Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 1-20 are pending.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statements submitted by applicant on 08-26-2022, 05-20-2022, 09-16-2021 and 06-10-2021 have been considered. Please see attached PTO-1449.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 16 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
The claim is directed to a system, but improperly depends on method claim 5.
For the purpose of examination, the examiner considers the claim to be dependent on system claim 15.
Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1, 8, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sun et al. (US Publication No. 2012/0260343) in view of Fang et al. (US Patent No. 11,003,773).
	As per claims 1, 8 and 15, Sun discloses a method for characterizing the spread of malware, the method comprising: receiving a set of computer data that includes instructions executable by a processor (paragraph [0049], [0072] “runtime behavior analyzer 201B monitors the environment (e.g., controlled environment) in which unknown files run and logs the behavior of the unknown files in execution”); classifying the instructions included in the set of computer data as a new set of malware program code based on an identification that one or more actions performed by the execution of the instructions by the processor are malicious (paragraph [0060], [0073], “incoming unknown files are classified…an incoming unknown file classifier …can be used to identify an incoming files as having a particular malware classification”); generating [data] a malware signature associated with [the set of requirements] the classification (paragraph [0074], “a malware signature is generated based on the classification”); and sending the generated [data] signature to one or more assets such that the one or more assets can detect the new set of malware program code (paragraph [0077], “transmitting the malware signature to a client system”).
	Sun does not explicitly disclose, but in an analogous art, Fang discloses, identifying a set of requirements for detecting the new set of malware program code (column 9, lines 52-55, based on receipt of the events 152 included in the Event report 150 the rule generation system 120 generates one or more malware detection rule recommendations; column 10, lines 46-48, provisional malware detection rules are generated from the malware detection rule recommendation), the identification of the set of requirements based on the one or more actions performed by the execution of the malicious instructions (column 9, lines 34-37, 52-56, “the rule generation system 120 further receives an event summary 150, namely a plurality of events being monitored and detected during processing of a particular object…based on the receipt of the events 152 included in the Event report …the rule generation system 120 generates one or more malware detection recommendations”); generating data associated with the set of requirements; and sending the generated data to one or more assets such that the one or more assets can detect the new set of malware program code (column 10, lines 46-55, “provisional malware detection rules 190 are generated from the finalized rule recommendation. [t]he analytic system 170 transmits the provisional malware detection rules 190 via network 195 to one or more of the cybersecurity systems”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sun to include identifying a set of requirements for detecting the new set of malware program code, the identification of the set of requirements based on the one or more actions performed by the execution of the malicious instructions; generating data associated with the set of requirements; and sending the generated data to one or more assets such that the one or more assets can detect the new set of malware program code, as disclosed by Fang. This would have been obvious because one of ordinary skill in the art would have been motivated to automatically generate malware detection rule recommendations based on monitored events.
	As per claim 16, Sun furthermore discloses at least one asset of the one or more assets (paragraph [0022], client computer comprising one or more computer programs, anti-virus computer program).
	

	Claims 2, 9, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sun, in view of Fang, further in view of Stiekes et al. (US Publication No. 2016/0308905).
	As per claims 2, 9 and 17, Sun further discloses generating a signature that can be used to identify the set of malware program code (paragraph [0074], “a malware signature is generated based on the classification”); and identifying the one or more assets that protect computer data by matching signature, wherein the generated signature is the data sent to the one or more assets (paragraph [0077], “transmitting the malware signature to a client system”).
	Sun in view of Fang does not explicitly disclose, but in an analogous art Stiekes discloses, identifying an asset of the one or more assets (paragraph [0046], “identify a security device, such as security device 438, having a security engine based on the suspicion level of traffic”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sun and Fang with Stiekes. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to implement a particular security device in filtering network traffic based on a specific security protocol.
	As per claim 19, Sun furthermore discloses, wherein the analysis computer: generates a signature from the received set of computer data when the one or more requirements identify that the new set of malware program code can be identified using a signature analysis (paragraphs [0072], [0074], [0075], incoming unknown files are analyzed based on behavior and content and classified, malware signatures are generated based on the classification of the unknown file in accordance with predefined signature generation rules); and compares the generated signature to a set of signatures known to identify the previously characterized sets of malware program code, the comparison identifying that the generated signature identifies the new set of malware program code (paragraph [0058], “strings can be collected and associated with respective malware families in string database 201D”; paragraph [0067], “string based malware signature validation techniques can involve examining a prospective signature for special strings that are prevalent in certain malware families…such strings can be predefined in rules for malware signature validation…a validation decision can be based on a comparison between a generated malware signature and entries in string database 201D”).

	Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Sun, in view of Fang, in view of Stiekes, further in view of Gluck et al. (US Patent No. 5,948,104).
	As per claims 4 and 11, Sun in view of Fang and Stiekes discloses all limitations of the claims as applied to claims 2 and 9 above. Sun in view of Fang and Stiekes does not explicitly disclose comparing the generated signature to signatures included in a set of malware program code signatures; and identifying that the generated signature does not match any signature in the set of malware program code signatures based on the comparison. However, comparing the generated signature to signatures included in a set of malware program code signatures; and identifying that the generated signature does not match any signature in the set of malware program code signatures based on the comparison is old and well known in the art as illustrated by Gluck (column 8, lines 28-31, “the processor determines that at least one of the virus signature updated files is not found in the virus signature file”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sun, Fang and Stiekes to include the well-known feature of comparing the generated signature to the signature and identifying that the signatures do not match, in order to achieve the predictable result of updating the signature file when the generated signature and the virus signature file mismatch.
	
	Claims 3, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sun, in view of Fang, in view of Desai et al. (US Publication No. 2018/0139235), further in view of Stiekes.
	As per claims 3, 10 and 18, Sun further discloses identifying a malicious action performed by the execution of the instructions included in the received set of computer data (paragraph [0049], behavior analyzer monitors the environment in which unknown files run and logs the behavior of the unknown files in execution. The logged behavior includes behavior associated with malicious files such as modification to memory, disk and registry resources, API called), identifying one or more assets that protect computer data by executing instructions from a set of instrumentation program code (paragraph [0077], “transmitting the malware signature to a client system”).
	Sun in view of Fang does not explicitly disclose identifying an asset of the one or more assets, wherein the data sent to the one or more assets identifies the malicious action and updates the instrumentation program code at the one or more assets. 
	However, in an analogous art, Desai discloses wherein the data sent to the one or more assets identifies the malicious action and updates the instrumentation program code at the one or more assets (paragraph [0040], authority mode manager automatically transmits the updated threat data and detection processing filter to other processing node 110. Threat data and the detection processing filter for new threats as the new threats are encountered is automatically distributed to processing node 110).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sun and Fang with Desai. This would have been obvious because one of ordinary skill in the art would have been motivated to protect the network devices from attacks by identifying new malware and malicious activities.
	Sun in view of Fang and Desai does not explicitly disclose, but in an analogous art, Stiekes discloses, identifying an asset of the one or more assets (paragraph [0046], “identify a security device, such as security device 438, having a security engine based on the suspicion level of traffic”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sun, Fang and Desai with Stiekes. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to implement a particular security device in filtering network traffic based on a specific security protocol.

	Claims 5, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sun, in view of Fang, further in view of Orhan (US Patent No. 10,607,011).
	As per claims 5, 12 and 20, Sun in view of Fang discloses identifying a malicious action performed by execution of the instructions included in the received set of computer data (Fang, column 3, lines 4-14). Sun in view of Fang does not explicitly disclose, but in an analogous art, Orhan discloses, comparing the action performed by the execution of the instructions with a set of actions performed by previously characterized sets of malware program code, the comparison identifying that the identified malicious action is a new malicious action (column 3, lines 1-16, “a zero-day malware (new malicious) which is generated as a variant of a malware family could be detected by only comparing its behaviors to the family’s behaviors”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sun and Fang with Orhan. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to identify and detect zero-day malware applications based on their behaviors.

	Claims 6, 7, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sun, in view of Fang, further in view of Bogorad et al. (US Patent No. 8,875,292).
	As per claims 6 and 13, Sun in view of Fang discloses all limitations of the claims as applied to claims 1 and 8 above. Sun in view of Fang does not explicitly disclose, but in an analogous art, Bogorad discloses, wherein the data sent to the one or more assets includes a first set of data that is sent to a first set of assets (column 8, lines 16-18, “provisioning module 104 may provide set of active malware signature 123 to a first set of clients”) based on the first set of data including a signature that identifies the new set of malware program code (column 7, lines 25-27, active malware signature refers to malware signature associated with an active malware threat) and based on the first set of assets performing signature analysis on received sets of computer data (column 4, lines 56-59, clients use the malware signature for scanning for malware).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sun and Fang with Bogorad. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to provide a more efficient and effective mechanism for managing malware databases.
	As per claims 7 and 14, Bogorad furthermore discloses, wherein a second set of data is sent to a second set of assets of the one or more assets (column 8, lines 16-19, “provisioning module 104 may provide…set of dormant malware signature 124 to a second set of clients”) based on the second set of data identifying a malicious action performed by the execution of the instructions included in the received set of program code (column 7, lines 25-27, active malware signature refers to malware signature associated with an active malware threat) and based on the second set of assets executing the set of instrumentation program code (column 4, lines 56-59, clients use the malware signature for scanning for malware). The motivation is similar to the motivation provided in claim 6.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Abbasi et al. (US Publication No. 2017/0083703) discloses a malware classification scheme operating with an electronic device, configured with one or more hardware processors and a memory that stores the software handling the malware classification scheme that is conducted through analysis of behavior-based rules.
	Thakar et al. (US Patent No. 10,104,101) discloses that a scanner server is used to scan an endpoint device for malware. Various attributes and behaviors of the endpoint device are identified in retrieved scan data and evaluated according to a malware detection framework. In this manner, potential security risks associated with the malware may be identified.
Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/Primary Examiner, Art Unit 2437