DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination (RCE) under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application on April 8, 2022 and after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on March 10, 2022 has been entered.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on February 4, 2022 was considered by the Examiner in association with the Advisory Action of April 5, 2022.  Thus, the Applicant’s request to consider the IDS at page 14 of the Remarks is moot.
Response to Amendments
	This office action is responsive to application 16/606,156 where the Applicant filed an RCE on April 8, 2022 for the corresponding amendments filed on March 10, 2022.  Claims 1, 10, and 19-20 were amended, and claims 1-20 remain pending in the application.
Response to Arguments
	The Examiner has fully considered the Applicant’s arguments filed with the RCE, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 10 of the Remarks that concerns the § 101 rejection, the amendments to claims 19 and 20 adequately address the issue of non-statutory subject matter and the § 101 rejection is withdrawn.
Regarding the Applicant’s response at pages 10-14 of the Remarks that concerns the § 103 rejection of independent claims 1, 10, and 19, the Applicant’s arguments in conjunction with the claim amendments are persuasive, and consequently the Examiner conducted a new prior art search. The Applicant’s arguments are now moot with respect to the independent claims because the arguments do not apply to one of the references currently used in the rejection of the aforementioned claims as detailed below.
Regarding the Applicant’s response at page 14 of the Remarks that concerns the § 103 rejection of dependent claims 5 and 14, the argument for patentability rests upon the patentability of the independent claims 1 and 10.  Because independent claims 1 and 10 are not patentable over the prior art as detailed below, claims 5 and 14 are similarly not allowable.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


A.	Independent claims 1, 10, and 19, and thus the respective dependent claims 2-9, 11-18, and 20, are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  
Each of the independent claims recite a limitation (or variation thereof) of “the one or more signatures being utilized for subsequent detection of malicious code.”  This recitation is indefinite because the limitation is ambiguous as to the intent of reciting an additional step or reciting a narrowing characteristic of the signature.  In other words, there is a difference between the following two claim constructs:
1) utilizing the one or more signatures for subsequent detection of malicious code.
or
2) wherein the one or more signatures are suitable for subsequent detection of malicious code.
As the claims are currently advanced, it is unclear as to whether the Applicant’s intent is to advance an additional step or to further limit the nature of the signature.  This rejection may be overcome by amending the claims or providing a persuasive argument (i.e., the Examiner believes the claims could be placed in better form with the suggested amendments, but the Examiner is open to arguments to the contrary if the Applicant wishes to keep the claims in their current form).
B.	Dependent claims 2 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  
Claims 2 and 11 are ambiguous because two limitations, namely “dynamic indicators of compromise” and “resources,” are simultaneously being limited via the transitional phrase of comprising.  At the end of each claim, the recitation of “a change in entropy…” occurs, and according to the specification this is a dynamic indicator of compromise.  However, prior to this recitation, limitations regarding resources are listed, which introduces ambiguity.  Additionally, the transitional phrase of “include” and “comprising” as they are used within the claims suggest that each element in the respective listings must be present, which is inconsistent with the use of “one or more” for each of the dynamic indicators of compromise and resources.  To overcome this ambiguity, the Examiner suggests the following claim construction in which the different limitations are separated out and the use of “include” is clarified:
…the automatically determined one or more indicators of compromise comprise one or more dynamic indicators of compromise,
wherein the dynamic indicators of compromise include at least one of:
an access caused by the deobfuscated portion to one or more resources; and
a change in entropy…, and
wherein the resources include at least one of:
at least one file or directory…
	at least one key registry…
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The following conventions apply to the mapping of the prior art to the claims:
Italicized text – claim language.
Parenthetical plain text – Examiner’s citation and explanation.
Quotation marks – language quoted from a prior art reference.
Underlining – language quoted from a claim.
Brackets – material altered from either a prior art reference or a claim, which includes the Examiner’s explanation that relates a claim limitation to the quoted material of a reference.
Braces – a limitation previously addressed in the primary reference analysis, but presented to provide context to a further limitation addressed in a secondary reference analysis.
Numbered footnote – a first phrase to be moved upwards to the primary reference analysis.
Lettered footnote – a second phrase to be moved after the movement of the first phrase from which it was lifted, or more succinctly, move numbered material first, lettered material last.
A.	Claims 1-4, 6-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada et al. (US 2016/0381043, “Yamada”) in view of Sallam (US 2012/0254995, “Sallam”).

Regarding Claim 1
Yamada discloses
A method performed by a computing device for identifying malicious code (Fig. 8, ¶ [0059], “Turning to FIG. 8, FIG. 8 is an example flowchart illustrating possible operations of a flow 800 that may be associated with detecting shellcode [that acts as malicious code],” and “At 804, the system determines if self-modifying code is detected.”),
the malicious code (Fig. 8, ¶ [0059]) comprising deobfuscation code configured to deobfuscate (Fig. 1, ¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code, to detect the self-decrypting code sequence [acting as deobfuscation code configured to deobfuscate via decrypting code], allow antivirus software to dynamically apply signature based methods, and identify malware after the decryption of the obfuscated malware code.”) an obfuscated portion of the malicious code (¶ [0024], “Obfuscated malware or shellcode is typically encrypted [as an obfuscated portion of the malicious code] and needs to be self-decrypted prior to the execution.”),
to generate a deobfuscated portion during execution of the deobfuscated code (¶ [0024], i.e., the “obfuscated malware” is “self-decrypted” via “self-decrypting (decoding) operations” via deobfuscation code, with the execution of the deobfuscation code/self-decrypting operations generat[ing] a deobfuscated portion),
the method (Fig. 8, ¶ [0059]) comprising:
1 …;
2 …; and
obtaining a snapshot of runtime characteristics of at least one of the deobfuscated code or the deobfuscated portion of the malicious code (¶ [0024], “Communication system 100 can be configured to allow for runtime detection of obfuscated malware code;” and ¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code [as the deobfuscated portion of the malicious code] for finding the known malware signatures [as a runtime characteristic],” i.e., the “malware signature”/runtime characteristic comprises a snapshot “dynamically” obtained via scanning methods during “runtime detection;” see also Sallam ¶ [0100], “In step 335, the access may be analyzed [as a snapshot] to determine whether the requesting entity has permission to access the requested resource. Contextual information associated with the attempted access may be accessed to make such a determination.”) in response to the suspending (Sallam Fig. 3, ¶ [0100),
wherein one or more indicators of compromise that indicate the presence of the malicious code on the computing device (¶ [0036], i.e., “known malware signatures” comprise an indicator of compromise that indicate[s] the presence of the malicious code) are automatically determined based on an analysis of the snapshot (¶ [0024], “…to detect the self-decrypting code sequence, allow antivirus software to dynamically apply signature based methods, and identify malware after the decryption of the obfuscated malware code,” i.e., this occurs automatically and without the intervention of an administrator), and
wherein one or more signatures are determined based on the automatically determined one or more indicators of compromise (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding [and thereby determine[]] the known malware signatures.”),
the one or more signatures being utilized for subsequent detection of malicious code (¶ [0036], “…known malware signature,” i.e., “known” indicates a previous detection and characterization to create a “signature” that is then utilized for subsequent detection of malicious code).
Yamada doesn’t disclose
1 detecting that the deobfuscated portion of the malicious code has attempted to access a particular region of memory designated as being non-accessible;
2 suspending execution of the deobfuscated portion of the malicious code in response to the detecting;
Sallam, however, discloses
1 detecting that {the deobfuscated portion of the malicious code (Yamada ¶ [0024])} has attempted to access a particular region of memory (¶¶ [0099]-[0100], “…scanning memory for the presence of malware [i.e., the deobfuscated portion as disclosed by Yamada ¶ [0024]], and scanning memory for attempted memory modifications [via a memory access] may be conducted in parallel.;” “In step 330, the access of a system resource such as system memory, registers, or I/O devices may be trapped;” and “In step 335, the access may be analyzed to determine whether the requesting entity has permission to access the requested resource.”) designated as being non-accessible (Fig. 3, ¶¶ [0097]-[0098], In step 325, as system memory is allocated for the virtual machine monitor, the in-O/S security agent, and the below-O/S security agent, such memory may be secured [and thereby designated as being non-accessible] against unauthorized read and write operations);
2 suspending execution of the deobfuscated portion of the malicious code in response to the detecting (Fig. 3, ¶ [0100], “If the access is suspicious, then in step 340, a suspicious attempted access of the system resources may be blocked [that thereby suspend[s] execution of the deobfuscated portion of the malicious code]. Such an attempt may be reported to the protection server. If the access is not suspicious, then the access [is not suspended and] may be allowed in step 370.”);
                Regarding the combination of Yamada and Sallam, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the malware detection system of Yamada to have included the memory access feature of Sallam. One of ordinary skill in the art would have been motivated to incorporate the memory access feature of Sallam because Yamada discloses accessing memory without specifically teaching “the memory designated as being non-accessible,” see Yamada ¶ [0053] (stating “The profiling and monitoring can start upon a particular event or when an address or area of memory is accessed.”), and Sallam teaches “such memory may be secured against unauthorized read and write operations,” see Sallam ¶ [0098], and “If the access [to the secured memory] is suspicious, then in step 340, a suspicious attempted access of the system resources may be blocked,” see Sallam ¶ [0100], which improves security.   
 Regarding Claim 2
Yamada in view of Sallam (“Yamada-Sallam”) discloses the method of claim 1, and Yamada further discloses
wherein the automatically determined one or more indicators of compromise (¶¶ [0024], [0036]) comprise one or more dynamic indicators of compromise (Fig. 2, ¶ [0048], “Execution profiling binary translation module 124 can be configured to run within a target application process space along with security module 114 and can be loaded dynamically by security module 114 to enable dynamic behavioral monitoring [to automatically determine … dynamic indicators of compromise] of the execution of an application.”) that include:
an access caused by the deobfuscated portion to one or more resources of an operating system executing on the computing device (¶ [0053], “The profiling and monitoring can start upon a particular event or when an address or area of memory [that represents a resource] is accessed;” see also Sallam ¶ [0100], “In step 330, the access of a system resource such as system memory, registers, or I/O devices may be trapped.”), 
the one or more resources comprising:
at least one file or directory of a file system maintained by the operating system or an application programming interface (API) for accessing the file system;
at least one registry key or value of a registry maintained by the operating system or an API for accessing the registry;
at least one of a process or thread maintained by the operating system or an API for manipulating at least one of the process or thread (Fig. 2, ¶¶ [0048]-[0049], “Binary translation system layer 132 can be configured to provide virtualize operating system interfaces such as system calls, exceptions, asynchronous callbacks, process and thread creations, etc.;” “Execution profiling module 126 can be configured to communicate with security module 114 and expose execution application program interfaces (APIs);” see also Sallam ¶ [0102], “For example, a list of active threads running on the electronic device may be modified to hide the presence of a malicious process. If a modification is detected, then in step 365 it may be determined whether such modifications are permissible.” noting only one limitation need be met with the claim limitation of one or more resources comprising);
one or more explicitly-loaded modules or an API for explicitly loading the modules;
one or more delay-loaded modules or an API for delay-loading the modules;
one or more APIs for accessing one or more user privileges or profiles;
one or more mutexes maintained by the operating system or an API for accessing the one or more mutexes;
one or more environment variables maintained by the operating system or an API for accessing the one or more environment variables;
one or more APIs for performing one or more cryptographic primitives; or
network activity caused by the deobfuscated portion and performed by the computing device or an API for performing the network activity or for accessing network parameters utilized for performing the network activity; and
a change in entropy of one or more code sections of the memory after execution of the deobfuscated portion of the malicious code (noting only one limitation need be met with the claim limitation of one or more dynamic indicators of compromise).
Regarding Claim 3
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
wherein the automatically determined one or more indicators of compromise (¶¶ [0024], [0036]) comprise one or more static indicators of compromise (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding the known malware signatures;” see also Sallam ¶ [0083], “For example, in-O/S security agent 218 may examine the contents of memory 206, or system memory 228 for patterns that correspond to signatures of malware. Such an examination may reveal that, for example, application 210 contains a block of code corresponding to a known segment of malware,” i.e., signatures that identify known malware represent portions of malware that remain constant over time and thus are static, thus a signature comprises a static indicator of compromise) 
that include at least one string, metadata or byte sequence associated with at least one of the deobfuscation code or the deobfuscated portion (¶ [0036], where the “de-obfuscated malware code” consists of a byte sequence associated with … deobfuscated portion; see also Sallam ¶ [0100], “Such an examination may reveal that, for example, application 210 contains a block of code [or byte sequence] corresponding to a known segment of malware.”).
Regarding Claim 4
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
determining a deobfuscation scheme utilized by the deobfuscation code (¶ [0037], “During de-obfuscation [via the deobfuscation code], the malware first needs to read the original code [as part of the de-obfuscation scheme]. This can be detected [and thereby determin[ed]] with faulting on a poisoned address;” and “The last stage [as part of the deobfuscation scheme] can be detected by SMC [static memory controller] detection mechanism provided by the BT [binary translation] module.”) 
to generate the deobfuscated portion of the malicious code based on the analyzing (¶ [0037], “After SMC (e.g., de-obfuscation) executes, security module 114 can inspect the de-obfuscated code to determine [as part of the analysis of the snapshot] if the code is malicious.”).
Regarding Claim 6
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
wherein the obfuscated portion of the malicious code is encrypted, and wherein the deobfuscation code is configured to decrypt the obfuscated portion (¶ [0024], “Obfuscated malware [that includes the obfuscated portion of the malicous code] or shellcode is typically encrypted and needs to be self-decrypted [via the deobfuscation code] prior to the execution.”).
Regarding Claim 7
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
determining an invariant portion of the malicious code that remains unchanged across multiple executions of the malicious code (¶ [0024], “The process can involve self-modifying code operations modifying a number of bytes in its code prior to the malware code execution,” with the remaining non-modified bytes in the code comprising an invariant portion of the malicious code that was not “self-modif[ied];” and ¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code [that was determin[ed] to be an invariant portion of the malicious code] for finding the known malware signatures.”),
wherein the one or more signatures is based on the invariant portion of the malicious code (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding the known malware signatures [that is based on the invariant portion of the malicious code],” i.e., signatures that identify “known malware” are based on invariant portion[s] of the malicious code that remain constant over time in order for the signature to identify the associated malware).
Regarding Claim 8
Yamada-Thomas discloses the method of claim 3, and Yamada further discloses
wherein the one or more signatures comprise the one or more static indicators of compromise (¶ [0036], “This allows security module 114 to dynamically apply signature based scanning methods to de-obfuscated malware code for finding the known malware signatures;” see also Sallam ¶ [0083], “For example, in-O/S security agent 218 may examine the contents of memory 206, or system memory 228 for patterns that correspond to signatures of malware. Such an examination may reveal that, for example, application 210 contains a block of code corresponding to a known segment of malware,” i.e., signatures that identify known malware represent code of malware that remains constant over time and thus are static, thus signatures comprise a static indicators of compromise).
Regarding Claim 9
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
wherein the runtime characteristics (¶ [0024]) comprise at least one of:
Sallam further discloses
register values at the time of suspending of a particular thread associated with the malicious code (¶ [0100], “In step 330, the access of a system resource such as system memory, registers, or I/O devices may be trapped [and determined as a runtime characteristic when suspending occurs via the blocking of the suspicious attempt of the malicious code at step 340];” and ¶ [0102], “For example, a list of active threads running on the electronic device may be modified to hide the presence of a malicious process. If a modification is detected, then in step 365 it may be determined whether such modifications are permissible,” noting only one limitation need be met with the limitation of at least one of);
a number of sequential function calls that occurred prior to suspending of a particular thread associated with the malicious code;
a listing of library modules loaded at the time of the suspending;
a listing of file handles opened at the time of the suspending; or
at least a partial memory dump at the time of the suspending.
	Regarding the combination of Yamada and Sallam, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the malware detection system of Yamada to have included the register feature of Sallam. One of ordinary skill in the art would have been motivated to incorporate the register feature of Sallam because Sallam teaches the “trapping” of the registers can be “analyzed to determine whether the requesting entity has permission to accesses the requested resource,” and “suspicious” requests are “blocked,” thereby improving security.  See Sallam ¶ [0100].

Regarding Claims 10-11 and 19-20
With respect to claims 10-11 and 19-20, a corresponding reasoning as given earlier for claims 1-2 applies, mutatis mutandis, to the subject matter of claims 10-11 and 19-20. Therefore, claims 10-11 and 19-20 are rejected, for similar reasons, under the grounds set forth for claims 1-2.
 Regarding Claims 12-13 and 15-18
With respect to claims 12-13 and 15-18, a corresponding reasoning as given earlier for claims 3-4 and 6-9 applies, mutatis mutandis, to the subject matter of claims 12-13 and 15-18. Therefore, claims 12-13 and 15-18 are rejected, for similar reasons, under the grounds set forth for claims 3-4 and 6-9.
B.	Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada in view of Sallam, and further in view of Yavo (US 2018/0253549, “Yavo”).
Regarding Claim 5
Yamada-Sallam discloses the method of claim 1, and Yamada further discloses
wherein the malicious code is…1 (¶ [0024])
Yamada-Sallam doesn’t disclose
1 …Just-in-Time compiled shellcode.
Yavo, however, discloses
1 …Just-in-Time compiled shellcode (¶ [0011], “Having no code generation privileges, the ability of the attacker, using the JIT executing process, to exploit and generate malicious code within the processing environment may be significantly reduced.”).
Regarding the combination of Yamada-Sallam and Yavo, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the detection system of Yamada-Sallam to have included the JIT feature of Yavo. One of ordinary skill in the art would have been motivated to incorporate the JIT feature of Yavo because Yamada discusses the detection of shellcode, see Yamada ¶ [0018] (stating “communication system 100 can be configured for detecting shellcode…”), Yavo discusses an attacker using JIT code, see Yavo ¶ [0011], and Yavo discloses a detection system where “the ability of the attacker, using the JIT executing process, to exploit and generate malicious code within the processing environment may be significantly reduced.”  See Yavo ¶ [0011].   
Regarding Claim 14
With respect to dependent claim 14, a corresponding reasoning as given earlier for dependent claim 5 applies, mutatis mutandis, to the subject matter of claim 14. Therefore, claim 14 is rejected, for similar reasons, under the grounds set forth for claim 5. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491