DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-5, 7-15, and 17-20 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/09/22 has been entered.

Response to Arguments
Applicant's arguments filed on 05/09/22 have been fully considered.
In response to Applicant’s argument (page 6-7 of Remarks), Examiner acknowledged Applicant’s perspective but respectfully disagreed because the rejections were made based on a combination of Volkov and Saher (claims 1-5, 7-9, 11-15, and 17-19) instead of just Volkov and a combination of Volkov, Saher, and Bingham (claims 10 and 20) instead of just Volkov and Bingham.

Claim Objections
Claims 1, 7, 9, 11, 17, and 19 are objected to because of the following informalities:  
“each client attribute set” in line 7 of claim 1, line 2 of claim 7, line 10 of claim 11, line 1 of claim 17 should read “each of the selected plurality of client attribute sets”.
“each instance” in line 9 of claim 1, line 12 of claim 11 should read “each of the plurality of instances”.
“the sets of client attributes” in line 9 of claim 1, line 12 of claim 11 should read “the selected plurality of client attribute sets”.
“the instances” in last line of claims 9, 19 should read “the plurality of instances”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 7-9, 11-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Volkov (US 20180012021) in view of Saher (US 20150074810).

Claims 1-5 and 7-9, these claims are rejected for similar reasons as in claims 11-15 and 17-19.

Claim 11, Volkov discloses A computing device, comprising: 
a communications interface; a memory; and a processor configured to: (e.g. ¶38-39)
obtain a malware sample; (e.g. abstract, ¶13, 18: the malware application)
extract operational parameters corresponding to the malware sample; (e.g. ¶13, 75, 94-95: determine, for each given malware request: at least one malware request parameter contained therein; and an order thereof of the at least one malware request parameter. The method then groups the plurality of malware requests based on shared similar malware request parameters contained therein and order thereof and for each group of the at least one group containing at least two malware requests, generates a regular expression describing malware request parameters and order thereof of the group, which regular expression can be used as an emulator of the malware application)
configure an emulator application corresponding to the malware sample using the operational parameters; (e.g. ¶98-99, 128-129: A server-generated request is then generated based on the regular expression…Using the regular expressions, generated at the previous step, the analyzing server (109) generates server-generated requests and sends them through communication channels to at least one control centre…storing regular expressions in a template store…the malware protocol emulator (330) is executed on the server (300) which responds to emulation of protocols of interaction of malware and malware control centres from which the malware receives the instructions. Emulation is performed by sending network requests using templates to the malware control centre (103, 102) just as malware sends its requests.)
execute a plurality of instances of the configured emulator application; (e.g. abstract, ¶94, 97-99, 128-129: each instance corresponds to (i) the emulator application executing with a different regular expression of a plurality of regular expressions to emulate the malware application to generate different requests to the malware control center or (ii) the emulator application executing with different values randomly assigned to malware request parameters to emulate the malware application to send a different request of a plurality of different requests to the malware control center) 
collect output data from each of the plurality of instances; and (e.g. ¶106-107: receiving responses from the malware control center to the different requests transmitted)
generate indicators of compromise (IOCs) based on the collected output data. (e.g. ¶112-113, 115: analyzing the responses for presence of information and data characteristics of cyber attacks and saving the results obtained)
Volkov does not appear to explicitly disclose but Saher discloses select a plurality of client attribute sets from a preconfigured list of client attributes, each client attribute set including at least a geographic region and each instance having a respective one of the sets of client attributes (e.g. fig. 2D, ¶4, 13: The system utilizes a multitude of virtual private networks (VPNs) allowing a near-unlimited number of unique Internet IP addresses from all across the world to be used. These disparate IP addresses afford two primary advantages to BaitNET. One, in order to force re-infection, as many malware system will not "drop" (deploy) malware to the same IP address more than once, it is necessary to have BaitNET obfuscate its Internet presence. Two, many malware campaigns limit their targets by geo-location, which is often tracked via IP Address. E.g., Malware-infected servers often limit themselves to only infecting one (1) computer from any given masked IP address, and may limit the country of origin of the IP addresses that they will infect. BaitNET utilizes VPNs throughout the world to mimic dispersed geo-location and map out malware campaigns in different regions. Other techniques, while not proprietary to BaitNET, may also be used to emulate potential target qualification data points such as varying the language pack and keyboard language configuration on the host operating system…BaitNET, using the Capture Process, issues the URL to each of the thousands of systems, utilizing thousands of variations in configurations, and each system in turn visits the URL using disparate VPN tunnels, a mechanism of the Obfuscation Engine within BaitNET's Capture Process, from around the world to obfuscate their true geographical location as well as to explore the geo-location filtering that may be employed by the malicious URL).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Saher into the invention of Volkov for the purpose of mimicking dispersed geo-location, mapping out malware campaigns in different regions, obfuscating true geographical location as well as exploring the geo-location filtering that may be employed by the malicious URL (Saher, ¶4).

Claim 12, Volkov-Saher discloses The computing device of claim 11, wherein the processor is configured, in order to obtain the malware sample, to retrieve the malware sample from at least one preconfigured source. (Volkov, abstract, ¶13, 18)

Claim 13, Volkov-Saher discloses The computing device of claim 11, wherein the processor is configured, in order to extract the operational parameters, to: execute the malware sample in a plurality of sandbox environments to generate respective sets of sample output; and extract the operational parameters from the sets of sample output at an extraction module external to the plurality of sandbox environments. (Volkov, e.g. abstract, ¶13, 55, 68-69, 72-75, 94-95)

Claim 14, Volkov-Saher discloses The computing device of claim 13, wherein the respective sets of sample output include at least one of memory dumps, files, and network traffic. (Volkov, e.g. ¶13, 72-73)

Claim 15, Volkov-Saher discloses The computing device of claim 11, wherein the operational parameters include at least a network address of a control server corresponding to the malware sample. (Volkov, e.g. ¶100-101)

Claim 17, Volkov-Saher discloses The computing device of claim 11, wherein each client attribute set further includes at least one of a client operating system, and a client computing architecture. (Saher, e.g. fig. 2D, ¶4, 13).  Same motivation as in claim 11 would apply.

Claim 18, Volkov-Saher discloses The computing device of claim 11, wherein the processor is configured, in order to execute the plurality of instances, to route requests to the control server through a proxy interface corresponding to the geographic region. (Volkov, e.g. abstract, ¶38-39, 98-99, 128-130 and Saher, e.g. fig. 2D, ¶4, 13).  Same motivation as in claim 11 would apply.

Claim 19, Volkov-Saher discloses The computing device of claim 15, wherein the processor is further configured to: determine whether any of the plurality of instances have not received data from the control server for a predetermined period of time; and when the determination is affirmative for at least one instance, terminate the at least one instance, while continuing execution of a remainder of the instances. (Volkov, e.g. ¶103)

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Volkov (US 20180012021) in view of Saher (US 20150074810) and further in view of Bingham (US 11038906).

Claim 10, this claim is rejected for similar reason as in claim 20.

Claim 20, Volkov-Saher discloses The computing device of claim 11, (see above) and does not appear to explicitly disclose but Bingham discloses wherein the processor is further configured to: determine whether the output data indicates an update requirement for the plurality of instances; and when the determination is affirmative, repeat the extraction of operational parameters. (e.g. col. 6, ll. 57-61, col. 7, ll. 42-61, col. 8, ll. 9-27, 45-58)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bingham into the invention of Volkov-Saher for the purpose of improving overall security and reliability of computer networks, network performance and efficiency and reducing likelihood that a computing device will become infected by malware (Volkov, col. 5, ll. 45-60).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 10176325 discloses system and method for dynamic detection of command and control malware that involves executing an application in a testing environment, collecting incoming network and file content associated with the application, identifying behaviors and data patterns (including repetitive commands associated with C&C server) related to malware from the network and file content, and identifying URLs associated with the C&C server based on the data patterns.
	
US 20120079596 discloses a method of detecting malicious software (malware) includes receiving a file and storing a memory baseline for a system. The method also includes copying the file to the system, executing the file on the system, terminating operation of the system, and storing a post-execution memory map. The method further includes analyzing the memory baseline and the post-execution memory map and determining that the file includes malware.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436