DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06 October 2021 has been entered.
By the above submission, Claims 1, 2, 11, 12, 14, 17-19, 22, and 23 have been amended.  Claim 10 has been canceled.  No new claims have been added.  Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are currently pending in the present application.

Response to Arguments

Applicant's arguments filed 06 October 2021 have been fully considered but they are not persuasive.
Regarding the rejection of Claims 1-4, 6, 7, 10-12, 14, 17-19, 22, and 23 under 35 U.S.C. 103 as unpatentable over Sun et al, US Patent Application Publication 2008/0127336, in view of Tuvell et al, US Patent Application Publication 2007/0240222, and Borthakur et al, US Patent Application Publication 2018/0324198, and with particular reference to amended independent Claim 1, Applicant argues that each of 
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.

Specification

The objection to the specification for failure to provide proper antecedent basis for the claimed subject matter is NOT withdrawn, because the amendments to the claims have raised new issues, as detailed below.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:  Claim 1 has been amended to recite “assigning a confidence indicator to the signature, [wherein] the confidence indicator [is] based on a number of samples compared and found not to indicate malware, a prevalence of component strings, and how long the first contiguous string block has been in use for malware detection”, and Claim 14 has been amended to recite a similar limitation.  Although the original disclosure describes a confidence indicator for a block or label, there is not clear antecedent basis for a confidence indicator for the signature that is based on the recited factors.  For further detail, see below regarding the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.

Claim Objections

Claims 1 and 14 are objected to because of the following informalities:  
Claim 1 ends with two periods.  One period should be deleted.
Claim 14 ends with two periods.  One period should be deleted.
Appropriate correction is required.

Claim Rejections - 35 USC § 112

The rejections of Claim 10 under 35 U.S.C. 112(a) for failure to comply with the written description requirement and under 35 U.S.C. 112(b) as indefinite are moot in light of the cancellation of the claim.  The rejections of Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 under 35 U.S.C. 112(a) and (b) are NOT withdrawn because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below, and as generally noted in the advisory action mailed 20 October 2021.

The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  
Independent Claim 1 has been amended to recite “assigning a confidence indicator to the signature, [wherein] the confidence indicator [is] based on a number of samples compared and found not to indicate malware, a prevalence of component strings, and how long the first contiguous string block has been in use for malware detection”, and independent Claim 14 has been amended to recite a similar limitation.  Although the original disclosure describes a confidence indicator for a block or label (see previous Claims 2 and 10), there is not clear written description of a confidence indicator for the signature that is based on the number of samples not indicating malware, prevalence of component strings, or how long the block has been in use for malware detection.  Further, Applicant has not pointed out where the amended claims are supported.  See MPEP § 2163.04.  Therefore, there is not clear written description of the claimed subject matter in the specification.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to 
Claim 1 recites “determining if the first contiguous string block is found in a second database containing one or more contiguous string blocks extracted from known malware” in lines 11-12.  However, this determination is not used elsewhere in the claim, which amounts to a gap in the claim.  The claim further recites “the confidence indicator based on a number of samples…” in lines 22-23.  This is grammatically unclear as to how it relates to the remainder of the claim limitation, although it appears that this may be intended to be a “wherein” clause or similar.  The above ambiguities render the claim indefinite.
Claim 2 recites “a confidence indicator” in line 2.  It is not clear whether this is intended to refer to the same confidence indicator assigned in Claim 1 or to a distinct indicator.  Claim 2 further recites “the first wildcarded contiguous string block” in lines 2-3.  Although Claim 1 recited a wildcarded contiguous string block, there is not clear antecedent basis for this block being a first block.  Claim 2 additionally recites “the confidence indicator” in line 3; however, if the indicator in line 2 is distinct from the indicator in Claim 1, then it is not clear to which indicator this is intended to refer.  Claim 2 further recites “the label” in line 3.  There is insufficient antecedent basis for this limitation in the claims.  The claim also recites “the first contiguous string block” in line 4.  It is not clear whether this refers to the first contiguous string block or the first wildcarded contiguous string block.

Claim 12 recites “a confidence indicator” in lines 2-3.  It is not clear whether this is intended to refer to the same confidence indicator assigned in Claim 1 or to a distinct indicator.  Claim 12 further recites “the label applied to the first contiguous string block” in lines 3-4.  There is insufficient antecedent basis for this limitation in the claims.
Claim 14 recites that the processor executes instructions to “determine if the first string is found in a second database containing one or more strings extracted from known malware” in lines 11-12.  However, this determination is not used elsewhere in the claim, which amounts to a gap in the claim.  The claim further recites “the signature” in line 13 and “the first contiguous string block” in line 15.  There is insufficient antecedent basis for these limitations in the claim.  The claim additionally recites “the confidence indicator based on a number of samples…” in lines 13-14.  This is grammatically unclear as to how it relates to the remainder of the claim limitation, although it appears that this may be intended to be a “wherein” clause or similar.  The above ambiguities render the claim indefinite.
Claim 22 recites “the processor circuitry” in line 2 and “the first wildcarded string” in lines 4-5.  There is insufficient antecedent basis for these limitations in the claims.
Claim 23 recites “the processor circuitry” in line 2.  There is insufficient antecedent basis for this limitation in the claims.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by any general purpose computer.
Claim 14 recites an apparatus that comprises a memory, instructions, and a processor “to execute the instructions to” perform various functions.  This only requires an intended use or capability of the processor to perform the claimed functions.  Any general purpose computer includes a memory and a processor, and is capable of being programmed to perform the claimed functions.  Therefore, without reciting particular configuration or programming of the apparatus or components thereof, Claim 14 is anticipated by any general purpose computer.  Claims 18 and 19 do not provide any other structural or functional limitations, and Claims 17, 22, and 23 only recite further intended uses or capabilities of the apparatus, and therefore, the dependent claims are also anticipated by any general purpose computer for similar reasons.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Sun et al, US Patent Application Publication 2008/0127336, in view of Tuvell et al, US Patent Application Publication 2007/0240222, and Borthakur et al, US Patent Application Publication 2018/0324198.
In reference to Claim 1, Sun discloses a method that includes identifying a first contiguous string block in malware information stored in a first database (paragraphs 030, 0042-0043, 0057, and 0062) and assigning a ranking score (paragraph 0057); determining if the first string block is found in a second database containing contiguous string blocks extracted from known malware (paragraphs 0029, 0043, 0047, 0057, and 0066); forming a signature for a malware family that includes a plurality of contiguous string blocks (paragraphs 0043-0044, malware type or family; see also paragraphs 0047, 0051, 0053-0054, and 0058); and generating a confidence indicator (paragraph 0053).  However, Sun does not explicitly disclose assigning the ranking based on a sum of sample counts, nor does Sun explicitly disclose the use of wildcarding.

However, neither Sun nor Tuvell explicitly discloses assigning a ranking score based on proximity of strings.  Borthakur discloses a method that includes ranking scores for results based both on a sample count for strings and on proximity of strings within a result (see paragraph 0081) and further discloses a confidence indicator based on a number of samples and prevalence of component strings and time (see paragraph 0081).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the method of Sun and 
In reference to Claims 2 and 3, Sun, Tuvell, and Borthakur further disclose using a wildcard to capture changes due to polymorphic malware that subtly changes specific features (see Tuvell, paragraphs 0166-0175).
In reference to Claim 4, Sun, Tuvell, and Borthakur further disclose labeling the second block with the same label as the first block (Sun, paragraphs 0043-0044).
In reference to Claim 6, Sun, Tuvell, and Borthakur further disclose saving the first block if the first block meets a threshold of dissimilarity with the second database (see Sun, paragraph 0057).
In reference to Claim 7, Sun, Tuvell, and Borthakur further disclose ranking the blocks in the second database based on number of times they appear, location or proximity, or a specific value (see Sun, paragraph 0053; see also Tuvell, paragraphs 0047-0050, and Borthakur, paragraph 0081).
In reference to Claim 11, Sun, Tuvell, and Borthakur further disclose scanning files and comparing the files to the first block and determining whether a threshold of similarity is met (Sun, paragraphs 0043-0044; see also paragraphs 0047, 0051, 0053-0054, and 0058; see also Borthakur, paragraph 0081).
In reference to Claim 12, Sun, Tuvell, and Borthakur further disclose a suspicion value (see Sun, paragraphs 0043-0044).



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For 

/Zachary A. Davis/
Primary Examiner, Art Unit 2492