicious or as a number of data fragments of the file being detected as malicious (see Richard et al. paragraphs [0026] and [0050]-[0053]).
.

Response to Arguments
Applicant's arguments filed 19 October 2021 have been fully considered but they are not persuasive.  Applicant argues that Kailash et al. cannot teach the limitations of, for example claim 4 now incorporated into claim 1, because Kailash does not teach searching a database of file fragments.
It is first noted that Kailash et al. alone was not relied upon for teaching this subject matter; one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  As put forth above, Richard et al. explicitly teaches the use of a database of data fragments which identifies malicious categorization of the fragments (see paragraphs [0019]-[0021] and [0050]-[0053] where the matching of patterns requires a search of the database to find whether the patterns match or not).  Kailash et al. was merely relied upon to show the obviousness of providing different categorizations based on the results of searching the database (see paragraphs [0045]-[0046] where the content is identified as either trusted or untrusted, i.e. malicious if the signature is found, or unknown, i.e. untrusted, if the signature is not found).  When in combination with Richard et al. and Morkovsky et al. as put forth above, the search of Kailash et al. would be .
 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the references put forth on the PTO-892 form are directed to detecting malicious files by searching data fragments in a database.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/Michael Pyzocha/               Primary Examiner, Art Unit 2419