DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 8, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa et al (PGPUB 2018/0082063), and further in view of Lawshae et al (PGPUB 2018/0173875).

Regarding Claim 15:
Kuppa teaches a system for determining existence of malware in a file (abstract, system for identifying malicious applications), the system comprising: 
one or more processors; and a non-transitory machine-readable medium having computer executable instructions stored thereon, that when executed, cause the one or more processors to (paragraph 48-51, system for detecting web shells including computer-readable medium and processor; paragraph 19, computer readable medium containing computer-executable instructions for performing a method for identifying malicious applications): 
(paragraph 45, file is received; paragraph 65, processor considers dynamic features related to suspected application; analyzing dynamic features of suspected application involve running the suspected application in a testing environment, e.g. “sandbox”; file is therefore executable); 
identify at least one of a function name, a variable name, and a method name in the executable file (paragraph 45, performing lexical analysis on a file's contents to turn its content into various syntactically meaningful tokens; then, in step 206, consider whether or not the file includes a particular string or function call based on the lexed components (i.e. function call is identified based on lexical analysis); if not, it may be concluded in step 208 that the file does not include a malicious function and is therefore not a web shell; if, on the other hand, the file does contain a string or function call of interest, the technique 200 may further analyze the call in step 210; paragraph 49, Fig. 4, lexer 306 may be configured to "lex" incoming files to break them down into individual function calls and/or language elements; Fig. 4 shows example strings including function name (“foo”) and variables (Var1), i.e. function names and variable names are identified);
determine a set of text strings in at least one of the identified at least one of a function name, a variable name, and a method name (paragraph 45, performing lexical analysis on file’s contents to turn its content into various syntactically meaningful tokens; technique considers whether or not file includes particular string or function call based on lexed components; technique considers whether lexed component string is function or merely string; paragraph 49, lexer 306 may be configured to "lex" incoming files to break them down into individual function calls and/or language elements; FIG. 4 illustrates the lexer 306 breaking a file into individual function calls and language elements; a static analysis module 402 and a dynamic analysis module 404 of the processor 308 may then parse the lexed and un-lexed versions to extract statistical features and data about the file); and 
(paragraph 64, static feature that may be analyzed and considered is the maximum string length of a suspected file; a file with string lengths above a certain length or threshold may indicate that a suspected file is a web shell, i.e. malicious application or “malware”).
Kuppa does not explicitly teach determining that the executable file potentially contains malware in response to determining that at least one text string of the set of text strings is a computer generated text string.
However, Lawshae teaches the concept of determining that an executable file potentially contains malware (abstract, identifying randomly generated character strings; paragraph 25-26, positive identification of randomly generated string indicative of malware operating on source device; positive identification of a randomly generated string in obfuscated code of a webpage may be indicative of potentially malicious software, triggering the computing device 100 to generate a security notification) in response to determining that at least one text string of a set of text strings is a computer generated text string (paragraph 7, malware randomly generates strings for use in a variety of contexts, e.g. filenames, domain names, variable names, function names, in order to avoid detection; determining whether string is randomly generated facilitates identification of malicious activity; paragraph 25-26, positive identification of randomly generated string indicative of malware operating on source device; positive identification of a randomly generated string in obfuscated code of a webpage may be indicative of potentially malicious software, triggering the computing device 100 to generate a security notification).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the determining that a text string is a computer generated text string teachings of Lawshae with the malware detection system of Kuppa, in order to combine the malware detection algorithm of Kuppa with additional methods targeting countermeasures which are employed

Regarding Claim 1:
	This is the method claim corresponding to the system of claim 15, and is therefore rejected for corresponding reasons.

Regarding Claim 8:
	This is the non-transitory machine-readable medium claim corresponding to the system of claim 15, and is therefore rejected for corresponding reasons.

Claim(s) 2, 4, 9, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa in view of Lawshae, and further in view of Heimann et al (US 10,685,293).

Regarding Claim 16:
Kuppa in view of Lawshae teaches the system of claim 15.
Neither Kuppa nor Lawshae explicitly teaches wherein determining that at least one text string of the set of text strings is a computer generated text string comprises determining that a ratio of consonants to vowels in the at least one text string is greater than a predetermined or configurable threshold value.
However, Heimann teaches the concept wherein determining that at least one text string of the set of text strings is a computer generated text string comprises determining that a ratio of consonants to vowels in the at least one text string is greater than a predetermined or configurable threshold value (col 13 line 8-18, DomainX is analytic that detects domain generation algorithms (DGA) in DNS data, i.e. “computer generated strings”; col 13 line 35-54, domains broken down into five characteristic features, such as “consonant to vowel ratio”; col 14 line 4-9, decision tree classifier trained on the features to determine cutoff point, i.e. threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the computer generated string detection teachings of Heimann with the malware detection system of Kuppa in view of Lawshae, in order to incorporate additional methods of analysis for detecting computer generated strings, such as analyzing consonant to vowel ratio, thereby improving the accuracy of detection, and minimizing false-positive and false-negative malware determinations.

Regarding Claim 2:
	This is the method claim corresponding to the system of claim 16, and is therefore rejected for corresponding reasons.

Regarding Claim 9:
	This is the non-transitory machine-readable medium claim corresponding to the system of claim 16, and is therefore rejected for corresponding reasons.

Regarding Claim 4:
Kuppa in view of Lawshae and Heimann teaches the method of claim 2.
Neither Kuppa nor Lawshae nor Heimann explicitly teaches wherein the predetermined or configurable threshold value for the ratio of consonants to vowels is 3.0.
However, Heimann does teach wherein the predetermined or configurable threshold value for the ratio of consonants to vowels falls within a range (paragraph 71, 75, “Consonant to vowel ratio”; cutoff point determined by building a receiver operating characteristic curve to choose an appropriate value to reduce false positives and false negatives in a balanced way).  Furthermore, Applicant’s specification recites a configurable threshold value of 3.0 as merely one example out of a number of possible examples (e.g. Summary of Invention, [0002] “In one embodiment, the threshold value for the ratio of consonants to vowels is 3.0, for example.”; Detailed Description, [0032] “In some embodiments, a value of three (3) can be used as the threshold value; however, it will be appreciated that other threshold values are also within the scope of the present invention.”)  Additionally, Examiner notes that the ratio of consonants to vowels in a string would fall within a range of expected non-negative values.  Therefore, a person of ordinary skill in the art, faced with the problem of determining a predetermined or configurable threshold value for the ratio of consonants to vowels in view of Heimann, would have considered a value of 3.0 as one acceptable threshold value within a range of acceptable values.

Claim(s) 3, 10-11, 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa in view of Lawshae, and further in view of Heimann and Dictionary.com (Ratio:definition, www.dictionary.com/browse/ratio, downloaded from archive.org, dated 3/16/2016).

Regarding Claim 17:
Kuppa in view of Lawshae teaches the system of claim 15.
Neither Kuppa nor Lawshae explicitly teaches wherein the computer executable instructions further comprise computer executable instructions to: 
determine a number of consonants in at least one text string of the set of text strings; 
determine a number of vowels in the at least one text string; 
divide the number of consonants by the number of vowels to determine the ratio of consonants to vowels; and 

However, Heimann teaches the concept wherein computer executable instructions further comprise computer executable instructions to: 
determine a number of consonants in at least one text string of a set of text strings (col 13 line 35-54, domains broken down into five characteristic features, such as “consonant to vowel ratio”; therefore, number of vowels and number of consonants is determined); 
determine a number of vowels in the at least one text string (col 13 line 35-54, domains broken down into five characteristic features, such as “consonant to vowel ratio”; therefore, number of vowels and number of consonants is determined); 
determine that the ratio of consonants to vowels is greater than a predetermined or configurable threshold value (col 13 line 8-18, DomainX is analytic that detects domain generation algorithms (DGA) in DNS data, i.e. “computer generated strings”; col 13 line 35-54, domains broken down into five characteristic features, such as “consonant to vowel ratio”; therefore, number of vowels and number of consonants is determined; col 14 line 4-9, decision tree classifier trained on the features to determine cutoff point, i.e. threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the computer generated string detection teachings of Heimann with the malware detection system of Kuppa in view of Lawshae, in order to incorporate additional methods of analysis for detecting computer generated strings, such as analyzing consonant to vowel ratio, thereby improving the accuracy of detection, and minimizing false-positive and false-negative malware determinations.
Neither Kuppa nor Lawshae nor Heimann explicitly teaches dividing the number of consonants by the number of vowels to determine the ratio of consonants to vowels.
(page 1, definition of ratio: 1. the relation between two similar magnitudes with respect to the number of times the first contains the second: the ratio of 5 to 2, written 5:2 or 5/2); and
Heimann teaches the first number is number of consonants and the second number is number of vowels (paragraph 71, consonant to vowel ratio).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the dictionary definition of “ratio” as taught by Dictionary.com with the malware detection system of Kuppa in view of Lawshae and Heimann, as it is well known within the art that a ratio can be defined as a first value divided by a second value.  A person of ordinary skill in the art would thus be motivated to calculate a parameter for malware detection based on the common definition of said parameter.

Regarding Claim 18:
Kuppa in view of Lawshae, Heimann, and Dictionary.com teaches the system of claim 17.
Neither Kuppa nor Lawshae nor Heimann nor Dictionary.com explicitly teaches wherein the predetermined or configurable threshold value for the ratio of consonants to vowels is 3.0.
However, Heimann does teach wherein the predetermined or configurable threshold value for the ratio of consonants to vowels falls within a range (paragraph 71, 75, “Consonant to vowel ratio”; cutoff point determined by building a receiver operating characteristic curve to choose an appropriate value to reduce false positives and false negatives in a balanced way).  Furthermore, Applicant’s specification recites a configurable threshold value of 3.0 as merely one example out of a number of possible examples (e.g. Summary of Invention, [0002] “In one embodiment, the threshold value for the ratio of consonants to vowels is 3.0, for example.”; Detailed Description, [0032] “In some embodiments, 

Regarding Claim 3:
	This is the method claim corresponding to the system of claim 17, and is therefore rejected for corresponding reasons.

Regarding Claims 10-11:
	These are the non-transitory machine-readable medium claims corresponding to the system of claims 17-18, and are therefore rejected for corresponding reasons.

Claim(s) 5-6, 12-13, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa in view of Lawshae, and further in view of Hubbard et al (PGPUB 2008/0133540).

Regarding Claim 19:
Kuppa in view of Lawshae teaches the system of claim 15.
Neither Kuppa nor Lawshae explicitly teaches wherein the computer executable instructions further comprise computer executable instructions to: 

However, Hubbard teaches the concept of computer executable instructions comprising computer executable instructions to: 
determine that at least one text string of the set of text strings is a computer generated text string comprises determining that a number of consonants in a sequence uninterrupted by a vowel in the at least one text string is greater than a predetermined or configurable threshold value (paragraph 42, system for identifying and categorizing web content, including potentially executable web content and malicious content; paragraph 101, it has been found that URLs having targeted content are more likely to include machine generated, random or other strings that do not conform to word formation rules, in order to avoid such content from being easily identified by the inclusion of known (disreputable) URL strings; in addition to scanning for keywords, the URL string (or substring) may be compared to a word (or, more generally, a concatenation of one or more words) from a dictionary to help determine whether the URL string includes words or appears to be a random, machine generated, include sequences of escaped (e.g., % escaped) characters, or include long nonsense strings (e.g., www.XXXXXXxxxxxxxxxxxyyyyyyyyyyyyyyzzzzzzzzzzzzzzzzzzzzzzzz.com); in one embodiment, dictionaries for one or more languages may be used; word formation rules may be any set of rules associated with words in a particular language; for example, in one embodiment, a simple word formation rule may identify strings of consonants or vowels that exceed a specified threshold (e.g., four) in length are unlikely to be a word).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the computer generated string detection teachings of Hubbard with the malware detection system of Kuppa in view of Lawshae, in order to incorporate additional methods

Regarding Claim 20:
Kuppa in view of Lawshae and Hubbard teaches the system of claim 19.
Neither Kuppa nor Lawshae nor Hubbard explicitly teaches wherein the predetermined or configurable threshold value for the number of consonants in a sequence uninterrupted by a vowel is 3.0.
However, Hubbard does teach the predetermined or configurable threshold value for the number of consonants in an uninterrupted sequence, and gives a value of “four” as one example of the specified threshold (paragraph 101, For example, in one embodiment, a simple word formation rule may identify strings of consonants or vowels that exceed a specified threshold (e.g., four) in length are unlikely to be a word).  Furthermore, Applicant’s specification recites a configurable threshold value of 3.0 as merely one example out of a number of possible examples (e.g. Summary of Invention, [0003] “In one embodiment, the threshold value for the number of consonants in a sequence uninterrupted by a vowel is 3.0, for example.”; Detailed Description, [0033] “In some embodiments, the threshold value can be three (3); however, it will be appreciated that other threshold values are also within the scope of the present invention.”)  Furthermore, Examiner notes that the number of consonants in sequence in a string would fall within a range of expected non-negative values.  Therefore, a person of ordinary skill in the art, faced with the problem of determining a predetermined or configurable threshold value for the number of consonants in an uninterrupted sequence in view of Hubbard, would have considered a value of 3.0 as one acceptable threshold value within a range of acceptable values.

Regarding Claims 5-6:
	These are the method claims corresponding to the system of claims 19-20, and are therefore rejected for corresponding reasons.

Regarding Claims 12-13:
	These are the non-transitory machine-readable medium claims corresponding to the system of claims 19-20, and are therefore rejected for corresponding reasons.

Claim(s) 7, 14, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa in view of Lawshae, and further in view of Hubbard et al (PGPUB 2008/0133540).

Regarding Claim 21:
Kuppa in view of Lawshae teaches the system of claim 15.
Neither Kuppa nor Lawshae explicitly teaches wherein the computer executable instructions further comprise computer executable instructions to: 
perform an iteration over the set of text strings, the iteration adapted to: 
determine whether a ratio of consonants to vowels for at least one text string is greater than a predetermined or configurable first threshold value.
However, Heimann teaches the concept wherein computer executable instructions further comprise computer executable instructions to: 
perform an iteration over the set of text strings (col 13 line 8-18, DomainX analytic for detecting generated domains; col 13 line 19-34, DomainX analyzes domain using feature generation engine), the iteration adapted to: 
(col 13 line 8-18, DomainX is analytic that detects domain generation algorithms (DGA) in DNS data, i.e. “computer generated strings”; col 13 line 35-54, domains broken down into five characteristic features, such as “consonant to vowel ratio”; col 14 line 4-9, decision tree classifier trained on the features to determine cutoff point, i.e. threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the computer generated string detection teachings of Heimann with the malware detection system of Kuppa in view of Lawshae, in order to incorporate additional methods of analysis for detecting computer generated strings, such as analyzing consonant to vowel ratio, thereby improving the accuracy of detection, and minimizing false-positive and false-negative malware determinations.
Neither Kuppa nor Lawshae nor Heimann explicitly teaches determining whether a number of consonants in a sequence uninterrupted by a vowel in at least one text string is greater than a predetermined or configurable second threshold value; and 
indicating that at least one text string is likely a computer generated string if either the first threshold value is exceeded or the second threshold value is exceeded.
However, Hubbard teaches the concept wherein computer executable instructions further comprise computer executable instructions to: 
perform an iteration over a set of text strings (paragraph 101, reputation scoring module 331 may be configured to associate a score with a URL based on information about the URL), the iteration adapted to: 
determine whether a number of consonants in a sequence uninterrupted by a vowel in at least one text string is greater than a predetermined or configurable second threshold value (paragraph 42, system for identifying and categorizing web content, including potentially executable web content and malicious content; paragraph 101, it has been found that URLs having targeted content are more likely to include machine generated, random or other strings that do not conform to word formation rules, in order to avoid such content from being easily identified by the inclusion of known (disreputable) URL strings; in addition to scanning for keywords, the URL string (or substring) may be compared to a word (or, more generally, a concatenation of one or more words) from a dictionary to help determine whether the URL string includes words or appears to be a random, machine generated, include sequences of escaped (e.g., % escaped) characters, or include long nonsense strings (e.g., www.XXXXXXxxxxxxxxxxxyyyyyyyyyyyyyyzzzzzzzzzzzzzzzzzzzzzzzz.com); in one embodiment, dictionaries for one or more languages may be used; word formation rules may be any set of rules associated with words in a particular language; for example, in one embodiment, a simple word formation rule may identify strings of consonants or vowels that exceed a specified threshold (e.g., four) in length are unlikely to be a word); and 
indicate that at least one text string is likely a computer generated string if either a first threshold value is exceeded or the second threshold value is exceeded (paragraph 107, URLs with scores above a threshold are identified with a category, e.g., malicious, regardless of, or in addition to, the category identified by content analysis of the web page; multiple scores associated with different categories are assigned to each URL, and the categories corresponding to each score above a given threshold are identified with the URL; multiple thresholds are employed; URLs having scores above one threshold value automatically are classified based on the score); and
Heimann teaches wherein the first threshold value is the threshold of the ratio of consonants to vowels for the at least one text string (col 13 line 8-18, col 13 line 35-54, col 14 line 4-9).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the computer generated string detection teachings of Hubbard with the malware detection system of Kuppa in view of Lawshae and Heimann, in order to incorporate

Regarding Claim 7:
	This is the method claim corresponding to the system of claim 21, and is therefore rejected for corresponding reasons.

Regarding Claim 14:
	This is the non-transitory machine-readable medium claim corresponding to the system of claim 21, and is therefore rejected for corresponding reasons.
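
The two-threshold check discussed for claim 21 (consonant-to-vowel ratio, longest consonant run uninterrupted by a vowel, flag if either threshold is exceeded), sketched as an added Python example; it is not code from the application or from any cited reference. The regex identifier scan, the keyword list, counting 'y' as a consonant and the handling of vowel-free strings are assumptions made here; the thresholds 3.0 and 3 are the example values this action quotes from the specification.

```python
import math
import re

VOWELS = frozenset("aeiou")   # assumption: 'y' is counted as a consonant
RATIO_THRESHOLD = 3.0         # example value quoted from the specification
RUN_THRESHOLD = 3             # example value quoted from the specification

# Crude stand-in for the lexer step: any identifier-shaped token that is
# not a language keyword. A real lexer would also skip literals and comments.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
KEYWORDS = frozenset({"function", "return", "var", "if", "else", "for", "while"})


def identifiers(source):
    """Distinct function/variable names, in order of first appearance."""
    seen = {}
    for match in IDENT_RE.finditer(source):
        name = match.group(0)
        if name not in KEYWORDS:
            seen.setdefault(name, None)
    return list(seen)


def text_strings(name):
    """Alphabetic runs inside one identifier (digits and '_' act as separators)."""
    return [part.lower() for part in re.findall(r"[A-Za-z]+", name)]


def consonant_vowel_ratio(s):
    vowels = sum(ch in VOWELS for ch in s)
    consonants = len(s) - vowels
    if vowels == 0:
        # Assumption: a vowel-free string has an unbounded ratio, so it
        # exceeds any finite threshold instead of raising ZeroDivisionError.
        return math.inf if consonants else 0.0
    return consonants / vowels


def longest_consonant_run(s):
    longest = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def looks_generated(s, ratio_threshold=RATIO_THRESHOLD, run_threshold=RUN_THRESHOLD):
    """True if either threshold is strictly exceeded."""
    return (consonant_vowel_ratio(s) > ratio_threshold
            or longest_consonant_run(s) > run_threshold)


def scan(source):
    """Map each identifier to the text strings in it that look generated."""
    findings = {}
    for name in identifiers(source):
        hits = [s for s in text_strings(name) if looks_generated(s)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample input, not taken from any real file.
SAMPLE = """
function loadConfig(path) { var data = readFile(path); return data; }
function xkqzvbt(a) { var qwrtpls_9 = a; var total_length = qwrtpls_9; return total_length; }
"""

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(name, hits)
```

On the sample, `path` sits exactly at a ratio of 3.0 and is not flagged, while the ordinary word `length` in `total_length` exceeds both thresholds, which is the kind of false positive a fixed cutoff produces.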

Response to Arguments
Applicant's arguments filed 1/10/2022 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
Applicant’s arguments:  In rejecting the claims of the present application, the examiner cites to paragraph [0049] and FIG. 4 of Kuppa as disclosing of breaking down the executable file using the "lex" feature as described in Kuppa. However, while Kuppa discloses breaking down the executable files, it does not disclose identifying at least one of a function name, variable name, and method name, and determining a set of text strings in at least one of those identified function names, variable names and method names as claimed in the present application. Kuppa merely discloses breaking apart the executable file, it does not disclose identifying a function, variable, or method name as required in the claims, nor does it disclose determining a set of text strings in those identified function name, variable in those names as required in the claims (as amended) of the present application. Similarly, Lawshae does not teach, suggest, or disclose identifying a function, variable, or method name, nor of identifying text strings in those identified names.
Thus, neither Kuppa nor Lawshae, nor their combination, teach, suggest, or disclose those limitations of the claimed invention.
Furthermore, Lawshae, as cited by the examiner, discloses that searching of text is performed on the entire executable file, not on a set of identified function, variable, and method names and corresponding text strings as in the claims of the present application. Thus, even if combined with Kuppa, the system and method of the combined Kuppa and Lawshae would not perform the same functions or produce the same result as is achieved by the invention of independent claims 1, 8, and 15 of the present application.

	Examiner’s response: The Examiner disagrees.  Kuppa is explicitly directed to determining whether an isolated string is a function/variable name (e.g. paragraph 45, 49, Fig. 4), which can certainly be seen as identifying at least one of a function name, variable name, or method name.  Fig. 4 shows a code segment being broken up into variables and function names.  Furthermore, the function/variable names are determined by determining the strings which make up the function/variable name (e.g. paragraph 45, 49, Fig. 4), so Kuppa also shows that the set of text strings making up the function/variable names are determined.  Kuppa goes on to analyze the determined strings for an indication that malware is present (e.g. paragraph 64).  Therefore, Kuppa at least teaches “identifying a function, variable, or method name, nor of identifying text strings in those identified names” as in claims 1, 8, and 15 as amended.

	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.
	
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FORREST L CAREY/Examiner, Art Unit 2491


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491