DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-5 and 7-20 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/07/22 has been entered.

Response to Arguments
Applicant's arguments filed on 06/07/22 have been fully considered but are moot in view of the new grounds of rejection presented below in view of newly found prior art.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7, 13-14, 16-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) and further in view of Bell (US 10402216).

Claim 1, Yan discloses A system for identifying suspicious code embedded in a file in an isolated computing environment, the system comprising: 
one or more memory devices storing computer-readable code; and one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer-readable code to: 
automatically receive an indication of suspicious information; automatically transfer the suspicious information to a virtual container upon receiving the indication of the suspicious information, wherein the virtual container is for analyzing the suspicious information; execute the suspicious information within the virtual container in response to transferring the suspicious information to the virtual container; (e.g. ¶60: In the device, phase 2140 comprises executing applications, optionally in a virtual machine instance, and collecting the data which characterizes the functioning of the applications. In phases 2120 and 2130, respectively, the malware hash function set and the non-malware hash function set are used to obtain a malware hash value pattern and a non-malware hash value pattern. These are provided to the server SRV for comparison in phase 2100)
identify at least a signature or a pattern associated with the suspicious information, wherein the signature or the pattern is associated with one or more moves implemented by the suspicious information upon the execution of the suspicious information in the virtual container; (e.g. ¶48, 55, 60: Applied to classifying an unknown application, a dynamic method may be used to collect its runtime system calling data in terms of individual calls and/or sequential system calls, such as, for example sequential system calls with different depth. Frequencies of system calls may also be included in such data which characterizes the functioning of an application. The calls may involve file and/or network access, for example. Target patterns, such as the system call patterns, of the unknown application may be extracted from its runtime system calling data. By comparing them with both the malicious pattern set and the normal pattern set, the unknown application may be classified as malware or non-malware based on its dynamic behavioural pattern…When detecting an unknown application in a user device, its data characterizing its runtime behaviour may be collected, such as system calling data including individual calls and/or sequential system calls with different depth. Then the user device may use hash function sets Hm and Hn on the collected runtime data to calculate the corresponding hash output values and send them to the server for checking if the hash output value patterns match the patterns inside MBF and NBF. Based on the hash output value matching, corresponding weights may be added together in terms of non-malware patterns and malware patterns, respectively. Based on the summed weights and predefined thresholds, the server can judge if the tested app is malware or a non-malware app…In the device, phase 2140 comprises executing applications, optionally in a virtual machine instance, and collecting the data which characterizes the functioning of the applications. 
In phases 2120 and 2130, respectively, the malware hash function set and the non-malware hash function set are used to obtain a malware hash value pattern and a non-malware hash value pattern. These are provided to the server SRV for comparison in phase 2100. It should be noted that the term “one or more moves” covers any type of one or more action, activity, or behavior.)
compare a hash of the signature or the pattern with stored hashes of signatures or patterns; determine that the suspicious information comprises harmful information when the hash match the stored hashes of signatures or patterns; and (e.g. ¶48, 50, 52, 55, 59: To enable comparing behaviour of an unknown application with the malicious pattern set and the normal pattern set, hash functions may be employed. In detail, data characterizing functioning of the application may be collected, for example using a standardized manner to gather, for example, the system call data described above. Once the data has been collected, two sets of hash functions may be applied to the data. A set of hash functions may comprise, for example, hash functions of a same hash function family but with differing parameters, such that different hash functions of the set each produce different hash output values with a same input. The data characterizing functioning of the application thus characterizes the behaviour of the application when it is run…By comparing them with both the malicious pattern set and the normal pattern set, the unknown application may be classified as malware or non-malware based on its dynamic behavioural pattern…where a device sends its hash output value sets obtained from the data to such a server, the server may compare the hash output values received from the device to the hash output values it has, to determine if the behaviour of the application in the device matches with known malware and/or non-malware. In other words, the server may determine whether the hash output values received from the device are a malware pattern or a non-malware pattern…the user device may use hash function sets Hm and Hn on the collected runtime data to calculate the corresponding hash output values and send them to the server for checking if the hash output value patterns match the patterns inside MBF and NBF. 
Based on the hash output value matching, corresponding weights may be added together in terms of non-malware patterns and malware patterns, respectively. Based on the summed weights and predefined thresholds, the server can judge if the tested app is malware or a non-malware app…in phase 2100 hash value patterns from a user device are compared to hash value patterns received in the server from AP, to determine whether the hash value patterns received from the user device more resemble malware or non-malware patterns received from the AP)
perform a mitigation action based on the determination that the suspicious information comprises the harmful information. (e.g. ¶20: delete or quarantine the application based on an indication received from the server in response to the sets of one-way function output values)
Although Yan discloses automatically receive an indication of suspicious information (see above), Yan does not appear to explicitly disclose but Paithane 726 discloses automatically receive an indication of suspicious information from a target user computer system associated with a target user that received the suspicious information; (e.g. col. 7, ll. 10-15, 22-28, 39-42: the interface 136 operates as a data capturing device (sometimes referred to as a “network tap”) that is configured to receive at least a portion of network traffic propagating to/from one or more endpoint devices 130 (hereinafter, “endpoint device(s)”) and provide information associated with the received portion of the network traffic to the first TDP 110.sub.1…In general terms, the interface 136 is configured to capture data directed to or from one or more endpoint device(s) 130, where the captured data includes at least one object for analysis and its corresponding metadata.  It should be noted that the term “user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Yan for the purpose of enabling the system to analyze data object received from one or more devices for malware (col. 7, ll. 39-42).
Although Yan discloses wherein the virtual container is for analyzing the suspicious information (see above), Yan does not appear to explicitly disclose but Bell discloses the virtual container is an isolated disposable container (e.g. col. 5, ll. 1-16: Virtual machines 142 spawned by virtual machine spawner 132 generally execute within virtual machine execution space 140, which provides an isolated container in which each virtual machine 142 executes until a virtual machine 142 is terminated (e.g., shut down)…shut down the selected virtual machine 142 and terminate the execution space allocated to the selected virtual machine, which frees up resources that can be allocated to a virtual machine execution space for another virtual machine).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bell into the invention of Yan-Paithane 726 for the purpose of freeing up resources that can be allocated to a virtual machine execution space for another virtual machine (Bell, col. 5, ll. 14-16).
	
Claim 7, Yan-Paithane 726-Bell discloses The system of claim 1, wherein the indication of the suspicious information is received automatically from an organization system. (Paithane 726, e.g. col. 7, ll. 10-15, 22-28, 39-42)

Claim 13, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and Paithane 726 discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: automatically set virtual environment configurations for the virtual container based on configurations of the target user computer system of the target user from which the suspicious information was received.  (e.g. col. 7, ll. 39-49, col. 9, ll. 44-53).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Yan-Bell for the purpose of customizing the virtual machine to more effectively analyze an object for malware thereby improving computer security.
	
Claim 14, Yan-Paithane 726-Bell discloses The system of claim 1, wherein the mitigation action comprises sending a notification to a user when the harmful information is identified. (Yan, e.g. ¶20)
	
Claim 16, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and Paithane 726 discloses wherein the one or more processing devices are configured to execute the computer-readable code to: store a log of each analysis action performed by an analyst user within the virtual container while analyzing the suspicious information.  (e.g. col. 3, ll. 51-col. 4, ll. 2. It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Yan-Bell for the purpose of later retrieving for review by security personnel (Paithane 726, col. 4, ll. 25-27).

Claim 17, this claim is rejected for similar reasons as in claim 1.

Claim 19, this claim is rejected for similar reasons as in claim 1.

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) in view of Bell (US 10402216) and further in view of Paithane 660 (US 20180048660).

Claim 8, Yan-Paithane 726-Bell discloses The system of claim 1, wherein the system is an isolation system (Yan, e.g. ¶20) and does not appear to explicitly disclose but Paithane 660 discloses that provides physical separation and logical separation when analyzing the suspicious information.  (e.g. figs. 2-3, ¶6, 16).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 660 into the invention of Yan-Paithane 726-Bell for the purpose of safely analyzing the suspicious application while preventing the suspicious application from affecting the rest of the system.

Claim 9, Yan-Paithane 726-Bell-Paithane 660 discloses The system of claim 8, wherein the isolation system is accessed through an application programming interface located on an analyst computer system, on the isolation system, or on an application programing interface system. (Yan, e.g. ¶43-44, 52, 55, 60)

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) in view of Bell (US 10402216) and further in view of Kutt (US 20210240825).

Claim 15, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Kutt discloses wherein the mitigation action comprises requesting removal of the harmful information from the target user computer system, allowing an analyst user to access target user computer system of the target user to remediate the harmful information, requiring a username or password change, notifying other analyst users of the harmful information, notifying other users within an organization of the harmful information, notifying a third-party of the harmful information, blocking a website for the harmful information, preventing future download of the harmful information, or automatically deleting any future communication with the harmful information. (e.g. ¶128)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kutt into the invention of Yan-Paithane 726-Bell for the purpose of informing the subscriber that the sample was determined to be malicious so that the subscriber can perform a response based on a locally configured security policy and sharing the malicious verdict with other devices and platforms (Kutt, ¶128).

Claims 2-5, 11, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) and further in view of Bell (US 10402216) and further in view of Gaetano (US 20190294778).

Claim 2, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: determine that the hash does not match the stored hashes of signatures or patterns; allow an analyst user to access to at least one other virtual container in order to further analyze the suspicious information when the hash does not match the stored hashes of signatures or patterns; and allow the analyst user to analyze the suspicious information in the at least one other virtual container.  (e.g. fig. 2, S220, S225, S230, S235, ¶19, 25-26.  It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Yan-Paithane 726-Bell for the purpose of safely monitoring the unknown application to classify the unknown application as malicious or safe (Gaetano, ¶11, 19).

Claim 3, Yan-Paithane 726-Bell-Gaetano discloses The system of claim 2, wherein the one or more processing devices are further configured to execute the computer-readable code to: receive an indication from the analyst user that the suspicious information does not comprise the harmful information; and determine that the suspicious information is acceptable information.  (Gaetano, e.g. fig. 2, S230, S235, S240, S245, S255, S270, ¶22, 31, 36).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Yan-Paithane 726-Bell for the purpose of classifying the application as safe and updating a knowledge database with a hash of the application for future reference (Gaetano, ¶22, 36).

Claim 4, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: store the hash in an acceptable list comprising a plurality of acceptable signature hashes. (e.g. fig. 2, S220, S225, S230, S235, S240, S255, S270, ¶22, 36)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Yan-Paithane 726-Bell for the purpose of updating a knowledge database with a hash of the application classified as safe for future reference (Gaetano, ¶22, 36).

Claim 5, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the mitigation action comprises discarding the virtual container. (e.g. fig. 2, S265, ¶35).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Yan-Paithane 726-Bell for the purpose of preventing a malicious application from affecting the rest of the system and saving processing resources.  

Claim 11, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: create a virtual container when the analyst user accesses the system. (e.g. ¶19.  It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Yan-Paithane 726-Bell for the purpose of safely monitoring the unknown application to classify the unknown application as malicious or safe (Gaetano, ¶11, 19).

Claim 18, this claim is rejected for similar reasons as in claim 2.

Claim 20, this claim is rejected for similar reasons as in claim 2.


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) in view of Bell (US 10402216) in view of Gaetano (US 20190294778) and further in view of Paithane 660 (US 20180048660).


Claim 12, Yan-Paithane 726-Bell-Gaetano discloses The system of claim 11, (see above) and does not appear to explicitly disclose but Paithane 660 discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: receive virtual environment configurations from the analyst user for the virtual container for the suspicious information.  (e.g. ¶42, 44, 51-53.  It should be noted that the term “analyst” covers any human, process, program, processor, device, etc. and combination thereof, that performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 660 into the invention of Yan-Paithane 726-Bell-Gaetano for the purpose of enabling configuration of the virtual machine to increase the effectiveness of the virtual machine in analyzing and categorizing the suspicious object.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Yan (US 20210256126) in view of Paithane 726 (US 10671726) and further in view of Bell (US 10402216) and further in view of Kruglick (US 20160210164).

Claim 10, Yan-Paithane 726-Bell discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Kruglick discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: create a plurality of virtual containers for a plurality of analysts, wherein each of the plurality of virtual containers are specific to each of the plurality of analysts.  (e.g. ¶18, 22, 28.  It should be noted that the term “analyst” covers any human, process, program, processor, device, etc. and combination thereof, that performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kruglick into the invention of Yan-Paithane 726-Bell for the purpose of associating virtual machines with respective users and providing the respective users with reports that may assist the users in generating analytics (Kruglick, ¶18, 22).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 9876812 discloses automatic malware signature extraction from runtime information wherein the computer system 100 may retrieve a file 212 from the sample data store 210, collect runtime information of an original code of the file 212 in memory, automatically extract a malware signature of the file 212 from the runtime information, and generate a pattern that incorporates the extracted malware signature….the file 212 is deemed to be suspicious and is accordingly passed on to the sandbox environment 214 for further analysis. The sandbox environment 214 provides a safe computing environment where a target file, which in this example is the file 212, may be safely executed without compromising the computer system 100. The sandbox environment 114 may be implemented using the CUCKOO SANDBOX malware analysis system, for example. Other suitable sandboxes or tools for creating an isolated computing environment may also be employed. The sandbox environment 214 may include a virtual machine 230 for executing the instrumentation module 215 and a target file. The sandbox environment 214 may receive target files from the pre-filter 213 (or other sources), distribute the target files to the virtual machine 230 for runtime analysis, and collect runtime information of the target files from the instrumentation module 215… The instrumentation code allows for monitoring of the process of the target file at runtime. More specifically, the instrumentation code may collect runtime information of the original code, such as the type of instructions (generic, stack operation, memory read, memory write, memory read/write) executed, instruction addresses, instruction execution counts, modified memory contents, API (application programming interface) call records, etc.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436