DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.

Response to Arguments
Double Patenting Rejections
The Examiner agrees with the Applicant’s request to hold the double patenting rejections in abeyance until agreement on the scope of allowable claims.

Rejections Under 35 U.S.C. §102
Applicant's arguments filed on 11/30/2021 have been fully considered but they are not persuasive. Applicant argues that “Aziz describes a virtual machine that is configured to mimic a destination device, where the configuration may be based on a source device (Aziz, ¶ 0177, ¶ 0161). A configuration based on a source device does not teach or suggest the configuration data including a property associated with the second device, the usage indicated in the property, the property to include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file of claim 1” (see Remarks, page 1).
The Examiner respectfully disagrees. Aziz clearly teaches the configuration data including a property associated with the second device, the usage indicated in the property, the property to include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710. In one example, the scheduler 735 configures the characteristics of the virtual machine to mimic only those features of the destination device 710 that are affected by the network data copied by the tap 715. The scheduler 735 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. Such features of the destination device 710 can include ports that are to receive the network data, select device drivers that are to respond to the network data and any other devices coupled to or contained within the destination device 710 that can respond to the network data. In other embodiments, the heuristic module 730 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. The heuristic module 730 can then transmit the features of the destination device to the scheduler 735”. And see [0161] and Fig. 7: “the optional fingerprint module 740 passively determines a software profile of the network data to assist the scheduler 735 in the retrieval and/or configuration of the virtual machine. The software profile may comprise the operating system (e.g., Linux RH6.2) of the source device 705 that generated the network data. The determination can be based on analysis of the protocol information of the network data. 
In an example, the optional fingerprint module 740 determines that the software profile of network data is Windows XP, SP1”. The Examiner interprets “Windows XP, SP1” as a patch identifier for the following reason: The evidential reference entitled “Windows XP” from Wikipedia teaches that “Service Pack 1 (SP1) for Windows XP was released on September 9, 2002. It contained over 300 minor, post-RTM bug fixes, along with all security patches released since the original release of XP” in page 7, the penultimate paragraph).


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 3 of U.S. Patent No. 9,306,796 in view of Aziz (US Pub. No. 2007/0250930). 
Claim 3 of U.S. Patent No. 9,306,796 recites A computer readable storage disk or storage device, comprising instructions that, when executed, cause a programmable device to at least (see claim 1: “A computer program product embodied on a non-transitory computer readable medium, comprising:”): 
request configuration data associated with usage of a second device during execution of the data in the virtual environment, the configuration data including a property associated with the second device, the usage indicated in the property (see claim 2: “wherein the virtual environment is dynamically configured by sending a request from the first device to the second device”. And see claim 3: “wherein the virtual environment is dynamically configured by receiving information on the at least one property at the first device from the second device, in response to the request”); 
configure the virtual environment on the programmable device while the data is executed in the virtual environment based on the configuration data received in response to the request (see claim 3: “wherein the virtual environment is dynamically configured by receiving information on the at least one property at the first device from the second device, in response to the request”); 
identify malware in the data utilizing the configured virtual environment (see claim 1: “computer code for identifying unwanted data, utilizing the virtual environment”).

The computer program product of Claim 3 of U.S. Patent No. 9,306,796 differs from claim 1 of the instant application in that it fails to disclose instructions that, when executed, cause a programmable device to execute data in a virtual environment operating on the programmable device; and in response to identifying the malware, prevent transmission of the data. The computer program product of Claim 3 of U.S. Patent No. 9,306,796 also differs from claim 1 of the instant application in that 
In the same field of endeavor, Aziz teaches instructions that, when executed, cause a programmable device to execute data (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. … In some embodiments, the analysis environment 750 performs dynamic taint analysis to identify unauthorized activity (dynamic taint analysis is further described in FIG. 12.)”. And see [0200]: “In one example of dynamic taint analysis, all input data from untrusted or otherwise unknown sources are flagged. Program execution of programs with flagged input data is then monitored to track how the flagged data propagates (i.e., what other data becomes tainted) and to check when the flagged data is used in dangerous ways”. The Examiner interprets “execution of programs with flagged input data” as to “execute data”) in a virtual environment operating on the programmable device (see [0150] and Fig. 7: “The controller 725 can comprise … a scheduler 735, a fingerprint module 740, a virtual machine pool 745, an analysis environment 750”. And see [0167]: “FIG. 8 depicts an analysis environment 750, in accordance with one embodiment of the present invention. The analysis environment 750 comprises a replayer 805, a virtual switch 810, and a virtual machine 815”. And see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine”. The Examiner interprets the virtual machine 815 contained in the analysis environment 750 and controller 725 as "a virtual environment operating on the programmable device"); and 
in response to identifying the malware, prevent transmission of the data (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. If the virtual machine 815 crashes, performs illegal operations, performs abnormally, or allows access of data to an unauthorized computer user, the analysis environment 750 can react. …In one example, the analysis environment 750 can stop accepting the network data or data flows from the source device 705”).
Aziz further teaches the property to include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710. In one example, the scheduler 735 configures the characteristics of the virtual machine to mimic only those features of the destination device 710 that are affected by the network data copied by the tap 715. The scheduler 735 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. Such features of the destination device 710 can include ports that are to receive the network data, select device drivers that are to respond to the network data and any other devices coupled to or contained within the destination device 710 that can respond to the network data. In other embodiments, the heuristic module 730 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. The heuristic module 730 can then transmit the features of the destination device to the scheduler 735”. And see [0161] and Fig. 7: “the optional fingerprint module 740 passively determines a software profile of the network data to assist the scheduler 735 in the retrieval and/or configuration of the virtual machine. The software profile may comprise the operating system (e.g., Linux RH6.2) of the source device 705 that generated the network data. The determination can be based on analysis of the protocol information of the network data. In an example, the optional fingerprint module 740 determines that the software profile of network data is Windows XP, SP1”. 
The Examiner interprets “Windows XP, SP1” as a patch identifier for the following reason: The evidential reference entitled “Windows XP” from Wikipedia teaches that “Service Pack 1 (SP1) for Windows XP was released on September 9, 2002. It contained over 300 minor, post-RTM bug fixes, along with all security patches released since the original release of XP” in page 7, the penultimate paragraph).

Both Claim 3 of U.S. Patent No. 9,306,796 and Aziz teach configuring a virtual environment located on a first device based on a property of a second device in order to identify malware using the virtual environment. Therefore it would have been obvious to modify the computer program product of Claim 3 of U.S. Patent No. 9,306,796 by including instructions that, when executed, cause a programmable device to execute data in a virtual environment operating on the programmable device; and in response to identifying the malware, prevent transmission of the data, as taught by Aziz. It would have been obvious because doing so predictably achieves the commonly understood benefit of preventing the propagation of malware in a network. Additionally, it would have been obvious to modify the computer program product of Claim 3 of U.S. Patent No. 9,306,796 by letting the property of the second device used to configure the virtual environment located on the first device include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file, as taught by Aziz. It would have been obvious because Aziz teaches that “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710” (see [0159]).


Claims of the Instant Application | Claims of U.S. Patent No. 9,306,796 | Claims of the Instant Application | Claims of U.S. Patent No. 9,306,796
1 | 3 | 7 | 15
3 | 8 | 8 | 16
4 | 9 | 9 | 18
5 | 10 | 18 | 20
6 | 14 | |

Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,348,742. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 1 is generic to all that is recited in claim 1 of U.S. Patent No. 10,348,742. That is, claim 1 of U.S. Patent No. 10,348,742 falls entirely within the scope of claim 1 or, in other words, claim 1 is anticipated by claim 1 of U.S. Patent No. 10,348,742.
Claim 1 of the Instant Application recites | Claim 1 of U.S. Patent No. 10,348,742 recites
A computer readable storage disk or storage device, comprising instructions that, when executed, cause a programmable device to at least: | “A computer readable storage disk or storage device, comprising instructions that, when executed, cause a programmable device to at least:”
execute data in a virtual environment operating on the programmable device; | “execute data in a virtual environment operating on the programmable device;”
request configuration data associated with usage of a second device during execution of the data in the virtual environment, the configuration data including a property associated with the second device, the usage indicated in the property, the property to include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file; | “request configuration data associated with usage of a second device during execution of the data in the virtual environment, the configuration data including a property associated with an operating system of the second device, the usage indicated in a setting on the second device, the setting identified in contents of a registry file;”
configure the virtual environment on the programmable device while the data is executed in the virtual environment based on the configuration data received in response to the request; | “configure the virtual environment on the programmable device while the data is executed in the virtual environment based on the configuration data received in response to the request;”
identify malware in the data utilizing the configured virtual environment; and | “identify malware in the data utilizing the configured virtual environment; and”
in response to identifying the malware, prevent transmission of the data. | “in response to identifying the malware, prevent transmission of the data.”

Similarly, the following claims are rejected on the ground of nonstatutory double patenting as being unpatentable over the following corresponding claims of U.S. Patent No. 10,348,742.
Claims of the Instant Application | Claims of U.S. Patent No. 10,348,742 | Claims of the Instant Application | Claims of U.S. Patent No. 10,348,742
1 | 1 | 12 | 12
3 | 3 | 13 | 13
4 | 4 | 14 | 14
5 | 5 | 15 | 15
6 | 6 | 16 | 16
7 | 7 | 17 | 17
8 | 8 | 18 | 19
9 | 9 | 19 | 20
10 | 10 | 20 | 22
11 | 9 | 21 | 23
 | | 22 | 24

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


Claims 1-5, 7-14, and 16-22 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Aziz (US 2007/0250930), in view of the evidential reference entitled “Windows XP” from Wikipedia, further in view of Choi (KR 20030023934), and further in view of Romm (US 2005/0246704).

Regarding claims 1, 9 and 18, Aziz teaches A computer readable storage disk or storage device, comprising instructions that, when executed, cause a programmable device (see Fig. 7 and [0150]: “The controller 725 can be any digital device”. The Examiner interprets the controller 725 as a “programmable device”) to at least:
execute data (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. … In some embodiments, the analysis environment 750 performs dynamic taint analysis to identify unauthorized activity (dynamic taint analysis is further described in FIG. 12.)”. And see [0200]: “In one example of dynamic taint analysis, all input data from untrusted or otherwise unknown sources are flagged. Program execution of programs with flagged input data is then monitored to track how the flagged data propagates (i.e., what other data becomes tainted) and to check when the flagged data is used in dangerous ways”. The Examiner interprets “execution of programs with flagged input data” as to “execute data”) in a virtual environment operating on the programmable device (see [0150] and Fig. 7: “The controller 725 can comprise … a scheduler 735, a fingerprint module 740, a virtual machine pool 745, an analysis environment 750”. And see [0167]: “FIG. 8 depicts an analysis environment 750, in accordance with one embodiment of the present invention. The analysis environment 750 comprises a replayer 805, a virtual switch 810, and a virtual machine 815”. And see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine”. The Examiner interprets the virtual machine 815 contained in the analysis environment 750 and controller 725 as "a virtual environment operating on the programmable device");
obtain (emphasis added to show the difference between the teaching of the reference and the claim) configuration data associated with usage of a second device, the configuration data including a property associated with the second device (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710”. The Examiner interprets “the destination device 710” as a “second device”. The Examiner interprets “the pertinent performance characteristics of the destination device 710” as “configuration data associated with a second device, the configuration data including a property associated with the second device”. Aziz inherently teaches the controller 725 obtaining “the pertinent performance characteristics of the destination device 710” because otherwise controller 725 cannot “configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710”),
the usage indicated in the property, the property to include at least one of a patch identifier, mapped local and/or remote drives, a binary representation of an object, or a setting identified in contents of a registry file (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710. In one example, the scheduler 735 configures the characteristics of the virtual machine to mimic only those features of the destination device 710 that are affected by the network data copied by the tap 715. The scheduler 735 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. Such features of the destination device 710 can include ports that are to receive the network data, select device drivers that are to respond to the network data and any other devices coupled to or contained within the destination device 710 that can respond to the network data. In other embodiments, the heuristic module 730 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. The heuristic module 730 can then transmit the features of the destination device to the scheduler 735”. And see [0161] and Fig. 7: “the optional fingerprint module 740 passively determines a software profile of the network data to assist the scheduler 735 in the retrieval and/or configuration of the virtual machine. The software profile may comprise the operating system (e.g., Linux RH6.2) of the source device 705 that generated the network data. The determination can be based on analysis of the protocol information of the network data. In an example, the optional fingerprint module 740 determines that the software profile of network data is Windows XP, SP1”. The Examiner interprets “Windows XP, SP1” as a patch identifier for the following reason: The evidential reference entitled “Windows XP” from Wikipedia teaches that “Service Pack 1 (SP1) for Windows XP was released on September 9, 2002. It contained over 300 minor, post-RTM bug fixes, along with all security patches released since the original release of XP” in page 7, the penultimate paragraph);
configure the virtual environment on the programmable device while the data is executed in the virtual environment based on the configuration data obtained (emphasis added to show the difference between the teaching of the reference and the claim) (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710. In one example, the scheduler 735 configures the characteristics of the virtual machine to mimic only those features of the destination device 710 that are affected by the network data copied by the tap 715. The scheduler 735 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the The replayer 805 is configured to simulate the source device 705 transmitting the network data and the virtual machine 815 is configured to mimic the features of the destination device 710 that is affected by the network data”);
identify malware in the data utilizing the configured virtual environment (see [0163]: “The analysis environment 750 simulates transmission of the network data between the source device 705 and the destination device 710 to analyze the effects of the network data upon the destination device 710. The analysis environment 750 can identify the effects of malware or illegitimate computer users (e.g., a hacker, computer cracker, or other computer user) by analyzing the simulation of the effects of the network data upon the destination device 710 that is carried out on the virtual machine”); and
in response to identifying the malware, prevent transmission of the data (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. If the virtual machine 815 crashes, performs illegal operations, performs abnormally, or allows access of data to an unauthorized computer user, the analysis environment 750 can react. …In one example, the analysis environment 750 can transmit a command to the destination device 710 to stop accepting the network data or data flows from the source device 705”).


Aziz fails to teach that the controller 725 (“the programmable device”) obtains the configuration data associated with the destination device 710 (“the second device”) by requesting the configuration data. 
	However, Choi (KR 20030023934) teaches that a first device obtains configuration data including a property associated with an operating system of a second device from the second device by requesting the configuration data and receiving the configuration data in response to the request (see the abstract obtained from Espacenet: “If the administration system [a first device] requests version information of an OS(Operating System) or an application program executed in the mobile communication system [a second device], the mobile communication system receives the request of version information of the OS or the application program from the administration system(S4)”).
Before the time of the invention, it would have been obvious to one of ordinary skill in the art to improve the readable storage disk or storage device of Aziz by letting the controller 725 of Aziz (“the programmable device”) obtain configuration data including a property associated with an operating system of the destination device 710 (“the second device”) from the second device by requesting the configuration data and receiving the configuration data in response to the request, as taught by Choi. It would have been obvious because doing so achieves the commonly understood benefit of obtaining data on demand.

Aziz modified in view of Choi fails to teach that the configuration data associated with a second device is requested during execution of the data in the virtual environment. 
In the same field of endeavor, Romm (US 2005/0246704) teaches requesting configuration data associated with a device during execution of data (see abstract: “A method for running a software application on a computer having an operating system that provides a local database containing consistent configuration data to be accessed by programs running on the computer. The method includes providing a file containing further configuration data required by the application, which further data are not stored in the local database. A request by the application to access the local database is intercepted, and an item of the further configuration data is returned from the file to the application, responsive to the request”. The Examiner interprets “programs running on the computer” as executed “data”).
during execution of the data, as similarly taught by Romm. It would have been obvious because doing so achieves the commonly understood benefit of minimizing the requested configuration data by only requesting configuration data that are needed by the data being executed. When the above modification is made, Aziz modified in view of Choi and Romm would teach instructions that, when executed, cause a programmable device to… request configuration data associated with usage of a second device during execution of the data in the virtual environment.

Regarding claims 2, 10 and 19, Aziz further teaches wherein the virtual environment is automatically configured (see [0069]: “the virtual systems include VM software profiles and the controller 115 automatically updates the VM software profiles to be representative of the communication network 130”).

Regarding claims 3, 12 and 20, Aziz further teaches wherein the virtual environment includes at least one of a virtual machine, an emulator and a sandbox (see [0150] and Fig. 7: “The controller 725 can comprise … a scheduler 735, a fingerprint module 740, a virtual machine pool 745, an analysis environment 750”. And see [0167]: “FIG. 8 depicts an analysis environment 750, in accordance with one embodiment of the present invention. The analysis environment 750 comprises a replayer 805, a virtual switch 810, and a virtual machine 815”. And see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine”. The Examiner interprets the virtual machine 815 contained in the analysis environment 750 and controller 725 as a "virtual environment").

Regarding claims 4, 13 and 21, Aziz further teaches wherein the virtual environment includes a virtual replica of the second device (see [0159]: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710”).

Regarding claims 5 and 14, Aziz further teaches wherein the instructions, when executed, cause the programmable device to identify the malware utilizing an analysis of data performed in the virtual environment (see [0163]: “The analysis environment 750 simulates transmission of the network data between the source device 705 and the destination device 710 to analyze the effects of the network data upon the destination device 710. The analysis environment 750 can identify the effects of malware or illegitimate computer users (e.g., a hacker, computer cracker, or other computer user) by analyzing the simulation of the effects of the network data upon the destination device 710 that is carried out on the virtual machine”).

Regarding claims 7, 16 and 22, Aziz further teaches wherein the instructions, when executed, cause the programmable device to perform a responsive action in response to identification of the malware (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. If the virtual machine 815 crashes, performs illegal operations, performs abnormally, or allows access of data to an unauthorized computer user, the analysis environment 750 can react”).

Regarding claims 8 and 17, Aziz further teaches wherein the responsive action includes blocking the malware (see [0170]: “As the analysis environment 750 simulates the transmission of the network data, behavior of the virtual machine 815 can be closely monitored for unauthorized activity. If the virtual machine 815 crashes, performs illegal operations, performs abnormally, or allows access of data to an unauthorized computer user, the analysis environment 750 can react. …In one example, the analysis environment 750 can transmit a command to the destination device 710 to stop accepting the network data or data flows from the source device 705”).

Regarding claim 11, Aziz further teaches wherein configuring the virtual environment includes configuring the virtual environment based on the operating system of the second device and at least one property of the second device, including configuring at least one of a list of hardware, a list of software, a patch identifier, and a binary representation of software (see [0159] and Fig. 7: “The scheduler 735 can retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the destination device 710. In one example, the scheduler 735 configures the characteristics of the virtual machine to mimic only those features of the destination device 710 that are affected by the network data copied by the tap 715. The scheduler 735 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. Such features of the destination device 710 can include ports that are to receive the network data, select device drivers that are to respond to the network data and any other devices coupled to or contained within the destination device 710 that can respond to the network data. In other embodiments, the heuristic module 730 can determine the features of the destination device 710 that are affected by the network data by receiving and analyzing the network data from the tap 715. The heuristic module 730 can then transmit the features of the destination device to the scheduler 735”. And see [0161] and Fig. 7: “the optional fingerprint module 740 passively determines a software profile of the network data to assist the scheduler 735 in the retrieval and/or configuration of the virtual machine. The software profile may comprise the operating system (e.g., Linux RH6.2) of the source device 705 that generated the network data. The determination can be based on analysis of the protocol information of the network data. 
In an example, the optional fingerprint module 740 determines that the software profile of network data is Windows XP, SP1”. The Examiner interprets “Windows XP, SP1” as the operating system of the second device and a patch identifier for the following reason: The evidential reference entitled “Windows XP” from Wikipedia teaches that “Service Pack 1 (SP1) for Windows XP was released on September 9, 2002. It contained over 300 minor, post-RTM bug fixes, along with all security patches released since the original release of XP” on page 7, in the penultimate paragraph).

Claims 6 and 15 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Aziz (US 2007/0250930), in view of the evidential reference entitled “Windows XP” from Wikipedia, further in view of Choi (KR 20030023934), further in view of Romm (US 2005/0246704), and further in view of Ferrie (US 7,664,626).

Regarding claims 6 and 15, Aziz modified in view of Choi and Romm fails to teach wherein the instructions, when executed, cause the programmable device to identify, utilizing a hierarchical data structure, the malware by analyzing data in the virtual environment.
In the same field of endeavor, Ferrie teaches wherein the instructions, when executed, cause the programmable device to identify, utilizing a hierarchical data structure, the malware by analyzing data in the virtual environment (see col. 5, line 66-col. 6, line 30 and Fig. 2A: “the existence of these core, non-variable behaviors, is used by the method and apparatus for ambiguous-state support in virtual machine emulators, as described herein, to perform a core, or baseline, emulation using a core emulation model for all versions, variations, or generations of a given computer system component, thereby capturing the core, non-variable behaviors. Then, using the method and apparatus for ambiguous-state support in virtual machine emulators, as described herein, when ambiguous behavior, i.e., version variable behavior, is detected, i.e., at the occurrence/request/trigger of a version variable behavior by the suspect application, a copy of the emulation state up to the point of the occurrence of the version variable behavior is made (209 in FIG. 2A, 219 in FIG. 2B1, 227 in FIG. 2B2, and 241 in FIG. 2C). In one embodiment, once the copy is made, the method and apparatus for ambiguous-state support in virtual machine emulators described herein branches (214/215 in FIG. 2A, 222/223 in FIG. 2B1, 228/229 in FIG. 2B2, and 248/249 in FIG. 2C) the process for ambiguous-state support in virtual machine emulators at the point of version variable behavior detection (210 in FIG. 2A, 220 in FIG. 2B1, 230 in FIG. 2B2, and 250 in FIG. 2C) where the ambiguous behavior, i.e., version variable behavior, was each branch, the original branch and the version variable behavior branch, is then emulated with its own emulation model, with the version variable behavior branch being emulated in a version specific emulation model, and only being emulated from the point of ambiguity, i.e., from the version variable behavior branch point, also called the version variable behavior detection point, (210 in FIG. 2A, 220 in FIG. 2B1, 230 in FIG. 2B2, and 250 in FIG. 2C), forward”. The Examiner interprets a core emulation model and branch emulation models as a hierarchical data structure).
Before the time of the invention, it would have been obvious to one of ordinary skill in the art to improve the computer readable storage disk or storage device of Aziz modified in view of Choi and Romm by letting the instructions, when executed, cause the programmable device to identify, utilizing a hierarchical data structure, the malware by analyzing data in the virtual environment, as taught by Ferrie. It would have been obvious because Ferrie teaches that doing so achieves the following benefit: “different versions, variations, or generations of a given computer system component are supported in a single emulation, up to the point where version variable behavior is detected. Consequently, the core or non-variable behaviors that typically constitute the vast majority of behaviors associated with any given version, variation, or generation of a given computer component are emulated in a single emulation iteration. Then, according to one embodiment, only the relatively few version variable behaviors associated with specific individual versions, variations, or generations of a given computer system component are run as separate, or version variable behavior branched, emulations. Consequently, according to one embodiment of a method and apparatus for ambiguous-state support in virtual machine emulators, as described herein, only one complete emulation is actually run from beginning to end, using minimal resources and time, while still providing protection for multiple versions, variations, or generations of a given computer system component” (see col. 4, line 64-col. 5, line 15).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 





/ZHIMEI ZHU/Examiner, Art Unit 2495

/HENRY TSANG/Primary Examiner, Art Unit 2495