DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 

Claims 1-15 are rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-10 of U.S. Patent No. 10,574,630 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the patent are considered to anticipate those of instant application. For instance, refer to the exemplary claims below, where limitations of instant claim 1 are mapped to the corresponding limitations of patent claim 1. A method executed by a computer is considered to correspond to a non-transitory CRM storing instructions for executing an analogous method. Claims 2-14 are likewise rejected as below.

Instant Application
US 10,574,630 B2
1. A computer program product comprising a non-transitory computer-readable medium storing thereon a set of instructions executable by a processor, the set of instructions comprising instructions for: 

receiving checksum data about a computer object from each of plural remote computers on which the computer object is located; 


storing said checksum data in a database; and 

presenting, on a display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group of plural objects, and information relating to one or more  checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects; 

presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and 

presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.




at a base computer, receiving checksum data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed;

storing said checksum data in a database;

in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, providing by the base computer to a display, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group, and information relating to one or more checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more checksummed attributes of the second group of plural objects, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;

displaying a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and

displaying a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.


2. The method according to claim 1, wherein at least one of the first and second symbols comprises a symbol having at least one of a shape and a color different than another symbol.
4. The computer program product of claim 1, wherein the set of instructions further comprises instructions for: identifying 


refining, by the base computer, a query in accordance with said identified commonality.

4. The method of claim 1, comprising creating, by the base computer, a rule from a user query if it is determined that the query is deterministic in identifying malware.
6. The computer program product of claim 5, wherein the set of instructions further comprises instructions for: monitoring user groupings of objects along with any and all user actions taken such as classifying the objects of the second group of plural objects as being safe or unsafe; and automatically applying said groupings and actions in generating new rules for classifying objects as malware.
5. The method of claim 1, comprising:
monitoring user groupings of objects along with any and all user actions taken such as classifying the objects of the second group of plural objects as being safe or unsafe; and
automatically applying said groupings and actions in generating new rules for classifying objects as malware.
7. The computer program product of claim 5, wherein the set of instructions further comprises instructions for applying the rule to an object at a first computer.

10. The computer program product of claim 5, wherein the set of instructions further comprises instructions for sending the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer.
6. The method according to claim 5, comprising applying the rule to an object at the base computer and or sending the rule to a remote computer and applying the rule to an object at the remote computer to classify the object as safe or unsafe.
8. The computer program product of claim 7, wherein the set of instructions further comprises instructions for: storing a classification of the object as safe or unsafe according to the rule in the database.

11. The computer program product of claim 10, wherein the set of instructions further comprises instructions for: storing a classification of the object as safe or unsafe according to the rule in the database.
7. The method according to claim 6, comprising storing the classification of an object as safe or unsafe according to the rule in the database at the base computer.
9. The computer program product of claim 8, wherein the set of instructions further comprises instructions for: receiving an 

12. The computer program product of claim 11, wherein the set of instructions further comprises instructions for: receiving an indication from the remote computer that an object classified as malware by said rule is believed not to be malware; and amending or deleting the rule in accordance with said indication.


amending or deleting, by the base computer, the rule in accordance with said indication.


9. The method according to claim 1, further comprising receiving actor information pertaining to an actor object performing an act and victim information pertaining to a victim object upon which the act is being performed.
14. The computer program product of claim 1, wherein the one or more checksummed attributes correspond to an object pathname and an object filename.
10. The method according to claim 1, wherein one or more attributes correspond to an object pathname and an object filename.
15. The computer program product of claim 1, where the set of instructions further comprises instructions for displaying a third symbol, different from the first symbol and the second symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
11. The method according to claim 1, further comprising displaying a third symbol, different from the first symbol and second symbol, when one or more values of the one or more attributes is common amongst the second group of plural objects.
2. The computer program product of claim 1, wherein the information relating to the second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the objects.

14. The apparatus according to claim 13, wherein the information relating to a second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the object.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) parsing, associating, and presenting data in a particular manner. As such, the claims are drawn to the judicial exception of a mental process (i.e., concepts performed in the human mind such as an observation, evaluation, judgment, and opinion). This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea—see MPEP 2106.05(f). In this case, the claimed implementation may be performed by a human (e.g., an analyst) obtaining data (checksum data), being prompted with a set of the data, and thereafter parsing out relevant additional information for presentation (e.g., by drawing a picture or a table). The use of the computing elements as claimed could be seen as a tool which replaces pen and paper or aids each of the obtaining, prompting, and presenting. As such, the claims appear to be directed to the judicial exception itself, rather than to a practical application of the judicial exception.
Abstract idea limitations (exemplary claim 1): receiving checksum data about a computer object; presenting, in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group of plural objects, and information relating to one or more checksummed attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more checksummed 
Claim elements which may be considered to be additional elements (exemplary claim 1): A computer program product comprising a non-transitory computer-readable medium storing thereon a set of instructions executable by a processor, the set of instructions comprising instructions for:  receiving checksum data about a computer object from each of plural remote computers on which the computer object is located (i.e., the potential additional element being that of the plural remote computers having an object stored and sending data); storing said checksum data in a database; presenting, on a display (i.e., the potential additional element being that of the display on which the presenting is performed); presenting on the display (i.e., the potential additional element being that of the display on which the presenting is performed).
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because there are no additional elements recited apart from that which is required to perform the judicial exception (i.e., the claims recite stored computing instructions and a processor for implementing the judicial exception, a source from which the data is obtained, and a display which is used to display information). Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement 
Dependent claims 2-9 and 11-15 are not considered to recite additional element limitations not previously addressed, only additional abstract idea limitations. Dependent claim 10 recites sending a rule to a remote computer such that it can apply the rule to an object, which is considered to be significantly more than the judicial exception. 

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-15 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Ahuja (US 2013/0246371 A1) in view of Morris (US 2007/0016953 A1) and Thorman (US 2005/0131959 A1).

Regarding claim 1, Ahuja discloses: A computer program product comprising a non-transitory computer-readable medium storing thereon a set of instructions executable by a processor, the set of instructions comprising instructions for: 
receiving [Hash / Signature]data about a computer object from each of plural remote computers on which the computer object is located; 
Refer to at least [0029], [0031]-[0032], and [0044]-[0053] of Ahuja with respect to object capture and classification, the classification involving signatures
storing said [Hash / Signature]data in a database; and 
Refer to at least FIG. 5 and [0055]-[0063] of Ahuja with respect to storage of object data such as that of indexing and signature data. 
presenting, on a display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, 
Refer to at least [0067], [0073], and [0096] of Ahuja with respect to an initial search / query focused on specific object data. 
information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group of plural objects, and information relating to one or more [Hashed / Tagged] attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more [Hashed / Tagged] attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more [Hashed / Tagged] attributes of the second group of plural objects, 
Refer to at least the abstract, [0068], [0072], [0074], [0078], and [0101] of Ahuja with respect to automatically obtaining additionally relevant object data responsive to the initial query.
Refer to at least FIG. 9A-B with respect to an exemplary display, wherein additionally relevant results are presented to the user, organized according to their relevance and frequency. 
Refer to at least [0062]-[0063], [0086], and [0092]-[0093] of Ahuja with respect to object attributes and tagging. 
wherein information relating to another group of plural objects comprises a number of objects; 
Refer to at least [0029] and [0060] of Ahuja with respect to a plurality of exemplary objects and object types. 
Ahuja does not specify: that the object is from each of plural remote computers on which the computer object is located; checksum; checksummed; a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects; presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects. However, Ahuja in view of Morris discloses: from each of plural remote computers on which the computer object is located; 
Refer to at least [0015] of Morris with respect to a base computer receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored.
checksum; checksummed; 
Refer to at least [0007] and [0088] of Morris with respect to checksums. 
a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
Refer to at least [0080]-[0084] of Morris with respect to known safe, known malicious, and unknown objects. 

Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja to further comprise obtaining additional data (from multiple computers and of multiple different types of objects) for at least the purpose of increasing security through increased coverage. It further would have been obvious to modify the teachings to use a checksum because the substitution of one known element for another (hashes for checksums) would have yielded predictable results to one of ordinary skill in the art at the time of the invention.
Ahuja-Morris does not disclose: presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects. However, Ahuja-Morris in view of Thorman discloses: presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
Refer to at least the abstract, [0020], [0024], and [0031] of Thorman with respect to information concerning the uniqueness and/or overlap of objects being indicated via color, icons, and/or other graphical means.

Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris to further include graphical representations of commonality for at least the purpose of increasing ease-of-use for an analyst as per at least [0003]-[0007] of Thorman.

Regarding claim 2, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the information relating to the second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the objects.
Refer to at least FIG. 9A-B of Ahuja with respect to an exemplary GUI.
Refer to at least FIG. 4-8 of Thorman with respect to an exemplary GUI. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale).

Regarding claim 4, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for: identifying commonality of one or more attribute values between the second group of plural objects; and refining a query in accordance with said identified commonality.
Refer to at least the abstract, [0073]-[0078], and [0101] of Ahuja with respect to iterative search queries. 

The computer program product of claim 1, wherein the set of instructions further comprises instructions for creating a rule from a user query if it is determined that the user query is deterministic in identifying malware.
Refer to at least [0077]-[0078] of Ahuja with respect to creating rules and policies from an analyst performing iterative search queries. 
Refer to at least [0110] of Morris with respect to rule creation.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 6, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale).

Regarding claim 7, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale).

Regarding claim 8, Ahuja-Morris-Thorman discloses: The computer program product of claim 7, wherein the set of instructions further comprises instructions for: storing a classification of the object as safe or unsafe according to the rule in the database.
Refer to at least [0034]-[0037] of Ahuja with respect to rule creation and object classification. 

Regarding claim 9, Ahuja-Morris-Thorman discloses: The computer program product of claim 8, wherein the set of instructions further comprises instructions for: receiving an indication from a remote computer that an object classified as malware by said rule is believed not to be malware; and amending or deleting the rule in accordance with said indication.
Refer to at least [0118] of Morris with respect to continually monitoring at remote computers and updating a classification based on newer data. 
Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Thorman to further continual monitoring and updating classifications for at least the purpose of reducing false positives and false negatives.

Regarding claim 10, Ahuja-Morris-Thorman discloses: The computer program product of claim 5, wherein the set of instructions further comprises instructions for sending the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer.
Refer to at least FIG. 3 and [0033]-[0035] of Ahuja with respect to a capture system and its capture rules; applying the rule via actions taken.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claims 11-12, they are substantially similar to claims 8-9 above, and are therefore likewise rejected for substantially the same reasons. 

Regarding claim 13, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for receiving actor information pertaining to an actor object performing an act and victim information pertaining to a victim object upon which the act is being performed.
Refer to at least FIG. 10A of Ahuja with respect to source and destination information for rules. 

The computer program product of claim 1, wherein the one or more checksummed attributes correspond to an object pathname and an object filename.
Refer to at least TABLE1-2 and [0061] of Ahuja.
Refer to at least the abstract of Morris with respect to pathname and filename.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 15, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432