DETAILED ACTION
This action is in response to new application filed 5/31/2020 titled “Undetectable Sandbox for Malware”. Claims 1-20 were received for consideration and are under examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 1/21/21, 10/03/21 and 12/14/21 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 7, 8, 11-13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al (US 10,162,966) in view of Zhang et al (US 2017/0337372).
With respect to claim 1 Huang teaches a system, comprising: 
hardware processing circuitry (See Huang figure 1 element 108 main memory and column 2 lines 6-7); and 
one or more hardware memories storing instructions that when executed configure the hardware processing circuitry to perform operations (See Huang figure 1 element 101 processor and column 2 lines 7-18), comprising: 
intercepting a sequence of instructions of an executing application (see Huang column 3 lines 65-68 i.e. In the example of FIG. 3, a sample program being evaluated for malware is analyzed during runtime (see 306)); 
providing the sequence of instructions (see Huang column 4 lines 11-20 i.e. During execution of the sample, the anti-malware module 110 may perform dynamic analysis of the sample to detect whether or not the sample comprises malware. The anti-malware module 110 may employ suitable conventional dynamic analysis algorithms to evaluate the sample for malware without detracting from the merits of the present invention and column 5 lines 15-38); 
receiving based on the provided sequence of instructions, an indication of a modification to the executing application (see Huang column 25-33 i.e. As previously noted, when a breakpoint is hit in the image space of the sample (step 404 to step 406), the malware detection system determines if the breakpoint was previously set at a conditional statement that is being evaluated (step 406). If so (step 406 to step 410), the actual evaluated value of the conditional statement at runtime is compared to the expected value of the conditional statement as defined in the expectedCondition field of the corresponding semantic pattern (step 410 to step 411)); and 
performing the indicated modification (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).
	Huang does not teach the module is a machine learning model.
	Zhang teaches the module is a machine learning model (see Zhang paragraph 0033 i.e. The machine learning models created and used by the behavior analysis module 264 may include, but are not limited to, logistic regression, support vector machine (SVM), linear SVM, decision trees, and neural network classifiers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of Zhang to have used a machine learning model as a way to train the behavior analysis module for better detection (see Zhang paragraph 0033). Therefore one would have been motivated to have used a machine learning model.
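The Huang steps cited above (breakpoint at a conditional statement, comparison of the actual evaluated value with the expectedCondition of a semantic pattern, inversion of the condition so the hidden branch is taken, removal of the rectified breakpoint, and continued runtime analysis) can be modelled on a toy interpreter. The following is an added illustration written for this page; it is not code from Huang, Zhang, or the application under examination. The instruction set, the `SemanticPattern` and `Modification` types, the `env_probe` value and the sample program are all constructed for the example.

```python
"""Toy model of execution-path rectification in a malware sandbox (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SemanticPattern:
    address: int              # pc of the conditional branch the pattern covers
    expected_condition: bool  # branch outcome under which the hidden path executes


@dataclass
class Modification:
    address: int   # where the sandbox intervened
    actual: bool   # condition value the sample actually computed
    forced: bool   # condition value the sandbox substituted


@dataclass
class Sandbox:
    program: list
    patterns: list
    trace: list = field(default_factory=list)          # observed runtime behaviour
    modifications: list = field(default_factory=list)  # record of each intervention

    def run(self, env, max_steps=1000):
        # Breakpoints are set at every conditional named by a semantic pattern.
        breakpoints = {p.address: p for p in self.patterns}
        regs, zf, pc = {}, False, 0
        for _ in range(max_steps):
            op, *args = self.program[pc]
            if op == "load":            # read an environment value the sample probes
                regs[args[0]] = env[args[1]]
                pc += 1
            elif op == "cmp":           # zero flag = (register == immediate)
                zf = regs[args[0]] == args[1]
                pc += 1
            elif op == "jz":            # conditional branch: jump if zero flag set
                cond = zf
                pattern = breakpoints.pop(pc, None)   # breakpoint removed after rectification
                if pattern is not None and cond != pattern.expected_condition:
                    # Actual and expected values differ: invert the condition so the
                    # branch hidden by the evasion check is the one that executes.
                    self.modifications.append(Modification(pc, cond, pattern.expected_condition))
                    cond = pattern.expected_condition
                pc = args[0] if cond else pc + 1
            elif op == "emit":          # stand-in for observable runtime behaviour
                self.trace.append(args[0])
                pc += 1
            elif op == "halt":
                return self.trace
            else:
                raise ValueError(f"unknown op {op}")
        raise RuntimeError("step budget exhausted")


# Constructed evasive sample: if the probed value looks like an analysis
# environment (== 1) it exits quietly, otherwise it runs its real behaviour.
EVASIVE_SAMPLE = [
    ("load", "r0", "env_probe"),   # 0
    ("cmp", "r0", 1),              # 1
    ("jz", 5),                     # 2  conditional the analyst's pattern targets
    ("emit", "payload"),           # 3  hidden path
    ("halt",),                     # 4
    ("emit", "benign"),            # 5  decoy path
    ("halt",),                     # 6
]


def detonate(rectify):
    """Run the sample with (or without) path rectification; return trace and record."""
    patterns = [SemanticPattern(address=2, expected_condition=False)] if rectify else []
    sb = Sandbox(EVASIVE_SAMPLE, patterns)
    sb.run({"env_probe": 1})   # constructed environment value that trips the check
    return sb.trace, sb.modifications


if __name__ == "__main__":
    print(detonate(False))   # (['benign'], [])
    print(detonate(True))    # (['payload'], [Modification(address=2, actual=True, forced=False)])
```

Without a pattern the sample takes its decoy path and the analyst sees nothing; with the pattern the sandbox records the modification it made (the data a later record store or configuration step, as in claims 11 and 12, would consume) and the hidden behaviour is observed.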
	With respect to claim 2 Huang teaches the system of claim 1, wherein the executing application is a potential malware application executing in a sandbox environment (See Huang column 3 lines 39-41).

With respect to claim 7 Huang teaches the system of claim 3, further comprising identifying a control-flow instruction of the executing application, wherein the modification is a modification of the control-flow instruction (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).

With respect to claim 8 Huang teaches the system of claim 3, further comprising capturing a portion of executable code of the executing application within a predefined proximity of the function call, and providing the portion to the machine learning model, wherein the indication of the modification is based on the provided portion (See Huang figure 4 and column 7 lines 40-64 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken. Instead of inversing the conditional variable, other ways of changing the execution path may also be performed including jumping directly to the address of instructions to be executed, altering the value of the program counter register (e.g., EIP in x86 architecture) to the address of the expected branch, etc. Thereafter, the malware detection system resumes execution from the current breakpoint (step 412 to step 413). Breakpoints where rectification have already been performed may be removed. The runtime behavior of the sample is analyzed during execution in the malware detection system (step 420). As can be appreciated, by rectifying the execution path of the sample, malicious code that otherwise may be bypassed are executed, thereby allowing for proper dynamic analysis of the sample).

With respect to claim 11 Huang teaches the system of claim 1, further comprising storing a record in a data store, the record indicating the modification to the executing application (see Huang column 4 lines 31-37 i.e. The semantic patterns may be created by antivirus researchers from known malicious samples, such as those collected from honeypot systems, received from submissions, etc. Common features of evasion techniques may be analyzed and summarized as semantic patterns).

With respect to claim 12 Huang teaches the system of claim 11, further comprising: identifying based on a plurality of records in the data store, a modification common to the plurality of records; and modifying a sandbox environment configuration, such that the configuration is consistent with the identified modification (see Huang column 4 lines 31-37 i.e. The semantic patterns may be created by antivirus researchers from known malicious samples, such as those collected from honeypot systems, received from submissions, etc. Common features of evasion techniques may be analyzed and summarized as semantic patterns).

With respect to claim 13 Huang teaches a method of detonating a potential malware application in a sandbox environment, comprising: 
intercepting a sequence of instructions of the potential malware application as the potential malware application is executing in the sandbox environment (see Huang column 3 lines 65-68 i.e. In the example of FIG. 3, a sample program being evaluated for malware is analyzed during runtime (see 306) and column 3 lines 39-41); 
providing the sequence of instructions (see Huang column 4 lines 11-20 i.e. During execution of the sample, the anti-malware module 110 may perform dynamic analysis of the sample to detect whether or not the sample comprises malware. The anti-malware module 110 may employ suitable conventional dynamic analysis algorithms to evaluate the sample for malware without detracting from the merits of the present invention and column 5 lines 15-38); 
receiving, from the machine learning model based on the provided sequence of instructions, an indication of a modification to the potential malware application (see Huang column 25-33 i.e. As previously noted, when a breakpoint is hit in the image space of the sample (step 404 to step 406), the malware detection system determines if the breakpoint was previously set at a conditional statement that is being evaluated (step 406). If so (step 406 to step 410), the actual evaluated value of the conditional statement at runtime is compared to the expected value of the conditional statement as defined in the expectedCondition field of the corresponding semantic pattern (step 410 to step 411)); and 
performing the indicated modification to the potential malware application as the potential malware application is executed in the sandbox environment (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).
Huang does not teach the module is a machine learning model.
	Zhang teaches the module is a machine learning model (see Zhang paragraph 0033 i.e. The machine learning models created and used by the behavior analysis module 264 may include, but are not limited to, logistic regression, support vector machine (SVM), linear SVM, decision trees, and neural network classifiers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of Zhang to have used a machine learning model as a way to train the behavior analysis module for better detection (see Zhang paragraph 0033). Therefore one would have been motivated to have used a machine learning model.

With respect to claim 20 Huang teaches a non-transitory computer readable storage medium comprising instructions that when executed configure hardware processing circuitry to perform operations comprising: 
intercepting a sequence of instructions of a potential malware application executing in a sandbox environment (see Huang column 3 lines 65-68 i.e. In the example of FIG. 3, a sample program being evaluated for malware is analyzed during runtime (see 306) and column 3 lines 39-41); 
providing the sequence of instructions (see Huang column 4 lines 11-20 i.e. During execution of the sample, the anti-malware module 110 may perform dynamic analysis of the sample to detect whether or not the sample comprises malware. The anti-malware module 110 may employ suitable conventional dynamic analysis algorithms to evaluate the sample for malware without detracting from the merits of the present invention and column 5 lines 15-38); 
receiving, from the machine learning model based on the provided sequence of instructions, an indication of a modification to the potential malware application (see Huang column 25-33 i.e. As previously noted, when a breakpoint is hit in the image space of the sample (step 404 to step 406), the malware detection system determines if the breakpoint was previously set at a conditional statement that is being evaluated (step 406). If so (step 406 to step 410), the actual evaluated value of the conditional statement at runtime is compared to the expected value of the conditional statement as defined in the expectedCondition field of the corresponding semantic pattern (step 410 to step 411)); and 
performing the indicated modification to the potential malware application while the potential malware application is executing in the sandbox environment (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).
Huang does not teach the module is a machine learning model.
	Zhang teaches the module is a machine learning model (see Zhang paragraph 0033 i.e. The machine learning models created and used by the behavior analysis module 264 may include, but are not limited to, logistic regression, support vector machine (SVM), linear SVM, decision trees, and neural network classifiers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of Zhang to have used a machine learning model as a way to train the behavior analysis module for better detection (see Zhang paragraph 0033). Therefore one would have been motivated to have used a machine learning model.

Claims 3-6, 9 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al (US 10,162,966) in view of Zhang et al (US 2017/0337372) in view of GU (US 2019/0108339).
With respect to claim 3 Huang teaches the system of claim 1, but does not disclose wherein the sequence of instructions include a function call instruction, the operations further comprising: determining a call stack of the executing application at the function call instruction; determining parameters of the function call; and providing the call stack and the parameters to the machine learning model, wherein the indication of the modification is further based on the provided call stack and parameters.
Gu teaches wherein the sequence of instructions include a function call instruction, the operations further comprising: determining a call stack of the executing application at the function call instruction; determining parameters of the function call; and providing the call stack and the parameters to the machine learning model, wherein the indication of the modification is further based on the provided call stack and parameters (see GU figure 7B and paragraph 0030-0033 i.e. At step 706 (shown in FIG. 7B), the operating system of the physical host intercepts a system call by malware or an untrusted resource to a resource on the physical host. At step 707, the physical host updates a call graph on a database storing call graphs. The call graph database is a recording of the current running malware call behaviors. At step 708, the physical host determines whether a status of the system call matches patterns of dynamic scarecrow resources. The dynamic scarecrow resources are stored in a database. In one embodiment, both the dynamic scarecrow resources (dynamic imitating resources) and the static scarecrow resources (static imitating resources) are stored on the same database. In another embodiment, the dynamic scarecrow resources (dynamic imitating resources) are stored on one database while the static scarecrow resources (static imitating resources) are stored on another database).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 4 Huang teaches the system of claim 3, but does not disclose further comprising determining second parameters of a second function call, and providing the second parameters of the second function call to the machine learning model, wherein the indication of the modification is further based on the provided second parameters. 
GU teaches further comprising determining second parameters of a second function call, and providing the second parameters of the second function call to the machine learning model, wherein the indication of the modification is further based on the provided second parameters (see GU figure 7B and paragraph 0030 i.e. At step 706 (shown in FIG. 7B), the operating system of the physical host intercepts a system call by malware or an untrusted resource to a resource on the physical host. At step 707, the physical host updates a call graph on a database storing call graphs. The call graph database is a recording of the current running malware call behaviors. At step 708, the physical host determines whether a status of the system call matches patterns of dynamic scarecrow resources. The dynamic scarecrow resources are stored in a database. In one embodiment, both the dynamic scarecrow resources (dynamic imitating resources) and the static scarecrow resources (static imitating resources) are stored on the same database. In another embodiment, the dynamic scarecrow resources (dynamic imitating resources) are stored on one database while the static scarecrow resources (static imitating resources) are stored on another database).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 5 Huang teaches the system of claim 3, but does not disclose wherein the modification is a modification of an output of the function call.
GU teaches wherein the modification is a modification of an output of the function call (see GU figure 7B and paragraph 0031-0032 i.e. In response to determining that the status of the system call matches patterns of dynamic scarecrow resources (YES branch of step 708), the physical host at step 709 determines whether to modify values in memory. In response to determining to modify the values in the memory (YES branch of step 709), the physical host at step 710 modifies the values in the memory. In response to determining not to modify the values in the memory (NO branch of step 709), the physical host at step 710 determines whether to return a virtual value to the malware or the untrusted resource. In response to determining to return the virtual value to the malware or the untrusted resource (YES branch of step 711), the physical host at step 712 returns the virtual value to the malware or the untrusted resource. After step 712, the physical host reiterates step 706. In response to determining not to return the virtual value to the malware or the untrusted resource (NO branch of step 711), the physical host reiterates step 706).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 6 Huang teaches the system of claim 5, but does not disclose further comprising selecting, from a list of return values of the function call, a return value, and setting the output to the selected return value. 
GU teaches further comprising selecting, from a list of return values of the function call, a return value, and setting the output to the selected return value (see GU figure 7B and paragraph 0031-0032 i.e. In response to determining that the status of the system call matches patterns of dynamic scarecrow resources (YES branch of step 708), the physical host at step 709 determines whether to modify values in memory. In response to determining to modify the values in the memory (YES branch of step 709), the physical host at step 710 modifies the values in the memory. In response to determining not to modify the values in the memory (NO branch of step 709), the physical host at step 710 determines whether to return a virtual value to the malware or the untrusted resource. In response to determining to return the virtual value to the malware or the untrusted resource (YES branch of step 711), the physical host at step 712 returns the virtual value to the malware or the untrusted resource. After step 712, the physical host reiterates step 706. In response to determining not to return the virtual value to the malware or the untrusted resource (NO branch of step 711), the physical host reiterates step 706).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.
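The GU steps cited for claims 3 through 6 (intercepting a system call, updating a call graph of the running sample's call behaviour, matching the call against stored patterns, and then either modifying memory or returning a virtual value chosen from a list) can be shown together in one small monitor. The following is an added illustration written for this page, not code from GU, Huang, or the application under examination. The `ScarecrowPattern` and `SyscallRecord` types, the `resource_exists` and `read_resource` call names, the host resource table and the sample routine are all constructed for the example; the call stack and parameters are captured with each call (the inputs claims 3 and 4 feed to the model), and the virtual return value is selected from the pattern's list of candidates (claim 6).

```python
"""Toy system-call monitor with call graph, pattern matching and virtual returns (constructed)."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass
class ScarecrowPattern:
    syscall: str                               # call name the pattern applies to
    arg_predicate: Callable[[tuple], bool]     # which parameter values trigger it
    virtual_values: list                       # candidate return values to select from


@dataclass
class SyscallRecord:
    name: str
    args: tuple
    call_stack: tuple
    returned: Any
    virtualized: bool   # True when the value came from a pattern, not the host


class SyscallMonitor:
    def __init__(self, patterns, real_handlers):
        self.patterns = patterns
        self.real = real_handlers
        self.call_graph = []   # (previous call, current call) edges, in order seen
        self.records = []      # every intercepted call with its stack and parameters
        self._hits = {}        # pattern index -> number of matches so far
        self._last = None

    def intercept(self, name, args, call_stack):
        # Record the call behaviour of the running sample as a call graph edge.
        self.call_graph.append((self._last, name))
        self._last = name
        # Match the call (name plus parameters) against the stored patterns.
        for i, p in enumerate(self.patterns):
            if p.syscall == name and p.arg_predicate(args):
                n = self._hits.get(i, 0)
                self._hits[i] = n + 1
                # Select a return value from the list; repeated hits rotate through it.
                value = p.virtual_values[n % len(p.virtual_values)]
                self.records.append(SyscallRecord(name, args, call_stack, value, True))
                return value
        # No pattern matched: pass the call through to the real host handler.
        value = self.real[name](*args)
        self.records.append(SyscallRecord(name, args, call_stack, value, False))
        return value


# Constructed host state and the real handlers that consult it.
HOST_RESOURCES = {"probe_marker": "present", "settings": "v=1"}
REAL_HANDLERS = {
    "resource_exists": lambda key: key in HOST_RESOURCES,
    "read_resource": lambda key: HOST_RESOURCES.get(key),
}

# Constructed pattern: queries for resources whose name ends in "marker" get a
# virtual "absent" answer instead of the host's real one.
SCARECROW_PATTERNS = [
    ScarecrowPattern("resource_exists", lambda a: a[0].endswith("marker"), [False]),
]


def constructed_sample(syscall):
    """Stand-in untrusted routine: reads config, probes for a marker, then decides."""
    cfg = syscall("read_resource", ("settings",), ("main",))
    if syscall("resource_exists", ("probe_marker",), ("main", "probe")):
        return "benign"
    return "payload:" + cfg


def detonate(patterns):
    """Run the sample under the monitor; return its behaviour and the monitor state."""
    mon = SyscallMonitor(patterns, REAL_HANDLERS)
    return constructed_sample(mon.intercept), mon


if __name__ == "__main__":
    behaviour, mon = detonate(SCARECROW_PATTERNS)
    print(behaviour)          # payload:v=1
    print(mon.call_graph)     # [(None, 'read_resource'), ('read_resource', 'resource_exists')]
    for r in mon.records:
        print(r)
```

Each `SyscallRecord` keeps the call stack and parameters alongside the returned value, so the same records can later be used both to decide when to modify a return value and to store the modification for review.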

With respect to claim 9 Huang teaches the system of claim 3, further comprising capturing a sequence of function calls by the executing application, and providing data indicating the sequence of function calls to the machine learning model, wherein the indication of the modification is based on the indicated sequence of function calls (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).

With respect to claim 14 Huang teaches the method of claim 13, but does not disclose wherein the sequence of instructions include a function call instruction, the method further comprising: determining a call stack of the potential malware application at the function call instruction; determining parameters of the function call; and providing the call stack and the parameters to the machine learning model, wherein the indication of the modification is further based on the provided call stack and parameters. 
GU teaches wherein the sequence of instructions include a function call instruction, the method further comprising: determining a call stack of the potential malware application at the function call instruction; determining parameters of the function call; and providing the call stack and the parameters to the machine learning model, wherein the indication of the modification is further based on the provided call stack and parameters (see GU figure 7B and paragraph 0030-0033 i.e. At step 706 (shown in FIG. 7B), the operating system of the physical host intercepts a system call by malware or an untrusted resource to a resource on the physical host. At step 707, the physical host updates a call graph on a database storing call graphs. The call graph database is a recording of the current running malware call behaviors. At step 708, the physical host determines whether a status of the system call matches patterns of dynamic scarecrow resources. The dynamic scarecrow resources are stored in a database. In one embodiment, both the dynamic scarecrow resources (dynamic imitating resources) and the static scarecrow resources (static imitating resources) are stored on the same database. In another embodiment, the dynamic scarecrow resources (dynamic imitating resources) are stored on one database while the static scarecrow resources (static imitating resources) are stored on another database).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 15 Huang teaches the method of claim 14, but does not disclose further comprising determining second parameters of a second function call, and providing the second parameters of the second function call to the machine learning model, wherein the indication of the modification is further based on the provided second parameters.
GU teaches further comprising determining second parameters of a second function call, and providing the second parameters of the second function call to the machine learning model, wherein the indication of the modification is further based on the provided second parameters (see GU figure 7B and paragraph 0030 i.e. At step 706 (shown in FIG. 7B), the operating system of the physical host intercepts a system call by malware or an untrusted resource to a resource on the physical host. At step 707, the physical host updates a call graph on a database storing call graphs. The call graph database is a recording of the current running malware call behaviors. At step 708, the physical host determines whether a status of the system call matches patterns of dynamic scarecrow resources. The dynamic scarecrow resources are stored in a database. In one embodiment, both the dynamic scarecrow resources (dynamic imitating resources) and the static scarecrow resources (static imitating resources) are stored on the same database. In another embodiment, the dynamic scarecrow resources (dynamic imitating resources) are stored on one database while the static scarecrow resources (static imitating resources) are stored on another database).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 16 Huang teaches the method of claim 14, but does not disclose wherein the modification is a modification of an output of the function call.
Gu teaches wherein the modification is a modification of an output of the function call (see GU figure 7B and paragraph 0031-0032 i.e. In response to determining that the status of the system call matches patterns of dynamic scarecrow resources (YES branch of step 708), the physical host at step 709 determines whether to modify values in memory. In response to determining to modify the values in the memory (YES branch of step 709), the physical host at step 710 modifies the values in the memory. In response to determining not to modify the values in the memory (NO branch of step 709), the physical host at step 710 determines whether to return a virtual value to the malware or the untrusted resource. In response to determining to return the virtual value to the malware or the untrusted resource (YES branch of step 711), the physical host at step 712 returns the virtual value to the malware or the untrusted resource. After step 712, the physical host reiterates step 706. In response to determining not to return the virtual value to the malware or the untrusted resource (NO branch of step 711), the physical host reiterates step 706).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Huang in view of GU to have compared system calls with a pattern of dynamic scarecrow resources (predefined system calls, APIs, and relationships of the calls) as a way to determine when to modify the return value. Therefore one would have been motivated to have compared system calls with a pattern of dynamic scarecrow resources.

With respect to claim 17 Huang teaches the method of claim 14, further comprising identifying a control-flow instruction of the potential malware application, wherein the modification is a modification of the control- flow instruction (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).

With respect to claim 18 Huang teaches the method of claim 14, further comprising capturing a portion of executable code of the potential malware application within a predefined proximity of the function call, and providing the portion to the machine learning model, wherein the indication of the modification is based on the provided portion (See Huang figure 4 and column 7 lines 40-64 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken. Instead of inversing the conditional variable, other ways of changing the execution path may also be performed including jumping directly to the address of instructions to be executed, altering the value of the program counter register (e.g., EIP in x86 architecture) to the address of the expected branch, etc. Thereafter, the malware detection system resumes execution from the current breakpoint (step 412 to step 413). Breakpoints where rectification have already been performed may be removed. The runtime behavior of the sample is analyzed during execution in the malware detection system (step 420). As can be appreciated, by rectifying the execution path of the sample, malicious code that otherwise may be bypassed are executed, thereby allowing for proper dynamic analysis of the sample).

With respect to claim 19 Huang teaches the method of claim 14, further comprising capturing a sequence of function calls by the potential malware application, and providing data indicating the sequence of function calls to the machine learning model, wherein the indication of the modification is based on the indicated sequence of function calls (see Huang column 7 lines 40-50 i.e. Otherwise, when the expected and actual evaluated values of the conditional statement are not the same, the malware detection system changes the execution path to the expected branch (step 411 to step 412). More particularly, in this case, the current context, such as certain flag registers, may be modified to inverse the actual evaluated value of a conditional variable being evaluated, so that the expected branch is taken. For example, the actual evaluated value of the conditional variable may be inversed (e.g., from TRUE to FALSE, or from FALSE to TRUE), so that the execution path that is being hidden by the evasion code is taken).
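The execution-path rectification cited for claims 17-19 (breakpoint on a conditional, compare the actual flag value with the expected one, invert the flag so the hidden branch is taken, then remove the breakpoint and resume) can be illustrated on a toy instruction set. The following is an added example, not code from Huang, the applicant, or any product; the instruction set, the CHECK_SANDBOX evasion opcode and the API names are constructed for illustration, and the returned log doubles as the captured sequence of function calls.

```python
from dataclasses import dataclass, field


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {"ZF": 0})  # ZF stands in for a flag register
    pc: int = 0
    log: list = field(default_factory=list)


def run(program, sandbox_detected, expected_flags=None):
    """Execute `program` (list of tuples). `expected_flags` maps the pc of a
    conditional jump to the ZF value the analyst expects on the benign-looking
    path; at that breakpoint an unexpected ZF is inverted (rectified) so the
    branch hidden by the evasion check is executed. Returns the event log."""
    m = Machine()
    breakpoints = dict(expected_flags or {})  # copy: breakpoints are removed as used
    while m.pc < len(program):
        op, *args = program[m.pc]
        if op == "CHECK_SANDBOX":
            # Constructed evasion check: ZF=1 means "analysis environment found".
            m.regs["ZF"] = 1 if sandbox_detected else 0
        elif op == "JZ":
            if m.pc in breakpoints and m.regs["ZF"] != breakpoints[m.pc]:
                m.log.append(f"rectified ZF at pc={m.pc}")
                m.regs["ZF"] ^= 1          # inverse the evaluated value (TRUE <-> FALSE)
                breakpoints.pop(m.pc)      # breakpoint removed once rectified
            if m.regs["ZF"] == 1:
                m.pc = args[0]             # taken branch
                continue
        elif op == "CALL":
            m.log.append(f"api:{args[0]}")  # captured function-call sequence
        elif op == "EXIT":
            break
        m.pc += 1
    return m.log


# Constructed sample: payload at pc 2-3 is skipped whenever the check "sees" a sandbox.
PROGRAM = [
    ("CHECK_SANDBOX",),
    ("JZ", 4),
    ("CALL", "CreateFile"),
    ("CALL", "connect"),
    ("EXIT",),
]

if __name__ == "__main__":
    print(run(PROGRAM, sandbox_detected=True))            # evasion succeeds: []
    print(run(PROGRAM, sandbox_detected=True, expected_flags={1: 0}))
```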

Allowable Subject Matter
Claim 10 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
With respect to claim 10 the prior art teaches the system of claim 1, but does not teach wherein the machine learning model is configured to apply a reinforcement learning algorithm, the machine learning model trained to generate a modification that results in successful execution of the executing application, wherein successful execution is detected when the executing application creates a new process, creates a new file, creates a new registry entry, establishes a network connection, or the executing application invokes a number of API calls that exceeds a predefined threshold.

Prior Art
Vincant et al (US 9,171,160) titled “Dynamically Adaptive Framework And Method For Classifying Malware Using Intelligent Static, Emulation, And Dynamic Analyses”
Kolbitsch et al (US 2014/0317745) titled “METHODS AND SYSTEMS FOR MALWARE DETECTION BASED ON ENVIRONMENT-DEPENDENT BEHAVIOR”
Ciubotariu et al (US 10,621,348) titled “Detecting A Malicious Application Executing In An Emulator Based On A Check Made By The Malicious Application After Making An API Call”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492