DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action responds to the amendment dated 06/30/2022.
Claims 1, 8, 11, 13-16 and 18-20 have been amended; all other claims are as previously presented.
Claims 1-20 are pending and under examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
This application, filed on September 30, 2019, does not claim priority to any earlier application.
Response to Arguments
Applicant’s amendment, filed on June 30, 2022, amends claims 1, 8, 11, 13-16 and 18-20; all other claims are as previously presented. Among the amended claims, claims 1, 13 and 19 are independent, and the amendment therefore necessitates a new ground of rejection.
The prior objection to claims 1, 8, 11, 13 and 19 has been withdrawn in view of the amendment received on 06/30/2022.
Applicant’s remark, filed on June 30, 2022, in the middle of page 7, that "identify a scripted process for security analysis, wherein the scripted process comprises a command-line invocation of a process with parameters, Upon review, the cited references, taken alone or together, do not appear to disclose this limitation” has been considered and found persuasive. However, the amendment necessitates a new ground of rejection. A newly cited reference, Alexander Ledenev (US PGPUB. # US 2015/0101052), discloses a number of functions called during execution of an application. In Ledenev's example, the functions are called by scripts, such as JavaScript or VBScript, whose parameters can contain malicious content. To check the scripts, the exemplary functions foo2 (param1, param2, param3, . . . paramn) and foo3 (param1, param2, param3, . . . paramn) need to be intercepted. The number of function parameters can change depending on the situation in which the function is called (i.e., the function foo2 can be called with one, two, three or more parameters), and the parameters are variables of any type (integer, floating point, string, Boolean, etc.). Unlike languages with strictly defined parameter numbers and types, script languages often allow dynamic definition of parameter types and number of parameters based on the context of the calling code; thus, in a script language, the same parameter can be an integer, a string, an array, and so on (Fig. 2A, ¶34). Ledenev further discloses that, in step 410, the initial function of the application 200 is captured by the capturer 210, and in step 420 the parameters used to call the function are checked for malicious code by the analyzer 220; the malicious code can be spread within the parameters transferred by GET and POST requests (Fig. 4, ¶42). Examiner submits that Ledenev teaches a script language having command lines with functions, and that the functions are called using parameters.
Thus Ledenev teaches the limitation, “identify a scripted process for security analysis, wherein the scripted process comprises a command-line invocation of a process with parameters”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 9, 12-14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Zheng et al. (US PGPUB. # US 2020/0004963, hereinafter “Zheng”), in view of Fang et al. (US PAT. # US 10,956,477, hereinafter “Fang”), and further in view of Alexander Ledenev (US PGPUB. # US 2015/0101052, hereinafter “Ledenev”).

Regarding Claim 1, Zheng teaches,
A computing apparatus, comprising: 
a processor and memory; (Fig. 2A (202, 204)) and 
instructions encoded within the memory to instruct the processor to: (¶22)
identify a scripted process for security analysis, (Fig. 3, ¶69, “coordinator 304 fetches a sample from queue 302 for processing (e.g., fetches a copy of malware 158). In particular, coordinator 304 first provides the sample to static analysis engine 306 for static analysis”, ¶71-¶72, Fig. 4(402), “when static analysis is performed on a sample. As one example, static analysis is performed on “game.apk” by a static analysis engine 306 at 402”, i.e., the game.apk application (scripted process) is identified for security analysis), [wherein the scripted process comprises a command-line invocation of a process with parameters];
hook application programming interface (API) calls of the scripted process to determine a plurality of pre-execution parameters and runtime parameters; (¶75, “a call graph can be constructed and examined with respect to sensitive code segments. In particular, a determination can be made about how sensitive code segments can potentially be called (if at all) by an executing application”, ¶99, ¶102, “The environment used by dynamic analysis engine 310 is instrumented/hooked such that behaviors observed while the application is executing are logged as they occur (e.g., using a customized kernel that supports hooking and logcat). Network traffic associated with the emulator is also captured (e.g., using pcap).”, ¶107-¶108, ¶110-¶127, Fig. 4(404, 406), ¶129, Fig. 8A, Fig. 8B, ¶143-¶144, “Examples of framework APIs that can be hooked include: file input/output operations, network connections, process creations, shell command executions, GSM/SMS messaging, cryptography operations, database operations, interprocess communications, dynamic payload loading, etc. For such APIs, hooking can be performed by recording the invoked method and passed in arguments in the body of the target method directly.”, ¶146, i.e., pre-execution parameters are determined by static analysis of the call graph, and runtime parameters are determined by hooking the framework APIs and recording the invoked method and its passed-in arguments).
Zheng does not teach explicitly,
[identify a scripted process for security analysis], wherein the scripted process comprises a command-line invocation of a process with parameters;
assign individual scores to the pre-execution parameters and runtime parameters; 
compute a sum of the individual scores; compare the sum to a threshold; and 
based on determining that the sum is above threshold detect malicious or suspicious activity.
However, Fang teaches,
assign individual scores to the pre-execution parameters and runtime parameters; (CL(9), LN(19-31), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e., a prediction score (score) is assigned to each token).
compute a sum of the individual scores; (CL(4), LN(6-8), “The prediction score may be weighted and produced as an aggregate of scoring of the model-adapted tokens in determining a verdict for the script”, CL(14), LN(1-6), “a prediction score for the script is generated. The prediction score may be based, at least in part, on a collection of scores associated with a set of model-adapted tokens generated from the normalized script text 355 (e.g., based on the plurality of analytic tokens)”, CL(14), LN(59-63), “a selected prediction score(s) produced by the classifier 373 (e.g., an aggregate of the prediction scores or a final prediction score) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds to determine a malicious classification”, i.e., the final prediction score is calculated as an aggregate of the individual prediction scores).
compare the sum to a threshold; (CL(14), LN(35-40), “A selected combination of some or all of these weighted, prediction scores (e.g., an aggregate of the prediction scores) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds”, Fig. 4A(440), CL(15), LN(63-66), “The classification of the script may be determined based, at least in part, on the prediction score that represents the level of maliciousness of the script (item 440).”, i.e., the prediction score is compared to a threshold) and 
based on determining that the sum is above threshold detect malicious or suspicious activity. (CL(4), LN(8-10), “if the prediction score exceeds a first specified score threshold, the enhanced malware detection system may classify the script as malicious”, CL(14), LN(38-40), “The likelihood of maliciousness is compared to one or more specified thresholds (e.g., a first threshold for malicious classification”, Fig. 4A (450), CL(15), LN(67), CL(16), LN(1-3), “the script may be determined as malicious based on the correlation between the prediction score (with any weighting applied) to a first threshold for malicious classification”, i.e., malicious activity is detected when the score exceeds the threshold).
Under KSR v. Teleflex, combining prior art elements according to known methods to yield predictable results may be used to establish a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fang with the invention of Zheng.
Zheng teaches identifying a script for security analysis by collecting various parameters through static and dynamic analysis. Fang teaches assigning prediction scores to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious.
Therefore, it would have been obvious to apply Fang's assignment of prediction scores to various parameters and comparison of an aggregate score with a threshold to Zheng's identification of a script for security analysis by collecting various parameters through static and dynamic analysis, in order to improve techniques for identifying and mitigating malware, including malware that targets mobile devices. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Combination of Zheng and Fang does not teach explicitly,
[identify a scripted process for security analysis], wherein the scripted process comprises a command-line invocation of a process with parameters;
However, Ledenev teaches,
[identify a scripted process for security analysis], wherein the scripted process comprises a command-line invocation of a process with parameters; (Fig. 2A, ¶34, “the functions are called by the scripts, such as JavaScript or VBScript, which parameters can contain malicious content”, Fig. 4, ¶42, “the parameters used to call the function are checked for malicious code by the analyzer 220. The malicious code can be spread within the parameters transferred by GET and POST requests”, i.e., the scripted process comprises a command-line invocation of a process with parameters).
Under KSR v. Teleflex, combining prior art elements according to known methods to yield predictable results may be used to establish a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ledenev with the invention of Zheng in view of Fang.
Zheng in view of Fang teaches identifying a script for security analysis by collecting various parameters through static and dynamic analysis, assigning prediction scores to the parameters, and comparing an aggregate score with a threshold to determine whether the script is malicious. Ledenev teaches intercepting a function, together with its parameters, of a command-line script for malware analysis.
Therefore, it would have been obvious to incorporate Ledenev's interception of a function and its parameters of a command-line script for malware analysis into the teachings of Zheng in view of Fang, in order to re-call the captured application function while maintaining the function parameter stack. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 13, Zheng teaches,
 One or more tangible, non-transitory computer-readable media having stored thereon executable instructions to instruct a processor to: 
determine that a script is to be subjected to an analysis pipeline, (Fig. 3, ¶69, “coordinator 304 fetches a sample from queue 302 for processing (e.g., fetches a copy of malware 158). In particular, coordinator 304 first provides the sample to static analysis engine 306 for static analysis”, ¶71-¶72, Fig. 4(402), “when static analysis is performed on a sample. As one example, static analysis is performed on “game.apk” by a static analysis engine 306 at 402”, i.e., the game.apk application (scripted process) is identified for security analysis), [the script comprising a process with execution parameters] and 
provision an analysis pipeline for analysis of the script, (Fig. 4, ¶129) the analysis pipeline comprising: 
a pre-execution phase (¶75, “a call graph can be constructed and examined with respect to sensitive code segments. In particular, a determination can be made about how sensitive code segments can potentially be called (if at all) by an executing application”, i.e., static analysis is performed in a pre-execution phase) [to isolate execution parameters, and assign to the execution parameters individual scores]; 
an execution behavior phase (¶99, ¶102, “The environment used by dynamic analysis engine 310 is instrumented/hooked such that behaviors observed while the application is executing are logged as they occur (e.g., using a customized kernel that supports hooking and logcat). Network traffic associated with the emulator is also captured (e.g., using pcap).”, ¶107-¶108, ¶110-¶127, Fig. 4(404, 406), ¶129, Fig. 8A, Fig. 8B, ¶143-¶144, “Examples of framework APIs that can be hooked include: file input/output operations, network connections, process creations, shell command executions, GSM/SMS messaging, cryptography operations, database operations, interprocess communications, dynamic payload loading, etc. For such APIs, hooking can be performed by recording the invoked method and passed in arguments in the body of the target method directly.”, ¶146, i.e., dynamic analysis is performed during the execution/runtime phase) [to isolate runtime behavior tokens of the script, and assign to the runtime tokens individual scores];
Zheng does not teach explicitly, 
[determine that a script is to be subjected to an analysis pipeline], the script comprising a process with execution parameters; and
[a pre-execution phase] to isolate execution parameters, and assign to the execution parameters individual scores; 
[an execution behavior phase] to isolate runtime behavior tokens of the script, and assign to the runtime tokens individual scores;
an attack detection phase to compute a signature comprising a sum of the individual scores, and to compare the signature to a detection threshold; and 
a decision phase to detect the process as malicious or potentially malicious based on the comparing.
However, Fang teaches,
[a pre-execution phase to isolate execution parameters], and assign [to the execution parameters] individual scores; (CL(2), LN(58-67), “the text associated with each script under analysis (referred to as the “script text”) may undergo tokenization to produce natural (i.e., human) language samples. These natural language samples are referred to as analytic tokens”, CL(3), LN(46-65), CL(9), LN(19-31), CL(8), LN(29-49), CL(12), LN(50-67), CL(13), LN(1-10), CL(14), LN(7-42), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e., a prediction score (score) is assigned to each token).
[an execution behavior phase] to isolate runtime behavior tokens of the script, and assign to the runtime tokens individual scores; (CL(2), LN(58-67), “the text associated with each script under analysis (referred to as the “script text”) may undergo tokenization to produce natural (i.e., human) language samples. These natural language samples are referred to as analytic tokens”, CL(3), LN(46-65), CL(9), LN(19-31), CL(8), LN(29-49), CL(12), LN(50-67), CL(13), LN(1-10), CL(14), LN(7-42), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e., a prediction score (score) is assigned to each token).
an attack detection phase to compute a signature comprising a sum of the individual scores, (CL(4), LN(6-8), “The prediction score may be weighted and produced as an aggregate of scoring of the model-adapted tokens in determining a verdict for the script”, CL(14), LN(1-6), “a prediction score for the script is generated. The prediction score may be based, at least in part, on a collection of scores associated with a set of model-adapted tokens generated from the normalized script text 355 (e.g., based on the plurality of analytic tokens)”, CL(14), LN(59-63), “a selected prediction score(s) produced by the classifier 373 (e.g., an aggregate of the prediction scores or a final prediction score) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds to determine a malicious classification”, i.e., the final prediction score is calculated as an aggregate of the individual prediction scores), and to compare the signature to a detection threshold; (CL(14), LN(35-40), “A selected combination of some or all of these weighted, prediction scores (e.g., an aggregate of the prediction scores) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds”, Fig. 4A(440), CL(15), LN(63-66), “The classification of the script may be determined based, at least in part, on the prediction score that represents the level of maliciousness of the script (item 440).”, i.e., the prediction score is compared to a threshold); and 
a decision phase to detect the process as malicious or potentially malicious based on the comparing. (CL(4), LN(8-10), “if the prediction score exceeds a first specified score threshold, the enhanced malware detection system may classify the script as malicious”, CL(14), LN(38-40), “The likelihood of maliciousness is compared to one or more specified thresholds (e.g., a first threshold for malicious classification”, Fig. 4A (450), CL(15), LN(67), CL(16), LN(1-3), “the script may be determined as malicious based on the correlation between the prediction score (with any weighting applied) to a first threshold for malicious classification”, i.e., malicious activity is detected when the score exceeds the threshold).
Under KSR v. Teleflex, combining prior art elements according to known methods to yield predictable results may be used to establish a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fang with the invention of Zheng.
Zheng teaches identifying a script for security analysis by collecting various parameters through static and dynamic analysis. Fang teaches assigning prediction scores to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious.
Therefore, it would have been obvious to apply Fang's assignment of prediction scores to various parameters and comparison of an aggregate score with a threshold to Zheng's identification of a script for security analysis by collecting various parameters through static and dynamic analysis, in order to improve techniques for identifying and mitigating malware, including malware that targets mobile devices. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Combination of Zheng and Fang does not teach explicitly,
[determine that a script is to be subjected to an analysis pipeline], the script comprising a process with execution parameters; and
a pre-execution phase to isolate execution parameters, [and assign] to the execution parameters [individual scores];
However, Ledenev teaches,
[determine that a script is to be subjected to an analysis pipeline], the script comprising a process with execution parameters; (Fig. 2A, ¶34, “the functions are called by the scripts, such as JavaScript or VBScript, which parameters can contain malicious content”, Fig. 4, ¶42, “the parameters used to call the function are checked for malicious code by the analyzer 220. The malicious code can be spread within the parameters transferred by GET and POST requests”, i.e., the script comprises a process invoked with execution parameters) and
a pre-execution phase to isolate execution parameters, [and assign] to the execution parameters (Fig. 4, ¶42, “the initial function of the application 200 is captured by the capturer 210. In step 420, the parameters used to call the function are checked for malicious code by the analyzer 220”, i.e., the execution parameters are isolated during a pre-execution phase) [individual scores];
Under KSR v. Teleflex, combining prior art elements according to known methods to yield predictable results may be used to establish a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ledenev with the invention of Zheng in view of Fang.
Zheng in view of Fang teaches identifying a script for security analysis by collecting various parameters through static and dynamic analysis, assigning prediction scores to the parameters, and comparing an aggregate score with a threshold to determine whether the script is malicious. Ledenev teaches intercepting a function, together with its parameters, of a command-line script for malware analysis.
Therefore, it would have been obvious to incorporate Ledenev's interception of a function and its parameters of a command-line script for malware analysis into the teachings of Zheng in view of Fang, in order to re-call the captured application function while maintaining the function parameter stack. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).


Regarding Claim 19, Zheng teaches,
A computer-implemented method of detecting malicious scripts, comprising:
identifying a script for analysis in a script analysis pipeline, (Fig. 3, ¶69, “coordinator 304 fetches a sample from queue 302 for processing (e.g., fetches a copy of malware 158). In particular, coordinator 304 first provides the sample to static analysis engine 306 for static analysis”, ¶71-¶72, Fig. 4(402), “when static analysis is performed on a sample. As one example, static analysis is performed on “game.apk” by a static analysis engine 306 at 402”, i.e., the game.apk application (scripted process) is identified for security analysis), [the script comprising a process and execution parameter] and 
in a pre-execution phase, hooking operating system application programming interfaces (APIs) [that provide the execution parameters], detecting invoked APIs, (¶75, “a call graph can be constructed and examined with respect to sensitive code segments. In particular, a determination can be made about how sensitive code segments can potentially be called (if at all) by an executing application”, ¶99, ¶102, “The environment used by dynamic analysis engine 310 is instrumented/hooked such that behaviors observed while the application is executing are logged as they occur (e.g., using a customized kernel that supports hooking and logcat). Network traffic associated with the emulator is also captured (e.g., using pcap).”, ¶107-¶108, ¶110-¶127, Fig. 4(404, 406), ¶129, Fig. 8A, Fig. 8B, ¶143-¶144, “Examples of framework APIs that can be hooked include: file input/output operations, network connections, process creations, shell command executions, GSM/SMS messaging, cryptography operations, database operations, interprocess communications, dynamic payload loading, etc. For such APIs, hooking can be performed by recording the invoked method and passed in arguments in the body of the target method directly.”, ¶146, i.e., static analysis is performed in a pre-execution phase, and pre-execution and runtime parameters are determined by hooking APIs) [and assigning individual scores to the execution parameters]; 
in an execution behavior phase, hooking operating system APIs that provide runtime behaviors, detecting invoked APIs, (¶99, ¶102, “The environment used by dynamic analysis engine 310 is instrumented/hooked such that behaviors observed while the application is executing are logged as they occur (e.g., using a customized kernel that supports hooking and logcat). Network traffic associated with the emulator is also captured (e.g., using pcap).”, ¶107-¶108, ¶110-¶127, Fig. 4(404, 406), ¶129, Fig. 8A, Fig. 8B, ¶143-¶144, “Examples of framework APIs that can be hooked include: file input/output operations, network connections, process creations, shell command executions, GSM/SMS messaging, cryptography operations, database operations, interprocess communications, dynamic payload loading, etc. For such APIs, hooking can be performed by recording the invoked method and passed in arguments in the body of the target method directly.”, ¶146, i.e., runtime behaviors are collected by hooking APIs) [and assigning individual scores to the invoked APIs]; 
Zheng does not teach explicitly,
[identifying a script for analysis in a script analysis pipeline], the script comprising a process and execution parameter and 
[in a pre-execution phase, hooking operating system application programming interfaces (APIs)] that provide the execution parameters, [detecting invoked APIs], and assigning individual scores to the execution parameters;
[in an execution behavior phase, hooking operating system APIs that provide runtime behaviors, detecting invoked APIs], and assigning individual scores to the invoked APIs;
in an attack detection phase, assigning a composite score to the script comprising a sum of the individual scores, comparing the composite score to a flexible threshold, and detecting the script based on the determining that the composite score is above the flexible threshold.
However, Fang teaches,
[in a pre-execution phase, hooking operating system application programming interfaces (APIs) that provide the execution parameters, detecting invoked APIs], and assigning individual scores [to the execution parameters]; (CL(9), LN(19-31), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e., a prediction score (score) is assigned to each token).
[in an execution behavior phase, hooking operating system APIs that provide runtime behaviors, detecting invoked APIs], and assigning individual scores to the invoked APIs; (CL(9), LN(19-31), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e., a prediction score (score) is assigned to each token).
in an attack detection phase, assigning a composite score to the script comprising a sum of the individual scores, (CL(4), LN(6-8), “The prediction score may be weighted and produced as an aggregate of scoring of the model-adapted tokens in determining a verdict for the script”, CL(14), LN(1-6), “a prediction score for the script is generated. The prediction score may be based, at least in part, on a collection of scores associated with a set of model-adapted tokens generated from the normalized script text 355 (e.g., based on the plurality of analytic tokens)”, CL(14), LN(59-63), “a selected prediction score(s) produced by the classifier 373 (e.g., an aggregate of the prediction scores or a final prediction score) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds to determine a malicious classification”, i.e., the final prediction score is calculated as an aggregate of the individual prediction scores) comparing the composite score to a flexible threshold, (CL(14), LN(35-40), “A selected combination of some or all of these weighted, prediction scores (e.g., an aggregate of the prediction scores) may signify a likelihood of maliciousness for the script. The likelihood of maliciousness is compared to one or more specified thresholds”, Fig. 4A(440), CL(15), LN(63-66), “The classification of the script may be determined based, at least in part, on the prediction score that represents the level of maliciousness of the script (item 440).”, i.e., the prediction score is compared to a threshold) and detecting the script based on the determining that the composite score is above the flexible threshold (CL(4), LN(8-10), “if the prediction score exceeds a first specified score threshold, the enhanced malware detection system may classify the script as malicious”, CL(14), LN(38-40), “The likelihood of maliciousness is compared to one or more specified thresholds (e.g., a first threshold for malicious classification”, Fig. 4A (450), CL(15), LN(67), CL(16), LN(1-3), “the script may be determined as malicious based on the correlation between the prediction score (with any weighting applied) to a first threshold for malicious classification”, i.e., malicious activity is detected when the score exceeds the threshold).
Under KSR v. Teleflex, combining prior art elements according to known methods to yield predictable results may be used to establish a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fang with the invention of Zheng.
Zheng teaches identifying a script for security analysis by collecting various parameters through static and dynamic analysis. Fang teaches assigning prediction scores to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious.
Therefore, it would have been obvious to apply Fang's assignment of prediction scores to various parameters and comparison of an aggregate score with a threshold to Zheng's identification of a script for security analysis by collecting various parameters through static and dynamic analysis, in order to improve techniques for identifying and mitigating malware, including malware that targets mobile devices. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Combination of Zheng and Fang does not teach explicitly,
[identifying a script for analysis in a script analysis pipeline], the script comprising a process and execution parameter;  and 
[in a pre-execution phase, hooking operating system application programming interfaces (APIs)] that provide the execution parameters, [detecting invoked APIs, and assigning individual scores] to the execution parameters;
However, Ledenev teaches,
[identifying a script for analysis in a script analysis pipeline], the script comprising a process and execution parameter; (Fig. 2A, ¶34, “the functions are called by the scripts, such as JavaScript or VBScript, which parameters can contain malicious content”, Fig. 4, ¶42, “the parameters used to call the function are checked for malicious code by the analyzer 220. The malicious code can be spread within the parameters transferred by GET and POST requests”, i.e., the script comprises a process invoked with execution parameters) and 
[in a pre-execution phase, hooking operating system application programming interfaces (APIs)] that provide the execution parameters, [detecting invoked APIs, and assigning individual scores] to the execution parameters; (Fig. 4, ¶42, “the initial function of the application 200 is captured by the capturer 210. In step 420, the parameters used to call the function are checked for malicious code by the analyzer 220”, i.e., the function providing the execution parameters is captured, and the execution parameters are isolated during a pre-execution phase).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ledenev with the invention of Zheng in view of Fang.
Zheng in view of Fang teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters, and comparing an aggregate score with a threshold to determine whether the script is malicious or not. Ledenev teaches intercepting a function with parameters of a command line script for malware analysis. 
Therefore, it would have been obvious to have intercepting function with parameters of a command line script for malware analysis of Ledenev into the teachings of Zheng in view of Fang for re-calling the application captured function while maintaining the function parameter stack. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Regarding Claim 9, rejection of Claim 1 is included and for the same motivation  Zheng teaches, 
The computing apparatus of claim 1, wherein the instructions are to keep an event log of analyzed events with associated scores. (¶58, “behaviors resulting from executing applications in the virtual machines are logged and analyzed”, ¶102, ¶107-¶108, ¶141, ¶76, “ points can be assigned to each of the features (e.g., based on severity if found; based on how reliable the feature is for predicting malice; etc.) and a verdict can be assigned by static analysis engine 306 (or coordinator 304, if applicable) based on the number of points associated with the static analysis results”, ¶103, “As another example, points can be assigned to actions taken (e.g., based on severity if found; based on how reliable the action is for predicting malice; etc.) and a verdict can be assigned by dynamic analysis engine 310 (or coordinator 304, if applicable) based on the number of points associated with the dynamic analysis results”, ¶130, “assigning points to each of the features triggered by the application (i.e., both the static features and the dynamic features). If the score exceeds a threshold, the application is determined to be malicious”, i.e. events are logged and points (score) are assigned). 

Regarding Claim 12, rejection of Claim 1 is included and for the same motivation  Zheng does not teach explicitly,
The computing apparatus of claim 1, wherein the scripted process is a Windows PowerShell script. 
However, Fang teaches,
The computing apparatus of claim 1, wherein the scripted process is a Windows PowerShell script. (Fig. 1 (112, 115), CL(11), LN(9-25), “An illustrative representation of the script text 115 associated with the script 112 (e.g., Powershell), which is observed by the monitoring component 130”).

Regarding Claim 14, rejection of Claim 13 is included and for the same motivation  Zheng teaches, 
The one or more tangible, non-transitory computer-readable media of claim 13, [wherein isolating the pre-execution parameters and isolating the runtime behavior tokens] comprises inserting operating system application programming interface (API) hooks into APIs (¶75, “a call graph can be constructed and examined with respect to sensitive code segments. In particular, a determination can be made about how sensitive code segments can potentially be called (if at all) by an executing application”, ¶99, ¶102, “The environment used by dynamic analysis engine 310 is instrumented/hooked such that behaviors observed while the application is executing are logged as they occur (e.g., using a customized kernel that supports hooking and logcat). Network traffic associated with the emulator is also captured (e.g., using pcap).”, ¶107-¶108, ¶110-¶127, Fig. 4 (404, 406), ¶129, Fig. 8A, Fig. 8B, ¶143-¶144, “Examples of framework APIs that can be hooked include: file input/output operations, network connections, process creations, shell command executions, GSM/SMS messaging, cryptography operations, database operations, interprocess communications, dynamic payload loading, etc. For such APIs, hooking can be performed by recording the invoked method and passed in arguments in the body of the target method directly.”, ¶146, i.e. pre-execution and runtime parameters are determined by hooking APIs) [that provide the execution parameters and runtime behavior tokens].
Zheng does not teach explicitly,
The one or more tangible, non-transitory computer-readable media of claim 13, wherein isolating the pre-execution tokens and isolating the runtime behavior tokens [comprises inserting operating system application programming interface (API) hooks into APIs] that provide the pre-execution tokens and runtime behavior tokens.
However, Fang teaches,
The one or more tangible, non-transitory computer-readable media of claim 13, wherein [isolating the pre-execution parameters] and isolating the runtime behavior tokens (CL(2), LN(58-67), “the text associated with each script under analysis (referred to as the “script text”) may undergo tokenization to produce natural (i.e., human) language samples. These natural language samples are referred to as analytic tokens”, CL(3), LN(46-65), CL(9), LN(19-31), CL(8), LN(29-49), CL(12), LN(50-67), CL(13), LN(1-10), CL(14), LN(7-42)) [comprises inserting operating system application programming interface (API) hooks into APIs] that provide [the execution parameters] and runtime behavior tokens. (CL(2), LN(58-67), “the text associated with each script under analysis (referred to as the “script text”) may undergo tokenization to produce natural (i.e., human) language samples. These natural language samples are referred to as analytic tokens”, CL(3), LN(46-65), CL(9), LN(19-31), CL(8), LN(29-49), CL(12), LN(50-67), CL(13), LN(1-10), CL(14), LN(7-42)).
Combination of Zheng and Fang does not teach explicitly,
[The one or more tangible, non-transitory computer-readable media of claim 13, wherein] isolating the pre-execution parameters  [and isolating the runtime behavior tokens comprises inserting operating system application programming interface (API) hooks into APIs that provide] the execution parameters [and runtime behavior tokens].
However Ledenev teaches,
[The one or more tangible, non-transitory computer-readable media of claim 13, wherein] isolating the pre-execution parameters (Fig. 4, ¶42, “the initial function of the application 200 is captured by the capturer 210. In step 420, the parameters used to call the function are checked for malicious code by the analyzer 220”, i.e. execution parameters are isolated during a pre-execution phase)  [and isolating the runtime behavior tokens comprises inserting operating system application programming interface (API) hooks into APIs that provide] the execution parameters (Fig. 2A, ¶34, “the functions are called by the scripts, such as Javascript of VBScript, which parameters can contain malicious content”, Fig. 4, ¶42, “the parameters used to call the function are checked for malicious code by the analyzer 220. The malicious code can be spread within the parameters transferred by GET and POST requests”, i.e. scripted process comprises command line invocation of parameters) [and runtime behavior tokens].


Claims 2-5, 7, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zheng et al. (US PGPUB. # US 2020/0004963, hereinafter “Zheng”), and further in view of Fang et al. (US PAT. # US 10,956,477, hereinafter “Fang”), and further in view of Alexander Ledenev (US PGPUB. # US 2015/0101052, hereinafter “Ledenev”), and further in view of Banerjee et al. (US PGPUB. # US 2010/0186088, hereinafter “Banerjee”).

Referring to Claims 2, 15 and 20:
Regarding Claim 2, rejection of Claim 1 is included and combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 1, wherein the instructions are further to instruct the processor to adjust the threshold according to enterprise-specific usage.
However, Banerjee teaches,
The computing apparatus of claim 1, wherein the instructions are further to instruct the processor to adjust the threshold according to enterprise-specific usage. (¶10, “in an enterprise setting”, ¶108, “ Compare the frequency of keywords found in a web page with a predefined and adaptive in time threshold”, ¶109, “This is used to compare the characteristics of a suspicious web page with a predefined and tunable, with time, threshold”, ¶153, “It uses a variety of thresholds and parameters that are tunable”, i.e. threshold is tunable (adjustable) according to enterprise usage).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Banerjee with the invention of Zheng in view of Fang and Ledenev.
Zheng in view of Fang and Ledenev teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, and intercepting a function with parameters of a command line script for malware analysis. Banerjee teaches a tunable threshold according to specific need. Therefore, it would have been obvious to incorporate the tunable threshold according to specific need of Banerjee into the teachings of Zheng in view of Fang and Ledenev so that an end user or an enterprise can scan code according to the sensitivity of the work and avoid unnecessary delay in processing. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 15, rejection of Claim 13 is included and Claim 15 is rejected with the same rationale as applied against Claim 2 above. 

Regarding Claim 20, rejection of Claim 19 is included and Claim 20 is rejected with the same rationale as applied against Claim 2 above. 
Referring to Claims 3 and 16:
Regarding Claim 3, rejection of Claim 1 is included and combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 1, wherein the instructions are further to instruct the processor to adjust the threshold according to endpoint-specific usage.
However, Banerjee teaches,
The computing apparatus of claim 1, wherein the instructions are further to instruct the processor to adjust the threshold according to endpoint-specific usage. (¶34, “The level that the user wants to be "protected" can depend on her expertise and confidence in her abilities. Similarly, what constitutes appropriate web-content is specific to the user and the environment”, ¶145, “A client system 1204 is in communication with the network 1203 and includes website analysis software 1205 according to an embodiment of the present system in communication with a browser 1206. Optionally, a provider server 1207 having website analysis software can be in communication with the network 1203 and the client system 1204 having the website analysis software 1205”, ¶108, “Compare the frequency of keywords found in a web page with a predefined and adaptive in time threshold”, ¶109, “This is used to compare the characteristics of a suspicious web page with a predefined and tunable, with time, threshold”, ¶153, “It uses a variety of thresholds and parameters that are tunable”, i.e. threshold is tunable (adjustable) according to client (endpoint) usage).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Banerjee with the invention of Zheng in view of Fang and Ledenev.
Zheng in view of Fang and Ledenev teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, and intercepting a function with parameters of a command line script for malware analysis. Banerjee teaches a tunable threshold according to specific need. Therefore, it would have been obvious to incorporate the tunable threshold according to specific need of Banerjee into the teachings of Zheng in view of Fang and Ledenev so that an end user or an enterprise can scan code according to the sensitivity of the work and avoid unnecessary delay in processing. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 16, rejection of Claim 13 is included and Claim 16 is rejected with the same rationale as applied against Claim 3 above. 

Referring to Claims 4 and 18:
Regarding Claim 4, rejection of Claim 3 is included and for the same motivation combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 3, wherein the instructions are to adjust the threshold according to a machine learning algorithm.
However, Banerjee teaches,
The computing apparatus of claim 3, wherein the instructions are to adjust the threshold according to a machine learning algorithm. (¶153, “It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user”, i.e. threshold is adjusted according to a machine learning algorithm).

Regarding Claim 18, rejection of Claim 15 is included and Claim 18 is rejected with the same rationale as applied against Claim 4 above. 

Regarding Claim 5 rejection of Claim 4 is included and for the same motivation combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 4, wherein the machine learning algorithm is an average predictor algorithm.
However, Banerjee teaches,
The computing apparatus of claim 4, wherein the machine learning algorithm is an average predictor algorithm. (¶91, “input to a decision logic module 204 that combines them along with user-specific preferences and prior history for a final answer or output 214 using machine learning and other techniques”, ¶121, “The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest)”).

Regarding Claim 7 rejection of Claim 1 is included and for the same motivation combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 1, wherein the instructions are to compute an intermediate score from pre-execution parameters, and to make an intermediate detection decision from the intermediate score.
However, Banerjee teaches,
The computing apparatus of claim 1, wherein the instructions are to compute an intermediate score from pre-execution parameters, and to make an intermediate detection decision from the intermediate score. (¶91, “Partial answers or scores are developed from each module, and input to a decision logic module 204 that combines them along with user-specific preferences and prior history for a final answer or output 214 using machine learning and other techniques”, Fig. 4, ¶101-¶105, Claim 2, “wherein calculating the threat score comprises calculating one or more intermediate threat scores”, i.e. intermediate score is computed to make an intermediate detection decision).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Banerjee with the invention of Zheng in view of Fang and Ledenev.
Zheng in view of Fang and Ledenev teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, and intercepting a function with parameters of a command line script for malware analysis. Banerjee teaches computing intermediate (partial) scores that are combined into a final decision, and a tunable threshold according to specific need. Therefore, it would have been obvious to incorporate the intermediate scoring and tunable threshold of Banerjee into the teachings of Zheng in view of Fang and Ledenev so that an end user or an enterprise can scan code according to the sensitivity of the work and avoid unnecessary delay in processing. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 17 rejection of Claim 15 is included and for the same motivation Zheng does not teach explicitly,
The one or more tangible, non-transitory computer-readable media of claim 15, wherein the threshold regulator is further to adjust individual token scores.
However, Fang teaches,
The one or more tangible, non-transitory computer-readable media of claim 15, [wherein the threshold regulator is further to adjust individual] token scores. (CL(9), LN(19-31), “The NLP model 162 assigns a prediction score to the set of model-adapted tokens forming the normalized script text”, i.e. a prediction score is assigned to the tokens).
Combination of Zheng, Fang and Ledenev does not teach explicitly,
The one or more tangible, non-transitory computer-readable media of claim 15, wherein the threshold regulator is further to adjust individual [token scores].
However, Banerjee teaches,
The one or more tangible, non-transitory computer-readable media of claim 15, wherein the threshold regulator is further to adjust individual [token scores]. (¶153, “It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user”, i.e. the individual parameters, as well as the thresholds, are adjustable).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Zheng et al. (US PGPUB. # US 2020/0004963, hereinafter “Zheng”), and further in view of Fang et al. (US PAT. # US 10,956,477, hereinafter “Fang”), and further in view of Alexander Ledenev (US PGPUB. # US 2015/0101052, hereinafter “Ledenev”), and further in view of Banerjee et al. (US PGPUB. # US 2010/0186088, hereinafter “Banerjee”), and further in view of George Kassabgi (US PGPUB. # US 2018/0278554, hereinafter “Kassabgi”).

Regarding Claim 6, rejection of Claim 3 is included and combination of Zheng, Fang, Ledenev and Banerjee does not teach explicitly,  
The computing apparatus of claim 3, wherein the instructions are further to adjust the threshold downward during off-peak computing hours.
However, Kassabgi teaches,
The computing apparatus of claim 3, wherein the instructions are further to adjust the threshold downward during off-peak computing hours. (¶57, “A lower threshold may accordingly be set for some proposed communications (e.g., those relating to topics involving a relatively low amount of risk) generated during those “off hours,” to allow the system to send proposed communications that under other circumstances would have been reviewed by a human due to a higher threshold setting”, i.e. threshold is lowered during off-peak hours).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kassabgi with the invention of Zheng in view of Fang, Ledenev and Banerjee.
Zheng in view of Fang, Ledenev and Banerjee teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, intercepting a function with parameters of a command line script for malware analysis, and a tunable threshold according to specific need. Kassabgi teaches lowering a threshold during off-peak hours. Therefore, it would have been obvious to incorporate the lowering of a threshold during off-peak hours of Kassabgi into the teachings of Zheng in view of Fang, Ledenev and Banerjee to minimize computing processing during busy hours. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zheng et al. (US PGPUB. # US 2020/0004963, hereinafter “Zheng”), and further in view of Fang et al. (US PAT. # US 10,956,477, hereinafter “Fang”), and further in view of Alexander Ledenev (US PGPUB. # US 2015/0101052, hereinafter “Ledenev”), and further in view of Banerjee et al. (US PGPUB. # US 2010/0186088, hereinafter “Banerjee”), and further in view of Dasgupta et al. (US PGPUB. # US 2011/0173142, hereinafter “Dasgupta”).

Regarding Claim 8 rejection of Claim 7 is included and combination of Zheng, Fang, Ledenev and Banerjee does not teach explicitly,
The computing apparatus of claim 7, wherein the intermediate detection comprises proceeding to computing runtime parameters if the intermediate score is between a lower threshold and an upper threshold.
However, Dasgupta teaches,
The computing apparatus of claim 7, wherein the intermediate detection comprises proceeding to computing runtime parameters if the intermediate score is between a lower threshold and an upper threshold. (¶41, “The sender ID can optionally be designated as a potential spammer if the score is between the upper and lower thresholds (e.g., the upper threshold differs from the lower threshold)”, “the model scores could be adjusted until the spam designations could be accurately determined for all or a predetermined percentage of the known behavior patterns”, i.e. process continues when an intermediate score falls between lower threshold and upper threshold).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Dasgupta with the invention of Zheng in view of Fang, Ledenev and Banerjee.
Zheng in view of Fang, Ledenev and Banerjee teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, intercepting a function with parameters of a command line script for malware analysis, and a tunable threshold according to specific need. Dasgupta teaches continuing the analysis (tuning the model) when an intermediate score falls between a lower threshold and an upper threshold. Therefore, it would have been obvious to incorporate the continued analysis when an intermediate score falls between a lower threshold and an upper threshold of Dasgupta into the teachings of Zheng in view of Fang, Ledenev and Banerjee to accurately identify a malicious user and/or activity. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Claims  10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Zheng et al. (US PGPUB. # US 2020/0004963, hereinafter “Zheng”), and further in view of Fang et al. (US PAT. # US 10,956,477, hereinafter “Fang”), and further in view of Alexander Ledenev (US PGPUB. # US 2015/0101052, hereinafter “Ledenev”), and further in view of Igor G. Muttik (US PGPUB. # US 2018/0097829, hereinafter “Muttik”).

Regarding Claim 10, rejection of Claim 1 is included and combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 1, wherein the instructions are to cache a reputation for the scripted process.
However, Muttik teaches,
The computing apparatus of claim 1, wherein the instructions are to cache a reputation for the scripted process. (¶57, ¶110, “the information being tracked, sent, received, or stored in a processor could be provided in any database, register, table, cache, queue, control list, or storage structure, based on particular needs and implementations, all of which could be referenced in any suitable timeframe”, ¶49, “a local reputation may be generated based on that global reputation”, i.e. reputation is stored in a cache).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Muttik with the invention of Zheng in view of Fang and Ledenev.
Zheng in view of Fang and Ledenev teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, and intercepting a function with parameters of a command line script for malware analysis. Muttik teaches storing reputation information in a cache for further analysis of an object. Therefore, it would have been obvious to incorporate the storing of reputation information in a cache of Muttik into the teachings of Zheng in view of Fang and Ledenev to optimize the process of analyzing an object as a malicious object. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 11, rejection of Claim 1 is included and combination of Zheng, Fang and Ledenev does not teach explicitly,
The computing apparatus of claim 1, wherein the instructions are to identify the scripted process for analysis only based on determining that the scripted process does not have a cached reliable reputation.
However, Muttik teaches,
The computing apparatus of claim 1, wherein the instructions are to identify the scripted process for analysis only based on determining that the scripted process does not have a cached reliable reputation. (¶49, “ a security appliance in cluster 142 may query security services provider 190 to see if the new object has a globally-recognized reputation. If so, a local reputation may be generated based on that global reputation. If not, the object is completely new and may be treated as a “candidate malicious object,”, i.e. object is further analyzed when its reputation is not stored in the cache).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Muttik with the invention of Zheng in view of Fang and Ledenev.
Zheng in view of Fang and Ledenev teaches identifying a script for security analysis by collecting various parameters by static and dynamic analysis, assigning a prediction score to various parameters and comparing an aggregate score with a threshold to determine whether the script is malicious or not, and intercepting a function with parameters of a command line script for malware analysis. Muttik teaches consulting cached reputation information and analyzing an object only when no recognized reputation exists. Therefore, it would have been obvious to incorporate the reputation lookup of Muttik into the teachings of Zheng in view of Fang and Ledenev to avoid re-analyzing objects whose reputation is already known and so optimize the process of analyzing an object as a malicious object. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
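The staged pipeline discussed for claims 7 and 8 (an intermediate score computed from pre-execution parameters, with runtime analysis performed only when that score falls between a lower and an upper threshold) and for claims 10 and 11 (analysis skipped when a reliable reputation is already cached), together with the tunable threshold of claims 2, 3 and 6 and the scored event log of claim 9, is modeled in the following Python example. The example was added by the editor and is not code from the application or from any cited reference (Zheng, Fang, Ledenev, Banerjee, Kassabgi, Dasgupta or Muttik). Every rule, weight, threshold value, command line and runtime event in it is a constructed assumption chosen to make the stages observable; the runtime events are handed in directly as the tuples an API hook would have recorded rather than captured by real hooks.

```python
"""Staged script-analysis pipeline (editor's illustrative example).
Stages: reputation-cache lookup -> per-parameter pre-execution scoring ->
intermediate decision (lower/upper thresholds) -> runtime scoring of
hook-recorded API events -> aggregate score against a tunable threshold.
All weights, thresholds and samples below are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass, replace

# Assumed pre-execution rules: each matched command-line parameter gets its own score.
PRE_EXEC_RULES = [
    (re.compile(r"-encodedcommand\b", re.I), 40),
    (re.compile(r"-windowstyle\s+hidden\b", re.I), 20),
    (re.compile(r"-executionpolicy\s+bypass\b", re.I), 25),
    (re.compile(r"-noprofile\b", re.I), 10),
    (re.compile(r"\bdownloadstring\b", re.I), 30),
    (re.compile(r"\b(invoke-expression|iex)\b", re.I), 30),
]
# Assumed runtime weights, keyed by the name of the hooked API.
RUNTIME_WEIGHTS = {"net_connect": 25, "process_create": 20,
                   "file_write": 10, "registry_run_key": 30}


@dataclass(frozen=True)
class Thresholds:
    lower: int = 30   # pre-execution score below this: benign, runtime phase skipped
    upper: int = 90   # pre-execution score at or above this: malicious, runtime skipped
    final: int = 70   # aggregate (pre-execution + runtime) decision threshold

    def adjusted(self, factor: float = 1.0, off_peak: bool = False) -> "Thresholds":
        """Scale the final threshold per enterprise/endpoint; lower it during off-peak hours."""
        final = round(self.final * factor) - (10 if off_peak else 0)
        return replace(self, final=max(0, final))


class ReputationCache:
    """Verdicts keyed by a hash of the whitespace-normalized, lower-cased command line."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def key(command_line: str) -> str:
        return hashlib.sha256(" ".join(command_line.split()).lower().encode()).hexdigest()

    def lookup(self, command_line: str):
        return self._entries.get(self.key(command_line))

    def store(self, command_line: str, verdict: str) -> None:
        self._entries[self.key(command_line)] = verdict


def score_pre_execution(command_line: str):
    """Assign an individual score to every matched parameter; return (total, log entries)."""
    log = [{"phase": "pre-exec", "item": m.group(0), "score": weight}
           for rule, weight in PRE_EXEC_RULES if (m := rule.search(command_line))]
    return sum(e["score"] for e in log), log


def score_runtime(events):
    """Score (api_name, args) events as an API hook would have recorded them."""
    log = [{"phase": "runtime", "item": f"{api}{args}", "score": RUNTIME_WEIGHTS.get(api, 0)}
           for api, args in events]
    return sum(e["score"] for e in log), log


def analyze(command_line, run_with_hooks, cache, thresholds=Thresholds()):
    """Return (verdict, aggregate score, scored event log, stage that decided)."""
    cached = cache.lookup(command_line)
    if cached is not None:                       # cached reputation: no analysis at all
        return cached, None, [], "cache"
    pre_score, log = score_pre_execution(command_line)
    if pre_score < thresholds.lower:
        verdict, total, stage = "benign", pre_score, "pre-exec"
    elif pre_score >= thresholds.upper:
        verdict, total, stage = "malicious", pre_score, "pre-exec"
    else:                                        # intermediate score: run under hooks
        rt_score, rt_log = score_runtime(run_with_hooks())
        log, total, stage = log + rt_log, pre_score + rt_score, "runtime"
        verdict = "malicious" if total >= thresholds.final else "benign"
    cache.store(command_line, verdict)
    return verdict, total, log, stage


# Constructed samples: command line plus the runtime events a hook would record.
SAMPLES = {
    "benign": ("powershell.exe -NoProfile -File C:\\scripts\\backup.ps1", []),
    "overt": ("powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
              "-EncodedCommand SQBFAFgA", []),
    "staged": ('powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Process helper.exe"',
               [("process_create", ("helper.exe",)), ("net_connect", ("203.0.113.5", 4444))]),
    "quiet": ("powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\tools\\inventory.ps1",
              [("file_write", ("C:\\Temp\\inventory.csv",))]),
}


def run_samples(thresholds: Thresholds = Thresholds()):
    """Run every sample through a fresh cache; return name -> (verdict, score, stage)."""
    cache = ReputationCache()
    results = {}
    for name, (command_line, events) in SAMPLES.items():
        verdict, total, _log, stage = analyze(command_line, lambda ev=events: ev, cache, thresholds)
        results[name] = (verdict, total, stage)
    # A second sighting of a known command line is answered from the reputation cache.
    verdict, total, _log, stage = analyze(SAMPLES["staged"][0], lambda: [], cache, thresholds)
    results["staged-again"] = (verdict, total, stage)
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:12s} {outcome}")
    print("off-peak, factor 0.8:", run_samples(Thresholds().adjusted(0.8, off_peak=True))["quiet"])
```

With the assumed weights, the "benign" and "overt" command lines are decided from their pre-execution parameters alone (10 and 95 points), the "staged" and "quiet" ones fall into the 30 to 90 band and are only then run under hooks, and the same "staged" command line seen a second time is answered from the cache without any scoring. Lowering the final threshold (here to 46 for an off-peak run with an enterprise factor of 0.8) turns the "quiet" verdict from benign to malicious without touching the pre-execution band, which is the practical meaning of keeping the intermediate thresholds and the aggregate threshold independently tunable.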

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
USUI et al. (US # 2021/0390183) discloses, an analysis function imparting device according to the present invention includes processing circuitry configured to execute a script engine while monitoring the script engine to acquire an execution trace including an application programming interface (API) trace and a branch trace, analyze the execution trace, and detect a hook point that is a location to which a hook is applied and a code for analysis is inserted, detect, based on monitoring at the hook point, a tap point that is a memory monitoring location at which the code for analysis outputs a log, and apply a hook to the script engine to impart an analysis function to the script engine based on the hook point and the tap point.
Powers et al. (US # 11,010,472) disclose, a method for providing real-time anti-malware detection and protection. The computer uses artificial intelligence techniques to learn and detect new exploits in real time and protect the full system from harm. The computer trains a first machine learning model for executable files. The computer trains a second machine learning model for non-executable files. The computer trains a third machine learning model for network traffic. The computer identifies malware using the various machine learning models. The computer restores to a clean, uncorrupted state using virtual machine technology. The computer reports the detected malware to a security server, such as security information and event management (SIEM) systems, by transmitting a detection alert message regarding the malware. The computer interacts with an administrative system over an isolated control network to allow the system administrator to correct the corruption caused by the malware.
Nilangeker et al. (US # 2020/0177613) disclose, a method for detecting impact of the vulnerability by using a normalizer and correlator. In various implementations, the method includes: accessing a first set of data from first data sources, calculating a risk level value for each of the first set of data based on a first set of rules, sorting the first set of data based on their risk level, accessing the sorted first set of data by a correlator, accessing, by the correlator, a second set of data from second data sources, correlating each of the sorted first set of data to at least a data of the second set of data based on a second set of rules, and calculating a confidence score for each data of the sorted first set of data based on a third set of rules.
Paithane et al. (US # 10,671,726) disclose, processing one or more objects by a first thread of execution that are part of a multi-thread process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering a graphical display of the monitored events detected during processing of the one or more objects by the first thread on a display screen.
Agranonik et al. (US # 10,581,888) discloses, method includes generating a tokenized representation of a given software script, the tokenized representation comprising two or more tokens representing two or more commands in the given software script. The method also includes mapping the tokens of the tokenized representation to a vector space providing contextual representation of the tokens utilizing an embedding layer of a deep learning network, detecting sequences of the mapped tokens representing sequences of commands associated with designated types of script behavior utilizing at least one hidden layer of the deep learning network, and classifying the given software script based on the detected sequences of the mapped tokens utilizing one or more classification layers of the deep learning network. The method further includes modifying access by a given client device to the given software script responsive to classifying the given software script as a given software script type.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DARSHAN I DHRUV/          Primary Examiner, Art Unit 2498