DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
	This office action responds to the amendments filed on November 8, 2021 for application 16/606,156.  Claims 1, 3-4, 6, 10, 12-13, 15, and 19, and claims 1-20 remain pending in the application.
Response to Arguments
	The Examiner has fully considered the Applicant’s arguments filed on November 8, 2021, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 11 of the Remarks that concerns the objections to the drawings, the amendments to Figs. 4 and 6 cure the issues, and the objections are withdrawn.
	Regarding the Applicant’s response at pages 12-14 of the Remarks that concerns the interpretation of the claims under § 112(f) and the corresponding rejection under § 112(b), the amendment to the claims that replaces “deobfuscator” with “deobfuscation code” cures the attendant issues.  Accordingly, the claims will not be interpreted under § 112(f), and the § 112(b) rejection is withdrawn.
	Regarding the Applicant’s response at pages 14-15 of the Remarks that concerns the § 101 rejection of claims 19 and 20, the Examiner respectfully concludes that the Applicant’s response is not persuasive and the § 101 rejection is maintained.  In the response, the Applicant cites ¶ [0121] of the specification that states, “Such are distinguished from and non-overlapping with communication media (do not include communication media).  Communication media embodies computer-readable instructions….” (emphasis retained).  The Applicant further contends, “In view of the foregoing, the term “computer-readable storage medium” cannot possibly encompass communication media such as signals or carrier waves or transitory signals, as the Specification explicitly precludes such an interpretation.” (emphasis retained). 
	The Examiner respectfully rejects the Applicant’s argument because the specification states that “computer-readable storage media” are “non-overlapping” with “communication media [that] embodies computer-readable instructions.”  Yet, claim 19 specifically states, “A computer-readable storage medium having program instructions recorded there on….” (emphasis added).  Accordingly, although the specification claims that there is no “overlap” between “computer-readable storage medium” and “computer readable instructions”/”program instructions,” such overlap clearly exists within claim 19.  Thus, interpreting the claims in light of the specification is meaningless in view of this inconsistency, and the § 101 rejection is maintained for the specification fails to establish that the computer-readable storage medium can only be non-transitory.  As noted in the Office Action of August 6, 2021 at page 8, the Examiner maintains that “this rejection can be overcome by simply amending claim 19 to recite, ‘A non-transitory computer-readable storage medium….’”  
	Regarding the Applicant’s response at pages 15-17 of the Remarks that concerns the § 103 rejection of independent claims 1, 10, and 19, the Examiner respectfully concludes that the Applicant’s response is not persuasive, and the § 103 
The Examiner relied upon Thomas to teach the limitation of malware that “has accessed a particular region of memory designated as being non-accessible.”  See Office Action p. 11-12.  In contrast to the Applicant’s contention, Thomas at ¶ [0023] teaches “the capability to determine changes made to physical memory (RAM) as a result of executing malware,” which squarely addresses the claim limitation of malware that “has accessed a particular region of memory.”  
However, ¶ [0023] of Thomas is silent to memory “designated as being non-accessible.”  This limitation is broad, as the claim is silent as to what makes the memory “non-accessible” and how it is “designated.”  (Indeed, the Examiner now questions whether the claim is worded correctly, as the claim states the “code has accessed” memory that is supposedly “non-accessible” in accordance with its “designat[ion]” – i.e., the memory is “non-accessible,” yet it is stilled “accessed.”)  Given the breadth of this limitation, the Examiner cited Thomas at ¶¶ [0083]-[0090] to teach this aspect of the limitation where malware accesses protected memory (i.e., “page protection”), which 
	Regarding the Applicant’s response at pages 17-18 of the Remarks that concerns the § 103 rejection of the remaining dependent claims 2-9, 11-18, and 20, the arguments for patentability rest upon the patentability of the independent claims 1, 10, and 19.  Because the Examiner concludes that the independent claims are not patentable over the prior art of record, the dependent claims are similarly not allowable.  
In view of the above, the § 103 rejection of claims 1-20 is maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved Or more succinctly, move numbered material first, lettered material last.)
A.	Claims 1-4 and 6-9 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada et al. (US 2016/0381043, “Yamada”) in view of Thomas et al. (US 2012/0079596, “Thomas”).
Regarding Claim 1
Yamada discloses
A method performed by a computing device for identifying malicious code  (Fig. 8, ¶ [0059], “Turning to FIG. 8, FIG. 8 is an example flowchart illustrating possible operations of a flow 800 that may be associated with detecting shellcode [that acts as malicious code],” and “At 804, the system determines if self-modifying code is detected.”),
the malicious code (Fig. 8, ¶ [0059]) comprising deobfuscation code configured to deobfuscate (Fig. 1, ¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code, to detect the self-decrypting code sequence [acting as deobfuscation code configured to deobfuscate via decrypting code], allow antivirus software to dynamically apply signature based methods, and identify malware after the decryption of the obfuscated malware code.”) an obfuscated portion of the malicious code (¶ [0024], “Obfuscated malware or shellcode is typically encrypted and needs to be self-decrypted prior to the execution. This self-decrypting process of the malware code begins with a GetPC or GetEIP operation,…”),
to generate a deobfuscated portion during execution of the deobfuscated code (¶ [0024], i.e., the “obfuscated malware” is “self-decrypted” to obtain deobfuscation code execut[ed] in order to generate a deobfuscated portion via “unpacking (decompression) and self-decrypting (decoding) operations”),
the method (Fig. 8, ¶ [0059]) comprising:
1 …;
suspending execution of the deobfuscated portion of the malicious code in response to the detecting (¶ [0024], “ The process can involve self-modifying code operations modifying a number of bytes in its code prior to the malware code execution,” which acts to thereby suspend execution of the “malware code”); and
obtaining a snapshot of runtime characteristics of at least one of the deobfuscated code or the deobfuscated portion of the malicious code in response to the suspending (¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code;” and ¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods [to create a snapshot] to de-obfuscated malware code [as a runtime characteristic] for finding the known malware signatures.”),
wherein one or more indicators of compromise that indicate the presence of the malicious code on the computing device (¶ [0036], i.e., “known malware signatures” indicate the presence of the malicious code) are automatically determined based on an analysis of the snapshot (¶ [0024], “…to detect the self-decrypting code sequence, allow antivirus software to dynamically apply signature based methods, and identify malware after the decryption of the obfuscated malware code,” i.e., this occurs automatically and without the intervention of an administrator), and
wherein one or more signatures are determined based on the automatically determined one or more indicators of compromise (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding the known malware signatures.”),
the one or more signatures being utilized for subsequent detection of malicious code (¶ [0036], “…known malware signature,” i.e., “known” indicates a previous detection and characterization to create a “signature” that is then utilized for subsequent detection of malicious code).
Yamada doesn’t disclose
1 detecting that the deobfuscated portion of the malicious code has accessed a particular region of memory designated as being non-accessible;
Thomas, however, discloses
1 detecting that the deobfuscated portion (Yamada ¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code…”) of the malicious code (Yamada ¶ [0059]) has accessed a particular region of memory designated as being non-accessible (¶ [0023], “Additionally, the embodiments described herein include the capability to determine changes made to physical memory (RAM) as a result of executing malware;” and ¶¶ [0083]-[0090], i.e., the protection of memory making it non-accessible);
                Regarding the combination of Yamada and Thomas, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the detection system of Yamada to have included the memory feature of Thomas. One of ordinary skill in the art would have been motivated 
 Regarding Claim 2
Yamada in view of Thomas (“Yamada-Thomas”) discloses the method of claim 1, and Yamada further discloses
wherein the automatically determined one or more indicators of compromise (¶¶ [0024], [0036]) comprise one or more dynamic indicators of compromise (Fig. 2, ¶ [0048], “Execution profiling binary translation module 124 can be configured to run within a target application process space along with security module 114 and can be loaded dynamically by security module 114 to enable dynamic behavioral monitoring [to automatically determine … dynamic indicators of compromise] of the execution of an application.”) that include:
an access caused by the deobfuscated portion to one or more resources of an operating system executing on the computing device (¶ [0053], “The profiling and monitoring can start upon a particular event or when an address or area of memory [that represents a resource] is accessed”), the one or more resources comprising:
at least one file or directory of a file system maintained by the operating system or an application programming interface (API) for accessing the file system;
at least one registry key or value of a registry maintained by the operating system or an API for accessing the registry;
at least one of a process or thread maintained by the operating system or an API for manipulating at least one of the process or thread (Fig. 2, ¶¶ [0048]-[0049], “Binary translation system layer 132 can be configured to provide virtualize operating system interfaces such as system calls, exceptions, asynchronous callbacks, process and thread creations, etc.;” see also ¶ [0049], “Execution profiling module 126 can be configured to communicate with security module 114 and expose execution application program interfaces (APIs),” noting only one limitation need be met with the claim limitation of one or more resources comprising);
one or more explicitly-loaded modules or an API for explicitly loading the modules;
one or more delay-loaded modules or an API for delay-loading the modules;
one or more APIs for accessing one or more user privileges or profiles;
one or more mutexes maintained by the operating system or an API for accessing the one or more mutexes;
one or more environment variables maintained by the operating system or an API for accessing the one or more environment variables;
one or more APIs for performing one or more cryptographic primitives; or
network activity caused by the deobfuscated portion and performed by the computing device or an API for performing the network activity or for accessing network parameters utilized for performing the network activity; and
a change in entropy of one or more code sections of the memory after execution of the deobfuscated portion of the malicious code.
Regarding Claim 3
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
wherein the automatically determined one or more indicators of compromise (¶¶ [0024], [0036]) comprise one or more static indicators of compromise (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding the known malware signatures;” see also Thomas ¶ [0021], “The product also performs a variety of dynamic and static analysis techniques to determine exactly what the malware does while running and its full range of capabilities,” and ¶ [0029], “The system performs an initial static analysis on the file or files [encompassing malware code] and then dispatches the file or files to a physical machine, virtual machine, or emulator for dynamic analysis”) 
that include at least one string, metadata or byte sequence associated with at least one of the deobfuscation code or the deobfuscated portion (¶ [0036], where the “de-obfuscated malware code” consists of a byte sequence associated with … deobfuscated portion).
Regarding Claim 4
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
determining a deobfuscation scheme utilized by the deobfuscation code (¶ [0024], “This self-decrypting process of the malware code begins with a GetPC or GetEIP operation [that acts as part of the obfuscation scheme], which is used to locate the address of the obfuscated malware code body.”) 
to generate the deobfuscated portion of the malicious code based on the analyzing (¶ [0024], “Once the address of the obfuscated code is known with the GetPC operation, the malware performs unpacking (decompression) and self-decrypting (decoding) operations from the discovered GetPC address.”).
Regarding Claim 6
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
wherein the obfuscated portion of the malicious code is encrypted, and wherein the deobfuscation code is configured to decrypt the obfuscated portion (¶ [0024], “Obfuscated malware or shellcode is typically encrypted and needs to be self-decrypted [via the deobfuscation code] prior to the execution.”).
Regarding Claim 7
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
determining an invariant portion of the malicious code that remains unchanged across multiple executions of the malicious code (¶ [0024], “The process can involve self-modifying code operations modifying a number of bytes in its code prior to the malware code execution,” with the non-modified bytes in the code comprising an invariant portion of the malicious code),
wherein the one or more signatures is based on the invariant portion of the malicious code (¶ [0022], “The obfuscation techniques are known to be effective in bypassing signature based antivirus detection techniques,” and ¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code, to detect the self-decrypting code sequence, allow antivirus software to dynamically apply signature based methods,” i.e., the system of Yamada .
Regarding Claim 8
Yamada-Thomas discloses the method of claim 3, and Yamada further discloses
wherein the one or more signatures comprise the one or more static indicators of compromise (¶ [0022], “The obfuscation techniques are known to be effective in bypassing [static] signature based antivirus detection techniques,” and ¶ [0024], “allow antivirus software to dynamically apply signature based methods,” i.e., the signatures are static indicators of compromise that are incorporated into a dynamic process).
Regarding Claim 9
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
wherein the runtime characteristics (¶ [0024]) comprise at least one of:
Thomas further discloses
register values at the time of suspending of a particular thread associated with the malicious code;
a number of sequential function calls that occurred prior to suspending of a particular thread associated with the malicious code;
a listing of library modules loaded at the time of the suspending;
a listing of file handles opened at the time of the suspending; or
at least a partial memory dump at the time of the suspending (¶ [0023], “Embodiments utilize one or more advanced memory forensics platforms and ancillary software including databases to compute the difference between the baseline memory dump and the “infected” memory dump,” and “The forensics/analysis capability described herein suspended]) to detect attempts for malware to hide in the stealthiest ways.”).
	Regarding the combination of Yamada and Thomas, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the detection system of Yamada to have included the runtime-characteristic feature of Thomas. One of ordinary skill in the art would have been motivated to incorporate the runtime-characteristic feature of Thomas because Thomas teaches that by analyzing memory dumps, “malicious behaviors are detected that conventional approaches cannot detect (such as the API hooks mentioned above), thus providing a more comprehensive and accurate report on the malware.”  See Thomas ¶ [0023].
Regarding Claims 10-11 and 19-20
With respect to claims 10-11 and 19-20, a corresponding reasoning as given earlier for claims 1-2 applies, mutatis mutandis, to the subject matter of claims 10-11 and 19-20. Therefore, claims 10-11 and 19-20 are rejected, for similar reasons, under the grounds set forth for claims 1-2.
 Regarding Claims 12-13 and 15-18
With respect to claims 12-13 and 15-18, a corresponding reasoning as given earlier for claims 3-4 and 6-9 applies, mutatis mutandis, to the subject matter of claims 12-13 and 15-18. Therefore, claims 12-13 and 15-18 are rejected, for similar reasons, under the grounds set forth for claims 3-4 and 6-9.
B.	Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada in view of Thomas, and further in view of Yavo (US 2018/0253549, “Yavo”).
Regarding Claim 5
Yamada-Thomas discloses the method of claim 1, and Yamada further discloses
wherein the malicious code is…1 (¶ [0024])
Yamada-Thomas doesn’t disclose
1 …Just-in-Time compiled shellcode.
Yavo, however, discloses
1 …Just-in-Time compiled shellcode (¶ [0011], “Having no code generation privileges, the ability of the attacker, using the JIT executing process, to exploit and generate malicious code within the processing environment may be significantly reduced.”).
Regarding the combination of Yamada-Thomas and Yavo, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the detection system of Yamada-Thomas to have included the JIT feature of Yavo. One of ordinary skill in the art would have been motivated to incorporate the JIT feature of Yavo because Yamada discusses the detection of shellcode, see Yamada ¶ [0018] (stating “communication system 100 can be configured for detecting shellcode…”), Yavo discusses an attacker using JIT code, see Yavo ¶ [0011], and Yavo discloses a detection system where “the ability of the attacker, using the JIT executing process, to exploit and generate malicious code within the processing environment may be significantly reduced.”  See Yavo ¶ [0011].   
Regarding Claim 14
With respect to dependent claim 14, a corresponding reasoning as given earlier for dependent claim 5 applies, mutatis mutandis, to the subject matter of claim 14. Therefore, claim 14 is rejected, for similar reasons, under the grounds set forth for claim 5. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491