DETAILED ACTION
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	This communication is in response to applicant's amendment dated 7/18/2022 and interview dated 8/22/2022.
3.	Applicant's remarks, filed on 7/18/2022, with respect to the art rejection of the claims have been fully considered and they are persuasive as amended and in the light of the Examiner's amendments. 

EXAMINER’S AMENDMENT
4.1.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 
Authorization for this examiner’s amendment was given in a telephone interview with James J. Barta, Jr. (Reg. No. 47409) on 8/22/2022.

4.2.	This listing of claims will replace all prior versions and listings of claims in the application:

1. (Currently Amended) A method for cryptocurrency-based malware detection, the method comprising:
analyzing a plurality of cryptocurrency-based malware or ransomware attacks, wherein analyzing the plurality of cryptocurrency-based malware or ransomware attacks comprises analyzing a screenshot of a ransomware note displayed on an end user device, associated with each of the plurality of cryptocurrency-based malware or ransomware attacks at least by:
determining a uniform resource locator (URL) of a decryptor download site of a cryptocurrency-based malware or ransomware attack;
determining a cryptocurrency payment address of the cryptocurrency-based malware or ransomware attack;
determining a receipt or a decoder link for the cryptocurrency-based malware or ransomware attack; and
tracing a ransom payment paid to the cryptocurrency payment address in response to the cryptocurrency-based malware or ransomware attack;
building a malware or ransomware attack database with cryptocurrency payment addresses of the plurality of cryptocurrency-based malware or ransomware attacks; [[and]]
applying a clustering process to identify which of the cryptocurrency payment addresses has a plurality of inputs; and
identifying a proposed cryptocurrency transaction that includes an address that is included in the malware or ransomware attack database.
2. (Currently Amended) The method according to claim 1, further comprising obtaining one or more indicators of compromise of [[an]] the end user device that are indicative of a cryptocurrency-based malware or ransomware attack.
3. (Canceled).
4. (Canceled).
5. (Previously Presented) The method according to claim 1, further comprising:
assessing parameters of the cryptocurrency payment address for each of the plurality of malware or ransomware attacks; and
comparing one or more addresses of the proposed cryptocurrency transaction to the parameters.
6. (Original) The method according to claim 1, further comprising:
obtaining a sample of a ransomware from the decryptor download site;
identifying additional cryptocurrency addresses included in the sample; and
adding the additional cryptocurrency addresses to the malware or ransomware attack database.
7. (Original) The method according to claim 6, further comprising determining victim cryptocurrency addresses that were inputs to the additional cryptocurrency addresses using a reverse search.
8. (Original) The method according to claim 7, further comprising determining payoff accounts linked to the victim cryptocurrency addresses based on the reverse search.
9. (Currently Amended) A system, comprising:
a processor; and
a memory for storing instructions, the processor executing the instructions to:
analyze a plurality of cryptocurrency-based malware or ransomware attacks, wherein analyzing the plurality of cryptocurrency-based malware or ransomware attacks comprises analyzing a screenshot of a ransomware note displayed on an end user device, associated with each of the plurality of cryptocurrency-based malware or ransomware attacks at least by: 
determining a uniform resource locator (URL) of a decryptor download site of a cryptocurrency-based malware or ransomware attack;
determining a cryptocurrency payment address of the cryptocurrency-based malware or ransomware attack;
determining a receipt or a decoder link for the cryptocurrency-based malware or ransomware attack; and
tracing a ransom payment paid to the cryptocurrency payment address in response to the cryptocurrency-based malware or ransomware attack;
build a malware or ransomware attack database with [[the]] cryptocurrency payment addresses of the plurality of cryptocurrency-based malware or ransomware attacks;
apply a clustering process to identify which of the cryptocurrency payment addresses has a plurality of inputs; and
identify a proposed cryptocurrency transaction that includes an address that is included in the malware or ransomware attack database.

10. (Canceled).
11. (Previously Presented) The system according to claim 9, wherein the processor disassembles a malware or ransomware attack of the plurality of cryptocurrency-based malware or ransomware attacks to discover one or more of the cryptocurrency payment addresses to which a ransom payment has been paid.
12. (Canceled).
13. (Canceled).
14. (Currently Amended) The system according to claim [[10]] 9, wherein the processor:
obtains a code sample of the cryptocurrency-based malware or ransomware attack from the decryptor download site;
identifies additional cryptocurrency addresses included in the code sample; and
adds the additional cryptocurrency addresses to the malware or ransomware attack database.
15. (Currently Amended) A method, comprising:
analyzing a plurality of cryptocurrency-based malware or ransomware attacks, wherein analyzing the plurality of cryptocurrency-based malware or ransomware attacks comprises analyzing a screenshot of a ransomware note displayed on an end user device, associated with each of the plurality of cryptocurrency-based malware or ransomware attacks at least by:
determining a uniform resource locator (URL) of a decryptor download site of a cryptocurrency-based malware or ransomware attack;
determining a cryptocurrency payment address of the cryptocurrency-based malware or ransomware attack;
determining a receipt or a decoder link for the cryptocurrency-based malware or ransomware attack; and
tracing a ransom payment paid to the cryptocurrency payment address in response to the cryptocurrency-based malware or ransomware attack;
building a malware or ransomware attack database with [[the]] cryptocurrency payment addresses of the plurality of cryptocurrency-based malware or ransomware attacks;
applying a clustering process to identify which of the cryptocurrency payment addresses has a plurality of inputs; 
identifying a proposed cryptocurrency transaction that includes an address that is included in the malware or ransomware attack database; and
based on the identifying that the address of the proposed cryptocurrency transaction is included in the malware or ransomware attack database, denying the proposed cryptocurrency transaction.
16. (Currently Amended) The method according to claim 15, further comprising obtaining one or more indicators of compromise of [[an]] the end user device, wherein the plurality of cryptocurrency-based malware or ransomware attacks includes a cryptocurrency-based malware or ransomware attack of the end user device.
17. (Canceled).
18. (Currently Amended) The method according to claim [[16]] 15, further comprising:
obtaining a code sample of the cryptocurrency-based malware or ransomware attack from [[a]] the decryptor download site;
identifying additional cryptocurrency addresses included in the code sample; and
adding the additional cryptocurrency addresses to the malware or ransomware attack database.
19. (Original) The method according to claim 18, further comprising determining victim cryptocurrency addresses that were inputs to the additional cryptocurrency addresses using a reverse search.
20. (Previously Presented) The method according to claim 19, further comprising determining payoff accounts linked to the victim cryptocurrency addresses based on the reverse search.
21. (New) The method according to claim 1, further comprising:
calculating a risk score for the proposed transaction; 
comparing the calculated risk score with a threshold score; and
based on the comparison, canceling or allowing the proposed transaction.
22. (New) The method according to claim 21, wherein the calculated risk score for the proposed transaction is a highest risk score of an input address and an output address for the proposed transaction.
23. (New) The method according to claim 1, wherein the proposed transaction is a blockchain transaction.
24. (New) The system according to claim 9, wherein the processor:
calculates a risk score for the proposed transaction; 
compares the calculated risk score with a threshold score; and
based on the comparison, cancels or allows the proposed transaction.
25. (New) The system according to claim 24, wherein the calculated risk score for the proposed transaction is a highest risk score of an input address and an output address for the proposed transaction.
26. (New) The system according to claim 9, wherein the proposed transaction is a blockchain transaction.
Allowable Subject Matter
5.1.	Claims 1-2, 5-9, 11, 14-16 and 18-20 are allowed.
5.2.	a).	US Patent Application No. 20150381637 to Raff et al. discloses a crowdsourcing log analysis system and methods for protecting computers and networks from malware attacks by analyzing data log information obtained from a plurality of client networks. The client networks are associated with a set of network entities representing a plurality of business units or customers. The system may further comprise a plurality of server machines, each operable to execute a security product associated with a security product vendor and log associated information of at the network entities into at least one log file. The log files may be uploaded onto a breach detection platform for analysis based upon crowdsourcing principles and is operable to generate a risk factor attribute for at least one suspect entity.

b).	US Patent Application No. 20160300227 to Subhedar et al. discloses systems and methods for tracking, predicting, and mitigating Advanced Persistent Threat (APT) attacks in a network that include detecting, from monitoring, events related to one or more subscribed entities, wherein the monitoring includes two or more of analyzing traffic flow, analyzing virtual currency transactions, and monitoring information related to the one or more subscribed entities on the Internet; analyzing the events to determine a likelihood of an attack on a specific subscribed entity of the one or more subscribed entities; and causing mitigation of the attack based on the determined likelihood, wherein the mitigation comprises one or more actions in the network relative to the specific subscribed entity.

c).	US Patent Application No. 20170132635 to Caldera et al. discloses that, in some examples, a computerized sanction screening system may include an automated system for collection of sanction information, and a routine for analyzing additional available data related to sanction information entities. The system may also include an automated analysis summary routine for creating condensed information subsets or graphlets containing relevant information about sanction entities, some of which can be entities themselves, organized in a data retrieval system, such that an automated transaction system can check data from transactions and automatically identify and flag potentially sanctioned transactions. Then upon exceeding a preset contextual limit, a potential blocking warning is issued.

5.3.	The following is an examiner's statement of reasons for allowance: the combination of Subhedar et al., Caldera et al., Caldera et al., whether alone or in combination with the other prior arts of record fail to teach or render obvious "analyzing a plurality of cryptocurrency-based malware or ransomware attacks, wherein analyzing the plurality of cryptocurrency-based malware or ransomware attacks comprises analyzing a screenshot of a ransomware note displayed on an end user device, associated with each of the plurality of cryptocurrency-based malware or ransomware attacks at least by: determining a uniform resource locator (URL) of a decryptor download site of a cryptocurrency-based malware or ransomware attack; determining a cryptocurrency payment address of the cryptocurrency-based malware or ransomware attack; determining a receipt or a decoder link for the cryptocurrency-based malware or ransomware attack; and tracing a ransom payment paid to the cryptocurrency payment address in response to the cryptocurrency-based malware or ransomware attack; building a malware or ransomware attack database with cryptocurrency payment addresses of the plurality of cryptocurrency-based malware or ransomware attacks; applying a clustering process to identify which of the cryptocurrency payment addresses has a plurality of inputs; and identifying a proposed cryptocurrency transaction that includes an address that is included in the malware or ransomware attack database." as recited in claim 1.
Therefore, independent claim 1 is allowable over the prior arts of record. The other independent claims 9 and 15 recite similar subject matter. Consequently, independent claims 1, 9 and 15 are also allowable over the prior arts of record.
Claims 2, 5-8, 11, 14, 16 and 18-20 are directly or indirectly dependent upon claims 1, 9 and 15; therefore, they are also allowable over the prior arts of record.

Conclusion
6.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

HARUNUR RASHID
Primary Examiner
Art Unit 2497