Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the amendment filed on 8/24/2021. Claims 1 and 15 are independent. Claims 1-4, 7-11, 14, 15 and 18-20 are amended. Claims 1-21 are currently pending.

Response To Arguments
The objection to claims 1-4, 7, 10 and 11 is withdrawn in view of the amendment.
Applicant argues on p. 10 of the Remarks that Khalid concerns detecting malicious content intended to be processed by the SW application executed in the computer system. In other words, Khalid teaches identification of malicious data such as a PDF file, a WORD document, etc. (cf. col. 5, lines 4 to 16) that may result in malicious behaviour of the computer system when the data is being processed by the SW application executed in the computer system due to an inherent (unintentional) security vulnerability of the SW application.
Examiner respectfully disagrees. The combination of FIG. 2 and col7 ln37-67 of Khalid shows that selecting, installing and configuring multiple versions of software 
Applicant argues on p. 10 of the Remarks that the claimed invention involves detection of malicious behaviour arising from execution of a certain version of the monitored application as such, without consideration of possible maliciousness of data being processed by the monitored application, where the security threat arises from malicious executable code embedded in a certain version of the monitored application, e.g. via the so-called supply chain attack.
Examiner respectfully disagrees. Examiner treats this as intended use because the above feature is not recited in the claimed invention.
Applicant argues on p. 11 of the Remarks that Khalid does not teach b) analysing evolutionary changes between the behaviours of the different versions of the same application.
Examiner respectfully disagrees. The combination of FIG. 2 and col7 ln37-67 of Khalid teaches feature b). In particular, FIG. 2 #203-#208 run each version of the software and identify a threat. Since the claim gives no specifics of how the analysis of evolutionary changes is carried out and the limitation is broad, Examiner interprets FIG. 2 #203 (for each of the versions of the SW application, processing logic invokes the corresponding version to access and test) as the analysis of evolutionary changes.
Applicant argues on p. 11 of the Remarks that Khalid does not teach d) monitoring behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis. 

Khalid in FIG. 2, col7 ln37-67 and col5 ln12-28 all teach feature e): the malicious content suspect 106 may exhibit the anomalous behavior for only a subset of the versions available for a SW application. This may be due to a security vulnerability (e.g., a programmatic feature susceptible to exploit) existing only in the subset of versions, which may occur, for example, when other versions have eliminated that feature or have been patched previously to close that security vulnerability. Accordingly, successfully detecting anomalous behavior marking a malicious attack may depend on the selection of the version or versions of the SW application to be used in testing conducted by the malicious content detection system 100.
Applicant argues on pp. 12-13 of the Remarks that Chen fails to provide any teachings that would enable the person having ordinary skill in the art to bridge the gap between Khalid and the claimed invention without an inventive effort. For at least 
Examiner respectfully disagrees. Applicant's invention is about detecting a threat to a computer system. The Chen reference is about detecting defect code in software. Defect code is a kind of threat to a computer system. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to 

Claims 1-10, 15-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid et al. (US 9626509 B1), hereinafter Khalid, in view of Chen et al. (CN 107967208 B), hereinafter Chen.

 Regarding claims 1, 15 and 21, Khalid teaches a method of detecting a threat against a computer system (FIG. 2), the method comprising:
a) monitoring installation (FIG. 2 and col7 ln37-67, at block 201, processing logic installs and configures multiple versions of a SW application (e.g., Microsoft Office or Adobe Acrobat) within a single VM that is hosted by a guest OS) and operation of multiple different versions of the same application in [[a]] the computer system (FIG. 2 and col7 ln37-67, at block 202, in response to receiving a malicious content suspect associated with the SW application, processing logic identifies and launches a VM having multiple versions of the SW application installed therein);
b) analysing evolutionary changes between the behaviours of the different versions of the same application (FIG. 2 and col7 ln37-67, At block 203, for each of the versions of the SW application, processing logic invokes the corresponding version to access and test, preferably concurrently, the malicious content suspect therein);
d) monitoring the behavior of the computer system to detect one or more procedures of the monitored application (FIG. 2 and col7 ln37-67, At block 204, processing logic monitors the behavior of the malicious content suspect processed with 
e) upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious (FIG. 2 and col7 ln37-67, At block 208, processing logic declares any identified attack incident and may issue an alert, which in some embodiments, contains or references threat data, including, for example, the version number or numbers of the SW application having a potential security vulnerability so that remedial action may be taken).
Khalid does not explicitly disclose c) detecting and monitoring a new version of the same application in [[a]] the computer system; and detect one or more procedures that do not match expected behaviors of the monitored application. However, in an analogous art, Chen teaches c) detecting and monitoring a new version of the same application in [[a]] the computer system (FIG. 1 and p. 1/8, 1) acquiring a source code of 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

 Regarding claims 2 and 16, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Chen further teaches wherein
analysing the evolutionary changes of the behaviours comprises analysing evolutionary changes of the behaviours of subsequent versions of the same application (FIG. 1 and para. 0008-0013, 1) acquiring a source code of a historical version and a source code of a version to be tested [interpreted as subsequent versions] of the same software; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).


 Regarding claim 3, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches creating and storing representations of the expected behaviors of the monitored application on the basis of the analysis (FIG. 2 and col7 ln37-67, At block 206, the processing logic stores information describing any detected anomalous behaviors, and, associated therewith, the version identifier (e.g., version number and, where applicable, service pack number) corresponding to each of the versions of the software application and the operating system whose execution resulted in the anomalous behavior).

 Regarding claim 4, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Chen further teaches wherein the step of
detecting one or more procedures that do not match the expected behaviours of the monitored application further comprises comparing the behaviour of the monitored application to the stored representations of expected behaviours (p. 3/8, 3) extracting relevant characteristics of the resource sensitive code mode; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

 Regarding claims 5 and 18, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Khalid further teaches generating behavioural data for the analysis by executing multiple different versions of the same application on physical machines, on separate test machines or by a virtualization system (FIG. 2 and col7 ln37-67, At block 202, in response to receiving a malicious content suspect associated with the SW application, processing logic identifies and launches a VM having multiple versions of the SW application installed therein. At block 203, for each of the versions of the SW application, processing logic invokes the corresponding version to access and test, preferably concurrently, the malicious content suspect therein. At block 204, processing logic monitors the behavior of the malicious content suspect processed with the corresponding version or versions of the SW application to identify anomalous behavior indicative of a malicious attack. col8 ln60-67, malicious network content detection system 825 may be configured to inspect exchanges of network content over the communication network 820, identify 
In addition, Chen teaches executing multiple different versions of the same application during normal usage (p. 3/8, 1) acquiring a source code of a historical version and a source code of a version to be tested of the same software; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

 Regarding claim 6, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Chen further teaches wherein each procedure of the one or more procedures of the monitored application is identified by a characteristic action and one or more expected actions (p. 3/8, 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set; 5) training the deep neural network model by using a training set to perform feature merging, and then calculating the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

 Regarding claim 7, the combination of Khalid and Chen teaches all of the limitations of claim 6, as described above. Khalid further teaches wherein at least one of the characteristic expected actions include one or more of: API calls and/or API call parameters made by a running application, information made available to plugins of the running application, actions relating to browser extensions, file access operations performed by the running application, network operations performed by the running application, encrypted communications sent by the running application, error conditions relating to the running application (col10 ln20-33, When a characteristic of the packet, such as a sequence of characters or keyword, is identified that meets the conditions of a heuristic, a suspicious characteristic of the network content is identified ... the characteristic may be determined as a result of an analysis across multiple packets comprising the network content. col8 ln34-55, Network content may include any data transmitted over a network (i.e., network data). Network data may include text, software, images, audio, or other digital data. An example of network content includes web content, or any network data that may be transmitted using a Hypertext Transfer 
In addition, Chen teaches (p. 3/8, packaging each type of the Python according to abstract syntax defined in a Python standard library, wherein each type has a mapping table which contains the internal attribute name or the API interface name of the type).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

 Regarding claim 8, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein said procedures include any one or more of: establishment of a secure session, communication over a secure session, file operations, registry operations, memory operations, or network operations (col8 ln34-55, An example of network content includes web content, or any network data that may be transmitted using a Hypertext Transfer Protocol (HTTP), Hypertext Markup Language (HTML) protocol, or be transmitted in a manner suitable for display on a Web browser software application. Another example of network content includes email messages, which may be transmitted using an email protocol such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), or Internet Message Access Protocol (IMAP4). A 

 Regarding claim 9, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above. Khalid further teaches wherein the step of identifying the monitored application as malicious or suspicious is based on at least one of: fulfilling predetermined rules (col10 ln1-19, the heuristic module 860 may examine the metadata or attributes of the captured content and/or the code image (e.g., a binary image of an executable) to determine whether a certain portion of the captured content matches a predetermined pattern or signature that is associated with a particular type of malicious content).
In addition, Chen teaches identifying the monitored application as malicious or suspicious based on a machine learning approach, or a decision making logic using the behavioural data as input (p. 3/8, 5) training the deep neural network model [machine learning] by using a training set to perform feature merging, and then calculating the correlation and sequencing by using the deep neural network model for the mode in the test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies the resource object operation which possibly has errors 

 Regarding claims 10 and 19, the combination of Khalid and Chen teaches all of the limitations of claims 1 and 15, as described above. Chen further teaches wherein the step of identifying the monitored application as malicious or suspicious is further based on a difference in version numbers of the different versions of the same application, wherein an expected amount of change in behaviour is related to an amount of change in version numbers (p. 4/8, feature combination based on the deep neural network, and adopts a standard metric value to measure the correlation level between the code to be tested and the defect code in the historical version, thereby being capable of positioning the resource sensitive defect code block to be deep into the basic statement level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).
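The behaviour-monitoring steps mapped above for claims 1, 3, 4, 9 and 10 (analysing evolutionary changes between versions, storing representations of expected behaviour, comparing a new version against them, applying a predetermined rule, and relating the tolerated amount of change to the difference in version numbers) can be illustrated with a small detector. The following is an added example written for this page; it is not code from the office action, the application, or the Khalid, Chen or Singh references. The application name "reportgen", the version numbers, the procedure names and every observed action are constructed, and the version-distance metric and the "new kind of action" rule are assumptions chosen for illustration.

```python
"""Added example (not from the office action, Khalid, Chen or Singh): a toy
detector for analysing evolutionary changes between versions, storing the
expected behaviour, comparing a new version against it, and scaling the
tolerated change by the version-number difference. Every version number,
procedure and action below is constructed for illustration."""
from dataclasses import dataclass

# A behaviour profile maps each characteristic action (procedure) to the set of
# actions observed to follow it, e.g. "file_read:<path>" or "net_connect:<host>".
Behaviour = dict[str, frozenset[str]]

# Constructed behaviour profiles for three historical versions of a
# hypothetical application "reportgen".
HISTORY: dict[str, Behaviour] = {
    "1.0": {
        "open_document": frozenset({"file_read:/home/user/report.docx"}),
        "export_pdf": frozenset({"file_write:/home/user/report.pdf"}),
        "check_update": frozenset({"net_connect:updates.example.com:443"}),
    },
    "1.1": {
        "open_document": frozenset({"file_read:/home/user/report.docx"}),
        "export_pdf": frozenset({"file_write:/home/user/report.pdf"}),
        "check_update": frozenset({"net_connect:updates.example.com:443"}),
        "spell_check": frozenset({"file_read:/usr/share/dict/words"}),
    },
    "1.2": {
        "open_document": frozenset({"file_read:/home/user/report.docx"}),
        "export_pdf": frozenset({"file_write:/home/user/report.pdf",
                                 "file_write:/tmp/reportgen.log"}),
        "check_update": frozenset({"net_connect:updates.example.com:443"}),
        "spell_check": frozenset({"file_read:/usr/share/dict/words"}),
    },
}


def parse_version(v: str) -> tuple[int, int]:
    major, minor = v.split(".")
    return int(major), int(minor)


def version_distance(a: str, b: str) -> int:
    """Constructed metric: a major step counts as ten minor steps."""
    (ma, na), (mb, nb) = parse_version(a), parse_version(b)
    return abs(ma - mb) * 10 + abs(na - nb)


def diff_behaviour(old: Behaviour, new: Behaviour) -> set[str]:
    """Every added ('+') or removed ('-') expected action between two versions,
    encoded as '+<procedure>|<action>' / '-<procedure>|<action>'."""
    changes: set[str] = set()
    for proc in set(old) | set(new):
        before, after = old.get(proc, frozenset()), new.get(proc, frozenset())
        for act in before ^ after:
            changes.add(("+" if act in after else "-") + f"{proc}|{act}")
    return changes


@dataclass
class ExpectedBehaviour:
    """Stored representation of the expected behaviour of the application."""
    baseline_version: str
    procedures: Behaviour                       # latest known profile
    action_types: dict[str, frozenset[str]]     # action kinds ever seen per procedure
    churn_per_step: float                       # historical changes per minor-version step


def analyse_evolution(history: dict[str, Behaviour]) -> ExpectedBehaviour:
    """Analyse evolutionary changes across consecutive historical versions."""
    versions = sorted(history, key=parse_version)
    changes = steps = 0
    for prev, cur in zip(versions, versions[1:]):
        changes += len(diff_behaviour(history[prev], history[cur]))
        steps += version_distance(prev, cur)
    types: dict[str, set[str]] = {}
    for profile in history.values():
        for proc, acts in profile.items():
            types.setdefault(proc, set()).update(a.split(":", 1)[0] for a in acts)
    latest = versions[-1]
    return ExpectedBehaviour(latest, history[latest],
                             {p: frozenset(t) for p, t in types.items()},
                             changes / steps if steps else 0.0)


def assess_new_version(expected: ExpectedBehaviour, version: str,
                       observed: Behaviour) -> tuple[str, list[str]]:
    """Compare a new version's observed behaviour with the stored representation.
    Returns ('expected' | 'suspicious' | 'malicious', unexpected additions)."""
    added = sorted(c for c in diff_behaviour(expected.procedures, observed)
                   if c.startswith("+"))
    # Predetermined rule (assumed for illustration): a known procedure gaining a
    # kind of action it never performed in any historical version is malicious.
    for change in added:
        proc, act = change[1:].split("|", 1)
        kind = act.split(":", 1)[0]
        if proc in expected.action_types and kind not in expected.action_types[proc]:
            return "malicious", added
    # Otherwise the tolerated amount of change grows with the version-number
    # difference; exceeding it makes the new version suspicious.
    allowed = expected.churn_per_step * version_distance(expected.baseline_version, version)
    return ("suspicious" if len(added) > allowed else "expected"), added


if __name__ == "__main__":
    exp = analyse_evolution(HISTORY)
    v13 = dict(HISTORY["1.2"])
    v13["export_pdf"] = v13["export_pdf"] | {"net_connect:203.0.113.7:8443"}
    print(assess_new_version(exp, "1.3", v13))
```

With the constructed history the churn is one change per minor step, so a hypothetical 1.3 that adds a single new procedure is within the expected amount of change, two new file reads in an existing procedure exceed it and are reported as suspicious, and the same two additions in a hypothetical 2.0 fall back to expected because the larger version-number difference allows more change. An existing procedure that starts making a network connection it never made before trips the predetermined rule regardless of the version difference.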

 Regarding claim 17, the combination of Khalid and Chen teaches all of the limitations of claim 15, as described above. Khalid further teaches wherein the processor is further configured to cause the system to perform: creating and storing representations of expected behaviors of the monitored application on the basis of the 
In addition, Chen teaches to cause the system to perform the step of detecting one or more procedures that do not match the expected behaviours of the monitored application by comparing the behaviour of the monitored application to the stored representations of expected behaviours (p. 3/8, 3) extracting relevant characteristics of the resource sensitive code mode; 4) calculating each feature similarity between the defect code mode and the safety code mode, and between the defect code mode and the code mode to be tested, generating a feature vector, and obtaining a training set and a test set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid and Chen because doing so identifies, according to the result of the relevance ranking, the resource object operation which possibly has errors, and assists development and maintenance (Chen p. 3/8).

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid in view of Chen, as applied in the claims above, further in view of Singh et al. (US 20160285914 A1), hereinafter Singh.

 Regarding claim 13, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above.
The combination of Khalid and Chen does not explicitly disclose upon identifying the monitored application as malicious or suspicious, the method further comprises handling the monitored application by one or more of: terminating a process of the monitored application, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the monitored application and performing a further malware scan on the monitored application. However, in an analogous art, Singh teaches upon identifying the monitored application as malicious or suspicious, the method further comprises handling the monitored application by one or more of: terminating a process of the monitored application, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the monitored application and performing a further malware scan on the monitored application (FIG. 4A and para. 0065, When the object is determined to be malicious based on pre-processing (yes at block 402), actions are performed to handle the malicious object (block 403). Examples of actions performed to handle a malicious object include, ... , (ii) a network administrator and/or an expert network analyst, uploading information associated with the malicious object to the cloud services and/or (iii) preventing the object from being received and/or processed by a client device, if possible).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid, Chen and Singh because Singh provides a virtualized malware detection system that improves exploit 

 Regarding claim 14, the combination of Khalid and Chen teaches all of the limitations of claim 1, as described above.
The combination of Khalid and Chen does not explicitly disclose upon identifying the monitored application as malicious or suspicious, further comprising at least one of: sending from a client computer to a server details of the characteristic action and other actions taken on the client computer; sending from the server to client computer an indication as to whether or not the monitored application is malicious or suspicious; sending from the server to the client computer instructions for handling the monitored application; prompting the client computer to kill and/or remove the monitored application; or storing information indicating the monitored application. However, in an analogous art, Singh teaches upon identifying the monitored application as malicious or suspicious, further comprising at least one of: sending from a client computer to a server details of the characteristic action and other actions taken on the client computer; sending from the server to client computer an indication as to whether or not the monitored application is malicious or suspicious; sending from the server to the client computer instructions for handling the monitored application; prompting the client computer to kill and/or remove the monitored application; or storing information indicating the monitored application (FIG. 4A and para. 0065, When the object is determined to be malicious based on pre-processing (yes at block 402), actions are performed to handle the malicious object (block 403). Examples of actions performed to 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khalid, Chen and Singh because Singh provides a virtualized malware detection system that improves exploit detection and/or visual representation of the detection of the suspected exploit and/or malware (Singh para. 0014).

Allowable Subject Matter
Claims 11, 12 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and overcoming double patenting rejection of claims.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 

/SHU CHUN GAO/Examiner, Art Unit 2437 

/MENG LI/Primary Examiner, Art Unit 2437