DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
2.	Claims 1-20 are pending.  Claims 1, 8 and 16 are independent.  Claims 1, 5, 6, 8, 16 and 19 are currently amended.  Amendments to the claims are accepted.

Response to Arguments

3.	Applicant's arguments filed on 9/14/2021 have been fully considered; however, they are not persuasive.
	Applicant alleged that reference TYAGI does not disclose limitations recited in independent claims 1, 8 and 16; however, after carefully reviewing the cited reference, TYAGI discloses every limitation in independent claims 1, 8 and 16 (see rejections below).

Claim Rejections - 35 USC § 102
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

5.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

6.	Claims 1-9, 11 and 13-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Tyagi (US PG Pub. 2016/0357962).
As regarding claim 1, Tyagi discloses A method, comprising: 
obtaining, by a device, a script associated with content [para. 14 and 29-30; obtaining a script from the received data], 
wherein the script includes one or more functions that include one or more expressions [FIGS. 4, 5C and para. 56-59; the script including functions];  
parsing, by the device, the script to generate a data structure [para. 32; parsing the script], 
wherein the data structure represents a syntactic structure of the script [para. 32; generating an abstract syntax tree]; 
traversing, by the device, the data structure to determine the one or more functions [para. 36-38; tracing the normalized script to identify functions]; 
traversing, by the device and based on the one or more functions, the data structure to determine properties of the one or more expressions [para. 56-59], 
wherein a symbol table is maintained for an identifier associated with the one or more expressions [FIG. 5B, para. 12, 37-40 and 55-59; maintaining names of private functions and variables], 
wherein the symbol table includes:
	a type of the identifier [FIG. 5E and para. 53; table including identifiers and types associated with the identifiers],
	information indicating whether an assigned value for the identifier is assigned in a loop,
	information indicating whether the assigned value is assigned by a non-trivial assignment call, or
	information indicating whether the identifier is self-modifying by referencing the identifier in an assignment of a value to the identifier, and
wherein traversing the data structure based on the one or more functions includes evaluating one or more constant sub-expressions of the one or more expressions [para. 56-59], 
wherein evaluating the one or more constant sub-expressions facilitates determining the properties of the one or more expressions [para. 56-59; a third regular expression signature (REGEX3="badsite")]; 
analyzing, by the device, the properties of the one or more expressions to determine whether the script exhibits malicious behavior [para. 56-59]; and 
causing, by the device, an action to be performed concerning the script or the content based on determining whether the script exhibits malicious behavior [FIG. 5H and para. 13, 14, 45, and 60; deleting/quarantining the data].  

As regarding claim 2, Tyagi further discloses The method of claim 1, wherein a constant sub-expression of the one or more constant sub-expressions includes at least one of: 
a constant number value; 
a constant string value [para. 56-59; a third regular expression signature (REGEX3="badsite")];  40PATENT Docket No. 0023-0964 
a combination of constant number values or constant string values; or 
a library function call associated with a computer language of the script that is called with at least one argument that is a constant number value, a constant string value, or a combination of constant number values or constant string values.  

As regarding claim 3, Tyagi further discloses The method of claim 1, wherein the script is: 
a JavaScript script [para. 11], 
a Visual Basic (VB) Script [para. 11], 
a Visual Basic for Applications (VBA) script, 
a Jscript script, or a PowerShell script.  

As regarding claim 4, Tyagi further discloses The method of claim 1, wherein causing the action to be performed concerning the script or the content comprises: 
causing, based on determining that the script exhibits malicious behavior, one or more of: 
the content or script to be deleted from a source device [para. 45]; 
the content or script to be quarantined at the source device to prohibit access to the content or script [para. 45]; 
a search to be performed, via a network, for other instances of the content or script on one or more other devices and for the other instances to be deleted; 
the one or more other devices to be analyzed for malicious behavior; or 
a modification of network connectivity for the one or more other devices.  

As regarding claim 5, Tyagi further discloses The method of claim 1, wherein traversing the data structure to determine the properties of the one or more expressions comprises: 
maintaining a call stack associated with the one or more expressions [para. 37-40 and 55-59]; 
maintaining the symbol table [FIG. 5B, para. 12, para. 37-40 and 55-59]; and 
determining the properties of the one or more expressions based on information included in the symbol table [para. 37-40 and 55-59].  

As regarding claim 6, Tyagi further discloses The method of claim 5, wherein the symbol table includes information indicating at least one of: 
a scope of the identifier [para. 12 and 32], or
a reference to an assigned value of the identifier [para. 56-58]. 

As regarding claim 7, Tyagi further discloses The method of claim 1, wherein malicious behavior includes at least one of the following attributes: 
accessing a global object using a complex array access; 
calling a function by calculating a complex expression; 
decoding a string value [para. 57]; or 
calling an evaluation or execution function by performing a complex string calculation [para. 12].  

As regarding claim 8, Tyagi further discloses A device, comprising: 
one or more memories [para. 4]; and 
one or more processors [para. 4] to: 
obtain a script associated with content from a content collecting device [para. 14 and 29-30; obtaining a script from the received data], 
	wherein the script includes one or more functions that include one or more expressions [FIGS. 4, 5C and para. 56-59; the script including functions]; 
parse the script to generate a data structure [para. 32; parsing the script]; 
traverse the data structure to determine the one or more functions [para. 36-38; tracing the normalized script to identify functions]; 
traverse, based on the one or more functions, the data structure to determine one or more properties of the one or more expressions [para. 56-59],
wherein a symbol table is maintained for an identifier associated with the one or more expressions [FIG. 5B, para. 12, 37-40 and 55-59; maintaining names of private functions and variables], 
wherein the symbol table includes:
	a type of the identifier [FIG. 5E and para. 53; table including identifiers and types associated with the identifiers],
	information indicating whether an assigned value for the identifier is assigned in a loop,
	information indicating whether the assigned value is assigned by a non-trivial assignment call, or
	information indicating whether the identifier is self-modifying by referencing the identifier in an assignment of a value to the identifier, and 
wherein traversing the data structure based on the one or more functions includes evaluating one or more constant sub-expressions of the one or more expressions [para. 56-59], 
wherein evaluating the one or more constant sub-expressions facilitates determining the one or more properties of the one or more expressions [para. 56-59; a third regular expression signature (REGEX3="badsite")]; 
obtain information that describes one or more attributes of malicious behavior [para. 56-59]; 
analyze, based on the information, the one or more properties of the one or more expressions to determine whether the script exhibits malicious behavior [para. 56-59]; and 
cause an action to be performed concerning the script or the content based on determining whether the script exhibits malicious behavior [FIG. 5H and para. 13, 14, 45, and 60; deleting/quarantining the data].  

As regarding claim 9, Tyagi further discloses The device of claim 8, wherein the data structure is an abstract syntax tree (AST) [para. 50].  

As regarding claim 11, Tyagi further discloses The device of claim 8, wherein the one or more processors, when traversing the data structure to determine the one or more properties of the one or more expressions, are to: 
determine one or more branches associated with the one or more expressions [para. 33 and 50-51]; and 
traverse each branch of the one or more branches to determine the one or more properties of the one or more expressions [para. 33 and 50-51].  

As regarding claim 13, Tyagi further discloses The device of claim 8, wherein the one or more processors, when analyzing the one or more properties of the one or more expressions to determine whether the script exhibits malicious behavior, are to: 
determine, based on the information, that a property, of the one or more properties, corresponds to at least one attribute, of the one or more attributes, of malicious behavior [para. 50]; and 
determine, based on the property corresponding to the at least one attribute of malicious behavior, that the script exhibits malicious behavior [para. 50].  

As regarding claim 14, Tyagi further discloses The device of claim 8, wherein the one or more processors, when analyzing the one or more properties of the one or more expressions to determine whether the script exhibits malicious behavior, are to: 
determine, based on the information, that the one or more properties do not correspond to any of the one or more attributes of malicious behavior [para. 41-43]; and 
determine, based on the one or more properties not corresponding to any attribute of malicious behavior, that the script does not exhibit malicious behavior [para. 41-43].  

As regarding claim 15, Tyagi further discloses The device of claim 8, wherein the one or more processors, when causing the action to be performed concerning the script or the content, are to: 
cause, based on determining that the script exhibits malicious behavior, the content or script to be deleted from the content collecting device [para. 45]; or 
cause, based on determining that the script does not exhibit malicious behavior, the content collecting device to send the content or script to a different device [para. 43].  

As regarding claim 16, Tyagi further discloses A non-transitory computer-readable medium storing instructions, the instructions comprising: 
one or more instructions that, when executed by one or more processors, cause the one or more processors [para. 4] to: 
obtain a script associated with content [para. 14 and 29-30; obtaining a script from the received data], 
wherein the script includes one or more functions that include one or more expressions [FIGS. 4, 5C and para. 56-59; the script including functions]; 
allocate, after obtaining the script, a block of memory [FIG. 5C and para. 50-51]; 
parse the script to generate a data structure that can be stored in the block of memory, wherein the data structure represents a syntactic structure of at least some of the script [para. 32; parsing the script]; 
store the data structure in the block of memory [para. 32; storing data structure as node]; 
traverse the data structure to determine the one or more functions [para. 36-38; tracing the normalized script to identify functions]; 
traverse, based on the one or more functions, the data structure to determine one or more properties of the one or more expressions [para. 56-59], 
wherein a symbol table is maintained for an identifier associated with the one or more expressions [FIG. 5B, para. 12, 37-40 and 55-59; maintaining names of private functions and variables], 
wherein the symbol table includes:
	a type of the identifier [FIG. 5E and para. 53; table including identifiers and types associated with the identifiers],
	information indicating whether an assigned value for the identifier is assigned in a loop,
	information indicating whether the assigned value is assigned by a non-trivial assignment call, or
	information indicating whether the identifier is self-modifying by referencing the identifier in an assignment of a value to the identifier, and
wherein traversing the data structure based on the one or more functions includes evaluating one or more constant sub-expressions of the one or more expressions [para. 56-59], 
wherein evaluating the one or more constant sub-expressions facilitates determining the one or more properties of the one or more expressions [para. 56-59; a third regular expression signature (REGEX3="badsite")]; 
analyze the one or more properties of the one or more expressions to determine whether the script exhibits malicious behavior [para. 56-59]; and 
cause an action to be performed concerning the script or the content based on determining whether the script exhibits malicious behavior [FIG. 5H and para. 13, 14, 45, and 60; deleting/quarantining the data].  

As regarding claim 17, Tyagi further discloses The non-transitory computer-readable medium of claim 16, wherein the one or more instructions, that cause the one or more processors to obtain the script, cause the one or more processors to: receive the script from a source device, wherein the source device has removed the script from the content [para. 14].  

As regarding claim 18, Tyagi further discloses The non-transitory computer-readable medium of claim 16, wherein the one or more instructions, that cause the one or more processors to cause the action to be performed concerning the script or the content, cause the one or more processors to: cause, based on determining that the script does not exhibit malicious behavior, a source device to send the content and script to a different device [para. 43].  

As regarding claim 19, Tyagi further discloses The non-transitory computer-readable medium of claim 16, wherein the one or more instructions, that cause the one or more processors to analyze the properties of the one or more expressions to determine whether the script exhibits malicious behavior, cause the one or more processors to: search the one or more symbol tables for a property, of the one or more properties, that corresponds to an attribute of malicious behavior [para. 41-43].  

As regarding claim 20, Tyagi further discloses The non-transitory computer-readable medium of claim 16, wherein the one or more instructions, that cause the one or more processors to analyze the properties of the one or more expressions to determine whether the script exhibits malicious behavior, cause the one or more processors to: 
identify a set of properties, of the one or more properties, wherein each property of the set of properties corresponds to one or more attributes of malicious behavior [para. 41-43]; and 
analyze the set of properties to determine whether the set of properties exhibits malicious behavior [para. 41-43].

Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

9.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable by Tyagi (US PG Pub. 2016/0357962) in view of Klein (US PG Pub. 2011/0239300).
As regarding claim 10, Tyagi does not explicitly disclose the malicious behavior is a self-modifying code behavior.  However, Klein discloses it [para. 9, 14, 51 and 66].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Tyagi’s script malicious behavior to further comprise a self-modifying code, as disclosed by Klein, as one of alternative malicious behaviors that should be detected to determine whether a script is malicious.

10.	Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable by Tyagi (US PG Pub. 2016/0357962) in view of Heil (US PG Pub. 2008/0126736).
As regarding claim 12, Tyagi discloses The device of claim 8, wherein the one or more processors, when parsing the script to generate the data structure, are to: 
allocate a block of memory to consecutively store two or more elements of the data structure [para. 32].
Tyagi does not explicitly disclose that memory associated with the two or more elements of the data structure is to be deallocated by one deallocation call.  However, Heil discloses it [para. 35, 53, and 58].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Tyagi’s parsing the script to further comprise calling deallocation routine, as disclosed by Heil, in order to save memory by freeing allocated memory for reuse [abstract and para. 35 and 57].

Conclusion
Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433  

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433