Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/04/2022 has been entered.

Status of Claims
This is in response to the amendment filed 04/04/2022.  Claims 1, 7 and 9 have been amended.  Claim 8 has been cancelled.  Claims 1-7 and 9 are pending and have been considered.

Priority
16619986, filed 12/06/2019 is a national stage entry of PCT/JP2018/017787, International Filing Date: 05/08/2018; claims foreign priority to 2017-116668, filed 06/14/2017.

Drawings
The drawings filed on 12/06/2019 are accepted.

Specification
The specification filed on 12/06/2019 is accepted.

Response to Arguments
Applicant’s arguments, with respect to prior arts of record failing to teach the newly amended independent claims such as “calculating similarity between the difference of the predetermined part extracted by the secondly extracting and the features of the difference of the part where the vulnerability correction is made, using a linear classifier”, have been fully considered but are not persuasive because:
Horne teaches: [0046] In another embodiment regarding FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file (corrected malware variant) and variation B (difference; the examiner notes that the variation B is the difference between the malware free executable and malware infected executable) of the Anthrax virus may result in a 57% dissimilarity. In one embodiment, this may mean that 57% of the lines of code between each file are different or in a different order. In another embodiment, the comparison process may be customized to place different weights on different code segments. As a result, the overall dissimilarity percentage may be lower than if all code segments were weighted the same. [0047] In yet another embodiment regarding FIGS. 2A and 2B, step 260 may associate with a dissimilarity threshold instead of a similarity threshold. For instance, if the dissimilarity threshold is 50% and the dissimilarity percentage between the normalized file and variant B of the Anthrax virus is 57%, the normalized file may be added to the database. [0053] In another embodiment to step 340, dissimilarity percentages may be used in place of similarity percentages. As described above in regards to step 250 a comparison of code segments between the normalized file and an existing malware variant may result in a percentage of dissimilarity between the two files in contrast to a similarity. [0055] In yet another embodiment, step 350 may be based on a dissimilarity threshold as described above in regards to step 260. In other words, the percentage that the normalized file and an existing malware variant are dissimilar from each other may be used in contrast to them being similar.
The newly found prior art, Schipka U.S. 2009/0013405, also teaches (see par. 27) that the invention provides the capability of distinguishing between clean and dirty files by virtue of the similarity with the files in the corpus. In par. [0067] An example in which the classifier 25 is a linear classifier will now be described. In this case, the classifier 25 calculates a linear combination of values associated with each feature. Those values are weighted in the linear combination by respective weightings in respect of each feature. In this example those weightings constitute the parameters 13 which are supplied from the training system 32. [0081] It can be seen from the above description of the classifier 25 as a linear classifier that the weights w.sub.j associated with each feature contained in the parameters 13 effectively indicate the significance of the feature. A higher weight increases the linear combination and so means that the feature is more likely to signify a dirty file. A negative weight decreases the linear combination and so means that the feature is more likely to signify a clean file. With other types of classification technique, the parameters similarly indicate the significance of the different features. [0082] The scanning system 1 is nonetheless heuristic in the sense that it only indicates a probabilistic likelihood of the file 100 being dirty or clean on the basis of similarity with the reference files 101. [0083] Such classification allows detection of new pieces of malware when first encountered and before there has been time to develop a signature. This is because the classification is based on the reference files 101 and therefore allows detection of malware on the basis of similarity with the reference files 101. Therefore, the combination of Horne and Schipka teaches the claimed limitations for which it is cited.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Upchurch U.S. 2017/0300691 A1 in view of Horne U.S. 2009/0313700 A1 in further view of Schipka U.S. 2009/0013405 A1.
Claim 1: Upchurch teaches a device for supporting specification, the device comprising: 
a memory (par.17-19, item 124); and 
a processor coupled to the memory and programmed to execute a process (par.17-19, items 120, item 124) comprising: 
firstly extracting, from an executable file converted from the source code before the vulnerability correction and an executable file converted from the source code after the vulnerability correction (par.25, 28, 32-33, Fig.3, the computing device 100 normalizes the code by extracting the first byte of every computer instruction included in the code segment 206. Thus, for each code segment 206 included in the malware samples, the computing device 100 generates a corresponding normalized code segment 210. For example, the computing device 100 may extract the first byte of every computer instruction included in a basic block 206 or in an algorithm 206. Extracting the first byte of each computer instruction may allow each instruction to be represented by a constant amount of data), 
Upchurch does not teach, however Horne in the same field of endeavor teaches 
comparing a source code before vulnerability correction with a source code after the vulnerability correction made to the source code (Fig. 2 A-B, 3 A-B, par.33-36, binary file suspected of containing malware code is received and placed in a memory and normalized by the normalize module. once the dump file has been normalized, the remaining code (i.e., the normalized code) may be placed in an additional file. Next, the normalized code is compared with one or more known malware variations (step 240) by the comparison module 145), and specifying a part where a difference is generated (par.46, may be used to determine a dissimilarity percentage in contrast to a similarity percentage);
a difference of the part specified by the specifying (par. 39, 46, may be used to determine a dissimilarity percentage in contrast to a similarity percentage);
calculating features of the difference extracted by the firstly extracting (par.40, 44, 46, FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity. As a result, the overall dissimilarity percentage may be lower than if all code segments were weighted the same); 
secondly extracting, from an executable file converted from a source code before a correction and an executable file converted from the source code after a correction, a difference of a predetermined part (par.40, 44, 46, In another embodiment regarding FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity. In one embodiment, this may mean that 57% of the lines of code between each file are different or in a different order. In another embodiment, the comparison process may be customized to place different weights on different code segments. As a result, the overall dissimilarity percentage may be lower than if all code segments were weighted the same); and
calculating similarity between the difference of the predetermined part extracted by the secondly extracting and the features of the difference of the part where the vulnerability correction is made (par.40, 44, and 46, FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity. In one embodiment, this may mean that 57% of the lines of code between each file are different or in a different order. In another embodiment, the comparison process may be customized to place different weights on different code segments. As a result, the overall dissimilarity percentage may be lower than if all code segments were weighted the same).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to modify the teaching of Upchurch with the additional feature of Horne in order to provide the ability for generating malware definitions for use in managing malware on a computer by using a comparison of normalized assembly code, as taught by Horne par.1.
The combination fails to teach calculating similarity is made using linear classifier, however Schipka in the same field of endeavor teaches
calculating similarity is made using linear classifier (par.81-83, This is because the classification is based on the reference files 101 and therefore allows detection of malware on the basis of similarity with the reference files 101).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Upchurch with the additional feature of Schipka in order to provide the ability to detect new pieces of malware even before there has been time to develop a signature for a given piece of malware and include the case that the piece of malware has not previously been encountered, as taught by Schipka par.27.
Claims 7 and 9: Upchurch teaches a method and a non-transitory computer-readable recording medium having stored therein a program for supporting specification that causes a computer to execute a process, the method comprising: 
firstly extracting, from an executable file converted from the source code before the vulnerability correction and an executable file converted from the source code after the vulnerability correction (par.25, 28, 32-33, Fig.3, the computing device 100 normalizes the code by extracting the first byte of every computer instruction included in the code segment 206. Thus, for each code segment 206 included in the malware samples, the computing device 100 generates a corresponding normalized code segment 210. For example, the computing device 100 may extract the first byte of every computer instruction included in a basic block 206 or in an algorithm 206. Extracting the first byte of each computer instruction may allow each instruction to be represented by a constant amount of data); 
Upchurch does not teach, however Horne in the same field of endeavor teaches 
comparing a source code before vulnerability correction with a source code after the vulnerability correction made to the source code (par.33-36, binary file suspected of containing malware code is received and placed in a memory and normalized by the normalize module. once the dump file has been normalized, the remaining code (i.e., the normalized code) may be placed in an additional file. Next, the normalized code is compared with one or more known malware variations (step 240) by the comparison module 145), and specifying a part where a difference is generated (par.46, may be used to determine a dissimilarity percentage in contrast to a similarity percentage);
a difference of the part specified by the specifying (par. 39, 46, may be used to determine a dissimilarity percentage in contrast to a similarity percentage);
calculating features of the difference extracted by the firstly extracting (par. 40, 44, 46, FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity);
secondly extracting, from an executable file converted from a source code and an executable file converted from a source code after correction is made to the source code, a difference of a predetermined part (par.40, 44, 46, FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity); and 
calculating similarity between the difference of the predetermined part extracted by the secondly extracting and the features of the difference of the part where the vulnerability correction is made (par.40, 44, and 46, In another embodiment regarding FIGS. 2A and 2B, step 250 may be used to determine a dissimilarity percentage in contrast to a similarity percentage. In other words, a comparison between the normalized file and variation B of the Anthrax virus may result in a 57% dissimilarity. In one embodiment, this may mean that 57% of the lines of code between each file are different or in a different order. In another embodiment, the comparison process may be customized to place different weights on different code segments. As a result, the overall dissimilarity percentage may be lower than if all code segments were weighted the same). 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to modify the teaching of Upchurch with the additional feature of Horne in order to provide the ability for generating malware definitions for use in managing malware on a computer by using a comparison of normalized assembly code, as taught by Horne par.1.
The combination fails to teach calculating similarity is made using linear classifier, however Schipka in the same field of endeavor teaches
calculating similarity is made using linear classifier (par.81-83, This is because the classification is based on the reference files 101 and therefore allows detection of malware on the basis of similarity with the reference files 101).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Upchurch with the additional feature of Schipka in order to provide the ability to detect new pieces of malware even before there has been time to develop a signature for a given piece of malware and include the case that the piece of malware has not previously been encountered, as taught by Schipka par.27.
Claim 2: the combination teaches
wherein the firstly extracting and the secondly extracting extract a difference in any one of function unit, basic block unit, and machine language instruction unit (Upchurch, par. 25, 78-80, Horne par. 39, 40, 44, 46, 51). 
The same motivation to modify Upchurch in view of Horne applied to claim 1 above applies here.
Claim 3: the combination teaches 
wherein the firstly extracting and the secondly extracting extract a difference based on at least one of machine language instruction, calling function, and immediate value (Upchurch, par. 25, 78-80, Horne par. 39, 40, 44, 46, 51). 
The same motivation to modify Upchurch in view of Horne applied to claim 1 above applies here.
Claim 4: the combination teaches 
wherein the firstly extracting and the secondly extracting extract a difference of number of times of appearance of predetermined information in the executable files before and after the correction (Horne, par.40, 45, 52, 53). 
The same motivation to modify Upchurch in view of Horne applied to claim 1 above applies here.
Claim 5: the combination teaches
wherein the firstly extracting and the secondly extracting extract an increased amount and a decreased amount of predetermined information in the executable files before and after the correction as a difference (Horne, par.40, 45, 52, 53). 
The same motivation to modify Upchurch in view of Horne applied to claim 1 above applies here.
Claim 6: the combination teaches  
wherein the firstly extracting further extracts, from an executable file converted from a source code and an executable file converted from a source code after correction other than vulnerability correction is made to the source code, a difference of a part where the correction other than the vulnerability correction is made, and the calculating similarity calculates similarity between the difference of the predetermined part calculated by the secondly extracting and features of a difference of a part where the correction other than the vulnerability correction is made calculated by the calculating features (Upchurch, par. 25, 28, 32-33, Fig.3, Horne par. 39, 40, 44, 46, 51). 
The same motivation to modify Upchurch in view of Horne applied to claim 1 above applies here.
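An added illustration, not part of the Office action or of any cited reference: the difference features recited in claims 3 to 5 (counts of machine instructions, called functions and immediate values, split into increased and decreased amounts between the executables before and after a correction) scored with a weighted linear combination of the kind the Schipka passage describes. The instruction listings, feature names and weights are constructed for the example; weights would normally be learned from known vulnerability corrections.

```python
import re
from collections import Counter

IMM = re.compile(r"\b0x[0-9a-fA-F]+\b")

def features(instructions):
    """Count mnemonics, called functions and immediate values in a listing."""
    counts = Counter()
    for ins in instructions:
        mnemonic, _, operands = ins.strip().partition(" ")
        counts["insn:" + mnemonic] += 1
        if mnemonic == "call":
            counts["call:" + operands.strip()] += 1
        for imm in IMM.findall(operands):
            counts["imm:" + imm.lower()] += 1
    return counts

def diff_features(before, after):
    """Increased ('+') and decreased ('-') amounts of each feature."""
    fb, fa = features(before), features(after)
    diff = {}
    for key in fb.keys() | fa.keys():
        delta = fa[key] - fb[key]          # Counter returns 0 for absent keys
        if delta > 0:
            diff["+" + key] = delta
        elif delta < 0:
            diff["-" + key] = -delta
    return diff

def linear_score(diff, weights, bias=0.0):
    """Weighted linear combination; features without a weight contribute 0."""
    return bias + sum(weights.get(k, 0.0) * v for k, v in diff.items())

def resembles_vulnerability_fix(before, after, weights, bias):
    return linear_score(diff_features(before, after), weights, bias) > 0

# Constructed listings: an unbounded copy replaced by a bounded one.
FIX_BEFORE = ["push esi", "push edi", "call strcpy", "add esp, 0x8", "ret"]
FIX_AFTER = ["push 0x40", "push esi", "push edi", "call strncpy",
             "add esp, 0xc", "ret"]
# Constructed listings: an unrelated change that adds a logging call.
OTHER_BEFORE = ["mov eax, 0x1", "call log_msg", "ret"]
OTHER_AFTER = ["mov eax, 0x2", "call log_msg", "call log_msg", "ret"]

# Hypothetical weights: positive values point toward a vulnerability
# correction, negative values toward an ordinary correction.
WEIGHTS = {"-call:strcpy": 2.0, "+call:strncpy": 2.0, "+insn:push": 0.5,
           "+call:log_msg": -1.0, "+insn:call": -0.5}
BIAS = -1.0

if __name__ == "__main__":
    for name, b, a in (("fix", FIX_BEFORE, FIX_AFTER),
                       ("other", OTHER_BEFORE, OTHER_AFTER)):
        d = diff_features(b, a)
        print(name, sorted(d.items()), linear_score(d, WEIGHTS, BIAS))
```
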
Conclusion
The following prior art is cited to further show the state of the art at the time of applicant’s invention.
Shen et al. U.S. 2015/0058984 A1, computer implemented method for distilling a malware program in a system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Thursday, June 30, 2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436