DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
The claim objections have been withdrawn in view of the claim amendment. 
The 35 U.S.C. 101 rejection has been withdrawn in view of the claim amendment.
The 35 U.S.C. 112(b) rejection has been withdrawn in view of the claim amendment.

Response to Arguments
Applicant's arguments filed on 05/23/22 have been fully considered.  However, upon further consideration and search, new grounds of rejection have been made in view of newly found prior art.

Claim Objections
Claims 12 and 18 are objected to because of the following informalities:
“the plurality of objects” in line 8 of claim 12 should read “the second plurality of objects”.
“the reputations” in last line of claim 18 should read “the assigned reputations”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 6-7, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of David (US 20180316699) in view of Bu (US 20140380473) and further in view of Rebelo (US 20160085970).

Claim 1, Seifert discloses A computing apparatus, comprising: a hardware platform comprising a processor and a memory; and instructions encoded within the memory to instruct the processor to: 
receive first feature data for the malware object; (e.g. fig. 3, ¶44-45, 52-54, 58, 64:  file emulation 303 and feature selection 305)
receive second feature data for an unknown object; (e.g. fig. 3, ¶44-45, 64: file emulation 333 and select features 335)
compare the first feature data to the second feature data; based on determining that the second feature data match the first feature data above a threshold, convict the unknown object as malware; and provide a malware reputation for the unknown object. (e.g. fig. 3, ¶48, 59-60, 62-63, 64-65, 69: unknown pair construction 320, unknown pair evaluation 311 and unknown file predictions 317)
Although Seifert discloses receive first feature data for a malware object (see above), Seifert does not appear to explicitly disclose but David discloses receive a client event report, the client event report including an operating system event trace for an attempt to exploit a vulnerability, and first feature data for a malware object that made the attempt (e.g. ¶10, 36-37, 49, 55, 58, 62: obtaining, by the reporting agent, trace information for the blocked process; determining, by the reporting agent, a code portion in an operating system of the controller that served as an exploit for the blocked process; obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process; generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, and (iii) the copy of the malware; and providing, by the reporting agent, the alert to a network interface on the controller for immediate transmission to a backend computer system…Traces of blocked malware attempts can include a variety of information, such as the malware itself, the origin of the malware (e.g., IP address from which the malware originated), and information identifying the code segment that provided the malware exploit. The controller 114 report information on controller operation, as indicated by step E (124). Such reporting can be provided in real-time. For example, the controller 114 can report malware traces in response to the malware 120 is attempt being blocked...The management computer system 122 can receive reports from the controller 114 as well as from multiple other controllers and devices, and can aggregate the reports into a central database system.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by David into the invention of Seifert for the purpose of enabling client devices to provide malware reports that can be aggregated at a central database system to provide a more comprehensive collection of malware information for further use.
Although Seifert-David discloses a vulnerability (see above), Seifert-David does not appear to explicitly disclose but Bu discloses a patched vulnerability (e.g. figs. 1, 4, ¶16, 56, 58-62: This configuration may be accomplished by the software profile(s) identifying "fortified" software for execution within the VM(s). "Fortified software" includes software, such as an operating system and/or an application for example, which has been updated (e.g. fully patched, newest version, etc.) to address known exploits. These VM(s) are used to check for the presence of zero-day exploits.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bu into the invention of Seifert-David for the purpose of collecting information of malware associated with zero-day attacks.
Although Seifert-David-Bu discloses receiving second feature data for the unknown object (see above), the combination does not appear to explicitly disclose but Rebelo discloses receive, from a remote computing device, a request for a reputation for an unknown object different from the malware object, the request comprising second feature data for the unknown object (e.g. figs. 1, 5-7, ¶22, 29, 32, 62-64, 66, 72, 80-82: enterprise server 140 receives application validation requests containing CPE-like strings for executable objects from a plurality of computing devices 110) and instruct the remote computing device to mitigate the unknown object (e.g. ¶66, 73, 83: enterprise server 140 constructs reputations and sends response codes indicating the reputations and instructions to stop/block, warn, or allow for the executable objects to the plurality of computing devices 110).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Rebelo into the invention of Seifert-David-Bu for the purpose of assisting client devices in assessing potential vulnerability of executable objects and taking appropriate actions.

Claim 2, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, wherein the instructions provide a container. (Seifert, e.g. ¶44, 64)

Claim 3, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, wherein the instructions provide a virtual machine, including a virtual processor. (Seifert, e.g. ¶44, 64)

Claim 6, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, wherein the first and second feature data comprise dynamic analysis features. (Seifert, e.g. ¶44-45, 52-54, 58, 64)

Claim 7, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, wherein the instructions are further to provide an artificial intelligence engine. (Seifert, e.g. ¶63-64)

Claim 10, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, wherein the instructions are to receive the first feature data for a set of a plurality of known objects, (Seifert, e.g. fig. 3, ¶44-45, 52-54, 58, 64) and the second feature data for a set of unknown objects. (Seifert, e.g. fig. 3, ¶44-45, 64)

Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of David (US 20180316699) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Zhang (US 20210304013).

Claim 4, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, (see above) and does not appear to explicitly disclose but Zhang discloses wherein the instructions are further to determine that the second feature data do not match the first feature data above the threshold, and to mark the unknown object for additional analysis. (e.g. ¶36)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Zhang into the invention of Seifert-David-Bu-Rebelo for the purpose of further analyzing the unknown file to determine whether the unknown file is malware and adding the unknown file to the set of known malware samples (Zhang, ¶36)

Claim 5, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, (see above) and does not appear to explicitly disclose but Zhang discloses wherein the first and second feature data comprise static features. (e.g. ¶35)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Zhang into the invention of Seifert-David-Bu-Rebelo for the purpose of incorporating static features of the unknown file when classifying the unknown file thereby increasing the accuracy of the classification system.

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of David (US 20180316699) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Phillips (US 20060161984).

Claim 8, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 7, (see above) and does not appear to explicitly disclose but Phillips discloses wherein the second feature data comprise an image file derived from the unknown object. (e.g. ¶45-46)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Phillips into the invention of Seifert-David-Bu-Rebelo for the purpose of incorporating the use of pattern matching techniques on data at a binary level for virus detection (Phillips, ¶5).

Claim 9, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 1, (see above) and does not appear to explicitly disclose but Phillips discloses wherein the second feature data comprise a binary image of the unknown object. (e.g. ¶45-46)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Phillips into the invention of Seifert-David-Bu-Rebelo for the purpose of incorporating the use of pattern matching techniques on data at a binary level for virus detection (Phillips, ¶5).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of David (US 20180316699) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Perry (US 20220019665).

Claim 11, Seifert-David-Bu-Rebelo discloses The computing apparatus of claim 10, (see above) and MinHash algorithm (Seifert, e.g. ¶91) and Jaccard index (Seifert, e.g. ¶28, 124-125, 127).  Seifert-David-Bu-Rebelo does not appear to explicitly disclose but Perry discloses wherein comparing the first feature data to the second feature data comprises querying a MinHash locality sensitive hashing forest based on Jaccard-compatible features, and selecting a subset of most-similar samples by computing a total distance from non-Jaccard-compatible sub-distances. (e.g. ¶49, 52-57, 62-64)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Perry into the invention of Seifert-David-Bu-Rebelo for the purpose of determining measurements of similarity between various types of data (Perry, ¶23).

Claims 12, 15-16, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of Bu (US 20140380473) and further in view of Rebelo (US 20160085970).

Claim 12, Seifert discloses One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to: 
allocate a first data store and populate the first data store with first feature data for a first plurality of objects convicted as malware; (e.g. fig. 3, ¶44-45, 52-54, 58, 64:  file emulation 303 and feature selection 305)
allocate a second data store and populate the second data store with second feature data for a second plurality of objects with unknown reputations; and (e.g. fig. 3, ¶44-45, 64: file emulation 333 and select features 335)
assign reputations to the second plurality of objects according to their similarity to individual objects selected from the first plurality of objects. (e.g. fig. 3, ¶48, 59-60, 62-63, 64-65, 69: unknown pair construction 320, unknown pair evaluation 311 and unknown file predictions 317)
Although Seifert discloses allocate a first data store and populate the first data store with first feature data for a plurality of objects convicted as malware according to some criteria (see above), Seifert does not appear to explicitly disclose but Bu discloses according to their attempt to exploit patched security vulnerabilities (e.g. figs. 1, 4, ¶16, 56, 58-62: This configuration may be accomplished by the software profile(s) identifying "fortified" software for execution within the VM(s). "Fortified software" includes software, such as an operating system and/or an application for example, which has been updated (e.g. fully patched, newest version, etc.) to address known exploits. These VM(s) are used to check for the presence of zero-day exploits)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bu into the invention of Seifert for the purpose of collecting information of malware associated with zero-day attacks.
Seifert-Bu does not appear to explicitly disclose but Rebelo discloses wherein the plurality of objects with unknown reputations are from remote computing devices (e.g. figs. 1, 5-7, ¶22, 29, 32, 62-64, 66, 72, 80-82: enterprise server 140 receives application validation requests containing CPE-like strings for executable objects from a plurality of computing devices 110) and provide the remote computing devices with respective one or more assigned reputations for the second plurality of objects. (e.g. ¶66, 73, 83: enterprise server 140 constructs reputations and sends response codes indicating the reputations and instructions to stop/block, warn, or allow for the executable objects to the plurality of computing devices 110).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Rebelo into the invention of Seifert-Bu for the purpose of assisting client devices in assessing potential vulnerability of executable objects and taking appropriate actions.

Claim 15, Seifert-Bu-Rebelo discloses The one or more tangible, non-transitory computer-readable storage media of claim 12, wherein the first and second feature data comprise dynamic analysis features. (Seifert, e.g. ¶44-45, 52-54, 58, 64)

Claim 16, Seifert-Bu-Rebelo discloses The one or more tangible, non-transitory computer-readable storage media of claim 12, wherein the instructions are further to provide an artificial intelligence engine. (Seifert, e.g. ¶63-64)

Claim 18, Seifert discloses A computer-implemented method of analyzing a set of unknown binary objects, comprising: 
convicting a first set of objects as malware; (e.g. fig. 3, ¶64: known labeled malware files 313)
collecting first feature data for the first set of objects in a first data store; (e.g. fig. 3, ¶44-45, 52-54, 58, 64:  file emulation 303 and feature selection 305)
collecting second feature data for a second set of unknown objects; and (e.g. fig. 3, ¶44-45, 64: file emulation 333 and select features 335)
for the unknown objects, finding a most-similar object in the first set of objects, and assigning reputations to the unknown objects according to a degree of similarity to the first set of objects. (e.g. fig. 3, ¶48, 59-60, 62-63, 64-65, 69: unknown pair construction 320, unknown pair evaluation 311 and unknown file predictions 317)
Although Seifert discloses convicting a first set of objects as malware according to some criteria (see above), Seifert does not appear to explicitly disclose but Bu discloses according to their attempt to exploit patched vulnerabilities on endpoint devices (e.g. figs. 1, 4, ¶16, 56, 58-62: This configuration may be accomplished by the software profile(s) identifying "fortified" software for execution within the VM(s). "Fortified software" includes software, such as an operating system and/or an application for example, which has been updated (e.g. fully patched, newest version, etc.) to address known exploits. These VM(s) are used to check for the presence of zero-day exploits).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bu into the invention of Seifert for the purpose of collecting information of malware associated with zero-day attacks.
Although Seifert-Bu discloses collecting second feature data for a second set of unknown objects (see above), Seifert-Bu does not appear to explicitly disclose but Rebelo discloses received from a plurality of remote devices that have requested reputations for the second set of unknown objects (e.g. figs. 1, 5-7, ¶22, 29, 32, 62-64, 66, 72, 80-82: enterprise server 140 receives application validation requests containing CPE-like strings for executable objects from a plurality of computing devices 110) and providing the reputations to the remote devices. (e.g. ¶66, 73, 83: enterprise server 140 constructs reputations and sends response codes indicating the reputations and instructions to stop/block, warn, or allow for the executable objects to the plurality of computing devices 110).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Rebelo into the invention of Seifert-Bu for the purpose of assisting client devices in assessing potential vulnerability of executable objects and taking appropriate actions.

Claim 19, Seifert-Bu-Rebelo discloses The method of claim 18, further comprising receiving first feature data for a set of a plurality of known objects, (Seifert, e.g. fig. 3, ¶44-45, 52-54, 58, 64) and second feature data for a set of unknown objects. (Seifert, e.g. fig. 3, ¶44-45, 64)

Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Zhang (US 20210304013).

Claim 13, Seifert-Bu-Rebelo discloses The one or more tangible, non-transitory computer-readable storage media of claim 12, (see above) and does not appear to explicitly disclose but Zhang discloses wherein the instructions are further to determine that the second feature data do not match the first feature data above a threshold for at least some of the second plurality of objects, and to mark the at least some of the second plurality of objects with unknown reputations for additional analysis. (e.g. ¶36)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Zhang into the invention of Seifert-Bu-Rebelo for the purpose of further analyzing the unknown file to determine whether the unknown file is malware and adding the unknown file to the set of known malware samples. (Zhang, ¶36)

Claim 14, Seifert-Bu-Rebelo discloses The one or more tangible, non-transitory computer-readable storage media of claim 12, (see above) and does not appear to explicitly disclose but Zhang discloses wherein the first and second feature data comprise static features. (e.g. ¶35)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Zhang into the invention of Seifert-Bu-Rebelo for the purpose of incorporating static features of the unknown file when classifying the unknown file thereby increasing the accuracy of the classification system.

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Phillips (US 20060161984).

Claim 17, Seifert-Bu-Rebelo discloses The one or more tangible, non-transitory computer-readable storage media of claim 16, (see above) and does not explicitly disclose but Phillips discloses wherein the second feature data comprise an image file derived from the objects. (e.g. ¶45-46)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Phillips into the invention of Seifert-Bu-Rebelo for the purpose of incorporating the use of pattern matching techniques on data at a binary level for virus detection (Phillips, ¶5).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Seifert (US 20210141897) in view of Bu (US 20140380473) in view of Rebelo (US 20160085970) and further in view of Perry (US 20220019665).

Claim 20, Seifert-Bu-Rebelo discloses The method of claim 19, (see above) and MinHash algorithm (Seifert, e.g. ¶91) and Jaccard index (Seifert, e.g. ¶28, 124-125, 127).  Seifert-Bu-Rebelo does not appear to explicitly disclose but Perry discloses wherein finding a most-similar object comprises querying a MinHash locality sensitive hashing forest based on Jaccard-compatible features, and selecting a subset of most-similar samples by computing a total distance from non-Jaccard-compatible sub-distances. (e.g. ¶49, 52-57, 62-64)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Perry into the invention of Seifert-Bu-Rebelo for the purpose of determining measurements of similarity between various types of data (Perry, ¶23).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20130145472 discloses [0035] Reputation server 104 may be configured to accept requests from clients such as anti-malware module 114 for information about the malware status of a given process or file such as source file 118, process 112, or destination file 110. [0036] Reputation server 104 may be configured to mine and record information regarding processes or files from a wide variety of clients located in many different locations. Reputation server 104 may include or be communicatively coupled to a reputation database which may include information regarding processes or files, including whether the process or file is known to be malware, known to be safe, or unknown with regards to malware status. Reputation databases may index such information according to, for example, digital hash or signature. Reputation databases may include counters for determining how often a process or file has been reported. Reputation databases may be implemented in any suitable mechanism such as a file, record, database, or any combination thereof. [0041] Anti-malware module 114 may be configured to receive the malware status from reputation server 104 or web reputation server of the process, file, or website under examination. Based on its analysis or the information, anti-malware module 114 may be configured to perform any suitable action with respect to the attempted access of task scheduler 116. Anti-malware module 114 may be configured to allow the attempted access, deny the attempted access, send additional information to reputation server 104 or web reputation server 106, prompt user 111 for input, clean a process or file from electronic device 102, or take any other suitable action.

US 20150096018 discloses systems and methods allow protecting a computer system from malware, such as viruses, Trojans, and spyware. A reputation manager executes in conjunction with an anti-malware engine. The reputation manager determines a reputation of a target process executing on the computer system according to a reputation of a set of executable modules, such as shared libraries, loaded by the target process. The anti-malware engine may be configured to employ a process-specific protocol to scan the target process for malware, the protocol selected according to process reputation. Processes trusted to be non-malicious may thus be scanned using a more relaxed protocol than unknown or untrusted processes. The reputation of executable modules may be static; an indicator of module reputation may be stored and/or retrieved by a remote reputation server. Process reputation may be dynamically changeable, i.e. re-computed repeatedly by the reputation manager in response to process life-cycle and/or security events.

US 20110047620 discloses a system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets). A mobile communication device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces an assessment for the application, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The server transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats.


Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436