DETAILED ACTION

A response was received on 28 February 2022.  By this response, Claims 1-3, 12, 14, 22, and 23 have been amended.  No claims have been added or canceled.  Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are currently pending in the present application.

Response to Arguments

Applicant's arguments filed 28 February 2022 have been fully considered but they are not persuasive.
Regarding the rejection of Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 under 35 U.S.C. 112(b) as indefinite, and with particular reference to independent Claims 1 and 14, Applicant argues that the rejection is improper because claim elements are not required to appear more than once in a claim and that the limitation of “determining if the first contiguous string block is found in a second database containing one or more contiguous string blocks extracted from known malware” is “an element of developing a signature for malware identification” (pages 6-7 of the present response).  However, the rejection was not made solely based on the limitation appearing only once in the claim; rather, the rejection was due to the lack of a use of this determination amounting to a gap in the claim, constituting an omission of essential subject matter.  Although Applicant asserts that the limitation is an element of developing a signature, such determination (or a result thereof) is not recited in relation to or in the context of the step of forming a signature or anywhere else in the claims.  Therefore, because it is not clear how this determination or a result thereof is to be used, this amounts to a gap in the claim which renders the bounds of the claims indefinite.
Regarding the rejection of Claims 14, 17-19, 22, and 23 under 35 U.S.C. 102(a)(1) as anticipated by any general purpose computer, Applicant argues that the claims recite functionalities requiring enabling software and are therefore structural limitations, and further argues that if a machine is programmed in a certain way, it is physically different from the machine without that program, citing In re Lowry (page 7 of the present response).  However, the claim does not recite that the machine is programmed in any particular way.  Although the claim recites that the processor is “to execute the instructions”, this only recites an intended use or capability of the processor to perform the claimed functions.  This is distinct from a recitation of a processor “configured to execute the instructions” or “programmed to execute the instructions” or similar.  The claim also only requires that the instructions are “in the apparatus” which does not require any actual programming or execution of the instructions.  As currently written, the claim does not recite any particular configuration or programming of the apparatus or components thereof.  The rejection could be overcome if Claim 14 were amended to explicitly recite that the processor is “configured to execute” or “programmed to execute” the instructions to perform the various claimed functions, or other similar language that positively recited the execution of the instructions or programming/configuration of the memory and/or processor.
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.

Specification

The objection to the specification for failure to provide proper antecedent basis for the claimed subject matter is NOT withdrawn, because the amendments have raised new issues, as detailed below.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:  Independent Claim 1 has been amended to recite “wherein the signature is deployed in a learning mode to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record”, and independent Claim 14 has been amended to recite a similar limitation.  Although the specification describes a learning mode, there is not clear antecedent basis for deploying the signature in the learning mode specifically in order to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record.  For further detail, see below regarding the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.

Claim Objections

The objections to Claims 1 and 14 for informalities are withdrawn in light of the amendments to the claims.

Claim Rejections - 35 USC § 112

The rejection of Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 under 35 U.S.C. 112(a) for failure to comply with the written description requirement is NOT withdrawn because the amendments have raised new issues, as detailed below.  The rejection of Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 under 35 U.S.C. 112(b) as indefinite is NOT withdrawn because not all issues have been addressed and/or the amendments have raised new issues, as detailed below.

The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Independent Claim 1 has been amended to recite “wherein the signature is deployed in a learning mode to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record”, and independent Claim 14 has been amended to recite a similar limitation.  Applicant has cited paragraphs 0030-0031 of the specification for support for the claims as amended.  However, although paragraph 0031 describes a learning mode, there is not clear description of deploying the signature in the learning mode specifically in order to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record.  The cited portions do not clearly discuss a determination that the signature does not correspond to a clean record, nor do they discuss updating the confidence indicator.  Therefore, there is not clear written description of the claims as amended.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-4, 6, 7, 11, 12, 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “determining if the first contiguous string block is found in a second database containing one or more contiguous string blocks extracted from known malware” in lines 11-12.  However, this determination is not used elsewhere in the claim, which amounts to a gap in the claim and/or an omission of essential subject matter.  The claim further recites “a contiguous string block” in line 23.  It is not clear whether this is intended to refer to the first or second contiguous string block, the wildcarded contiguous string block, one of the other string blocks in the plurality of contiguous string blocks, or a distinct string block.  The claim additionally recites “a clean record” in line 25.  The term “clean” is a relative term that is not clearly defined in the specification.  The specification describes clean as “not a good indicator of malware” (paragraph 0026) but this is also ambiguous as to how good or bad an indicator it must be to be considered “clean”.  There is not a clear definition or standard of comparison provided.  See MPEP § 2173.05(b).  The above ambiguities render the claim indefinite.
Claim 3 recites “the first wildcarded contiguous string block” in lines 2-3.  Although Claims 1 and 2 recited a wildcarded contiguous string block, there is not clear antecedent basis for this block being a first block.
Claim 12 recites “a confidence indicator” in lines 2-3.  It is not clear whether this is intended to refer to the first confidence indicator assigned in Claim 1, the second confidence indicator assigned in Claim 2, or to a distinct indicator.
Claim 14 recites that the processor executes instructions to “determine if the first string is found in a second database containing one or more strings extracted from known malware” in lines 11-12.  However, this determination is not used elsewhere in the claim, which amounts to a gap in the claim and/or an omission of essential subject matter.  The claim further recites “the signature” in line 13.  There is insufficient antecedent basis for this limitation in the claim.  The claim additionally recites “the signature deployed in a learning mode” in line 18.  This is grammatically unclear as to how it relates to the remainder of the claim limitation, although it appears that this may be intended to be a “wherein” clause or similar.  The claim also recites “a clean record” in line 20.  The term “clean” is a relative term that is not clearly defined in the specification.  The specification describes clean as “not a good indicator of malware” (paragraph 0026) but this is also ambiguous as to how good or bad an indicator it must be to be considered “clean”.  There is not a clear definition or standard of comparison provided.  See MPEP § 2173.05(b).  The above ambiguities render the claim indefinite.
Claim 22 recites “the first wildcarded string” in lines 4 and 7-8.  There is insufficient antecedent basis for this limitation in the claims.
Claim 23 recites “the first confidence indicator” in lines 3-4.  There is insufficient antecedent basis for this limitation in the claims.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 14, 17-19, 22, and 23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by any general purpose computer.
Claim 14 recites an apparatus that comprises a memory, instructions, and a processor “to execute the instructions to” perform various functions.  This only requires an intended use or capability of the processor to perform the claimed functions.  Any general purpose computer includes a memory and a processor, and is capable of being programmed to perform the claimed functions.  Therefore, without reciting particular configuration or programming of the apparatus or components thereof, Claim 14 is anticipated by any general purpose computer.  Claims 18 and 19 do not provide any other structural or functional limitations, and Claims 17, 22, and 23 only recite further intended uses or capabilities of the apparatus, and therefore, the dependent claims are also anticipated by any general purpose computer for similar reasons.



Allowable Subject Matter

Claims 1-4, 6, 7, 11, and 12 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 112(a) and (b) set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter:
Independent Claim 1 is directed to a method that includes identifying a first contiguous string block from malware information in a first database; assigning a ranking score to the first block based on a sum of sample counts and a proximity of the component strings to other component strings in the first block; determining if the first block is in a second database of string blocks; wildcarding differences between the first block and a second contiguous string block; forming a signature for a malware family including a plurality of contiguous string blocks including the wildcarded block; and assigning a confidence indicator to the signature based on a count of wildcard characters, a count of strings, and a block order, where the signature is deployed in a learning mode to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record.
The closest prior art, Sun, Tuvell, and Borthakur, generally discloses identifying a first string block, assigning a ranking score, determining if the first block is found in a database of strings extracted from known malware, forming a signature for a malware family, and generating a confidence indicator.  The cited art also generally discloses using a sum of sample counts and determining an order based on the ranking score, as well as wildcarding differences to create a first wildcarded block and that a signature includes the wildcarded block.  Further, the cited art also generally discloses using a proximity of strings for ranking.  However, none of the cited art, alone or in combination, clearly teaches or suggests assigning a confidence indicator to the signature based on a count of wildcard characters, a count of strings, and a block order, where the signature is deployed in a learning mode to update the confidence indicator responsive to a determination that the signature does not correspond to a clean record, in combination with the other claimed limitations.  At least this subject matter would be allowable over the cited art if the other rejections set forth above were overcome.
It is noted that substantial changes in scope to the claims may necessitate reconsideration of this indication of allowability.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/
Primary Examiner, Art Unit 2492