DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-10, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang (CN 109871685 A), and further in view of Montoro (US 2014/0101764).

Regarding claims 1, 8 and 15, Jiang teaches A system for protecting network devices from malicious rich text format (RTF) files (see Machine Translation, page 5, [0018]: “an embodiment of the present invention provides a terminal device, the device includes at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program, and when the program is executed by the processing unit , so that the processing unit executes the steps of the RTF file parsing method”. And see Machine Translation, page 12, [0039]: “The RTF file parsing method in the embodiment of the present invention can be used for virus detection and killing of terminal equipment”), comprising: memory; and a hardware processor coupled to the memory (see Machine Translation, page 33, [0099] and Fig. 7: “an embodiment of the present invention provides a terminal device, as shown in FIG. 7 , which includes at least one processor 701 and a memory 702 connected to the at least one processor”) and configured to: 
intercept an RTF file destined for a network device (see Machine Translation, page 14, [0041], [0042] and Fig. 3: “Step S301, acquiring the RTF file to be parsed. Specifically, the antivirus engine scans all files to be parsed on the terminal device, identifies the file type of the file to be parsed, and obtains the RTF file to be parsed when it is determined that the file type of the file to be parsed is an RTF file”. Also see Fig. 5, step 502 and Machine Translation, page 25, [0063]: “Step S502, identify the type of the file, when the type of the file is an RTF file, execute steps S503 to S509, otherwise execute step S513”); 
parse the RTF file to identify a plurality of objects in the RTF file (see Machine Translation, pages 26, 27, [0069]-[0074] and Fig. 5: “In step S506, characters other than valid characters in the RTF file are removed, and a target file containing only valid characters "0-9", "a-f" and "{}" is generated. Step S508, matching the preset header identifier with the characters in the target file. The preset header identifier may be a header identifier of target sub-files such as an OLE file, a zip file, and a vbe file. Step S509, when the target file contains characters matching the preset header identifier, determine the domain operator corresponding to the preset header identifier from the target file. In step S510, the characters in the domain operator corresponding to the preset header identifier are determined as the target subfile”. And see Machine Translation, page 17, [0049]: “Specifically, the domain operator is used to indicate the scope of the target subfile, the characters of the target subfile are located in a pair of domain operators, and the domain operator may be "{}"”. And see Machine Translation, pages 17, 18, [0049] and Fig. 3: “the preset header identifier is set as the header identifier of the OLE file, the header identifier of the OLE file is a hexadecimal string "d0cflle0", and all the contents of the OLE file are in a pair of domain operators, That is, the start flag of the OLE file is "{", and the end flag is "}".When the header identifier "d0cflle0" exists in the target file, query the domain operator corresponding to the header identifier "d0cflle0" in the target file. When the domain operators corresponding to "d0cflle0" are paired, the characters in the domain operators are determined as the content of the OLE file in the target file. Sub-files such as a zip file and a vbe file in the RTF file can also be determined by using the same method described above, which will not be repeated here”. The Examiner interprets sub-files such as an OLE file, a zip file, and a vbe file in the RTF file as a plurality of objects in the RTF file. The Examiner further interprets step S510 in Fig. 5, the characters in the domain operator corresponding to the preset header identifier are determined as the target subfile as parse the RTF file to identify a plurality of objects in the RTF file); 
check a first object of the plurality of objects for a first heuristic (see Machine Translation, pages 23, 24, [0058] and [0059]: “Optionally, after the antivirus engine detects the target subfile in the RTF file to be parsed, it can perform logical detection on the target subfile, and when it is determined that the target subfile satisfies the preset logic, the target subfile is determined as a normal file, otherwise, Identify the target subfile as malicious. Specifically, the corresponding logic rules are set in advance according to the attribute information of the target sub-file and stored in the database. For example, set the logic rules corresponding to the OLE file according to the attribute information of the OLE file, set the logic rules corresponding to the zip file according to the attribute information of the zip file, set the logic rules corresponding to the vbe file according to the attribute information of the vbe file, and then set the corresponding logic rules of the OLE file The logic rules, the logic rules corresponding to the zip file, and the logic rules corresponding to the vbe file are stored in the database”. The Examiner interprets “the attribute information of the target sub-file” as a first heuristic of  a first object of the plurality of objects because Merriam-Webster defines the word “heuristic” (adjective) as “involving or serving as an aid to learning, discovery, or problem-solving by experimental and especially trial-and-error methods” and the attribute information serves as an aid to learning, discovery, or problem-solving by experimental and especially trial-and-error methods. The Examiner further interprets “perform logical detection on the target subfile”, wherein “the corresponding logic rules are set in advance according to the attribute information of the target sub-file and stored in the database” as check a first object of the plurality of objects for a first heuristic); 
(see Machine Translation, pages 23, 24, [0058] and [0059]: “Optionally, after the antivirus engine detects the target subfile in the RTF file to be parsed, it can perform logical detection on the target subfile, and when it is determined that the target subfile satisfies the preset logic, the target subfile is determined as a normal file, otherwise, Identify the target subfile as malicious”); and 
based on the classification of the RTF file, take a protective action on the RTF file (see Machine Translation, page 24, [0060]: “when the target subfile is a malicious file, the user is reminded by means of a window or the like. When authorized by the user, the malicious target sub-file can be further processed to prevent the terminal device from being attacked by the malicious file and improve the security of the terminal device”).

Jiang fails to teach based upon an outcome of the checking of the first object for the first heuristic, increase a cumulative weight by a first weight value. Jiang also fails to teach that classifying the RTF file is implemented by comparing the cumulative weight against at least one threshold. 
In the same field of endeavor, Montoro teaches based upon an outcome of the checking of the first object for the first heuristic, increase a cumulative weight by a first weight value (see abstract: “An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score”. The Examiner interprets “a first characteristic of the characteristics” as the first heuristic. The Examiner further interprets “a first score” as a first weight value. The Examiner also interprets “a combined score” as a cumulative weight);
compare the cumulative weight against at least one threshold to classify  a digital object (emphasis added to show the difference between the reference and the claim)(see abstract: “indicating that the received HTTP request is malware when the combined score meets a threshold”).

Both Jiang and Montoro teach classifying a digital object based on a first heuristic of the digital object. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang by configuring the hardware processor to: based upon an outcome of the checking of the first object for the first heuristic, increase a cumulative weight by a first weight value and classify the digital object by comparing the cumulative weight against at least one threshold, as taught by Montoro. It would have been obvious because using a cumulative weight can achieve the commonly understood benefit of taking into account multiple heuristics of the object to quantitatively evaluate the probability of the object being a malware. Because the digital object taught by Jiang is a RTF file, When Jiang is modified in view of Montoro as described above, it would teach a hardware processor…configured to: based upon an outcome of the checking of the first object for the first heuristic, increase a cumulative weight by a first weight value; compare the cumulative weight against at least one threshold to classify the RTF file.

Regarding claims 2, 9 and 16, Jiang fails to teach wherein the hardware processor is further configured to: based upon the outcome of the checking of the first object for the first heuristic, check the first object for a second heuristic; and based upon an outcome of the checking of the first object for the second heuristic, increase the cumulative weight by a second weight value.
In the same field of endeavor, Montoro teaches wherein the hardware processor is further configured to: based upon the outcome of the checking of the first object for the first heuristic, check the first object for a second heuristic; and based upon an outcome of the checking of the first object for the second heuristic, increase the cumulative weight by a second weight value (see abstract: “An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score”. The Examiner interprets “a second characteristic of the characteristics” as the second heuristic. The Examiner further interprets “a second score” as a second weight value.  And see [0028] and Fig. 3: “The score generator 206 then selects a first rule from the rule database 208 (block 306). The score generator 206 processes the selected rule with the header information extracted by the header extractor 204 to obtain a score (block 308). The score generator 206 determines if there are additional rules in the rule database to be processed (block 310). When there are additional rules to be processed, the score generator 206 selects the next rule (block 312) and control returns to block 308 to process the next rule”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of  Montoro by configuring the hardware processor to: based upon the outcome of the checking of the first object for the first heuristic, check the first object for a second heuristic; and based upon an outcome of the checking of the first object for the second heuristic, increase the cumulative weight by a second weight value, as taught by Montoro. It would have been obvious because doing so achieves the commonly understood benefit of taking into account the second heuristic of the object to quantitatively evaluate the probability of the object being a malware.

Regarding claims 3, 10 and 17, Jiang fails to teach wherein the protective action includes quarantining the RTF file.
In the same field of endeavor, Montoro teaches wherein the protective action includes quarantining the  digital object (emphasis added to show the difference between the reference and the claim) (see [0031] and Fig. 3: “For example, the risk detector 212 may report the determination of malware risk to the action controller 214, which may perform an action based on the determination. For example, when the risk detector 212 determines that the communication packet is a risk of malware, the action controller 214 may prevent the packet from being transmitted to the server 106”).
Both Jiang and Montoro teach classifying a digital object as being a malware or not. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang by letting the protective action include quarantining the digital object as taught by Montoro. It would have been obvious because doing so achieves the commonly understood benefit of preventing an attack by the malicious digital object. Because the digital object taught by Jiang is a RTF file, When Jiang is modified in view of Montoro as described above, it would teach wherein the protective action includes quarantining the RTF file.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang (CN 109871685 A), further in view of Montoro (US 2014/0101764), and further in view of Cao (CN 112182569 A).

Regarding claims 4, 11 and 18, Jiang modified in view of Montoro fails to teach wherein the hardware processor is further configured to: identify a non-object-linking-and-embedding control word in the RTF file; and check a data stream associated with the non-object-linking-and-embedding control word for at least one of: static shell code; dynamic shellcode; an embedded file; a Flash file; encryption; a sledge, and return-oriented-programming code.
In the same field of endeavor, Cao teaches wherein the hardware processor is further configured to: identify a non-object-linking-and-embedding control word (see Machine Translation, page 20, [0072]: “The solution of this application can be applied to all Office file types and all OLE object types contained in them, or other non-OLE object types supported by Office”) in the RTF file (see Machine Translation, page 24, [0086]: “The type of the file to be identified determined in step 201 may be an RTF (Rich Text Format, rich text format) type”); and 
check a data stream associated with the non-object-linking-and-embedding control word for at least one of: static shell code; dynamic shellcode (see Machine Translation, pages 22 and 23, [0081] and [0082]: “S209: When the character string includes a preset suspicious character string, determine that the to-be identified file is a suspicious file. The preset suspicious strings include but are not limited to: instruction codes executed based on software vulnerabilities, preset suspicious command feature information, IP address information, and domain name information. Among them, the instruction code executed based on the software vulnerability can be shellcode code, the shellcode is a piece of code to be executed by exploiting the software vulnerability, and the shellcode is a hexadecimal machine code, which is named because it often allows attackers to obtain a shell. Written in machine language”); an embedded file; a Flash file; encryption; a sledge, and return-oriented-programming code.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of Montoro by configuring the hardware processor to: identify a non-object-linking-and-embedding control word in the RTF file; and check a data stream associated with the non-object-linking-and-embedding control word for at least one of: static shell code; dynamic shellcode; an embedded file; a Flash file; encryption; a sledge, and return-oriented-programming code, as taught by Cao. It would have been obvious because Cao provides the following motivation: “the shellcode is a piece of code to be executed by exploiting the software vulnerability” (see Machine Translation, page 23, [0082]).

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang (CN 109871685 A), further in view of Montoro (US 2014/0101764), further in view of non-patent literature entitled “How to detect overlay data in RTF files?” (hereafter “Overlay”), and further in view of Friedlander (US 2016/0352762).

Regarding claims 5, 12 and 19, Jiang modified in view of Montoro fails to teach wherein the hardware processor is further configured to: identify overlay data in the RTF file.
In the same field of endeavor, Overlay teaches wherein the hardware processor is further configured to: identify overlay data in the RTF file (see the question dated September 25, 2017: “How to detect overlay data in RTF files? When officemalscanner says it detected overlay data, what does that mean ? Is overlay data specific to malicious files?” And see the answer dated September 25, 2017: “For example, RTF usually begins with {\rtf1, contains many embedded commands (some using nested {} for parameters) and ends with a matching }. If there is extra data after the final } , it's not part of the document but could be part of the payload used by the exploit inside the main body. It is of course not a 100% indicator of a malicious file but just one of the possible hints that it should be checked more thoroughly”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of Montoro by configuring the hardware processor to: identify overlay data in the RTF file as taught by Overlay. It would have been obvious because Overlay provides the following motivation: “If there is extra data after the final } [overlay data], it's not part of the document but could be part of the payload used by the exploit inside the main body. It is of course not a 100% indicator of a malicious file but just one of the possible hints that it should be checked more thoroughly”.

Jiang modified in view of Montoro and Overlay fails to teach that the hardware processor is configured to: determine a length of the overlay data; and increase the cumulative weight if the length of the overlay data is greater than a threshold.
In the same field of endeavor, Friedlander teaches that the hardware processor is configured to: determine a length of the  and increase the cumulative weight if the length of the (see [0060]: “ a computer may receive a string of data that is addressed to an application that is running on the computer. However, this application processes strings of data that are only of a particular length. If the received string of data is longer than this particular length, then there is a possibility/likelihood that the extra data in the string is actually malware. Thus, receipt of this string of data that is too long for the application is an anomaly for this computer/application”. The Examiner interprets “a particular length” as a threshold. The Examiner further interprets “If the received string of data is longer than this particular length, then there is a possibility/likelihood that the extra data in the string is actually malware” as increase the cumulative weight if the length of the data is greater than a threshold).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of Montoro and Overlay by configuring the hardware processor to: determine a length of the data; and increase the cumulative weight if the length of the data is greater than a threshold; as taught by Friedlander. It would have been obvious because Friedlander provides the following motivation: “If the received string of data is longer than this particular length, then there is a possibility/likelihood that the extra data in the string is actually malware”. Because the data taught by Jiang modified in view of Montoro and Overlay is overlay data, Jiang modified in view of Montoro, Overlay and Friedlander as described above would teach wherein the hardware processor is further configured to: … determine a length of the overlay data; and increase the cumulative weight if the length of the overlay data is greater than a threshold.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang (CN 109871685 A), further in view of Montoro (US 2014/0101764), and further in view of Douglas (US 10,009,370).

Regarding claims 6, 13 and 20, Jiang modified in view of Montoro fails to teach wherein the hardware processor is further configured to: identify a MicrosoftTM Office Open XML (MS-OOXML) file in the RTF file; and increase the cumulative weight based on the contents of the MS-OOXML file.
In the same field of endeavor, Douglas teaches wherein the hardware processor is further configured to: identify a MicrosoftTM Office Open XML (MS-OOXML) file in the RTF file; and increase the cumulative weight based on the contents of the MS-OOXML file (see col. 7, lines 5-15 and Fig. 2: “the malware dropper detection module 120 utilizes layered components for detecting malware droppers. The decoding engine 202 obtains the potentially malicious file, and decodes the file to identify code streams embedded in the potentially malicious file 210. The potentially malicious file 210 may be, for example, an Object Linking and Embedding Structure Storage (OLESS) document or an Office Open Extensible Markup Language (OOXML) document containing one or more Visual Basic for Application (VBA) scripting streams”. The Examiner interprets “detecting malware droppers”, wherein the potentially malicious file 210 may be an Office Open Extensible Markup Language (OOXML) document, as increase the cumulative weight based on the contents of the MS-OOXML file).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of Montoro by configuring the hardware processor to: identify a MicrosoftTM Office Open XML (MS-OOXML) file in the RTF file; and increase the cumulative weight based on the contents of the MS-OOXML file, as taught by Douglas. It would have been obvious because Douglas provides the following motivation: “[t]he potentially malicious file 210 may be …an Office Open Extensible Markup Language (OOXML) document”.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang (CN 109871685 A), further in view of Montoro (US 2014/0101764), and further in view of Kryukov (RU 2628922 C1).

Regarding claims 7 and 14, Jiang modified in view of Montoro fails to teach wherein the hardware processor is further configured to: identify a MicrosoftTM Compound File Binary (MS-CFB) file in the RTF file; and increase the cumulative weight based on the contents of the MS-CFB file.
In the same field of endeavor, Kryukov teaches wherein the hardware processor is further configured to: identify a MicrosoftTM Compound File Binary (MS-CFB) file in the RTF file (see Machine Translation, pages 2 and 3, [0010] and [0011]: “The technical result of the present invention consists in the detection of similar compound files, which is achieved by recognizing compound files as similar if the calculated hashes of the compound files match…. In a particular case of implementing the method, the compound file is a Microsoft Compound File Binary File Format file”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Jiang modified in view of Montoro by configuring the hardware processor to: identify a MicrosoftTM Compound File Binary (MS-CFB) file in the RTF file as taught by Kryukov; and increase the cumulative weight, which indicates the probability of the RTF file being a malware, based on the contents of the MS-CFB file taught by Kryukov. It would have been obvious because Kryukov provides the following motivation: “It is worth noting that such polymorphic malicious files can be not only PE (Portable Executable) files, but also any other files whose format allows you to embed malicious code into the file that will be executed in one way or another, for example, Portable Document Format files, Microsoft Compound File Binary (OLE2 files) or one of the Office Open XML formats (DOCX, PPTX, etc.)” (see Machine Translation, pages 1 and 2, [0005]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495