Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1 is rejected under 35 U.S.C. 102 (a)(1) and (a)(2) as being anticipated by Ha et al., (US Patent No. 10,089,461), hereinafter “Ha”.

Regarding claim 1, Ha discloses
a method of detecting computer malware, comprising: 
receiving a binary object for analysis [Ha, column 5, lines 62-67, column 6, lines 1-6]; 
allocating the binary object to a sandbox [Ha, column 5, lines 62-67, column 6, lines 1-6]; 
within the sandbox [Ha, column 4, lines 62-67], loading the binary object into an executable memory region [Ha, column 5, lines 62-67, column 6, lines 1-6]; 
performing a memory dump of the executable memory region [Ha, column 6, lines 7-10, 21-37, memory dump… data accessed by the content specimen, embedded content extracted or downloaded during the execution]; and 
analyzing the memory dump for malware characteristics [Ha, column 6, lines 21-37, Unexpected or anomalous behavior can be used in classifying the specimen as malware].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 are rejected under 35 U.S.C. 103 as being unpatentable over Ha as applied to claim 1 above, and further in view of Chen, (US Publication No. 2019/0042743).

Regarding claim 2, Ha does not disclose, however Chen teaches
wherein analyzing the memory dump comprises artificial intelligence analysis [Chen, paragraph 27, artificial neural network].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use the well-known artificial intelligence neural network to assist in malware detection in order to provide a more efficient and secure system.

Regarding claim 3, Ha-Chen further discloses
wherein the artificial intelligence analysis [Chen, paragraph 27, artificial neural network] comprises computer vision [Ha, column 3, lines 1-2].

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Ha as applied to claim 1 above, and further in view of Varma et al., (US Publication No. 2019/0173946), hereinafter “Varma”.

Regarding claim 4, Ha teaches the memory dump which may be stored within the associated VM disk, but does not disclose, however Varma teaches
converting the memory dump to an image [Varma, paragraph 35, converting data into an image].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to convert data into an image in order to search an image for security reasons.

Claims 5-10, 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ha, and further in view of Chen and Varma.

Regarding claim 5, Ha discloses
a processor [Ha, column 5, lines 1-6]; 
a memory [Ha, column 5, lines 1-6]; and 
instructions encoded within the memory to instruct the processor to: 
receive a malware sample for analysis [Ha, column 5, lines 62-67, column 6, lines 1-6]; 
cause a sandbox to receive the malware sample, unpack the malware sample into a local memory of the sandbox, and dump the malware sample [Ha, column 6, lines 7-10, 21-37, memory dump… data accessed by the content specimen, embedded content extracted or downloaded during the execution];
to visually inspect the image file [Ha, column 6, lines 21-37, Unexpected or anomalous behavior can be used in classifying the specimen as malware].

Ha does not specifically disclose, however Chen teaches
cause a neural network [Chen, paragraph 27, artificial neural network].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use the well-known artificial intelligence neural network to assist in malware detection in order to provide a more efficient and secure system.

Ha-Chen does not specifically disclose, however Varma teaches
dump the malware sample to a binary memory image [Varma, paragraph 35, converting data into an image];
cause the binary memory image to be converted to an image file [Varma, paragraph 35, converting data into an image].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to convert data into an image in order to search an image for security reasons.

Regarding claim 6, Ha-Chen-Varma further discloses
wherein the visual inspection of the image file by the neural network comprises artificial intelligence analysis [Chen, paragraph 27, artificial neural network].

Regarding claim 7, Ha-Chen-Varma further discloses
wherein the artificial intelligence analysis comprises computer vision [Ha, column 3, lines 1-2].

Regarding claim 8, Ha-Chen-Varma further discloses
wherein the image file is an 8-bit grayscale image [Chen, paragraphs 31, 32, 8-bit; greyscale].

Regarding claim 9, Ha-Chen-Varma further discloses
wherein converting the binary memory image to an image file comprises converting the binary memory image to an 8-bit vector format [Chen, paragraphs 31, 32, 8-bit; greyscale; may include converting the binary file to a vector, such as, for example, a vector of 8-bit].

Regarding claim 10, Ha-Chen-Varma further discloses
wherein the sandbox runs a native operating system of the malware sample [Ha, column 4, lines 62-67, column 6, lines 7-39].

Regarding claim 16, Ha-Chen-Varma further discloses
a hardware platform [Ha, column 4, line 62 – column 5, line 6]; 
a guest infrastructure to run on the hardware platform [Ha, column 4, line 62 – column 5, line 6]; 
a first guest to operate on the guest infrastructure and provide a sandbox [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37, memory dump… data accessed by the content specimen, embedded content extracted or downloaded during the execution], the sandbox including instructions to receive an object file, extract the object file into guest memory, [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37, memory dump… data accessed by the content specimen, embedded content extracted or downloaded during the execution] and dump the memory to a binary image [Varma, paragraph 35, converting data into an image]; and 
a second guest to operate on the guest infrastructure and provide an analyzer, the analyzer including instructions to visually analyze [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37, one or more virtual machines; memory dump… data accessed by the content specimen, embedded content extracted or downloaded during the execution] the binary image according to an artificial intelligence subroutine [Chen, paragraph 27, artificial neural network].

Regarding claim 17, Ha-Chen-Varma further discloses
wherein the sandbox is a virtual machine [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37].

Regarding claim 18, Ha-Chen-Varma further discloses
wherein the virtual machine is a Windows virtual machine [Ha, column 7, lines 16-22].

Regarding claim 19, Ha-Chen-Varma further discloses
wherein the guest infrastructure provides containerization [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37].

Regarding claim 20, Ha-Chen-Varma further discloses
wherein the sandbox includes a virtual machine and the analyzer includes a container [Ha, column 4, line 62 – column 5, line 6; column 6, lines 7-10, 21-37].

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Ha-Chen-Varma, and further in view of Burtscher, (US Publication No. 2008/0028388).

Regarding claim 11, Ha-Chen-Varma does not disclose, however Burtscher teaches
wherein unpacking the malware sample into the local memory comprises operating an unpacker [Burtscher, paragraph 16, operating system packer].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use the packer provided by the operating system to maintain security.

Regarding claim 12, Ha-Chen-Varma-Burtscher further discloses
wherein the unpacker is an operating system-native unpacker [Burtscher, paragraph 16, operating system packer].

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Ha-Chen-Varma, and further in view of Adams, (US Publication No. 2010/0077476).


Regarding claim 13, Ha-Chen-Varma does not disclose, however Adams teaches
wherein the malware sample is a Windows portable executable (PE) [Adams, paragraph 17, tests PE for malware].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to test a Windows PE file for malware in order to screen out malware for security purposes.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Ha-Chen-Varma, and further in view of Chiriac, (US Publication No. 2008/0040710).

Regarding claim 14, Ha-Chen-Varma does not disclose, however Chiriac teaches
wherein the malware sample is a Unix or Linux executable and linkable format (ELF) file [Chiriac, paragraph 40, Linux Executable and linking format type].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to test a Linux/Unix file for malware in order to screen out malware for security purposes.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Ha-Chen-Varma, and further in view of Upchurch, (US Publication No. 2017/0300691).

Regarding claim 15, Ha-Chen-Varma does not disclose, however Upchurch teaches
wherein the malware sample is a Macintosh Mach-O file [Upchurch, paragraph 32, Mach-O].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to test a Mach-O file for malware in order to screen out malware for security purposes.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433