DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Claim Rejection Under 35 U.S.C. 103
1). Applicant’s argument that none of the applied references discloses “determine a first attribute of a plurality of attributes identified from the executable unpacked in the first computing environment by detecting initiation of the executable in the second computing environment” (see Remarks, page 2, ¶ 2) was considered, but is moot in view of new rejections made below in response to the latest amendments by applicant.
2). Applicant argues that none of the applied references (U.S. Patent No. 8,918,881 to Bettini and U.S. Publication No. 2019/0318089 Al by Wang) discloses “identifying the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment"  (see Remarks, page 2, ¶ 2).
The Examiner respectfully disagrees. Wang clearly teaches identifying the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment (see [0041] and Figs. 1A and 1B: “A safeguard client in a terminal includes a monitoring unit, an interception unit, a collection unit, a local detection unit, and a communication unit. With reference to FIG. 1B, the monitoring unit detects a suspicious operation of a program in the terminal, collects (by using the collection unit) attribute data related to the program”. And see [0042]: “related attribute data (by using the collection unit) is submitted to (by using the communication unit) to a cloud server. The cloud server calculates an attribute in each dimension (performing calculation by using an attribute calculation unit), performs detection (implemented by using the local detection unit) The Examiner interprets the server of Fig. 1A as a first computing environment. The Examiner further interprets the terminal containing the client of Fig. 1A as the second computing environment.
And see [0129]: “If the operation object of the suspicious behavior is not a targeted monitored object, attribute data of the program is collected, and detecting the program by matching the malicious program signature database of the terminal with an attribute in each dimension of the program is tried first. For example, attribute data in a plurality of dimensions of the program, such as a digital signature of the program, the MD5 of the program, PE file information, program information, and another attribute, are matched with attributes in corresponding dimensions in the malicious program signature database sequentially or in parallel”. And see [0130]: “For example, the attribute data in a plurality of dimensions of the program is uploaded to the cloud server in a form of a Hash table, and in the Hash table, storage locations of different attributes can be directly calculated according to keywords and mapping relationships of the attributes, thereby implementing efficient searching”. And see [0132]: “the terminal uploads the attribute data of the program to the cloud server, and invokes a malicious program detection service in the cloud server to detect whether the program is a malicious program”. The Examiner interprets “attribute data in a plurality of dimensions of the program, such as … PE file information, program information” in the terminal taught in [0129] as the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment because Applicant stated the following in the Remarks (page 3, ¶ 1): “Applicant's amended claim 1, which will monitor the ultimate environment in which the application will execute while that environment is executing the actual executable in question to determine an attribute. For instance, Applicant's originally filed specification includes examples such as ‘a process of the executable’, ‘additional code loaded into the executable,’ ‘one or more executable binaries or libraries’, ‘one or more binary or dynamic libraries’, and ‘dynamic link files’”. In other words, because Applicant defines “a process of the executable” and “one or more executable binaries” in the originally filed specification as an example of the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment, the Examiner interprets “attribute data in a plurality of dimensions of the program, such as … PE file information, program information” in the terminal taught in [0129], which is similar to “one or more executable binaries” and “a process of the executable”, respectfully, in the originally filed specification, as the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment ).

Claim Objections
Claim 1 is objected to because of the following informalities:  claim 1 filed on 8/30/2021 contains “determine that an identifier for the executable is not included in a database of indexed executables; 
determine, responsive to determining that the identifier is not included, a plurality of attributes identified from the executable unpacked in the first computing environment”. However, in the claim 1 filed on 2/2/2022, the above underlined limitations are missing. For the purpose of examination, the Examiner assumes that claim 1 filed on 2/2/2022 contains the above underlined limitations.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 9, 11-14, 16, 19, 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Bettini (US 8,918,881) in view of Wang (US 2019/0318089), and further in view of  Lowry (US 2019/0034623).

Regarding claims 1 and 11, Bettini teaches A method for determining a likelihood that an executable comprises malware (see title and Figs. 1, 3: “System For Providing Off-device Anti-malware Protection For E.g. Android-based Tablet Computer, Has Processor Determining Whether Applications Identified In Software Inventory Are Associated With Malware, And Memory Coupled To Processor”. The Examiner interprets an application as an executable), the method comprising: 
identifying, by one or more processors (see title and Figs. 1, 3: “System For Providing Off-device Anti-malware Protection For E.g. Android-based Tablet Computer, Has Processor Determining Whether Applications Identified In Software Inventory Are Associated With Malware, And Memory Coupled To Processor”. And see col. 18, lines 14 and 15 and Fig. 3: “The platform 302 includes one or more processors 304”), an executable unpacked (see col. 12, lines 20 and 21: “the platform can decrypt the encrypted app using pure software decryption”. Because encryption is one form of packing, the Examiner interprets decrypting as unpacking. And see col. 11, lines 41- 67) in a first computing environment to be executed in a second computing environment (see col. 6, lines 50-62 and Fig. 1: “a apps for enterprise mobile devices, including smart phones 120, tablets 122, and/or other mobile devices 124 (e.g., laptops, etc.)”. The Examiner interprets a platform 116 as a first computing environment. The Examiner further interprets mobile devices 120/122/124 as a second computing environment. The Examiner further interprets “apps for enterprise mobile devices, including smart phones 120, tablets 122, and/or other mobile devices 124 (e.g., laptops, etc.)” as an executable … to be executed in a second computing environment.  And see col. 7, line 65-col. 8, line 5 and Fig. 1: “an enterprise app store (e.g., enterprise app store 118 as shown in FIG. 1, which can be implemented using a commercially available MDM solution) can communicate with a cloud service/web platform for quantifying the risks of apps for mobile devices (e.g., platform 116 as shown in FIG. 1) using a web service (e.g., RESTful web API or REST API) to communicate an app (e.g., one or more apps for the enterprise app store) that is to be automatically analyzed for a risk assessment by the cloud service/platform”. The Examiner interprets platform 116 receiving from an enterprise app store 118 an app that is to be analyzed for a risk assessment as identify… an executable unpacked in a first computing environment to be executed in a second computing environment); 
determining, by the one or more processors, that an identifier for the executable is not included in a database of indexed executables (see claim 15: “for each app included in the software inventory for the mobile device, perform the following: determine whether the app is stored in a global app cache by querying the app cache for a match based on a unique identifier of the app, wherein the global app cache includes risk scores for previously analyzed applications based on the enterprise policy; and if the app is not stored in the global app cache, then upload the app from an app store to determine whether the app is associated with malware based on the enterprise policy”. And see col. 8, lines 10-17: “At 202, in response to the app query, a pre-screen analysis phase is performed that includes checking an app cache (e.g., a cache that includes information for apps that were previously analyzed by the platform). In some embodiments, if the platform has already analyzed that app (e.g., that particular version of the app), then the previously determined risk score (e.g., app reputation score and possible additional data) is returned”. And see col. 8, lines 22-26: “after uploading an application (e.g., an App container) using the Rest API, an application ID number is returned”. And see col. 8, lines 37-64: “the returned app ID can be used for subsequent queries based on the app ID, such as for reports based on one or more provided App IDs… querying (e.g., using the Rest API) the platform to find applications that have already been analyzed by the platform and are stored in the global app cache (e.g., app cache 128 as shown in FIG. 1) are supported (e.g., comparing an app file hash to hash stored in the global app cache, querying by the app name, and/or using various other techniques)… in many cases the app will already be part of the app cache (e.g., app cache 128 as shown in FIG. 1) and already analyzed. In some embodiments, to check if the app is already in the app cache, all that is needed is a hash of the application (e.g., using a hashing algorithm, such as MD5, SHA-1, SHA-256, or another hashing algorithm) to query the app cache for a match.” And see col. 8, line 65-col. 9, line 10: “an app query specifies one or more of the following: …app hash (e.g., such as MD5, SHA-1, SHA-256, or another hashing algorithm), …, item ID (e.g., iOS 9-digit number specific to iOS apps, Android Market asset ID for Android apps)”. And see col. 10, lines 8-12: “if the app already exists in the app cache (i.e., there is a match to the query of the app cache), then the pre-existing app ID will be returned. Otherwise, that is, if the app cache check does not result in a match or hit, then processing continues to stage 204”. The Examiner interprets “a hash of the application” as an identifier for the executable because a hash of the application uniquely identifies the application and col. 8, lines 37-64 teaches that the app ID and an app file hash can be used to query the platform to find applications that have already been analyzed by the platform. The Examiner further interprets “if the app cache check does not result in a match or hit” taught in col. 10, lines 8-12 as determine that an identifier for the executable is not included in a database of indexed executables); 
determining, by the one or more processors, responsive to determining that the identifier is not included, a remainder of the plurality of attributes identified from the executable (see col. 10, lines 8-12 and 17-27: “if the app already exists in the app cache (i.e., there is a match to the query of the app cache), then the pre-existing app ID will be returned. Otherwise, that is, if the app cache check does not result in a match or hit, then processing continues to stage 204… At 204, metadata associated with the app is extracted. In particular, metadata associated with the app can include information that is important for assessing the overall risk(s) associated with the app. For example, this phase can include parsing an XML file associated with the app that hosts general app information. Metadata associated with the app that can be analyzed includes app permissions, intents, services, and receivers. In particular, this phase can include mapping out app permissions, file and version name, app author, app ID, package name, and/or various other attributes and/or metadata associated with the app”. And see col. 21, lines 45-57. And see col. 23, line 14-28: “behaviors and/or attributes that such a policy can look for include the following: whether the app tracks a user's location (e.g., an enterprise may choose to prevent executives or sales persons from using apps with such attributes);…whether the app uses excessive power usage (e.g., based on monitored testing as compared with other apps, such as comparable categories of apps); and/or various other behaviors and/or attributes”. And see claim 15: “for each app included in the software inventory for the mobile device, perform the following: determine whether the app is stored in a global app cache by querying the app cache for a match based on a unique identifier of the app, wherein the global app cache includes risk scores for previously analyzed applications based on the enterprise policy; and if the app is not stored in the global app cache, then upload the app from an app store to determine whether the app is associated with malware based  unpacked in the first computing environment (see col. 12, lines 20 and 21: “the platform can decrypt the encrypted app using pure software decryption”. Because encryption is one form of packing, the Examiner interprets decrypting as unpacking. And see col. 11, lines 41- 67), 
generating, by the one or more processors, according to the determined plurality of attributes, one or more scores indicative of a likelihood that the executable comprises malware (see col. 14, lines 46-58 and Fig. 2: “At 216, a rule set analysis is performed to provide a malware detection phase and a behavior-based analysis phase. In some embodiments, a malware detection phase and a behavior-based analysis phase are performed using a malware detection engine and a behavior-based analysis engine (e.g., malware detection engine 112 and behavior-based analysis engine 114 as shown in FIG. 1). In some embodiments, the behavior-based analysis phase includes running data extracted over each phase of analysis through an extensive set of behavioral rules. The behavior-based analysis phase can be used to determine if the app includes previously known malware, exhibits new malware behaviors, and/or if the app otherwise poses a risk, (e.g., privacy, security, or other risks)”. And see col. 15, lines 6-17 and Fig. 2: “At 218, an app risk assessment report is generated based on the risk assessment for the analyzed app or a bulk set of apps. …In some embodiments, the app risk assessment includes various summary findings as well as supporting data. For example, the app risk assessment can include an app reputation score and/or other relevant or supporting data”. And see col. 19, lines 1-14: “the detailed report 502 is generated by the platform for quantifying risks of apps for mobile devices and can be accessed using a web browser. As shown, the detailed report 502 provides the output of a report generated for an "Actions" app for an iOS phone/tablet, which has been analyzed by the platform and includes a star rating for the app (e.g., 4 stars as shown), with selectable tabs that include Details, Rating, and Inspection. As shown, the Inspection tab is selected and shows the details of the Inspection Report (e.g., reporting a total score of 87/100, including detailed scores for malware behaviors of 100/100”); 
storing, by the one or more processors, in the database of indexed executables, the identifier for the executable in association with the one or more scores (see claim 15: “for each app included in the software inventory for the mobile device, perform the following: determine whether the app is stored in a global app cache by querying the app cache for a match based on a unique identifier of the app, wherein the global app cache includes risk scores for previously analyzed applications based on the enterprise policy; and if the app is not stored in the global app cache, then upload the app from an app store to determine whether the app is associated with malware based on the enterprise policy , wherein risk score results for the first app are stored in the global app cache”. And see col. 8, lines 10-17: “At 202, in response to the app query, a pre-screen analysis phase is performed that includes checking an app cache (e.g., a cache that includes information for apps that were previously analyzed by the platform). In some embodiments, if the platform has already analyzed that app (e.g., that particular version of the app), then the previously determined risk score (e.g., app reputation score and possible additional data) is returned”. And see col. 18, lines 46-51: “the platform 302 includes a reports data store 312 (e.g., database) for storing reports generated by the platform based on analysis of apps for various users or customers”. And see col. 7, lines 26-31); and 
performing, by the one or more processors, an action to manage operation of the executable in the second computing environment according to the generated one or more scores (see col. 5, lines 30-40: “off-device anti-malware protection for mobile devices further includes sending results of determining whether one or more of the plurality of applications identified in the software inventory are associated with malware based on the policy to a mobile device management (MDM) service, in which the MDM service enforces the policy by performing an action (e.g., uninstalling/removing, disabling, sending a warning to a user and/or to information technology (IT) for the enterprise) or performing some other corrective or responsive action(s) with respect to one or more applications on the mobile device that were identified as being associated with malware based on the policy”. And see col. 22, lines .

Bettini fails to teach determining, by the one or more processors, a first attribute of a plurality of attributes identified from the executable unpacked in the first computing environment by …identifying the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment.

In the same field of endeavor, Wang teaches determining, by the one or more processors, a first attribute of a plurality of attributes identified from the executable unpacked in the first computing environment by … identifying the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment (see [0041] and Figs. 1A and 1B: “A safeguard client in a terminal includes a monitoring unit, an interception unit, a collection unit, a local detection unit, and a communication unit. With reference to FIG. 1B, the monitoring unit detects a suspicious operation of a program in the terminal, collects (by using the collection unit) attribute data related to the program”. And see [0042]: “related attribute data (by using the collection unit) is submitted to (by using the communication unit) to a cloud server. The cloud server calculates an attribute in each dimension (performing calculation by using an attribute calculation unit), performs detection (implemented by using the local detection unit) based on a malicious program signature database (usually, bigger than the malicious program signature database of the terminal, so that the detection is more comprehensive)”. The Examiner interprets the server of Fig. 1A as a first computing environment. The Examiner further interprets the terminal containing the client of Fig. 1A as the second computing environment.
attribute data of the program is collected, and detecting the program by matching the malicious program signature database of the terminal with an attribute in each dimension of the program is tried first. For example, attribute data in a plurality of dimensions of the program, such as a digital signature of the program, the MD5 of the program, PE file information, program information, and another attribute, are matched with attributes in corresponding dimensions in the malicious program signature database sequentially or in parallel”. And see [0130]: “For example, the attribute data in a plurality of dimensions of the program is uploaded to the cloud server in a form of a Hash table, and in the Hash table, storage locations of different attributes can be directly calculated according to keywords and mapping relationships of the attributes, thereby implementing efficient searching”. And see [0132]: “the terminal uploads the attribute data of the program to the cloud server, and invokes a malicious program detection service in the cloud server to detect whether the program is a malicious program”. The Examiner interprets “attribute data in a plurality of dimensions of the program, such as … PE file information, program information” in the terminal taught in [0129] as the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment because Applicant stated the following in the Remarks (page 3, ¶ 1): “Applicant's amended claim 1, which will monitor the ultimate environment in which the application will execute while that environment is executing the actual executable in question to determine an attribute. For instance, Applicant's originally filed specification includes examples such as ‘a process of the executable’, ‘additional code loaded into the executable,’ ‘one or more executable binaries or libraries’, ‘one or more binary or dynamic libraries’, and ‘dynamic link files’”. In other words, because Applicant defines “a process of the executable” and “one or more executable binaries” in the originally filed specification as an example of the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment, the Examiner interprets “attribute data in a plurality of dimensions of the program, such as … PE file information, program information” in the terminal taught in [0129], which is similar to “one or more executable binaries” and “a process of the executable”, respectfully, in the originally filed specification, as the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment).

Both Bettini and Wang teach a first computing environment determining a likelihood that an executable to be executed in a second computing environment comprises malware according to a plurality of attributes of the executable. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Bettini by adding the step of determining, by the one or more processors, a first attribute of a plurality of attributes identified from the executable unpacked in the first computing environment by … identifying the first attribute as a characteristic of the second computing environment while the executable is executing in the second computing environment taught by Wang. It would have been obvious because doing so predictably achieves the commonly understood benefit of obtaining the first attribute of the executable.

Bettini fails to teach “determining, by the one or more processors, a corresponding weight to assign to each of the plurality of attributes, each of the plurality of attributes indicative of a level of risk for the second computing environment”. Bettini also fails to teach that the one or more scores indicative of a likelihood that the executable comprises malware is generated according to the corresponding weights.
In the same field of endeavor, Wang teaches determining, by the one or more processors, a corresponding weight to assign to each of the plurality of attributes (see [0152]: “The intermediate layer is an information processing layer, is responsible for information conversion, that is, converting an attribute of a sample to an attribute weight”. And see [0154], [0155] and Fig. 7B: “The machine learning model learns by training distribution of attributes of the prior malicious program in different dimensions. For example, for attributes in each dimension, a malicious program has a quantity of attributes in the corresponding dimension, and the quantity represents a degree of association between the attributes in the dimension and the malicious program. Therefore, the attribute is in positive correlation to the weight. When there is an error because an actually output attribute weight is inconsistent with an actual attribute weight of a sample, a BP stage of the error is entered, the error passes through the output layer, and weights of respective neurons in the intermediate layer ate corrected in a descending manner by error gradient, and are propagated backward layer by layer to the intermediate layer. The cyclic information forward propagation and error BP process is a process of continuously adjusting weights of neurons of the intermediate layer and is also a learning or training process of a BP neural network. This process is repeatedly performed until an error output by the network is reduced to an acceptable degree or a preset quantity of times of learning is reached”. The Examiner interprets the weight distribution machine learning model continuously adjusting attribute weights “until an error output by the network is reduced to an acceptable degree or a preset quantity of times of learning is reached” as determining, by the one or more processors, a corresponding weight to assign to each of the plurality of attributes, as recited by claim 1. And see [0153], [0156], [0148] and Fig. 7B),
each of the plurality of attributes indicative of a level of risk for the second computing environment (see [0132]: “Because local storage space of the terminal used for storing the malicious program signature database is limited, the malicious program signature database usually preferentially stores attributes of malicious programs having a high threat level”. The Examiner interprets attributes of malicious programs having threat levels as each of the plurality of attributes indicative of a level of risk for the second computing environment), 
generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware (see [0156] and Fig. 7A: “The detection unit has performance of detecting a program based on attributes in respective dimensions of the to-be-detected program and attribute weights corresponding to the attributes in the corresponding dimensions, including detecting whether the program is a malicious program and a corresponding threat level when the program is a malicious program”. And see [0163] and Fig. 7A: “the decision unit linearly obtains a sum of attribute weights output by calculation units, where a value of the sum is in positive correlation to a probability that the program is a malicious program, and determines that the program is a malicious program if the sum exceeds a sum prior value (a sum threshold). For example, a threat level of a to-be-detected program is decided based on a value by which the sum exceeds the sum prior value and correspondences between different values and threat levels”. The Examiner interprets the sum “in positive correlation to a probability that the program is a malicious program” as one or more scores indicative of a likelihood that the executable comprises malware).

Both Bettini and Wang teach generating a score indicative of a likelihood that the executable comprises malware according to the plurality of attributes of the executable. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Bettini by adding the step of determining a corresponding weight to assign to each of the plurality of attributes, each of the plurality of attributes indicative of a level of risk for the second computing environment and letting the one or more scores indicative of a likelihood that the executable comprises malware be also generated according to the corresponding weights, as taught by Wang. It would have been obvious because Wang teaches in [0148]: “a weight is used for representing a degree of association between an attribute in a corresponding dimension and a malicious program, and if an 

Bettini modified in view of Wang fails to teach that the determining a first attribute of a plurality of attributes identified from the executable is by detecting initiation of the executable in the … computing environment.
In the same field of endeavor, Lowry teaches determining,…, a first attribute of a plurality of attributes identified from the executable… by detecting initiation of the executable in the …computing environment (see [0019]: “A client service executing on a device registers a driver into an operating system of the device to monitor processes, wherein the driver is configured to receive notifications from the operating system of processes started or terminated on the device. An attribute data writer is executed on the devices, wherein the attribute data writer is in communication with the driver to receive notifications from the driver of processes started on the device. The attribute data writer receives a process ID from the driver for a process of an application detected by the driver as starting on the device, and the attribute data writer launches an injector program and injects an attribute data writer library into the process of the application corresponding to the process ID. The attribute data writer library classifies the application into a plurality of classes and causes the application to create attribute data corresponding to the class responsive to a file being one of created or opened by the application”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Bettini modified in view of Wang by letting the determining a first attribute of a plurality of attributes identified from the executable be by detecting initiation of the executable in the computing environment, as taught by Lowry. It would have been obvious because detecting initiation of the executable in the computing environment when determining a plurality of 

Regarding claims 2 and 12, Bettini further teaches wherein the one or more scores are indicative of a likelihood of falsely identifying that the executable comprises malware (see col. 19, lines 1-14: “the detailed report 502 is generated by the platform for quantifying risks of apps for mobile devices …. As shown, the detailed report 502 provides the output of a report generated for an "Actions" app for an iOS phone/tablet, which has been analyzed by the platform and includes a star rating for the app (e.g., 4 stars as shown), with selectable tabs that include Details, Rating, and Inspection. As shown, the Inspection tab is selected and shows the details of the Inspection Report (e.g., reporting a total score of 87/100, including detailed scores for malware behaviors of 100/100”. The Examiner interprets “detailed scores for malware behaviors of 100/100” as one or more scores indicative of a likelihood that the executable comprises malware. The “detailed scores for malware behaviors” of Bettini is indirectly indicative of a likelihood of falsely identifying that the executable comprises malware for the following reason: 1- detailed scores for malware behaviors = a likelihood of falsely identifying that the executable comprises malware. For example, “detailed scores for malware behaviors of 100/100” indicates that there is a 100% probability that the program identified as a malware is a malicious program and that a likelihood of falsely identifying that the executable comprises malware is 1-100%=0%).

Regarding claims 3 and 13, Bettini further teaches wherein the plurality of attributes comprises at least one of the executable: …having ability to encrypt files (see col. 12, lines 41-44: “app methods, such as encryption methods, can be analyzed for risky behaviors (e.g., using hard-coded passwords to protect private data or calling methods with risky encryption algorithms)”).

Regarding claims 4 and 14, Bettini further teaches wherein the plurality of attributes comprises the executable being able to at least one of… transmit a file out of the first computing environment (see col. 7, lines 1-6: “the platform 116 implements a holistic approach to screening apps, and can automatically analyze apps for mobile devices to determine various properties, such as one or more of the following: … data exfiltration”).

Regarding claims 6 and 16, Bettini further teaches wherein the first computing environment includes decrypted binary data of the executable unpacked in a testing computing environment (see col. 12, lines 20 and 21: “the platform can decrypt the encrypted app using pure software decryption”. Because encryption is one form of packing, the Examiner interprets decrypting as unpacking. And see col. 11, lines 41- 67) and the second computing environment includes a runtime computing environment (see col. 6, lines 50-62 and Fig. 1: “a platform 116 is provided for quantifying the risks of apps for mobile devices that is in communication with an enterprise network 126 via the Internet 130. The enterprise network 126 includes an enterprise app store 118 (e.g., an enterprise that has its own internal app store for providing apps for mobile devices used by its users, such as its employees, contractors, etc.) that provides apps for enterprise mobile devices, including smart phones 120, tablets 122, and/or other mobile devices 124 (e.g., laptops, etc.)”. The Examiner interprets a platform 116 as a first computing environment. The Examiner further interprets mobile devices 120/122/124 as a second computing environment).

Regarding claims 9 and 19, Bettini further teaches wherein the one or more processors are configured to perform the action, the action comprising … storing the one or more scores of the executable (see claim 15: “for each app included in the software inventory for the mobile device, perform the following: determine whether the app is stored in a global app cache by querying the app cache for a match based on a unique identifier of the app, wherein the global app cache includes risk scores for previously analyzed applications based on the enterprise policy; and if the app is not stored in the global app cache, then upload the app from an app store to determine whether the app is associated with malware based on the enterprise policy , wherein risk score results for the first app are stored in the global app cache”. And see col. 8, lines 10-17: “At 202, in response to the app query, a pre-screen analysis phase is performed that includes checking an app cache (e.g., a cache that includes information for apps that were previously analyzed by the platform). In some embodiments, if the platform has already analyzed that app (e.g., that particular version of the app), then the previously determined risk score (e.g., app reputation score and possible additional data) is returned”. And see col. 18, lines 46-51: “the platform 302 includes a reports data store 312 (e.g., database) for storing reports generated by the platform based on analysis of apps for various users or customers”. And see col. 7, lines 26-31).

Regarding claim 21, Bettini further teaches wherein the one or more processors are further configured to generate the identifier for the executable based at least on a hash function of decrypted binary data unpacked in the first computing environment (see col. 8, lines 37-64: “the returned app ID can be used for subsequent queries based on the app ID, such as for reports based on one or more provided App IDs… querying (e.g., using the Rest API) the platform to find applications that have already been analyzed by the platform and are stored in the global app cache (e.g., app cache 128 as shown in FIG. 1) are supported (e.g., comparing an app file hash to hash stored in the global app cache, querying by the app name, and/or using various other techniques)… in many cases the app will already be part of the app cache (e.g., app cache 128 as shown in FIG. 1) and already analyzed. In some embodiments, to check if the app is already in the app cache, all that is needed is a hash of the application (e.g., using a hashing algorithm, such as MD5, SHA-1, SHA-256, or another hashing algorithm) to query the app cache for a match.” And see col. 8, line 65-col. 9, line 10: “an app query specifies one or more of the following: …app hash (e.g., such as MD5, SHA-1, SHA-256, or another hashing algorithm), …, item ID (e.g., iOS 9-digit number specific to iOS apps, Android Market asset ID for Android apps)”. The Examiner interprets “a hash of the application” as an identifier for the executable because a hash of the application uniquely identifies the application and col. 8, lines 37-64 teaches that the app ID and an app file hash can be used to query the platform to find applications that have already been analyzed by the platform).

Regarding claim 22, Wang further teaches wherein the first attribute comprises one or more of a process of the executable, additional code loaded into the executable, one or more executable binaries, one or more executable libraries, one or more binary libraries, one or more dynamic libraries, and one or more dynamic link files (see [0129]: “If the operation object of the suspicious behavior is not a targeted monitored object, attribute data of the program is collected, and detecting the program by matching the malicious program signature database of the terminal with an attribute in each dimension of the program is tried first. For example, attribute data in a plurality of dimensions of the program, such as a digital signature of the program, the MD5 of the program, PE file information, program information, and another attribute, are matched with attributes in corresponding dimensions in the malicious program signature database sequentially or in parallel”. The Examiner interprets “attribute data in a plurality of dimensions of the program, such as … PE file information” in the terminal taught in [0129] as wherein the first attribute comprises…one or more executable binaries).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Bettini (US 8,918,881), further in view of Wang (US 2019/0318089), further in view of  Lowry (US 2019/0034623), and further in view of Bodin (US 2018/0239903).

Regarding claims 5 and 15, Bettini modified in view of Wang and Lowry fails to teach wherein the one or more processors are further configured to assign a weight to an attribute corresponding to the use of a first API, the assigned weight being lower than one for assigning to an attribute corresponding to the use of a second API that is riskier than the first API.
In the same field of endeavor, Bodin teaches to assign a weight to an attribute corresponding to the use of a first API, the assigned weight being lower than one for assigning to an attribute corresponding to the use of a second API that is riskier than the first API (see [0053] and FIG. 2: “In the example of FIG. 2, privacy related APIs are considered to have a high threat weight of "4." Embodiments of the present invention allow a user/corporate administrator to define the severity of a potential threat from each threat category. With embodiments of the present invention, a higher threat weight can correspond to a potential threat of greater severity. Interface 200 also displays various categories of threats, which can correspond to deprecated (i.e., superseded) APIs, vulnerable APIs, social APIs, and/or privacy-related APIs, for example. Interface 200 allows users to dynamically change weights and threat categories”. And see [0051]: “The method 100, at 130, can identify any use of vulnerable APIs and/or vulnerable functions. The method 100, at 140, can assign a vulnerability index to each of the applications of the enterprise application store, based upon the scanning of each application's file. The vulnerability index can be calculated based on the number of vulnerable APIs/functions used by an application, and based on the number of times each vulnerable API/function is used”. And see [0054]).
Bettini modified in view of Wang and Lowry teaches a malware determination system that determines a weight to assign to each of a plurality of attributes indicative of risks. Bodin teaches to . 

Claims 7, 8, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bettini (US 8,918,881), further in view of Wang (US 2019/0318089), further in view of  Lowry (US 2019/0034623), and further in view of Maisel (US 2018/0203998).

Regarding claim 7, Bettini modified in view of Wang and Lowry fails to teach wherein the one or more processors are configured to evaluate the one or more scores against an assessment by a user.
In the same field of endeavor, Maisel teaches A system for determining a likelihood that an executable comprises malware, the system comprising: one or more processors configured to: determine a plurality of attributes identified from an executable in a computing environment (see [0030] and Fig. 1: “The endpoint agent 135 may classify the one or more files based on a local knowledge base that includes, for example, normal behavior, malware signatures, and/or the like”); generate, according to the determined plurality of attributes, one or more scores indicative of a likelihood that the executable comprises malware (see [0031] and Fig. 1: “the endpoint agent 135 may generate, for each file, a classification (e.g., as malicious or benign). The classification for a file may be and perform an action to manage operation of the executable, according to the generated one or more scores (see [0032] and Fig. 1: “the endpoint agent 130 may determine, based on a confidence score associated with the classification of a file, whether the file requires additional processing by the cognition engine 110. The file may require additional processing by the cognition engine 110 if the confidence score associated with the classification of the file does not exceed a threshold value. As such, the endpoint controller 130 may forward, to the cognition engine 110, the event data corresponding to the file”).
Maisel further teaches wherein the one or more processors are configured to evaluate the one or more scores (see [0031] and Fig. 1: “Thus, for each file, the endpoint agent 135 may send, to the malware classification system 100, event data that may include, for example, the file, a classification of the file (e.g., as malicious or benign) and/or a confidence score for the classification of the file”) against an assessment by a user (see [0036] and Fig. 1: “a file may require manual classification when the confidence score associated a classification of the file generated at an endpoint (e.g., by the endpoint 135) do not exceed a threshold value. As such, the cognition engine 110 may be configured to provide the contextual information, through one or more application programming interfaces, to a client device 140. The contextual information may be provided via user interfaces (e.g., graphic user interfaces) at the client device 140 such that a user at the client device 140 is able to apply the contextual information to manually classify the corresponding file. Furthermore, the user at the client device 140 may provide, via the user interfaces at the client device 140, a manual classification of the file”).


Regarding claim 8, Bettini modified in view of Wang and Lowry fails to teach wherein the one or more processors are configured to adjust, responsive to the evaluation, a mathematical function.
In the same field of endeavor, Maisel teaches wherein the one or more processors are configured to adjust, responsive to the evaluation, a mathematical function (see [0056] and Figs. 1, 3: “The malware classification system 100 may update, based at least on the manual classification of the file, the malware classifier (310). For example, the malware classification system 100 (e.g., the binary manager 120) may update, based on the manual classification of the file, a global knowledge base. The malware classification system 100 (e.g., the binary manager 120) may further generate updates for the endpoint agent 135. For example, the endpoint agent 135 may apply one or more machine learning models (e.g., neural networks) in order to classify files as malicious or benign. Thus, the binary manager 120 may generate updates that enable the machine learning models to successfully classify the same or similar files during subsequent encounters with the same or similar file”. And see [0043]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Bettini modified in view of Wang and Lowry by configuring the one or more processors to adjust, responsive to the evaluation, a mathematical function, as taught by Maisel. It would have been obvious because Maisel teaches that doing so allows 

Regarding claim 17, Bettini modified in view of Wang and Lowry fails to teach wherein the one or more processors are configured to evaluate the one or more scores against an assessment by a user.
In the same field of endeavor, Maisel teaches A system for determining a likelihood that an executable comprises malware, the system comprising: one or more processors configured to: determine a plurality of attributes identified from an executable in a computing environment (see [0030] and Fig. 1: “The endpoint agent 135 may classify the one or more files based on a local knowledge base that includes, for example, normal behavior, malware signatures, and/or the like”); generate, according to the determined plurality of attributes, one or more scores indicative of a likelihood that the executable comprises malware (see [0031] and Fig. 1: “the endpoint agent 135 may generate, for each file, a classification (e.g., as malicious or benign). The classification for a file may be expressed as and/or associated with a confidence score indicating a likelihood and/or probability of the file having a certain classification. For example, the endpoint agent 135 may generate, for a file, a confidence score having a value in the range of [-1, 1]. The file may be associated with a confidence score of -0.59, which indicates a 59% likelihood and/or probability that the file is a malicious file. Alternately, the file may be associated with a confidence score of 0.15 indicating a 15% likelihood and/or probability that the file is a benign file”); and perform an action to manage operation of the executable, according to the generated one or more scores (see [0032] and Fig. 1: “the endpoint agent 130 may determine, based on a confidence score associated with the classification of a file, whether the file requires additional processing by the cognition engine 110. The file may require additional processing by the cognition engine 110 if the confidence score associated with the classification of the .
Maisel further teaches wherein the one or more processors are configured to evaluate the one or more scores (see [0031] and Fig. 1: “Thus, for each file, the endpoint agent 135 may send, to the malware classification system 100, event data that may include, for example, the file, a classification of the file (e.g., as malicious or benign) and/or a confidence score for the classification of the file”) against an assessment by a user (see [0036] and Fig. 1: “a file may require manual classification when the confidence score associated a classification of the file generated at an endpoint (e.g., by the endpoint 135) do not exceed a threshold value. As such, the cognition engine 110 may be configured to provide the contextual information, through one or more application programming interfaces, to a client device 140. The contextual information may be provided via user interfaces (e.g., graphic user interfaces) at the client device 140 such that a user at the client device 140 is able to apply the contextual information to manually classify the corresponding file. Furthermore, the user at the client device 140 may provide, via the user interfaces at the client device 140, a manual classification of the file”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to apply the technique of configuring the one or more processors to evaluate the one or more scores against an assessment by a user taught by Maisel to improve the malware determination system of Bettini modified in view of Wang and Lowry. It would have been obvious because Maisel teaches that doing so allows the learning engine to be updated (see Maisel [0056] and Fig. 3: “The malware classification system 100 may update, based at least on the manual classification of the file, the malware classifier (310)”).

Bettini modified in view of Wang and Lowry fails to teach wherein the one or more processors are configured to adjust, responsive to the evaluation, a mathematical function.
Maisel teaches wherein the one or more processors are configured to adjust, responsive to the evaluation, a mathematical function (see [0056] and Figs. 1, 3: “The malware classification system 100 may update, based at least on the manual classification of the file, the malware classifier (310). For example, the malware classification system 100 (e.g., the binary manager 120) may update, based on the manual classification of the file, a global knowledge base. The malware classification system 100 (e.g., the binary manager 120) may further generate updates for the endpoint agent 135. For example, the endpoint agent 135 may apply one or more machine learning models (e.g., neural networks) in order to classify files as malicious or benign. Thus, the binary manager 120 may generate updates that enable the machine learning models to successfully classify the same or similar files during subsequent encounters with the same or similar file”. And see [0043]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Bettini modified in view of Wang and Lowry by configuring the one or more processors to adjust, responsive to the evaluation, a mathematical function, as taught by Maisel. It would have been obvious because Maisel teaches that doing so allows the learning engine to be updated (see Maisel [0056] and Fig. 3: “The malware classification system 100 may update, based at least on the manual classification of the file, the malware classifier (310)”).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Bettini (US 8,918,881), further in view of Wang (US 2019/0318089), further in view of  Lowry (US 2019/0034623), and further in view of Bates (US 2011/0302651).

Regarding claim 10, Bettini modified in view of Wang and Lowry fails to teach wherein the plurality of attributes comprises at least one of the executable: being associated with a standard compiler, not using an embedded uniform resource locator (URL) or an external internet protocol (IP) 
In the same field of endeavor, Bates teaches wherein the plurality of attributes comprises the executable: having a legitimate signature (see [0003]: “Typical solutions have relied on appending a digital signature to an application and having that signature verified prior to executing the application. When the user or computing system verifies the signature, it serves as an indication that the underlying application is safe to use”).
Bettini modified in view of Wang and Lowry teaches a plurality of attributes of an executable, each of the plurality of attributes indicative of a level of risk for a computing environment. Bates teaches the attribute of the executable having a legitimate signature, which is one of a finite number of attributes of an executable known to be indicative of a level of risk for a computing environment. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to try the attribute of the executable having a legitimate signature taught by Bates as one of the plurality of attributes indicative of a level of risk for a computing environment taught by Bettini modified in view of Wang and Lowry, as a person with ordinary skill has good reason to pursue the known options within his or her technical grasp.  

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495                                                                                                                                                                                                        
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495