DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to applicant’s filing on 10/05/2020.
Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on January 25, 2022. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because it has more than 150 words. Correction is required. See MPEP § 608.01(b).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 7, and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 2 recites the limitation “the local computing device” in line 2. There is insufficient antecedent basis for this limitation in the claim, since it is unclear which computing device the term is referring to. For examination purposes the limitation “the local computing device” will be treated as “a computing device”. 

Claim 7 recites the limitation “the executable” in line 2. There is insufficient antecedent basis for this limitation in the claim, since it is unclear which executable the term is referring to. For examination purposes the limitation “the executable” will be treated as “malicious executable”. The examiner suggests clarifying which executable “the executable” refers to in order to rectify the issue.

The recitation in claim 7 of the limitation “a network signature” renders the claim indefinite because it is unclear whether “a network signature” as recited in the preamble is the same as “a network signature” recited in line 10. The applicant is required to distinguish between the two.
Claims 8-15, which are dependent on claim 7, are similarly rejected.

Claim 16 recites the limitation “the model” in line 2. There is insufficient antecedent basis for this limitation in the claim, since it is unclear which model the term is referring to. For examination purposes the applicant is required to clarify the cited limitation.
Claims 17-20, which are dependent on claim 16, are similarly rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (US 2016/0381042 A1) in view of Gassoway (US 2005/0262560 A1).

In regards to claim 1, Zhang discloses a system, comprising:
 at least one processor (Zhang, Para. 0074); and 
at least one computer readable storage medium that stores program code that includes (Zhang, Para. 0074): 
a suspicious process detector (SPD) configured to (Zhang, Para. 0063, FIG.3): 
wherein a suspicious executable is potentially malicious (Zhang, Para. 0047, the AV engine can flag the executable as malware when the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns); and 
wherein a network signature is a plurality of network events generated by a process (Zhang, Para. 0009, signature generation approaches are resulting in larger and larger AV pattern databases and create generic signatures that result in false positives, which require time to process and fix).  
Zhang fails to disclose receive at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes; and 
generate an indication of whether the first executable is suspicious or malicious based on the first network signature; 
However, Gassoway teaches receive at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes (Gassoway, Paras. 0031, and 0051, the signature generator 505 may generate a signature that can be used to detect the packets created as a result of the malicious program and sends the signature to all Agents; the agent address database 501 may be preprogrammed to include the addresses of all agents 116-118, 220-222 that are to receive signatures); and 
generate an indication of whether the first executable is suspicious or malicious based on the first network signature (Gassoway, Para. 0051, the signature generator 505 may generate a signature that can be used to detect the packets created as a result of the malicious program and sends the signature to all Agents 116-118, 220-222 using the addresses listed in the Agent address database 501); 
Zhang and Gassoway are both considered to be analogous to the claim invention because they are in the same field of detecting a malicious activity in the network based on their network signatures.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Gassoway to include receive at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes (Gassoway, Paras. 0031 and 0051); and generate an indication of whether the first executable is suspicious or malicious based on the first network signature (Gassoway, Para. 0051). Doing so would aid antivirus programs to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined, or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection (Gassoway, Para. 0008).

In regards to claim 2, the combination of Zhang and Gassoway teaches the system of claim 1, wherein the SPD is configured to operate on a computing device to detect suspicious or malicious executables on the local computing device (Gassoway, Para. 0039, Agents 220-222 may be computer programs executed on a network device, and Para. 0051, the packet database 502 allows the worm detection intelligence 503 to examine multiple packets at the same time to determine the presence of a malicious program). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gassoway to incorporate the teachings of Zhang to include wherein the SPD is configured to operate on a computing device to detect suspicious or malicious executables on the local computing device (Gassoway, Para. 0039). Doing so would aid antivirus programs to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined, or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection (Gassoway, Para. 0008).

In regards to claim 3, the combination of Zhang and Gassoway teaches the system of claim 1, wherein the SPD is configured to operate on a server, as a service to a plurality of computing devices, to detect suspicious or malicious executables on the plurality of computing devices (Gassoway, Para. 0052, packets sent to the Master 120, 223 may be broken into units of data smaller than one packet (a sub-packet). These sub-packets may then be individually stored in the packet database 502. The worm detection intelligence 503 would then examine the sub-packets for signs of an infection from a malicious program). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gassoway to incorporate the teachings of Zhang to include wherein the SPD is configured to operate on a server, as a service to a plurality of computing devices, to detect suspicious or malicious executables on the plurality of computing devices (Gassoway, Para. 0052). Doing so would aid antivirus programs to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined, or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection (Gassoway, Para. 0008).

In regards to claim 4, the combination of Zhang and Gassoway teaches the system of claim 1, wherein the SPD is configured to receive a first network traffic log comprising a plurality of network events generated by a plurality of executables executing as the plurality of processes in the first computing environment on a first computing device, wherein each network event is associated with a process in the plurality of processes (Zhang, Para. 0063, an AV engine can be configured to receive a target file/sample 302, which may also be referred to as executable 302 hereinafter, wherein target file/executable 302 can be a file that is communicated over a network).

In regards to claim 5, the combination of Zhang and Gassoway teaches the system of claim 4, wherein, to generate the indication of whether the first executable is suspicious or malicious, the SPD is configured to: 
apply the first network traffic log as input to a model trained on network signatures generated by a plurality of executables executing as processes in a plurality of computing environments on a plurality of computing devices (Zhang, Para. 0047, extract a set of target patterns represented within the executable, and then apply a detection model, based on the second revised set of suspicious patterns, against the set of target patterns); and generate, by the model, the indication of whether the plurality of network events in the network traffic log indicate the first executable is suspicious or malicious (Zhang, Para. 0047, the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns).  

In regards to claim 6, the combination of Zhang and Gassoway teaches the system of claim 1, wherein the model is trained to detect suspicious or malicious executables based on a plurality of ordered and unordered network events (Zhang, Fig. 4 and Para. 0067, during the training mode, multiple malware/suspicious patterns such as 404-1, 404-2, . . . 404-N, which may be collectively referred to as suspicious patterns 404 hereinafter, can be generated/created by an AV engine based on a malware file set 402 that contains therein a first set of samples of executables that are known to be or contain malware).  

In regards to claim 7, Zhang discloses a method of detecting a suspicious or malicious executable based on a network signature generated by the executable during processing, the method comprising: 
wherein a suspicious executable is potentially malicious (Zhang, Para. 0047, the AV engine can flag the executable as malware when the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns); and 
wherein a network signature is a plurality of network events generated by a process (Zhang, Para. 0009, signature generation approaches are resulting in larger and larger AV pattern databases and create generic signatures that result in false positives, which require time to process and fix).  
Zhang fails to disclose receiving at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes; and
 generating an indication indicating whether the first executable is suspicious or malicious based on the first network signature;  
However, Gassoway teaches receiving at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes (Gassoway, Paras. 0031, and 0051, the signature generator 505 may generate a signature that can be used to detect the packets created as a result of the malicious program and sends the signature to all Agents; the agent address database 501 may be preprogrammed to include the addresses of all agents 116-118, 220-222 that are to receive signatures); and
 generating an indication indicating whether the first executable is suspicious or malicious based on the first network signature (Gassoway, Para. 0051, the signature generator 505 may generate a signature that can be used to detect the packets created as a result of the malicious program and sends the signature to all Agents 116-118, 220-222 using the addresses listed in the Agent address database 501); 
Zhang and Gassoway are both considered to be analogous to the claim invention because they are in the same field of detecting a malicious activity in the network based on their network signatures.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Gassoway to include receiving at least a first network signature generated by executing a first executable as a first process in a first computing environment running a plurality of processes (Gassoway, Para. 0031); and
generating an indication indicating whether the first executable is suspicious or malicious based on the first network signature (Gassoway, Para. 0051). Doing so would aid antivirus programs to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined, or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection (Gassoway, Para. 0008).

In regards to claim 8, the combination of Zhang and Gassoway teaches the method of claim 7, further comprising: receiving at least a second network signature generated by executing a second executable as a process in a second computing environment running a plurality of processes (Zhang, Para. 0046, detection module/engine 106 can use signatures generated by the detection knowledge configuration module 114 of learning module 104 to classify incoming/target samples into clean samples or malware samples so as to allow/block the transmission/processing of such samples); and generating an indication indicating whether the second executable is suspicious or malicious based on the second network signature (Zhang, Para. 0050, detection module 16 can be configured to match a signature from the target sample/pattern with the global clean signatures and/or global malware signature, based on which, detection module 106 can flag/determine whether the file at issue contains malware or is clean).

In regards to claim 9, the combination of Zhang and Gassoway teaches the method of claim 7, wherein receiving at least a first network signature comprises: receiving from a first computing device a first network traffic log comprising the first network signature (Zhang, Para. 0053, when learning module 104 is implemented within a first computing device, and detection module 106 is implemented within a second computing device, signatures that are part of the clean samples and signatures that are part of the malware samples can be shared among the first and second computing devices).

In regards to claim 10, the combination of Zhang and Gassoway teaches the method of claim 9, wherein the first network traffic log comprises a plurality of network events generated by a plurality of executables executing as the plurality of processes in the first computing environment on the first computing device, wherein each network event is associated with a process in the plurality of processes (Zhang, Para. 0063, an AV engine can be configured to receive a target file/sample 302, which may also be referred to as executable 302 hereinafter, wherein target file/executable 302 can be a file that is communicated over a network).

In regards to claim 11, the combination of Zhang and Gassoway teaches the method of claim 10, wherein receiving at least a first network signature comprises: receiving from a second computing device a second network traffic log comprising a second plurality of network events generated by a plurality of executables executing as a second plurality of processes in a second computing environment on the second computing device, wherein each network event is associated with a process in the second plurality of processes (Zhang, Para. 0049, detection module 106 can receive one or more target files/samples, also referred as executables, wherein the target files/executables can be files being communicated over a network or a file stored within a file system of a computer system. Detection module 106 can process the received files or executables and extract a set of target patterns within the executables).  

In regards to claim 12, the combination of Zhang and Gassoway teaches the method of claim 9, wherein generating an indication indicating whether the first executable is suspicious or malicious based on the first network signature comprises: applying the first network traffic log as input to a model trained on network signatures generated by a plurality of executables executing as processes on a plurality of computing devices (Zhang, Para. 0047, extract a set of target patterns represented within the executable, and then apply a detection model, based on the second revised set of suspicious patterns, against the set of target patterns); and generating, by the model, the indication indicating whether the plurality of network events in the network traffic log indicate the first executable is suspicious or malicious (Zhang, Para. 0047, the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns).  

In regards to claim 13, the combination of Zhang and Gassoway teaches the method of claim 12, wherein the model is trained to detect suspicious or malicious executables based on a plurality of ordered and unordered network events (Zhang, Fig. 4 and Para. 0067, during the training mode, multiple malware/suspicious patterns such as 404-1, 404-2, . . . 404-N, which may be collectively referred to as suspicious patterns 404 hereinafter, can be generated/created by an AV engine based on a malware file set 402 that contains therein a first set of samples of executables that are known to be or contain malware).  

In regards to claim 14, the combination of Zhang and Gassoway teaches the method of claim 7, further comprising: based on a determination that the first executable is suspicious or malicious, running the first executable alone in an isolated environment for additional analysis (Zhang, Para. 0070, if the declared malware is found to be a correct malware/malicious sample 508, the target sample (patterns thereof) can be stored in a suspicious pattern database 510 and reported as virus).  

In regards to claim 15, the combination of Zhang and Gassoway teaches the method of claim 7, further comprising: based on a determination that the first executable is suspicious or malicious, determining a context of execution of the first executable; and determining whether to terminate execution of the first executable based on the context of execution of the first executable (Zhang, Para. 0071, suspicious patterns having a second false positive rate lower than the first false positive rate by applying a statistical filter to the first revised set of suspicious patterns and by removing any suspicious patterns from the first revised set of suspicious patterns that do not meet a predefined frequency of occurrence).  

In regards to claim 16, Zhang discloses a method comprising: 
and training the model with the first and second pluralities of network signatures to indicate suspicious or malicious executables based on application of the trained model to a network signature generated by running the executable as a process (Zhang, Fig. 6, Paras. 0069-0072, as part of the training model, the method can include creating a first revised set of suspicious patterns having a first false positive rate lower than that of the original set of suspicious patterns by removing, by the AV engine, any of the set of clean patterns from the set of suspicious patterns);
wherein at least one of the first and second network signatures is labeled as suspicious or malicious (Zhang, Para. 0046, the signature is indicative of high frequency suspicious detection patterns) and 
at least one of the first and second network signatures is labeled as not suspicious or not malicious (Zhang, Para. 0065, detection module 308 can be configured to match the signature of target sample 306 with the global clean signatures and/or global malware signature); 
wherein a suspicious executable is potentially malicious (Zhang, Para. 0047, the AV engine can flag the executable as malware when the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns); and wherein a network signature is a plurality of network events generated by a process (Zhang, Para. 0009, signature generation approaches are resulting in larger and larger AV pattern databases and create generic signatures that result in false positives, which require time to process).  
Zhang fails to disclose receiving a first plurality of network signatures generated by a plurality of processes running in a first computing environment in a first computing device; 
receiving a second plurality of network signatures generated by a plurality of processes running in a second computing environment in a second computing device;
However, Gassoway teaches receiving a first plurality of network signatures generated by a plurality of processes running in a first computing environment in a first computing device (Gassoway, Figs. 2 and 5, Para. 0051, the agent address database 501 may be preprogrammed to include the addresses of all agents 116-118, 220-222 that are to receive signatures); 
receiving a second plurality of network signatures generated by a plurality of processes running in a second computing environment in a second computing device (Gassoway, Figs. 2 and 5, Para. 0051, the agent address database 501 may be preprogrammed to include the addresses of all agents 116-118, 220-222 that are to receive signatures);
Zhang and Gassoway are both considered to be analogous to the claim invention because they are in the same field of detecting a malicious activity in the network based on their network signatures.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Gassoway to include receiving a first plurality of network signatures generated by a plurality of processes running in a first computing environment in a first computing device (Gassoway, Figs. 2 and 5, Para. 0051);
receiving a second plurality of network signatures generated by a plurality of processes running in a second computing environment in a second computing device (Gassoway, Figs. 2 and 5, Para. 0051).
Doing so would aid antivirus programs to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined, or the infected file may be deleted from the computer system. Intrusion detection systems and intrusion protection systems (IDSs) are systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection (Gassoway, Para. 0008).

In regards to claim 17, the combination of Zhang and Gassoway teaches the method of claim 16, further comprising: receiving a plurality of network signatures from a plurality of computing devices; applying the trained model to each of the plurality of network signatures; and providing an indication, to a computing device among the plurality of computing devices, indicating whether a network signature provided by the computing device indicates an executable on the computing device is suspicious or malicious (Zhang, Para. 0047, then apply a detection model, based on the second revised set of suspicious patterns, against the set of target patterns. Based on such application of the detection model, the AV engine can flag the executable as malware when the detection model indicates that a target pattern within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns).  

In regards to claim 18, the combination of Zhang and Gassoway teaches the method of claim 16, further comprising: providing the trained model to a plurality of computing devices to run locally to detect suspicious or malicious processes (Zhang, Para. 0070, the AV engine has been trained with a known set of clean and suspicious patterns to generate a detection model, it can receive an executable/target sample file 502 and then configure the detection model to extracting a set of target patterns represented within the executable).  

In regards to claim 19, the combination of Zhang and Gassoway teaches the method of claim 16, further comprising: providing an agent to each of a plurality of computing devices to provide a plurality of network signatures for at least one of training the model and using the trained model to detect suspicious or malicious executables (Zhang, Para. 0069, the AV engine can learn from the clean pattern database 406-2 and from the suspicious pattern database 406-1 (that stores the final set of suspicious patterns) to generate detection model 416 that is indicative of a signature that is configured to process incoming samples and detect whether the incoming samples are malware).  

In regards to claim 20, the combination of Zhang and Gassoway teaches the method of claim 16, wherein the model is a machine learning model (Zhang, Para. 0068, machine learning module 412 can be configured to process suspicious patterns 406).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
SIRIANNI et al. (US 2020/0374298 A1) teaches a method and system comprising an analytic server, which detects and defends against malware in-flight regardless of the specific nature and methodology of the underlying attack.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496