Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 1-20 are pending.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 06-30-2020 has been considered. Please see attached PTO-1449. 
Objection
	Claims 14 and 18 are objected to for the following informalities:
	Claim 14 is missing a period (.) at the end of the claim. Appropriate correction is required.
	Claim 18 recites a semicolon (:) at the end of the claim. The semicolon needs to be replaced with a period (.).  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.




CLAIM INTERPRETATION
	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
	The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “Semantic Indexer”, “Procedure Database” and “signature generator” recited in claims 1 and 2.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Paragraphs 31-32 of the specification recite corresponding structures of these limitations.
 If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the 

Claim Rejections - 35 USC § 102
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


	Claims 1-9, 11, 12, 16 and 18-20 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Sun et al. (US Publication No. 2019/0073476).
	As per claim 1, Sun discloses a method for creating and detecting a signature for a collection of one or more malware comprising (abstract): providing a system comprising: a Semantic Indexer (paragraph [0051]; claim 36, a system comprising a function similarity analyzer useable to query and store characteristic values (Indexer) in a function semantics database); a Procedure Database (claim 36, a database comprising one or more function entries (Procedure)); and a Signature Generator (claim 34, a malware signature generator); wherein the Semantic Indexer populates the Procedure Database (paragraph [0051], function similarity analyzer (Semantic Indexer) stores (populates) the function characteristic value in the function semantics database (Procedure Database)); wherein the Procedure Database stores two or more semantically similar procedures (paragraph [0051], [0056], function semantics database (Procedure Database) that includes functions of known malware families (semantically similar procedures)); wherein the Signature Generator generates signatures for the one or more malware (para [0024]; claim 34, a malware signature generator automatically generates signatures for unknown incoming files (malware)); computing semantic indexes for procedures of one or more programs (paragraph [0064]; claim 30, providing function characteristic values that can be queried (semantic indexes) for function entries (procedures of programs)), and storing said procedures in the paragraph [0054], function entries (storing said procedures) in the function semantics database (procedure Database)); collecting a set of all procedures in the collection of the one or more malware for which to create signatures (paragraph [0054], assigning weight values (to create signatures) to function entries in the database (all procedures in the collection) indicating reliability as an identifier of respective malware families (collection of the malware)); partitioning the set of all procedures of the one or more malware into groups of semantically similar procedures (para [0054], determining the family (partitioning into groups) based on a measure of resemblance to each malware family variant (semantically similar procedures) to which the unknown file has the greatest probability of belonging (partitioning all procedures of the malware)); removing from the partition the groups of semantically similar procedures that are not good candidates for creating signatures (para [0054], ensuring common library functions do not contribute to classification (removing from the partition the groups of semantically similar procedures) by setting weight values to zero (that are not good candidates for creating signatures)); constructing a signature for each of the groups of semantically similar procedures remaining in the partition (paragraph [0054], consequently querying the function semantics database (semantically similar procedures remaining in the partition) to obtain a score (a signature) that provides a measure of resemblance to each known malware family variant (each of the groups of semantically similar procedures)); and combining the signatures of the selected semantically similar procedures to construct the signature of the one or more malware (paragraph [0054], determining the top score of the obtained scores (combining the signatures of the selected semantically similar procedures to construct the signature) that identifies the family to which the unknown file has the greatest probability of belonging for the malware family variant (the malware)).
	As per claim 2, Sun furthermore discloses, wherein the method for computing semantic indexes for procedures of one or more programs comprises: disassembling the program (claim 21, “disassembling the unknown file”); breaking the disassembled program into one or more procedures (claim 21, “disassembling the unknown file to obtain one or more disassembled functions” (procedures)); claim 21, each of the one or more disassembled functions comprising a block of assembly code (breaking into blocks of code) such that said blocks do not overlap in memory (paragraph [0057], function referenced by CALL instruction and end with a RET instruction (block do not overlap in memory)); computing a semantics of each said block of code (paragraph [0057], identifying the semantic characteristics for the closed block of code); computing the semantic index for each procedure (paragraph [0064] and claim 30, providing function characteristic value that can be queried (semantic index) for the function entries (procedure)); storing a procedure information record in the Procedure Database (paragraph [0054], function entries are stored in the function semantics database); and assigning a tag to each procedure identifying the procedure as malicious or benign (paragraph [0064], provided a designation (tag) for each function characteristics value (each procedure) indicating that a function is unique enough to reliably represent some pattern that is associated with malware files (identifying the procedure as malicious) or devoid of malware (benign)); wherein each semantic index in the Procedure Database maintains one or more procedure records (claim 23, value usable to query a function semantic database comprising one or more function entries (procedure records)).
	As per claim 3, Sun furthermore discloses, wherein the semantic index is computed using the canonical representation of the semantics of the one or more blocks of the procedure (paragraph [0057] and [0064], function characteristic value is provided with a designation good for signature (GFS) indicating the function is unique enough to reliably represent some pattern (using the canonical representation of the semantics) from the closed block of the function (procedure)).
	As per claim 4, Sun furthermore discloses wherein the each procedure information record (paragraph [0054], function entries (each procedure information record) corresponding to the closed block of code) comprises, for each block of code: a start address for the block of code (paragraph [0057], assembly code for the closed block including a CALL instruction (start address)); an end address for the block of code (paragraph [0057], the RET instruction (end address)); the instructions in the paragraph [0057], the closed block of code in assembly code format (instructions)); and the semantics of the block of code (paragraph [0057], identifying the semantic characteristics of a function using the closed block of code for signature generation; para [0057]).
	As per claim 5, Sun furthermore discloses wherein groups of semantically similar procedures that may appear in benign-ware are not good candidates for creating signatures (paragraph [0054], for common library functions (groups of semantically similar procedures that may appear in benign-ware), assigning weight values set to zero so they do not contribute to classification (not good candidates for creating signatures)).
	As per claim 6, Sun furthermore discloses wherein the group of semantically similar procedures is a good candidate for creating signatures (paragraph [0054], [0064], determining the family based on a measure of resemblance to each malware family variant (the group of semantically similar procedures) to which the unknown file has the greatest probability of belonging, using a designation of good for signature/GFS (a good candidate for creating signatures)); if the size of the procedure selected is appropriately sized (paragraph [0052], [0064], based on some pattern (the size) of the function (procedure selected) determined by obtaining a sequence of opcode bytes (appropriately sized)).
	As per claim 7, Sun furthermore discloses wherein the size of the procedure is measured according to the number of bytes in the procedure's code (paragraph [0052] for each instruction of the function, obtaining a sequence of opcode bytes (measured according to the number of bytes in the procedure's code)).
	As per claim 8, Sun furthermore discloses wherein the size of the procedure is measured according to the number of machine instructions contained in the procedure's code (paragraph [0052], obtaining a sequence of opcode bytes (size of the procedure is measured) for each instruction of the procedure (instructions contained in the procedure's code)).
	As per claim 9, Sun furthermore discloses wherein the size of the procedure is measured according to the number of blocks of code in the procedure (paragraph [0052], [0057], obtaining a sequence of opcode bytes (size of the procedure is measured) for each instruction of the procedure found in a closed block (the number of blocks of code) representing the function (procedure)).
	As per claim 11, Sun furthermore discloses wherein a group of semantically similar procedures is a good candidate for creating signatures (paragraph [0054], [0064], determining the family based on a measure of resemblance to each malware family variant (the group of semantically similar procedures) to which the unknown file has the greatest probability of belonging, using a designation of good for signature/GFS (a good candidate for creating signatures) or not good for signature/NFS) if the group covers a certain minimum percentage of the one or more malware for which signature is being created (paragraph [0066], if the not good for signature function in the section of the file from which a signature prospect is extracted is below an acceptable threshold (covers a certain minimum percentage of the malware), the signature can also be considered satisfactory and not cause false positives).
	As per claim 12, Sun furthermore discloses wherein a group of semantically similar procedures is a good candidate for creating signatures (paragraph [0054], [0064], determining the family based on a measure of resemblance to each malware family variant (the group of semantically similar procedures) to which the unknown file has the greatest probability of belonging, using a designation of good for signature/GFS (a good candidate for creating signatures) or not good for signature/NFS); if the group of semantically similar procedures is not highly correlated to a group of semantically similar procedures already selected (paragraph [0066], if a section of the file (the group of semantically similar procedures) from which a signature prospect is extracted does not contain an NFS function identified in files devoid of malware (not highly correlated to a group of semantically similar procedures already selected)).
	As per claim 16, Sun furthermore discloses wherein a signature of malware is constructed (paragraph [0061], generating malware signatures for the newly classified files); by constructing one or more rules as follows: of a subset of one or more of the procedure signatures, any one must appear; of a subset of one or more of the procedure signatures, all must appear; or of a subset of one or more of the procedure signatures, at least a certain proportion must appear; or any combination of these criteria (paragraph [0066], signatures for NFS functions can be examined in order to identify signatures that are satisfactory for use in virus detection (constructing a rule as follows), if the NFS function percentage in the section of the file from which a signature prospect is extracted (subset of procedure signatures) is below an acceptable threshold (a certain proportion must appear)).
	As per claim 18, Sun furthermore discloses wherein groups of semantically similar procedures that may appear in benign-ware are not good candidates for creating signatures (paragraph [0054], for common library functions (groups of semantically similar procedures that may appear in benign-ware), assigning weight values set to zero so they do not contribute to classification (not good candidates for creating signatures)); and wherein a group of semantically similar procedures may occur in benign-ware if one or more procedure in the group is known to belong to a benign program (paragraph [0066], if the NFS functions (one or more procedure in the group) is devoid of malware (known to belong to a benign program)).
	As per claim 19, Sun furthermore discloses wherein groups of semantically similar procedures that may appear in benign-ware are not good candidates for creating signatures (paragraph [0054], for common library functions (groups of semantically similar procedures that may appear in benign-ware), assigning weight values set to zero so they do not contribute to classification (not good candidates for creating signatures)); and wherein a group of semantically similar procedures may occur in benign-ware if one or more procedures in the group has a name that indicates it may be benign (paragraph [0058], [0064], [0066], based on patterns associated with certain files, NFS functions (a group of semantically similar procedures) can be identified in files that are devoid of malware (occur in benign-ware), where such patterns associated with the files (procedures in the group) are characterized based on sequences of characters such as names used for classification (a name that indicates it may be benign)).
	As per claim 20, Sun furthermore discloses wherein groups of semantically similar procedures that may appear in benign-ware are not good candidates for creating signatures (paragraph [0054], for common library functions (groups of semantically similar procedures that may appear in benign-ware), assigning weight values set to zero so they do not contribute to classification (not good candidates for creating signatures)); and wherein a group of semantically similar procedures may occur in benign-ware if the Procedure Database contains a very high number of procedures semantically similar to the group (paragraph [0054], [0058], [0064], [0066], based on patterns associated with certain files, NFS functions (a group of semantically similar procedures) can be identified in files that are devoid of malware (occur in benign-ware), based on the function semantics database (Procedure Database) being queried to examine functions assigned weight values that indicate the reliability of the function as an identifier, with a top score identifying the family to which the unknown file has the greatest probability of belonging (contains a very high number of procedures semantically similar to the group)).
Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, et al., in view of Stahlberg (US Publication No US 2011/0041179).
	As per claim 10, Sun discloses all limitations of claim as applied to claim 6 above. Sun does not explicitly disclose, wherein a machine learning system is trained to identify whether the procedure is malware or benign. However, in an analogous art, Stahlberg discloses a machine learning system is trained to identify whether the procedure is malware or benign (paragraph [0097], [0098], classification of the code (identify the procedure) as either malware or benign using heuristic analysis based on machine learning).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention to modify the teaching of Sun to include a machine learning system is trained to .

	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, et al., in view of Tzadikario et al., (US Publication No.  2006/0107321).
	As per claim 13, Sun discloses all limitations of claim as applied to claim 1 above. Sun furthermore discloses, wherein a method for automatically constructing a signature for a group of one or more semantically similar procedures comprises creating a signature for the group of one or more similar procedures (paragraph [0054], consequently querying the function semantics database (a group of semantically similar procedures) to obtain a score (constructing a signature) that provides a measure of resemblance (creating a signature) to each known malware family variant (the group of one or more similar procedures)).
	Sun does not explicitly disclose constructing a regular expression for each procedure in the group of one or more procedures; creating a single regular expression for the entire group of one or more procedures. However, in an analogous art, Tzadikario discloses constructing a regular expression for each procedure in the group of one or more procedures (abstract and paragraph [0016], extracting (constructing) a regular expression that matches a portion of attack sequences (the group of procedures)); creating a single regular expression for the entire group of one or more procedures (paragraph [0060], generating a current regular expression (single) to calculate alignment scores for arbitrarily selected sequences from the input set (entire group of procedures)).
	It would have been obvious to one of ordinary skill in the art, at the time the invention was made, to modify the teaching of Sun to include constructing a regular expression for each procedure in the group of one or more procedures; creating a single regular expression for the entire group of one or more procedures as disclosed by Tzadikario, for the benefit of using regular expressions to formulate worm signatures that can readily identify malicious sequences even if their payloads are not identical to a single string.
Allowable Subject Matter
Claims 14-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and overcoming the 112 (b) rejection of claims.
The following is an examiner’s statement of reasons for allowance:
	The prior art of record does not disclose the following limitation of claim:
	“constructing a regular expression for each procedure in the group, comprising: collecting all blocks of code in the group of semantically similar procedures; partitioning the collection of blocks of code into groups of semantically similar blocks of code; constructing a block signature for each group of semantically similar blocks of code; generating a unique identifier for each group of semantically similar blocks of code and assigning the identifier to each block in the group; creating a regular expression sequence of block identifiers for each procedure in the group of one or more semantically similar procedures, comprising block identifiers in the sequence sorted on the memory address of the blocks; creating a single regular expression for the entire group of one or more procedures, comprising: creating a union of all procedure regular expressions; and minimizing said union of all procedure regular expressions; and creating a signature for the group of similar procedures, comprising constructing a procedure signature by replacing each block identifier with block signature of the corresponding group of similar block of code” (as claimed in claim 14).
References Cited, Not Used
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Schmuger et al., US Publication No. 2019/0228151, discloses a technique for detecting malware involving loading known malware information, finding a string in the known malware information, saving the string in a first database, identifying a first contiguous string block from the known malware information, assigning a confidence indicator to the first contiguous string block, attempting to find the first contiguous string block in a second database containing one or more contiguous string blocks extracted from known malware, and labelling the first contiguous string block, responsive to a 
	Howard et al., US Pub No. 2019/0199736, discloses methods and systems for Predictive Malware Defense (PMD). The systems and methods can utilize advanced machine-learning (ML) techniques to generate malware defenses preemptively. Embodiments of PMD can utilize models, which are trained on features extracted from malware families, to predict possible courses of malware evolution. PMD captures these predicted future evolutions in signatures of as yet unseen malware variants to function as a malware vaccine. These signatures of predicted future malware “evolutions” can be added to the training set of a machine-learning (ML) based malware detection and/or mitigation system so that it can detect these new variants as they arrive.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/Primary Examiner, Art Unit 2437