DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This action is responsive to the Request for Continued Examination filed on 04/04/2022, which refers to the Amendment filed on 02/24/2022. Claims 19-28 and 30-38 are pending in the case. Claims 19, 27, and 36 are independent claims.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/24/2022 has been entered.

Response to Arguments
Applicant's prior art arguments have been fully considered but they are not persuasive. Applicant argues that, “the static learning process generating a complete list of tuple FROM addresses associated with the OS interactions and an incomplete list of TO addresses associated with the OS interactions,” and, “the dynamic learning process supplementing the static learning process to provide TO addresses not identified during the static learning process and complete the list of TO addresses generated and stored in the database of tuple addresses during the static learning process,” are not taught by the cited references (page 11 et seq.). Examiner respectfully disagrees. Khazan et al. (U.S. Pat. App. Pub. No. 2005/0108562, hereinafter Khazan) explicitly discloses that in the static analysis the “calls identified do not include those whose target addresses are computed at run time” (see paragraph 43). Moreover, Khazan expounds on this by discussing how the static analysis is supplemented by the dynamic analysis by using “the return address to determine the location of the previous instruction and to verify that this instruction corresponds to, for example, a call or other expected instruction” (see paragraph 85). This reads on the broadest reasonable interpretation of the claim language. Therefore, Examiner respectfully asserts that the cited art sufficiently teaches the limitations recited in the amended claims.

Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA  35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant are advised of the obligation under 37 C.F.R. § 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. § 102(b)(2)(C) for any potential 35 U.S.C. § 102(a)(2) prior art against the later invention.

Claims 19-21, 23, 25, 27-30, 32, 34, and 36-38 are rejected under 35 U.S.C. § 103 as being unpatentable over Khazan et al. (U.S. Pat. App. Pub. No. 2005/0108562, hereinafter Khazan) in view of Sukhomlinov et al. (U.S. Pat. App. Pub. No. 2017/0091454, hereinafter Sukhomlinov).

As to independent claim 19, Khazan teaches:
A system for generating a database of tuple addresses associated with a computer program and executable files associated with the computer program, the system comprising (Title and abstract):
a learning server including a hardware processor configured to execute code to perform a method for generating the database of tuple addresses associated with the computer program and executable files associated with the computer program, the method including (Figure 3, host computer system 14a, processor 80, Figure 4a, application executable 102, libraries 114):
performing a static learning process to identify tuple FROM addresses and TO addresses associated with the execution of a sample file by the computer program, the static learning process parsing executable code associated with the execution of the sample file by the computer program to determine the computer program interactions with an operatively associated operating system (OS), the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address, the static learning process generating a complete list of tuple FROM addresses associated with the OS interactions and an incomplete list of TO addresses associated with the OS interactions, and the static learning process storing the generated complete list of tuple FROM and incomplete list of TO addresses in the database of tuple addresses associated with the computer program (Figure 4A, static analyzer 104, list of target and invocation locations 106. The target and invocation locations read on the claimed from and to addresses. Paragraph 46, jump instruction, a call instruction, or other types of instructions transferring control from the application as may be the case for various routines being monitored. Applicant’s specification describes at paragraph 33 that: "Translation engine 13 may cause processor 12 to perform a dynamic learning process in which a sample file is translated to a corresponding list of address tuples used in execution of the file. As described in detail herein, processor 12 may obtain sample files for the learning process." Paragraph 43 teaches that while a complete FROM list of address is obtained by the static analysis the TO list of addresses is incomplete, "the static analysis processing described herein identifies, within the binary code of an application, the calls that are made to a set of predetermined target functions, and information related to these calls. The calls identified do not include those whose target addresses are computed at run time"); and
… the dynamic learning process supplementing the static learning process to provide TO addresses not identified during the static learning process and complete the list of TO addresses generated and stored in the database of tuple addresses during the static learning process ( Figure 4a, libraries 114. Paragraph 85 teaches, " As part of verification processing done by the dynamic analyzer, an embodiment may use the return address to determine the location of the previous instruction and to verify that this instruction corresponds to, for example, a call or other expected instruction. It should be noted that in one possible embodiment, call locations may be defined as the locations that follow the call instructions, or as addresses of the instructions to which these calls are designed to return. The address of the location in this instance may be determined at run time by examining the return address included in the run time stack. Once determined, this location may be verified against the locations identified as part of static analysis."),
wherein, the static learning process and dynamic learning process are performed on a plurality of sample files to populate the database of tuple addresses associated with the computer program (Figure 4a, libraries 114, list of target and invocation locations 106. The target locations read on the claimed to addresses).
While Khazan does discuss a dynamic analysis (Figure 4a, dynamic analyzer 108), Khazan does not appear to expressly teach performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address.
Sukhomlinov teaches performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address (Paragraph 45, the analytical client may perform code analysis (static, dynamic, or both, as desired). Paragraph 17, the LBR stack is a processor model-specific set of specific registers, each entry of which stores a source address and a destination address of the last branch. This, the LBR stack provides a record of recent branches. Some embodiments may also record when the branch was mispredicted. Paragraph 43, store addresses of RET and JMP transitions. RET refers to a return and reads on the claimed return instruction, and JMP refers to a jump and reads on the claimed jump instruction).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan to include the malicious code analysis of Sukhomlinov in order to better protect against ROP and JOP attacks (see Sukhomlinov at paragraph 8).

As to dependent claim 20, Khazan further teaches a verification process is performed to validate tuple addresses before tuple addresses are added to the database of tuple addresses associated with the computer program (Paragraph 67, verification may be performed of the target function calls being monitored using only the invocation and target location information).

As to dependent claim 21, Khazan further teaches the method for generating the database of tuple addresses associated with the computer program is performed for a plurality of computer programs and respective executable files associated with the plurality of computer programs, and the database of tuple addresses includes a sub-database for tuple addresses for each computer program and respective executable files (Figure 4a, application executables 102, libraries 114, list of target and invocation locations 106. Paragraph 107, monitor executions of applications. Paragraph 64, an application model. The application specific model reads on the sub-database).

As to dependent claim 23, Vincent further teaches the database of tuple addresses is used to detect potentially malicious code associated with one or more email attachments (Paragraph 49, the specimen can be Web content, email attachment, or manually submitted content for malware detection).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov to include the combined static and dynamic analysis of Vincent in order to improve flexibility and efficiency in detecting malware, specifically stopping the introduction of malicious network content upon receipt or opening of email while minimizing false positives in malware detection which may needlessly slow or interfere with download of network content or receipt of email (see Vincent at paragraphs 3, 6, and 23).

As to dependent claim 25, Sukhomlinov further teaches a branch predictor and associated branch misprediction counter are used to trigger the dynamic learning process (Paragraph 21, when a mispredict event occurs (or, preferably, when a mispredict count exceeds a predetermined threshold) the reason for the misprediction may be analyzed).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan to include the malicious code analysis of Sukhomlinov in order to better protect against ROP and JOP attacks (see Sukhomlinov at paragraph 8).

As to independent claim 27, Khazan teaches:
A method for generating a database of tuple addresses associated with a computer program and executable files associated with the computer program, the method comprising (Title and abstract):
using a learning server including a hardware processor configured to execute code to perform the method for generating the database of tuple addresses associated with the computer program and executable files associated with the computer program, performing a static learning process to identify tuple FROM addresses and TO addresses associated with the execution of a sample file by the computer program, the static learning process parsing executable code associated with the execution of the sample file by the computer program to determine the computer program interactions with an operatively associated operating system (OS), the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address, the static learning process generating a complete list of tuple FROM addresses associated with the OS interactions and an incomplete list of TO addresses associated with the OS interactions, and the static learning process storing the generated complete list of tuple FROM and incomplete list of TO addresses in the database of tuple addresses associated with the computer program (Figure 3, host computer system 14a, processor 80, Figure 4a, application executable 102, libraries 114. Figure 4A, static analyzer 104, list of target and invocation locations 106. The target and invocation locations read on the claimed from and to addresses. Paragraph 46, jump instruction, a call instruction, or other types of instructions transferring control from the application as may be the case for various routines being monitored. Applicant’s specification describes at paragraph 33 that: "Translation engine 13 may cause processor 12 to perform a dynamic learning process in which a sample file is translated to a corresponding list of address tuples used in execution of the file. As described in detail herein, processor 12 may obtain sample files for the learning process." Paragraph 43 teaches that while a complete FROM list of address is obtained by the static analysis the TO list of addresses is incomplete, "the static analysis processing described herein identifies, within the binary code of an application, the calls that are made to a set of predetermined target functions, and information related to these calls. The calls identified do not include those whose target addresses are computed at run time"); and
… the dynamic learning process supplementing the static learning process to provide TO addresses not identified during the static learning process and complete the list of TO addresses generated and stored in the database of tuple addresses during the static learning process (Figure 4a, libraries 114. Paragraph 85 teaches, " As part of verification processing done by the dynamic analyzer, an embodiment may use the return address to determine the location of the previous instruction and to verify that this instruction corresponds to, for example, a call or other expected instruction. It should be noted that in one possible embodiment, call locations may be defined as the locations that follow the call instructions, or as addresses of the instructions to which these calls are designed to return. The address of the location in this instance may be determined at run time by examining the return address included in the run time stack. Once determined, this location may be verified against the locations identified as part of static analysis”),
wherein the static learning process and the dynamic learning process are performed on a plurality of sample files to populate the database of tuple addresses associated with the computer program (Figure 4a, libraries 114, list of target and invocation locations 106. The target locations read on the claimed to addresses).
While Khazan does discuss a dynamic analysis (Figure 4a, dynamic analyzer 108), Khazan does not appear to expressly teach performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address,.
Sukhomlinov teaches performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address, (Paragraph 45, the analytical client may perform code analysis (static, dynamic, or both, as desired). Paragraph 17, the LBR stack is a processor model-specific set of specific registers, each entry of which stores a source address and a destination address of the last branch. This, the LBR stack provides a record of recent branches. Some embodiments may also record when the branch was mispredicted. Paragraph 43, store addresses of RET and JMP transitions. RET refers to a return and reads on the claimed return instruction, and JMP refers to a jump and reads on the claimed jump instruction).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan to include the malicious code analysis of Sukhomlinov in order to better protect against ROP and JOP attacks (see Sukhomlinov at paragraph 8).

As to dependent claim 28, Khazan further teaches a verification process is performed to validate tuple addresses before tuple addresses are added to the database of tuple addresses associated with the computer program (Paragraph 67, verification may be performed of the target function calls being monitored using only the invocation and target location information).

As to dependent claim 30, Khazan further teaches the method for generating the database of tuple addresses associated with the computer program is performed for a plurality of computer programs and respective executable files associated with the plurality of computer programs, and the database of tuple addresses includes a sub-database for tuple addresses for each computer program and respective executable files (Figure 4a, application executables 102, libraries 114, list of target and invocation locations 106. Paragraph 107, monitor executions of applications. Paragraph 64, an application model. The application specific model reads on the sub-database).

As to dependent claim 32, Vincent further teaches the database of tuple addresses is used to detect potentially malicious code associated with one or more email attachments (Paragraph 49, the specimen can be Web content, email attachment, or manually submitted content for malware detection).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov to include the combined static and dynamic analysis of Vincent in order to improve flexibility and efficiency in detecting malware, specifically stopping the introduction of malicious network content upon receipt or opening of email while minimizing false positives in malware detection which may needlessly slow or interfere with download of network content or receipt of email (see Vincent at paragraphs 3, 6, and 23).

As to dependent claim 34, Sukhomlinov further teaches a branch predictor and associated branch misprediction counter are used to trigger the dynamic learning process (Paragraph 21, when a mispredict event occurs (or, preferably, when a mispredict count exceeds a predetermined threshold) the reason for the misprediction may be analyzed).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan to include the malicious code analysis of Sukhomlinov in order to better protect against ROP and JOP attacks (see Sukhomlinov at paragraph 8).

As to independent claim 36, Khazan teaches:
A system for detecting potential malicious content included in a candidate file executable by a computer program, the system using a database of tuple addresses associated with the computer program and sample executable files associated with the computer program, the system comprising (Title and abstract):
a file processing server including a hardware processor configured to execute code to perform a method of detecting potentially malicious content in the candidate file using the database of tuple addresses associated with the computer program and sample executable files associated with the computer program, the method including (Figure 3, host computer system 14a, processor 80. Figure 4a, application executable 102, libraries 114):
the file processing server generating a tuple address list associated with the execution of the candidate file by the computer program (Figure 4a, application executable 102, libraries 114); and
the file processing server determining the candidate file potentially includes malicious content if the candidate file generated tuple address list is inconsistent with at least some of the tuple addresses included in the database of tuple addresses associated with the computer program and sample executable files associated with the computer program (Abstract, the verification may involve comparing the invocation and target location, as well as other call-related information, available at the time of call interception to the corresponding information identified by static analysis. A failed verification determines that the application includes malicious code),
wherein the database of tuple addresses associated with the computer program and sample executable files associated with the computer program is generated by a learning server including a hardware processor configured to execute code to perform a method for generating the database of tuple addresses associated with the computer program and sample executable files associated with the computer program, the method including (Figure 3, host computer system 14a, processor 80. Figure 4a, application executable 102, libraries 114):
performing a static learning process to identify tuple FROM addresses and TO addresses associated with the execution of the computer program and a sample executable file, the static learning process parsing executable code associated with the execution of the sample file by the computer program to determine the computer program interactions with an operatively associated operating system (OS), the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address, the static learning process generating a complete list of tuple FROM addresses associated with the OS interactions and an incomplete list of TO addresses associated with the OS interactions, and the static learning process storing the generated complete list of tuple FROM and incomplete list of TO addresses in the database of tuple addresses associated with the computer program (Figure 4A, static analyzer 104, list of target and invocation locations 106. The target and invocation locations read on the claimed from and to addresses. Paragraph 46, jump instruction, a call instruction, or other types of instructions transferring control from the application as may be the case for various routines being monitored. Applicant’s specification describes at paragraph 33 that: "Translation engine 13 may cause processor 12 to perform a dynamic learning process in which a sample file is translated to a corresponding list of address tuples used in execution of the file. As described in detail herein, processor 12 may obtain sample files for the learning process." Paragraph 43 teaches that while a complete FROM list of address is obtained by the static analysis the TO list of addresses is incomplete, "the static analysis processing described herein identifies, within the binary code of an application, the calls that are made to a set of predetermined target functions, and information related to these calls. The calls identified do not include those whose target addresses are computed at run time."); and
… the dynamic learning process supplementing the static learning process to provide TO addresses not identified during the static learning process and complete the list of TO addresses generated and stored in the database of tuple addresses during the static learning process (Figure 4a, libraries 114. Paragraph 85 teaches, " As part of verification processing done by the dynamic analyzer, an embodiment may use the return address to determine the location of the previous instruction and to verify that this instruction corresponds to, for example, a call or other expected instruction. It should be noted that in one possible embodiment, call locations may be defined as the locations that follow the call instructions, or as addresses of the instructions to which these calls are designed to return. The address of the location in this instance may be determined at run time by examining the return address included in the run time stack. Once determined, this location may be verified against the locations identified as part of static analysis."),
wherein, the static learning process and the dynamic learning process are performed on a plurality of sample executable files to populate the database of tuple addresses associated with the computer program (Figure 4a, libraries 114, list of target and invocation locations 106. The target locations read on the claimed to addresses).
While Khazan does discuss a dynamic analysis (Figure 4a, dynamic analyzer 108), Khazan does not appear to expressly teach performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample executable file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address.
Sukhomlinov teaches performing a dynamic learning process to identify tuple FROM addresses and TO addresses associated with the execution of the sample executable file by the computer program, the dynamic learning process determining the computer program interactions with the operating system (OS) while executing the sample file, the OS interactions including at least one of a call instruction, jump instruction, return instruction and other instruction which directs the computer program to an associated OS destination from an associated computer program FROM address (Paragraph 45, the analytical client may perform code analysis (static, dynamic, or both, as desired). Paragraph 17, the LBR stack is a processor model-specific set of specific registers, each entry of which stores a source address and a destination address of the last branch. This, the LBR stack provides a record of recent branches. Some embodiments may also record when the branch was mispredicted. Paragraph 43, store addresses of RET and JMP transitions. RET refers to a return and reads on the claimed return instruction, and JMP refers to a jump and reads on the claimed jump instruction).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan to include the malicious code analysis of Sukhomlinov in order to better protect against ROP and JOP attacks (see Sukhomlinov at paragraph 8).

As to dependent claim 37, Khazan further teaches a verification process is performed to validate tuple addresses before tuple addresses are added to the database of tuple addresses associated with the computer program (Paragraph 67, verification may be performed of the target function calls being monitored using only the invocation and target location information).

As to dependent claim 38, Khazan further teaches the method for generating the database of tuple addresses associated with the computer program is performed for a plurality of computer programs and respective executable files associated with the plurality of computer programs, and the database of tuple addresses includes a sub-database for tuple addresses for each computer program and respective executable files (Figure 4a, application executables 102, libraries 114, list of target and invocation locations 106. Paragraph 107, monitor executions of applications. Paragraph 64, an application model. The application specific model reads on the sub-database).

Claims 22 and 31 are rejected under 35 U.S.C. § 103 as being unpatentable over Khazan in view of Sukhomlinov, Vincent, and Wang et al. (U.S. Pat. App. Pub. No. 2014/0189864, hereinafter Wang).

As to dependent claim 22, the rejection of claim 19 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach the sample files are acquired using one or more of a web crawler and a sample file database.
Wang teaches the sample files are acquired using one or more of a web crawler and a sample file database (Figure 1, receiver component 102 receives web page content extracted by static crawler).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the web pages malware identification techniques of Wang in order to identify web pages that belong to a malware distribution network (see Wang at paragraph 7).

As to dependent claim 31, the rejection of claim 27 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach the sample files are acquired using one or more of a web crawler and a sample file database.
Wang teaches the sample files are acquired using one or more of a web crawler and a sample file database (Figure 1, receiver component 102 receives web page content extracted by static crawler).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the web pages malware identification techniques of Wang in order to identify web pages that belong to a malware distribution network (see Wang at paragraph 7).

Claims 24, 26, 33, and 35 are rejected under 35 U.S.C. § 103 as being unpatentable over Khazan in view of Sukhomlinov, Vincent, and Bates et al. (U.S. Pat. App. Pub. No. 2008/0052683, hereinafter Bates).

As to dependent claim 24, the rejection of claim 19 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach a breakpoint discovery process is used for selection of sample files included in the database.
Bates teaches a breakpoint discovery process is used for selection of sample files included in the database (Paragraph 14, application of conditional breakpoints read on the claimed discover).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the break point analysis of Bates in order to identify unexpected code paths during execution (see Bates at paragraph 14).

As to dependent claim 26, the rejection of claim 19 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach the method for generating the database of tuple addresses is executed using a debugger process running parallel to an execution of the sample file by the computer program.
Bates teaches the method for generating the database of tuple addresses is executed using a debugger process running parallel to an execution of the sample file by the computer program (Paragraph 38, breakpoint handler 221 is an executable run-time routine which is invoked upon encountering a breakpoint during program execution. In the preferred embodiment, the debugger monitors program execution when running in a debug mode. The breakpoint handler part of the debugger at least reads on the claimed process running parallel to the program execution running in a debug mode).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the break point analysis of Bates in order to identify unexpected code paths during execution (see Bates at paragraph 14).

As to dependent claim 33, the rejection of claim 27 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach a breakpoint discovery process is used for selection of sample files included in the database.
Bates teaches a breakpoint discovery process is used for selection of sample files included in the database (Paragraph 14, application of conditional breakpoints read on the claimed discover).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the break point analysis of Bates in order to identify unexpected code paths during execution (see Bates at paragraph 14).

As to dependent claim 35, the rejection of claim 27 is incorporated.
Khazan as modified by Sukhomlinov and Vincent does not appear to expressly teach the method for generating the database of tuple addresses is executed using a debugger process running parallel to an execution of the sample file by the computer program.
Bates teaches the method for generating the database of tuple addresses is executed using a debugger process running parallel to an execution of the sample file by the computer program (Paragraph 38, breakpoint handler 221 is an executable run-time routine which is invoked upon encountering a breakpoint during program execution. In the preferred embodiment, the debugger monitors program execution when running in a debug mode. The breakpoint handler part of the debugger at least reads on the claimed process running parallel to the program execution running in a debug mode).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the malicious code analysis of Khazan as modified by Sukhomlinov and Vincent to include the break point analysis of Bates in order to identify unexpected code paths during execution (see Bates at paragraph 14).

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure. Applicant is required under 37 C.F.R. § 1.111(c) to consider these references fully when responding to this action.
It is noted that any citation to specific pages, columns, lines, or figures in the prior art references and any interpretation of the references should not be considered to be limiting in any way. A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art. In re Heck, 699 F.2d 1331, 1332-33, 216 U.S.P.Q. 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 U.S.P.Q. 275, 277 (C.C.P.A. 1968)).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Casey R. Garner whose telephone number is 571-272-2467. The examiner can normally be reached on Monday to Friday, 8am to 5pm, Eastern Time.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 571-270-3428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Casey R. Garner/Examiner, Art Unit 2123