PNG
    media_image1.png
    172
    172
    media_image1.png
    Greyscale
United States Patent and Trademark Office
    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov






BEFORE THE BOARD OF PATENT APPEALS 
AND INTERFERENCES






Application Number: 15/799,575
Filing Date: October 31, 2017
Appellant: Ming Sum Sam NG, et al.
 



______________
Timothy B. Kang 
Registration No. 46,423
For Appellant





EXAMINER’S ANSWER 




(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated June 18, 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument
	Appellants’ arguments filed November 3, 2021 have been fully considered but are not persuasive.  It is respectfully submitted that the rejections are proper and should be maintained for the reasons that follow.
A.  Appellant’s arguments (Brief, pages 8-17) have been fully considered and are addressed below.
	Appellant argues in substance, that “A. The rejection of claims 1, 3, 7-18, and 18-20 under 35 U.S.C. § 103(a) as being unpatentable over Wyatt in view of Muthurajan should be reversed.
The test for determining if a claim is rendered obvious by one or more references for purposes of a rejection under 35 U.S.C. § 103 is set forth in KSR International Co. v. Teleflex fac., 550 US. 398, 82 USPQ2Zd 1385 (2007):
“Under § 103, the scope and content of the prior art are to be determined; differences between the prior art and the claims at issue are to be ascertained; and the 
According to the Examination Guidelines for Determining Obviousness Under 35 U.S.C. 103 in view of KSR International Co. v. Teleflex Inc., Federal Register, Vol. 72, No. 195, 57526, 57529 (October 10, 2007), once the Graham factual inquiries are resolved, there must be a determination of whether the claims would have been obvious to one of ordinary skill in the art based on any one of the following proper rationales:
(A) Combining prior art elements according to known methods to yield predictable results; (B) Simple substitution of one known element for another to obtain predictable results; (C) Use of known technique to improve similar devices (methods, or products} in the same way; (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) “Obvious to try’’-—choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of if for use in either the same field or a different one based on design incentives or other market forces if the variations would have been predictable to one of ordinary skill in the art; (G) Some teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art KSR International Co. v. Teleflex Inc., 550 U.S, 398, 82 USPO2d 1385 (2007).
Furthermore, as set forth in KSA International Co. v. Teleflex Inc., quoting from In re Kahn, 441 F.3d 977, 988 (CA Fed. 2006), “[R]ejections on obviousness grounds cannot be sustained by mere conclusory statements; instead, there must be some articulated reasonings with some rational underpinning to support the legal conclusion of obviousness.” Furthermore, as set forth in MPEP 2143.03, to ascertain the differences between the prior art and the claims at issue, “[a]ll claim limitations must be considered” because “all words in a claim must be considered in judging the patentability of that claim against the prior art.” In re Wilson, 424 F 2d 1382, 1385.”

The Examiner disagrees with the assessment of proper rationales presented, as option (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results use is presented in the Final rejection dated 06/18/2021. 
Examiner presented rational underpinning of Wyatt and Muthurajan prior art references, which are from the same field of endeavor of G06F21 as the invention, which is from the security arrangements for protecting computers, components thereof, programs or data against unauthorised activity.
Wyatt invention compares applications and assesses differences by determining which applications are legitimate through processes of degrees of similarity, correlating applications, ordered searching, and comparing updated counter variables [Wyatt, paras 0009-0012] to determine attacks. Wyatt also states one skilled in the art will appreciate hashing algorithms to transform an arbitrary amount of data, as well as receiving identifying information or metadata for a data object to determine if the data object is undesirable or malicious indicating potential attack or counterfeits [Wyatt, paras 0009, 0037, 0054-0055, 0092, 0125, and 0131].
Muthurajan invention provides application test using attack suggestions to determine attack surface(s) in this invention where the scanner can check the hash of code against previously attacked code to determine if code is vulnerable [Muthurajan, 0060]. In this instance, the scanner is analogous to the web server 110 of the instant invention. In this instance, the scanner is analogous to the web server 110 of the instant invention.
Further, all words of the claim limitations were considered when examining/judging the patentability of the invention. Lastly, Applicant does not present which “words” in particular of the claim limitations were not considered. Thus, Examiner asserts Wyatt and Muthurajan are proper in determining obviousness.

Claims 1, 3, 7-15 and 18-20 
Claims 1, 3, 7-15 and 18-20 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Wyatt in view of Muthurajan. This rejection should be reversed for at least the following reasons.
Independent Claim 1: 
Independent claim | recites, inter alia, 

compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces, 
determine a subset of attack surfaces of the web application corresponding to the subset of hash values that do not match the historical data of attack surfaces, 
scan only the subset of attack surfaces of the web application executed on the web server. (Emphasis added)
In setting forth the rejection of independent claim 1, the Examiner asserts that Wyatt discloses the features recited above, in paragraphs [0293]-[0295] and [0283]-[0284]. Final Office Action, pages 15-16. 
In paragraphs [0293]-[0295], Wyatt generally discusses comparing hash values of the contents of a downloaded application to hash values of the stored applications. If the hash values match, the system determines that the downloaded application has been previously retrieved. If the hash values do not match, the system determines that the downloaded application has not been previously retrieved. 
As such, if the hash values do not match historical data, Wyatt determines that the downloaded application has not been retrieved. However, if the hash values do not match, Wyatt does not scan only the attack surfaces whose hash values do not match the historical data. 
Moreover, Wyatt discusses comparing the hash values of the contents of a downloaded application to hash values of the stored applications. However, Wyatt does only those attack surfaces whose hash values do not match the historical data of attack surfaces, as recited in independent claim 1,
Under the “Response to Arguments” section of the Final Office Action, on page 7, the Examiner argues that, based on the specification of the present application, the “downloaded application contents” of Wyatt are the same as the “attack surfaces” of the web application recited in claim 1, and the “stored applications” of Wyatt are the same as the “historical data of attack surfaces” as recited in independent claim 1. 
However, the MPEP Section 2111 indicates that “Claims must be given their broadest reasonable interpretation in light of the specification.” 
In this case, the specification of the present application defines an “attack surface” in paragraph [0011] as follows:
As used herein, an “attack surface” refers to an element or function of an application that is exposed to users and is potentially vulnerable to a malicious attack, For example, an attack surface could be a hyperlink, an argument, an object that retrieves or uses data, and so forth. 



As Applicant cited from specification para 0011, an attack surface refers to "...an element or function of an application that is exposed to users...a hyperlink, an argument, an object that retrieves or uses data and so forth." As such is not a specific type of element in an application. The invention further describes in para 0011, an example of a provider allowing a retail company to provide a web application (i.e. software application) to allow users to purchase products using a web browser via a network. The automated testing performed on software applications periodically modifies and corrects errors identified. Hence, a hyperlink, an argument, an object can arguably be analogous to downloaded applications; in particular qualifying as "an object" when interpreted broadly.
Wyatt also performs a comparable examining/testing measure by first determining if an entry in the listing was previously retrieved; note that the same downloaded application is compared to the same application program [0291]. In a specific implementation, the operations of comparing the hash values of the downloaded applications to the hash values of the stored applications [0293].
Hence, the first limitation of claim 1: "compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces;"
Therefore, the Applicant attempts to make a distinction between "downloaded applications" including all and not directed to only attack surfaces of the downloaded applications. Examiner disagrees with this assertion and argues that these downloaded applications regardless of some or all; the downloaded applications analogous to an object(s), are indeed vulnerable to malicious attack when downloaded to a client computer. 
 
As a result, Wyatt may compare the hash values of the contents of a downloaded
application to the hash values of the stored applications in order to determine whether the downloaded application has been previously retrieved, but Wyatt does not compare the hash values of the attack surfaces of a web application to the historical data of attack surfaces in order to determine which attack surfaces of the web application have not been scanned.
Therefore, Wyatt fails to teach or suggest, “compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces” and “determine a subset of attack surfaces of the web application corresponding to the subset of hash values that do not match the historical data of attack surfaces,” as recited in independent claim 1.

Again, as presented above Wyatt teaches, the first limitation of claim 1: "compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces." Applicant's assertion of Wyatt comparing the downloaded applications to the hash values of the attack web surfaces as presented above on p. 9 showing how an element of the web application, in this case: an object [specification, para 0011]. 
This Vulnerability scanning of attack surfaces invention uses a method of determining whether to scan each hash value generated based on one or the plurality of attacks surface based on the plurality of hash values, at an attack server, to determine vulnerability to malicious attack [specification, Abstract and 0011].  
The attack surface data 130 may include the hash values. “In some implementations, the scanner 124 of the attack server 120 may compare the attack surface data 130 to the history data 128 to determine a subset of attack surfaces to scan. The scanner 124 may then perform a scan 134 of the determined subset of attack surfaces. Thus, in some examples, the scanner 124 may scan only new attack surfaces, or ...” [specification, 0018]. In the case of the claims, the scanner 124 scans only new attack surfaces, as presented in the last limitation: “scan only the subset of attack surfaces of the web application executed on the web server.” Hence, this subset of attack surfaces of the application executed can be interpreted as a new surface. 
For example, a data object that is a file on a filesystem may be identified by a hash of its contents. When the data object is first installed on a mobile communication device 101, the database may contain no data for the data object. Because there is no identifying information for the data object, the mobile communication device 101 recognizes the data object as new and transmits application data for the data object to server 151 indicating that the object is new...In this case, the mobile communication device 101 can report to the server that the data object identified by the file location and/or previous content hash has been updated and report the new content hash of the file [Wyatt, 0061].
In essence, the claim limitation “... and determining the subset of attack surfaces to scan...” presents sequentially or chronologically, the next step or order in performing the analysis; which merely has been interpreted to be the outcome or result after the comparison of plurality of hash values to historical data of attack surfaces take place. Therefore, Wyatt teaches “compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces” and “determine a subset of attack surfaces of the web application corresponding to the subset of hash values that do not match the historical data of attack surfaces.”
Wyatt does not scan only the attack surfaces whose hash values do not match the historical data of attack surfaces. Wyatt discusses, in paragraphs [0283]-[0284], crawling a target application to identify a comprehensive collection of application objects. As such, Wyatt identifies all of the contents (i.e., a “comprehensive” collection of the application objects) of the target application. Thus, Wyatt does not crawl or scan only a subset of attack surfaces that have not been previously scanned (i.e., the attacked surfaces whose hash values did not match the historical data of attack surfaces}. Therefore, Wyatt fails to teach or suggest, “scan only the subset of attack surfaces of the web application executed on the web server,” wherein the subset of attack surfaces is “corresponding to the subset of hash values that do not match the historical data of attack surfaces” as recited in independent claim 1. 

Again, Wyatt describes an invention that utilizes a crawler program to collect and store application programs that include application binaries and associated metadata. Additionally, any analysis includes comparisons and correlations to detect and warn users about pirated or maliciously modified applications [Wyatt, para 0007]. As such, the approach to “scan only the subset of attack surfaces of the web application executed on the web server,”  "a data object that is a file on a filesystem may be identified by a hash of its contents. Because there is no identifying information for the data object, the mobile communication device 101 recognizes the data object as new and transmits application data for the data object to server 151 indicating that the object is new."  is stated in para 0061. 
More importantly, Wyatt also describes a technique for optimizing data collection. As discussed, mobile communication devices 101 will transmit some or all of the above-described data to server 151 for analysis so that server 151 can provide an assessment of the analyzed data [specifically, 0084]. 
Examiner interpreted what Wyatt describes as a comprehensive collection of the application objects, is actually a comprehensive analysis approach of how device data and application data are collected and stored. In efforts to reduce the amount of network traffic of transmitting the whole data (i.e. application files or application packages) to be analyzed, hashing the whole data results in hash (values) of the data sent to server 151. So, if server identifies a matched suspect data object per a corresponding stored definitions of recognizable, known good or known bad data objects; it terms as a comprehensive analysis. As such, when assessing the whole data; the definition information used in comparison include: hash identifiers, package names, cryptographic signers, byte sequences, patterns, or logic that is used to match data objects on a device with stored or cached assessments [Wyatt, 0053-0054 and 0132-0133].
Lastly, it appears the Applicant has misinterpreted the totality of paras 0283-0284 of the Wyatt reference, as FIG. 19 shows a flow 1905 for crawling a target application source, which is a specific implementation of an overlap crawling technique that may be used to help ensure a comprehensive collection of application objects. More particularly, an application source (e.g., a web site or application marketplace) may exhibit inconsistencies due to issues such as coherency. The same query run on two different nodes in a cluster may produce two different result sets. The overlap crawling technique shown in FIG. 19 and discussed below can help to address coherency issues. 
This additional feature of the crawling approach is to correct coherency issues and later listing reverse-chronologically ordered or sorted listing of those specific mobile applications.
As mentioned above, the claim limitation “... and determining the subset of attack surfaces to scan...” presents sequentially or chronologically, the next step or order in performing the analysis; which merely has been interpreted to be the outcome or result after the comparison of plurality of hash values to historical data of attack surfaces take place. Therefore, Wyatt teaches “compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces” and “determine a subset of attack surfaces of the web application corresponding to the subset of hash values that do not match the historical data of attack surfaces,”
Therefore, Wyatt teaches to “scan only the subset of attack surfaces of the web application executed on the web server,” wherein the subset of attack surfaces is “corresponding to the subset of hash values that do not match the historical data of attack surfaces”



However, there is no correlation between the attack surface of a web application
mentioned in Muthurajan and the contents of a downloaded application discussed in Wyatt. As such, there is no obvious reason or motivation for one skilled in the art to substitute “contents of a downloaded application” of Wyatt with the “attack surfaces of a web application” of Muthurajan in order to achieve “compare the plurality of hash values of the plurality of attack surlaces to historical data of attack surfaces” as recited in independent claim 1.
Moreover, neither Wyatt nor Muthurajan discloses historical data of attack surfaces. Thus, if Wyatt and Muthurajan were combined, the combination of Wyatt and Muthurajan would still fail to teach the “historical data of attack surfaces” as recited in claim 1.
As a result, if Wyatt and Muthurajan were somehow combined, as proposed by the Examiner, the proposed combination would still fail to teach or suggest, “compare the plurality of hash values of the plurality of attack surfaces to historical data of attack surfaces to identify a subset of hash values that do not match the historical data of attack surfaces,” “determine a subset of attack surfaces of the web application corresponding to the subset of hash values that do not match the historical data of attack surfaces,” and “scan only the subset of attack surfaces of the web application executed on the web server,” wherein the subset of attack surfaces is“ corresponding to 
It appears that the Applicant is interpreting the observer 144 function of the server 140. Examiner disagrees as there is a correlation between the attack surface of a web application mentioned in Muthurajan and the contents of a downloaded application of Wyatt. As the instant invention, Muthurajan describes a client-server configuration where the computing device 110, analogous to client, contains a security test engine 120 includes: a crawl engine 122, trace engine 124 and attack engine 126, as shown in Fig 1. The Application Under Test (AUT) 142; where in the crawl phase the crawl engine 122 of the computing device 110 crawls the AUT 142, which allows the security test engine 120 to be able to identify an attack surface. While the server 140 may include an application under test 142, an observer 144, and rules 146; the security test engine 120 can send a request to the observer 144 for a list of suggestions that it supports. The observer 144 can return the list of types/categories of suggestions supported. For example, when identifying the attack surface; the attack surface information can be fetched [Muthurajan, paras 0014-0016]. Therefore, the observer assists in identifying attack surface information; allowing the observer to guide the computing device to confirming pieces of information are known to the observer that will expose important information to the vulnerability. And not that of an amount of time to attack an attack surface of a web application during testing [Muthurajan, para 0010]. As such, the received suggestion responses from the observer 250 based on trace of parameters; where attack suggestions can include a list of vulnerabilities associated with particular types of functions used during the probe
As previously stated, an attack surface refers to "...an element or function of an application that is exposed to users...a hyperlink, an argument, an object that retrieves or uses data and so forth." As such is not a specific type of element in an application. The invention further describes in para 0011, an example of a provider allowing a retail company to provide a web application (i.e. software application) to allow users to purchase products using a web browser via a network. The automated testing performed on software applications periodically modifies and corrects errors identified. Hence, a hyperlink, an argument, an object can arguably be analogous to downloaded applications; in particular qualifying as "an object" when interpreted broadly.
Moreover, the download applications are vulnerable attack surfaces that are vulnerable to exposure and as such correlate. Wyatt states "In a step 1730, the crawler retrieves, gets, obtains, fetches, or downloads and stores an application program, associated metadata, or both from the source. Data may be extracted from the downloaded application objects and stored in a database. In a specific implementation, each application is uniquely identified using a package name or some other mechanism such as a hash of the application contents” [Wyatt, 0253]. 
In response to Applicant's argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, both Wyatt and Muthurajan are from the same field of endeavor – Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; as well as Monitoring users, programs or devices.
Therefore, both Wyatt and Muthurajan discloses historical data of attack surfaces. Thus, if Wyatt and Muthurajan were combined, the combination of Wyatt and Muthurajan would still fail to teach the “historical data of attack surfaces” as recited in claim 1.

Independent claim 1 also recites, 
in response to identifying a vulnerable attack surface based on the scanning of the subset of attack surfaces, perform a predefined mitigation action on the vulnerable attack surface. 

The Examiner asserts that Wyatt discloses the features recited above, in paragraph [0065]. 

Final Office Action, page 16.

However, detecting a change in the assessment for a data object, as mentioned in Wyatt, does not include identifying a vulnerable attack surface in the web application. A change in the assessment of the data object does not automatically mean the data object is vulnerable to a malicious attack, Thus, the phrase “if server 151 detects a change in assessment for a previously analyzed data object” in Wyatt is not the same as “in response to identifying a vulnerable attack surface based on the scanning of the subset of attack surfaces” as recited in independent claim 1. As such, Wyatt does not perform a mitigation action in response to identifying a vulnerable attack surface, as recited in claim 1. Therefore, Wyatt fails to teach or suggest, “in response to identifying a vulnerable attack surface based on the scanning of the subset of attack surfaces, perform a predefined mitigation action on the vulnerable attack surface,” as recited in independent claim 1. 
 	Therefore, it is respectfully requested that the rejection of independent claim 1 be reversed and this claim be allowed.

Examiner disagrees with the argument of "...detecting a change in the assessment for a data object, as mentioned in Wyatt, does not include identifying a vulnerable attack surface in the web application...;" when the change is an indication, good or bad, that must be addressed and a potentially malicious or vulnerable attack surface exist.  This is significant enough to be broadly interpreted as "identifying a vulnerable attack surface"
Wyatt describes changes to assessment of a data object change, as discussed above, a data object represents a collective body of application objects, as previously discussed. As such, when assessing the whole data; the definition information used in comparison include: hash identifiers, package names, cryptographic signers, byte sequences, patterns, or logic that is used to match data objects on a device with stored or cached assessments [Wyatt, 0053-0054 and 0132-0133]. Since the determination of a subset is merely been interpreted to be the outcome or result, after the comparison of plurality of hash values to historical data of attack surfaces take place. Additionally, in performing this assessment is a mitigation action to thwart potential vulnerable attack surfaces.
Moreover, another observation in the interpretation is that the assessment performs “identification information and remediation information for the data object” [Wyatt, para 0143].
Therefore, Wyatt teaches “in response to identifying a vulnerable attack surface based on the scanning of the subset of attack surfaces, perform a predefined mitigation action on the vulnerable attack surface.” As such, Wyatt is maintained to reject this claim 1 limitation.



Independent Claims 9 and 15: 
Independent claims 9 and 15 recite features similar to those recited in independent claim 1 as discussed above. Thus, independent claims 9 and 15 are also believed to be allowable for similar reasons as set forth above for independent claim 1. It is therefore respectfully requested that the rejection of independent claims 9 and 15 be withdrawn, and these claims be allowed.  
Claims 9 and 15 also have similar concept as independent claim 1, the Examiner elaborates above regarding prima facie obvious in using the rejection where Wyatt and Muthurajan references were applied. As such, the rejection of the independent claims 9 and 15, respectively, will be maintained.

Dependent Claims 3, 7, 8, 10-14, and 18-20: 
Claims 3, 7, 8, 10-14, and 18-20 are dependent from one of independent claims 1, 9, and 13, Thus, they are also believed to be allowable for at least the are reasons as set forth above for independent claims 1,9, and 15. It is therefore respectfully requested that the rejection of claims 3, 7, 8, 10-14, and 18-20 be reversed, and these dependent claims be allowed.  
Claims  3, 7, 8, 10-14, and 18-20   depend on independent claims 1, 9, and 13 as such the rejections apply and are maintained for claims 1, 9, and 13 respectively.

Dependent Claims 8 and 10: 
The rejection of claims 8 and 10 should be reversed for at least the following reasons. Claim 8 recites, 
incrementing, by the attack server, a counter for each of the subset of hash values that do not match the historical data of attach surfaces; and 
in response to a determination that the counter exceeds a count threshold, attacking the subset of attack surfaces of the web application associated with the subset of hash values. 

In the rejection of claim 8, the Examiner asserts that Wyatt discloses the features recited above, in paragraphs [0293], [0294], [0297], and [0299]. Final Office Action, page 20.
However, in those paragraphs, Wyatt generally discusses that, if an application has been previously retrieved, an overlap counter variable tracks a number of occurrences where an application found during a current crawl is the same application from a previous crawl of the application source.
As such, the counter of Wyatt pertains to when the application was previously retrieved, i.e., when the hash value of the application matches the stored applications, which is opposite to the recitation in claim 8, “for each of the subset of hash values that do not match the historical data of attach surfaces”. In other words, the counter variable of Wyatt does not increment for each hash value that does not match historical data, Therefore, Wyatt fails to teach or suggest, “incrementing, by the attack server, a counter 
Furthermore, in paragraph [0299], Wyatt states, in relevant parts, “if the overlap counter variable is greater than or equal to the overlap threshold, a determination is made that all application programs at the source have been previously retrieved and remaining entries are not examined.”
As such, in Wyatt, when the counter exceeds the threshold, the system of Wyatt determines that all of the application programs have been previously retrieved and the remaining entries are not examined. Thus, when the counter exceeds the threshold, the system of Wyatt does not attack any attack surfaces. In fact, Wyatt indicates that “the remaining entries are not examined”. Accordingly, Wyatt does not perform any examination on the entries, let alone performing an attack on the attack surfaces. Therefore, Wyatt fails to teach or suggest, “in response to a determination that the counter exceeds a count threshold, attacking the subset of attack surfaces of the web application associated with the subset of hash values,” as recited in claim 8.
Claim 10 recites similar features as claim 8. Thus, the arguments against the rejection of claim 8 as discussed above also apply to claim 10. 

Examiner disagrees with the Applicant's arguments with respect to Wyatt teachings of "...is opposite to the recitation in claim 8, “for each of the subset of hash values that do not match the historical data of attach surfaces”. In other words, the counter variable of Wyatt does not increment for each hash value that does not match historical data...” 
It appears that Applicant misinterpreted the function of the specific implementation of an overlap crawling technique that may be used to help ensure a comprehensive collection of application objects. More particularly, an application source (e.g., a web site or application marketplace) may exhibit inconsistencies due to issues such as coherency. The same query run on two different nodes in a cluster may produce two different result sets. The overlap crawling technique shown in FIG. 19 and discussed below can help to address coherency issues [Wyatt, para 0283]. 
Wyatt discusses the crawler program comparison capability at step 1930 to determine whether a remaining entry, next to the entry, in the listing should be examined. At step 1940, alternatively, based on the comparison, a determination may be made that there may be applications at the source that have not been previously retrieved and a remaining, next, or adjacent entry may be examined (step 1940). As shown by loop 1945, the process iterates or repeats until, based on the comparison of the updated overlap counter variable and the threshold overlap value, [Wyatt, para 0293]. Hence, if not previously received that is an indication that there is not a match with previous crawls and in this implementation; the overlap counter is incremented regardless of the remaining entries not be examined. Further, crawlers can run or execute at desired frequencies to determine if downloaded application programs are illegitimate; hence attacking the system. Lastly, the inference engine can make an assessment that the illegitimate application may have been a repackaged application that include malware and other undesirable code [Wyatt, paras 0297 and 0309-0310]. Therefore, Wyatt suggests that illegitimate code with malicious code indeed attacks the computing system. 

B, The rejection of claims 2, 4-6, 16, and 17 under 35 U.S.C. § 103(a) as being
unpatentable over Wyatt in view of Muthurajan, and further in view of Williams should be reversed.
Claims 2, 4-6, 16, and 17 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Wyatt in view Muthurajan, and further in view of Williams.
Claims 2, 4-6, 16, and 17 are dependent from one of independent claims 1, 9, and 15. Thus, they are also believed to be allowable over Wyatt and Muthurajan for at least the same reasons as independent claims 1, 9, and 15. In addition, Williams fails to cure the deficiencies of Wyatt and Muthurajan. It is therefore respectfully requested that the rejection of claims 2, 4-6, 16, and 17 be reversed, and these claims be allowed.
Per dependencies on independent claims 1, 9, and 15; 103(a) rejections to claims 2, 4-6, 1 and 17 will be maintained.

For the above reasons, it is believed that the rejections should be sustained.

Respectfully submitted,

/Sakinah White Taylor/           Examiner, Art Unit 2497      
          




Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.