DETAILED ACTION
Claims 1-27 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 06/27/2019 and 10/23/2019 have been acknowledged and considered by the examiner.

Claim Interpretation
Regarding claims 5, 6, 9, 16, 17, 20, 24 and 25, the claims recite alternative language, i.e. using the term “or”, “one of”, and “at least one of”, and as such, the Examiner interprets certain features to not be required due to the claim language listing the features in the alternative.  The rejection below specifies the particular limitations. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 6-14 and 17-22 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U.S. 2014/0237597 A1) in view of Sawhney et al. (U.S. 2018/0300480 A1).
Regarding claims 1 and 12, Zhang discloses a computer-implemented method for detecting obfuscated code in electronic messages, the computer-implemented method comprising:

determining a file type of the attachment (PDF file) (see Zhang; paragraph 0026; Zhang discloses making a determination based on the content of information received, such as a PDF file included as the attachment.  Therefore, a determination is made on the file type in order to know it is a PDF file);
extracting one or more scripts from the attachment (PDF file) (see Zhang; paragraphs 0033 and 0045; Zhang discloses a script scan engine to scan portions of the PDF file and to extract script stream data embedded in the PDF file).
While Zhang discloses “receiving…an attachment”, such as a PDF, and “extracting one or more scripts from the attachment”, as discussed above, Zhang does not explicitly disclose computing a distance measure between selected one or more features of the extracted one or more scripts and corresponding one or more selected features of scripts of a model corpus of non-obfuscated script files; comparing the computed distance measure with a threshold; when the computed distance measure is at least as great as the threshold, determining that the extracted one or more scripts comprises obfuscated code and taking a defensive action with respect to at least the attachment; and when the computed distance measure is less than the threshold, determining that the extracted one or more scripts does not comprise obfuscated code.
In analogous art, Sawhney discloses computing a distance measure (tree edit distance) between selected one or more features of the extracted one or more scripts and corresponding one or more selected features of scripts of a model corpus of non-obfuscated script files (benign scripts) (see Sawhney; paragraphs 0010, 0030, 0032, 0035 and 0048; Sawhney discloses 
comparing the computed distance measure (tree edit distance) with a threshold (see Sawhney; paragraph 0048; Sawhney discloses a match may be some threshold of a predetermined tree edit distance); 
when the computed distance measure (tree edit distance) is at least as great as the threshold, determining that the extracted one or more scripts comprises obfuscated code (script is malicious) and taking a defensive action (e.g. blocking) with respect to at least the attachment (PDF) (see Sawhney; paragraphs 0019, 0048, 0054 and 0055; Sawhney discloses scripts being embedded in a PDF.  If there is not a match within the tree edit distance the script is classified as malicious and the policy is configured to block the malicious behavior.  The script can be in the context of email.  Further, a notification may be sent and the script is not allowed to run); and 
when the computed distance measure (tree edit distance) is less than (within) the threshold, determining that the extracted one or more scripts does not comprise obfuscated code (script is benign and not malicious) (see Sawhney; paragraph 0048; Sawhney discloses if there is a match within the predetermined tree edit distance threshold, then the script is classified as benign).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sawhney’s matching within a tree edit distance into the system of Zhang in order to provide the benefit of detecting malware by measuring the similarity of the PDF script with benign, non-malicious, scripts.
Further, Zhang discloses the additional limitations of claim 12, at least one processor; at least one data storage device coupled to the at least one processor; and a network interface coupled to the at least one processor and to a computer network (see Zhang; paragraph 0016; Zhang discloses a processor and memory).
Regarding claims 2 and 13, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses applying a whitelist of known, non-obfuscated scripts (scripts are benign) against the extracted one or more scripts and computing the distance measure only on those extracted scripts, if any, having no counterpart in the whitelist (see Sawhney; paragraphs 0021, 0048 and 0055; Sawhney discloses whitelisting the benign scripts.  And using the tree edit distance for comparison between the unclassified scripts and the generalized benign scripts).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12.
Regarding claims 3 and 14, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses 
Regarding claims 6 and 17, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses wherein the one or more features comprise at least one of variable names (see Sawhney; paragraph 0042; Sawhney discloses string name), function names (see Sawhney; paragraph 0037; Sawhney discloses features extracted such as a particular function call.  As such, a function name). (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “variable name” and “function name” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12.
Regarding claims 7 and 18, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses wherein the one or more features comprise alphanumeric characters in the extracted one or more scripts (see Sawhney; paragraph 0042; Sawhney discloses string names; and Zhang; paragraph 0059; Zhang discloses a data string in the script consisting of numbers and letters).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12. 
Regarding claims 8 and 19, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses wherein the one or more features comprise special characters in the extracted one or more scripts 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12. 
Regarding claims 9 and 20, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses wherein the defensive action includes at least one of delivering the received electronic message to a predetermined folder, deleting the electronic message and/or its attachment (see Sawhney; paragraph 0048; Sawhney discloses blocking the malicious script; and Zhang; paragraph 0026; Zhang discloses discarding the PDF file), applying additional analysis to the received electronic message and delivering a sanitized version of the attachment, without the obfuscated code, to an end user. (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “deleting the electronic message and/or its attachment” alternative).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12. 
Regarding claims 10 and 21, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses performed at least in part by a Message Transfer Agent (MTA) (see Zhang; paragraphs 0022 and 0028; Zhang discloses a server is configured to pass information back and forth to the client.  The server provides email service, as such, the server acts as a message transfer agent.  Further, a trusted source that may be external or internal is used to detect malicious PDF files and importing from the source). 
Regarding claims 11 and 22, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and further the combination of Zhang and Sawhney discloses wherein when the extracted one or more scripts is determined to not comprise obfuscated code (script is malicious) (see Sawhney; paragraph 0055; Sawhney discloses once determined to be benign the script engine of the web browser is configured to load, compile, and/or run script code that is retrieved), the method further comprises forwarding the electronic message and the attachment to an end user (see Zhang; paragraphs 0022 and 0038; Zhang discloses client receiving messages, such as emails, from server.  A PDF file, i.e. within the email, that did not require de-obfuscation, and as such, the scripts were not obfuscated. And the user of client will receive the email).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 12. 

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U.S. 2014/0237597 A1) in view of Sawhney et al. (U.S. 2018/0300480 A1), as applied to claims 1 and 12 above, and further in view of Stahlberg (U.S. 2011/0041179 A1) (Applicant submitted prior art, see IDS filed 10/23/2019).
Regarding claims 4 and 15, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above, and while the combination of Zhang and Sawhney discloses a computed distance of the extracted scripts, as discussed above, the combination of Zhang and Sawhney does not explicitly disclose computing a probability distribution of the one or more features of the extracted one or more scripts and wherein the computed distance measure comprises a computed distance between the computed probability distribution of the one or more 
In analogous art, Stahlberg discloses computing a probability distribution of the one or more features of the extracted one or more scripts and wherein the computed distance measure comprises a computed distance between the computed probability distribution of the one or more features of the extracted one or more scripts and a previously-computed probability distribution of the corresponding one or more selected features of the scripts of a model corpus of non-obfuscated script files (see Stahlberg; paragraphs 0029, 0046, 0097, 0101, 0102 and 0107; Stahlberg discloses measuring the difference between each of the extracted bytestrings and bytestrings previously identified.  Those extracted bytestrings remaining after any filtering, i.e. based on features, has been performed can then be used, together with their associated metadata, to develop the heuristic malware detection logic.  A probability function and probabilistic data structure is used.  Further, it is disclosed the method used for bytestrings can also be used for scripts, such as to detect script malware).
One of ordinary skill in the art would have been motivated to combine Zhang, Sawhney and Stahlberg because they all disclose features of malware detection, and as such, are within the same environment. 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Stahlberg’s difference measuring into the combined system of Zhang and Sawhney in order to provide the benefit of enhanced filtering when detecting malware. 

Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U.S. 2014/0237597 A1) in view of Sawhney et al. (U.S. 2018/0300480 A1), as applied to claims 1 and 12 above, and further in view of Hittel (U.S. 2018/0048658 A1).
Regarding claims 5 and 16, Zhang and Sawhney disclose all the limitations of claims 1 and 12, as discussed above. The combination of Zhang and Sawhney does not explicitly disclose wherein the computed distance is one of a Jensen-Shannon distance and a Wasserstein distance.
In analogous art, Hittel discloses wherein the computed distance (similarity measure) is one of a Jensen-Shannon distance (see Hittel; paragraphs 0084 and 0085; Hittel discloses similarity measures, such as Jensen-Shannon divergence, used by the classification engine to determine whether strings in extracted content match one of the applicable content inspection rules) and a Wasserstein distance (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “Jensen-Shannon” alternative).
One of ordinary skill in the art would have been motivated to combine Zhang, Sawhney and Hittel because they all disclose features of malware detection, and as such, are within the same environment. 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Hittel’s similarity measures into the combined system of Zhang and Sawhney in order to provide the benefit of scalability by allowing a specific type of edit distance between strings to be determined and thus enhancing the malware detection.

Claims 23-27 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U.S. 2014/0237597 A1) in view of Sawhney et al. (U.S. 2018/0300480 A1) and Stahlberg (U.S. 2011/0041179 A1) (Applicant submitted prior art, see IDS filed 10/23/2019) and further in view of Hittel (U.S. 2018/0048658 A1).
Regarding claim 23, Zhang discloses a computer-implemented method of detecting obfuscated code in electronic messages, the computer-implemented method comprising:
receiving, over a computer network, an electronic message comprising an attachment (PDF file) (see Zhang; paragraphs 0018, 0022 and Figure 1; Zhang discloses a PDF file being received as an email attachment, in which an email service is provided over a network);
determining a file type of the attachment (PDF file) (see Zhang; paragraph 0026; Zhang discloses making a determination based on the content of information received, such as a PDF file included as the attachment.  Therefore, a determination is made on the file type in order to know it is a PDF file);
extracting one or more scripts from the attachment (PDF file) (see Zhang; paragraphs 0033 and 0045; Zhang discloses a script scan engine to scan portions of the PDF file and to extract script stream data embedded in the PDF file);
determining a scripting language (JavaScript) of any remaining extracted scripts having no counterpart in the whitelist (see Zhang; paragraphs 0024, 0033 and 0059; Zhang discloses the PDF file detected to include JavaScript, as well as, using a white list).
While Zhang discloses “receiving…an attachment”, such as a PDF, “extracting one or more scripts from the attachment” and a “whitelist”, as discussed above, Zhang does not explicitly disclose applying a whitelist of known, non-obfuscated scripts against the extracted one or more scripts; computing a distance between selected features of the scripts and one or more corresponding features of scripts of a model corpus of non-obfuscated script files; comparing the computed distance with a threshold; when the computed distance is at least as great as the threshold, determining that the scripts comprises obfuscated code, taking a defensive 
In analogous art, Sawhney discloses applying a whitelist of known, non-obfuscated scripts (scripts are benign) against the extracted one or more scripts (see Sawhney; paragraphs 0021, 0048 and 0055; Sawhney discloses whitelisting the benign scripts.  And using the tree edit distance for comparison between the unclassified scripts and the generalized benign scripts);
computing a distance (tree edit distance) between selected features of the scripts and one or more corresponding features of scripts of a model corpus of non-obfuscated script files (benign scripts) (see Sawhney; paragraphs 0010, 0030, 0032, 0035 and 0048; Sawhney discloses extracting benign scripts and structural features from the scripts to build a plurality of generalized abstract syntax trees, i.e. ASTs, using the benign scripts.  An anti-malware policy can interact with a script engine to inspect unclassified script code that is received to determine if the script code is associated with malware or is benign.  The anti-malware policy utilizes a corpus with a specific subset of the benign scripts.  In particular, it compares the structure of the unclassified script to the generalized ASTs, which include features from the subset of benign scripts to determine a match of a tree edit distance); 
comparing the computed distance (tree edit distance) with a threshold (see Sawhney; paragraph 0048; Sawhney discloses a match may be some threshold of a predetermined tree edit distance);
when the computed distance (tree edit distance) is at least as great as the threshold, determining that the scripts comprises obfuscated code (script is malicious), taking a defensive action (e.g. blocking) with respect to at least the attachment (PDF) (see Sawhney; paragraphs 0019, 0048, 0054 and 0055; Sawhney discloses scripts being embedded in a PDF.  If there is not 
when the computed distance (tree edit distance) is less than (within) the threshold, determining that the scripts does not comprise obfuscated code (script is benign and not malicious) (see Sawhney; paragraph 0048; Sawhney discloses if there is a match within the predetermined tree edit distance threshold, then the script is classified as benign).
One of ordinary skill in the art would have been motivated to combine Zhang and Sawhney because they both disclose features of malware detection, and as such, are within the same environment. 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sawhney’s matching within a tree edit distance into the system of Zhang in order to provide the benefit of detecting malware by measuring the similarity of the PDF script with benign, non-malicious, scripts.
While Zhang and Sawhney disclose extracting scripts and comparing with a threshold, as discussed above, the combination of Zhang and Sawhney does not explicitly disclose computing a probability distribution of character unigrams of one or more selected features of the remaining extracted script or scripts; computing a distance between the computed probability distribution of character unigrams of one or more selected features of the remaining script or scripts and a probability distribution of character unigrams of one or more corresponding features of scripts of a model corpus of non-obfuscated script files.
In analogous art, Stahlberg discloses computing a probability distribution of one or more selected features of the remaining extracted script or scripts (see Stahlberg; paragraphs 0029, 
computing a distance between the computed probability distribution of one or more selected features of the remaining script or scripts and a probability distribution of one or more corresponding features of scripts of a model corpus of non-obfuscated script files (see Stahlberg; paragraphs 0029, 0046, 0067, 0093, 0101, 0102 and 0107; Stahlberg discloses measuring the difference between, i.e. “distance between”, each extracted bytestrings, i.e. “scripts”, and bytestrings that have been previously identified, i.e. “model corpus of scripts”.  The bytestrings are differentiated by determination between malware code and “clean” code, i.e. “features” compared.  A math model is used to determine how close, i.e. distance, to a clean target.  Human-readable strings may be obfuscated as the malware code.  A white list, i.e. “non-obfuscated script files”, of bytestrings that are not of interest for detecting the malware is provided.  A probability function and probabilistic data structure is used.  Further, it is disclosed the method used for bytestrings can also be used for scripts, such as to detect script malware);
One of ordinary skill in the art would have been motivated to combine Zhang, Sawhney and Stahlberg because they all disclose features of malware detection, and as such, are within the same environment. 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Stahlberg’s difference measuring 
While Zhang, Sawhney and Stahlberg disclose extracting scripts, comparing with a threshold and computing a distance between probability distributions, as discussed above, the combination of Zhang, Sawhney and Stahlberg does not explicitly disclose character unigrams.
In analogous art, Hittel discloses character unigrams (see Hittel; paragraphs 0083 and 0084; Hittel discloses comparing the extracted content with the arguments defined in the applicable standard search pattern or the custom search pattern by using a plurality of similarity measures.  One example of similarity measure is unigram overlap. The baseline unigram approach considers two strings to be similar if they have higher Jaccard similarity than a threshold).
One of ordinary skill in the art would have been motivated to combine Zhang, Sawhney, Stahlberg and Hittel because they all disclose features of malware detection, and as such, are within the same environment. 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Hittel’s similarity measures into the combined system of Zhang, Sawhney and Stahlberg in order to provide the benefit of scalability by allowing a similarity measure between strings to be determined and thus enhancing the malware detection.
Regarding claim 24, Zhang, Sawhney, Stahlberg and Hittel disclose all the limitations of claim 23, as discussed above, and further the combination of Zhang, Sawhney, Stahlberg and Hittel discloses wherein the computed distance is one of a Jensen-Shannon distance (see Hittel; Jensen-Shannon” alternative).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 23.
Regarding claim 25, Zhang, Sawhney, Stahlberg and Hittel disclose all the limitations of claim 23, as discussed above, and further the combination of Zhang, Sawhney, Stahlberg and Hittel discloses wherein the character unigrams comprise characters of at least one of variable names (see Hittel; paragraphs 0066, 0084 and 208), function names and comments in the extracted one or more scripts. (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “variable name” alternative).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 23.
Regarding claim 26, Zhang, Sawhney, Stahlberg and Hittel disclose all the limitations of claim 23, as discussed above, and further the combination of Zhang, Sawhney, Stahlberg and Hittel discloses wherein the character unigrams comprise alphanumeric characters in the extracted one or more scripts (see Hittel; paragraphs 0071 and 0084; Hittel discloses string fields with corresponding values, such as numbers, arrays and objects, i.e. alphanumeric characters. The unigram overlap is used against strings).

Regarding claim 27, Zhang, Sawhney, Stahlberg and Hittel disclose all the limitations of claim 23, as discussed above, and further the combination of Zhang, Sawhney, Stahlberg and Hittel discloses wherein the character unigrams comprise special characters in the extracted one or more scripts (see Hittel; paragraphs 0071 and 0084; Hittel discloses string fields with corresponding values, such as numbers, arrays and objects, i.e. special characters. The unigram overlap is used against strings).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 23.
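
The character-unigram comparison recited for claims 23-27 (a unigram probability distribution over identifier names, a Jensen-Shannon distance to a model corpus, and a threshold test) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the regex-based identifier extraction, the three-script model corpus, both sample scripts and the 0.6 threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Remove comments and string literals first (simplified; this is not a JavaScript parser).
STRIP_RE = re.compile(r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""", re.DOTALL)
# An identifier must not be preceded by an identifier character, so "x1f" in "0x1f" is skipped.
IDENT_RE = re.compile(r"(?<![A-Za-z0-9_$])[A-Za-z_$][A-Za-z0-9_$]*")
KEYWORDS = {"function", "var", "let", "const", "if", "else", "for", "while",
            "return", "new", "this", "typeof", "true", "false", "null"}

def identifiers(script):
    """Variable and function names used in a script (the selected feature)."""
    code = STRIP_RE.sub(" ", script)
    return [tok for tok in IDENT_RE.findall(code) if tok not in KEYWORDS]

def unigram_distribution(scripts):
    """Probability of each character across all identifier names in the scripts."""
    counts = Counter(ch for s in scripts for name in identifiers(s) for ch in name)
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()} if total else {}

def jensen_shannon_distance(p, q):
    """Square root of the base-2 Jensen-Shannon divergence; always within [0, 1]."""
    support = set(p) | set(q)
    mix = {c: 0.5 * (p.get(c, 0.0) + q.get(c, 0.0)) for c in support}
    def kl(dist):
        return sum(v * math.log2(v / mix[c]) for c, v in dist.items() if v > 0)
    return math.sqrt(max(0.0, 0.5 * kl(p) + 0.5 * kl(q)))

# Constructed model corpus of non-obfuscated scripts (assumption, for illustration only).
MODEL_CORPUS = [
    'function validateForm(field) { var total = field.value.length; '
    'if (total > 10) { app.alert("too long"); } return total; }',
    'function updateTotal(price, quantity) { var result = price * quantity; '
    'this.getField("total").value = result; return result; }',
    'function formatDate(date) { var month = date.getMonth(); '
    'var year = date.getFullYear(); return month + "/" + year; }',
]
MODEL_DIST = unigram_distribution(MODEL_CORPUS)  # the previously computed distribution
THRESHOLD = 0.6  # constructed value; a deployment would tune it on labelled data

def classify(script, model=MODEL_DIST, threshold=THRESHOLD):
    """Return (distance, verdict); at or above the threshold counts as obfuscated."""
    dist = unigram_distribution([script])
    if not dist:
        # No identifiers were extracted, so no distribution exists to compare.
        return None, "no-features"
    d = jensen_shannon_distance(dist, model)
    return d, ("obfuscated" if d >= threshold else "clean")

# Constructed samples: ordinary naming versus hex-style generated names.
BENIGN_SAMPLE = "function calculateTax(amount, rate) { var tax = amount * rate; return tax; }"
OBFUSCATED_SAMPLE = ("var _0x3f2a = _0x91bc(0x1f); function _0x91bc(_0x4d7e) "
                     "{ var _0x00f1 = _0x4d7e ^ 0x5a; return _0x00f1; }")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        distance, verdict = classify(sample)
        print(f"{label:10s} distance={distance:.3f} verdict={verdict}")
```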

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Yu (U.S. 2005/0262210 A1) discloses edit distance is used in obfuscation index calculations.
Steele (U.S. 2005/0289221 A1) discloses restricting access to email attachments.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.A.C/Examiner, Art Unit 2443
11/18/2021

/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2443