DETAILED ACTION
Amendments submitted on July 5, 2022 for Application No. 16/811837 are presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments filed July 5, 2022 have been considered but they are not persuasive. In the remarks applicant argues:
I)	On page 9, Applicant argues that the Double Patenting rejection will be addressed at a later time.
The Examiner agrees that the Double Patenting rejection may be removed later due to claim amendments; however, the Double Patent rejection still stands for now as shown below.

II)	On page 10, Applicant argues that the cited prior art does not teach “wherein the attack correlation information items comprises at least one indication of a predicted malicious content item predicted as previously brought into the system based at least in part on the one or more attack correlation information items”.
The Examiner disagrees and in no way concedes nor subscribes to Applicant’s summarization or distillation of the art of record. It has been held "All of the disclosures in a reference must be evaluated for what they fairly teach one of ordinary skill in the art." In re Lemelson, 397 F.2d 1006, 1009 (CCPA 1968).
Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures. If the hash value matches a hash signature stored in the database, an alert is sent out and the file is quarantined as the file most likely contains some form of malicious code. The attack correlation information item is considered to be whether or not the file hash value matches a known virus signature. If the file hash does match a known virus signature then that file is considered to be the predicted malicious content that was previously brought into the system.
It has been held that a publication is good for all it teaches to persons of ordinary skill in the art. In re Fritch, 972 F.2d 1260, 1264 (Fed. Cir. 1992). A reference is good for all it teaches. In re Meinhardt, 392 F.2d 273, 280 (CCPA 1968). Finally, it is well established that a reference is good for all it fairly teaches a person having ordinary skill in the art, even when the teaching is a cursory mention. E.g., In re Mills, 470 F.2d 649, 651 (CCPA 1972).

III)	On pages 10-11, Applicant further argues that the cited prior art does not teach the dependent claims such as new dependent claims 22-24.
Applicant's arguments are considered moot based on the new grounds of rejection as set forth below.

Claim Objections
Claims 23-24 are objected to because of the following informalities:
Claim 23 recites “the prediction malicious content item”, which should be “the predicted malicious content item”. 
Claim 24 recites “the file has”, which should be “the file hash”. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 8, 15, and 22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

Claims 1, 8, and 15 recite “wherein the attack correlation information items comprises at least one indication of a predicted malicious content item predicted as previously brought into the system based at least in part on the one or more attack correlation information items”; however, it is unclear how the “attack correlation items” can contain an indication based on the “attack correlation items”. This seems circular in that the “attack correlation items” are based on themselves. Therefore, this limitation is considered as being indefinite.
Claim 22 recites “the second phase before the first phase based at least in part on the attack tree mapping”. It is unclear what “the second phase before the first phase” is intended to mean. Does this mean that the second phase is performed prior to the first phase or does this mean something else? For the purpose of examination, the examiner will interpret this to mean that multiple phases are performed.

The examiner has cited particular examples of 35 U.S.C. 112 rejections above. It is respectfully requested that, in preparing responses, the applicant check the claims for further 35 U.S.C. 112 issues in the event that any were inadvertently missed by the examiner, in order to advance prosecution.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-16, 19, and 21-24 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/590793. Although the claims at issue are not identical, they are not patentably distinct from each other because they are both drawn towards comparing a current hash value to a known malicious hash value to determine if something is malicious or not.
This is a provisional nonstatutory double patenting rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-4, 7-11, 14-16, 21, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Fielding (US 2004/0172551) in view of Falk (EP 2963578).

As per claims 1, 8, and 15, Fielding discloses A computer-implemented method for malicious content detection and attack prediction in an industrial control system, comprising: 
receiving a hash query associated with a system from a secure media exchange node, wherein the hash query comprises a file hash generated at the secure media exchange node based at least in part on one or more files received at the secure media exchange node (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches receiving a file system event and initiating a virus check on the file in question by hashing the file and comparing the hash to a database of known virus signatures. As the hash is generated and compared, an instruction/query to perform this action must have been initiated. Also, as this event is associated with the file system of a computer/system, it is considered as being associated with a system.);
querying a cyberattack case studies information database based on the hash query to generate one or more attack correlation information items associated with at least one of the one or more files by comparing the hash query with file hashes stored in the cyberattack case studies information database (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures. If the hash value matches a hash signature stored in the database, the file is quarantined as the file most likely contains some form of malicious code. The attack correlation information item is considered to be whether or not the file hash value matches a known virus signature.); 
generating a file security analysis regarding the one or more files based on the one or more attack correlation information items, wherein the attack correlation information items comprises at least one indication of a predicted malicious content item predicted as previously brought into the system based at least in part on the one or more attack correlation information items (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures. If the hash value matches a hash signature stored in the database, an alert is sent out and the file is quarantined as the file most likely contains some form of malicious code. The alert notifies one or more users that a malicious file has been identified. The attack correlation information item is considered to be whether or not the file hash value matches a known virus signature. If the file hash does match a known virus signature then that file is considered to be the predicted malicious content that was previously brought into the system.); and 
outputting the file security analysis … for authorization of the one or more files (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches that an alert or notification is sent out and the file is quarantined as the file most likely contains some form of malicious code. The alert notifies one or more users that a malicious file has been identified. If the comparison does not result in a match with a known virus signature, the file is allowed to continue processing.)
However, Fielding does not specifically teach outputting the file security analysis to a secure media exchange threat intelligence portal associated with the secure media exchange node.
Falk discloses outputting the file security analysis to a secure media exchange threat intelligence portal associated with the secure media exchange node (Falk, Figure 1 and associated texts such as paragraphs 6, 9, 57-59, 67-68, 72, and 76, teaches performing multiple types of analysis on a file and presenting the results of the analysis to an analyst to allow the analyst to determine if the file is malicious or not, determine the type of malware, and threat level of the malware based on the analysis. Falk, paragraphs 62-65, also teaches sending the file out for external analysis and the results are given to the analyst.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Falk with the teachings of Fielding. Fielding teaches generating a hash value of a file and comparing the hash value to a database of known malicious hash signatures to determine if the file is malicious or not. Falk teaches performing multiple types of analysis on a file and presenting the results to an analyst to allow the analyst to make the determination on whether or not the file is malicious. Therefore, it would have been obvious to have improved upon the teachings of Fielding by adding the teachings of Falk for the purpose of allowing a human to make the decision on whether or not the file is malicious based on various analyses and indicators as this would provide a more accurate analysis.

As per claims 2, 9, and 16, Fielding in view of Falk discloses wherein the cyberattack case studies information database comprises a historical threat intelligence database configured to store at least one or more historically received file hashes representing one or more malicious content items, and wherein querying the cyberattack case studies information database further comprises: querying the historical threat intelligence database with the hash query; and upon determining that the file hash in the hash query matches at least one of the one or more historically received file hashes, generating one or more historical threat indicators representing the one or more malicious content items, wherein the one or more attack correlation information items comprise the one or more historical threat indicators (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures. If the hash value matches a hash signature stored in the database, an alert is sent out and the file is quarantined as the file most likely contains some form of malicious code. The attack correlation information item and historical threat indicators are considered to be whether or not the current file hash value matches a historical known virus signature.)

As per claims 3 and 10, Fielding in view of Falk discloses wherein the one or more malicious content items are each associated with one of the one or more file hashes (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches that the database contains hash signatures of known malicious files.)  

As per claims 4 and 11, Fielding in view of Falk discloses wherein the one or more malicious content items are one or more of: one or more known viruses, one or more malware tools, or one or more software tools historically utilized in connection with a cyberattack (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches that the database contains hash signatures of known malicious files such as viruses.)

As per claims 7, 14, and 21, Fielding in view of Falk discloses outputting a notification associated with the file security analysis to a user device of a user associated with the secure media exchange node (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches that an alert or notification is sent out and the file is quarantined as the file most likely contains some form of malicious code. The alert notifies one or more users that a malicious file has been identified.)

As per claim 23, Fielding in view of Falk discloses The computer-implemented method according to claim 1, wherein the prediction malicious content item comprises a non-malicious content item determined to be associated with at least one malicious content item based at least in part on historical file hashes (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures to determine if the file is malicious or not. Falk, paragraph 6, teaches analyzing a suspected malicious file. Falk, paragraph 9, also teaches that related malware data files are associated with each other. Falk, paragraph 57, teaches providing to the analyst previous information about the suspected file (i.e. historical data), which can include hash values as shown in Figure 1 and paragraphs 57-59. Falk, paragraphs 72 and 76, teaches that the analyst can review all of the information and determine that the file is malicious or is not malicious i.e. the file is suspected as being malicious but can later be found to be non-malicious by the analyst.)

Claims 5-6, 12-13, 19, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Fielding in view of Falk and further in view of NPL “Attack Detection Application with Attack Tree for Mobile System using Log Analysis” hereinafter referred to as Kim.

As per claims 5, 12, and 19, Fielding in view of Falk discloses wherein the cyberattack case studies information database comprises a cyberattack correlation and prediction database configured to store one or more hashes associated with one or more malicious content items, and wherein querying the cyberattack case studies information database further comprises: querying the cyberattack correlation and prediction database with the hash query; receiving one or more predictive indicators, wherein each of the one or more predictive indicators are … associated with the hash file; and generating the file security analysis based at least on the one or more predictive indicators (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches hashing the file and comparing the hash to a database of known virus signatures to determine if the file is malicious or not. Falk, Figures 1 and 2C and associated texts such as paragraphs 6, 9, 57-59, 62-65, 67-68, 70, 72, and 76, teaches performing multiple types of analysis on a file and presenting the results of the analysis to an analyst to allow the analyst to determine if the file is malicious or not, determine the type of malware, and threat level of the malware based on the analysis. This includes various indicators such as file size, fuzzy hash value, related data files, results of external analysis, etc… Falk, Figure 2H and paragraph 73, also teaches displaying a chart/tree to the analyst.)
However, Fielding in view of Falk does not specifically teach “an attack tree mapping”.
Kim discloses wherein each of the one or more predictive indicators are based on an attack tree mapping associated with the hash file (Kim, abstract and Sections 2-3, teaches creating an attack tree that is used to detect an attack, predict the type of attack, and stop the attack.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Fielding in view of Falk. Fielding in view of Falk teaches performing multiple analyses on a file, such as generating a hash value of a file and comparing the hash value to a database of known malicious hash signatures, to determine if the file is malicious or not. Kim also teaches performing multiple types of analysis to detect an attack, but Kim specifically uses an attack tree to perform the detection. Therefore, it would have been obvious to have used the attack tree of Kim as one of the multiple types of file analysis for attack detection as this would have been a simple substitution of one known form of attack detection for another to yield the predictable results of detecting an attack.

As per claims 6 and 13, Fielding in view of Falk and Kim discloses wherein the one or more predictive indicators include one or more of: an indication of one or more attack phases, and an indication of one or more additional file hashes associated with the file hash (Falk, Figure 2C and paragraph 70, teaches displaying other related data files to the analyst. Kim, abstract and Sections 2-3, teaches creating an attack tree that is used to detect an attack, predict the type of attack, and stop the attack. Kim also detects the phase/progress of the attack as shown in Figures 7-8.)

As per claim 22, Fielding in view of Falk discloses The computer-implemented method according to claim 1, the computer-implemented method further comprising: identifying a first phase associated with the one or more attack correlation information items … associated with the hash file; and predicting the at least one indication of the predicted malicious content item associated with a second phase, the second phase before the first phase … (Fielding, Figures 1 and 3-4 and associated texts such as paragraphs 9-13, 39, 43-44, 46-47, and 53, teaches performing multiple steps/phases to determine if a file is malicious or not. Fielding teaches hashing the file, which could be considered as one phase, and comparing the hash to a database of known virus signatures to detect a malicious file, which could be considered as another phase. If the hash value matches a hash signature stored in the database, an alert is sent out and the file is quarantined as the file most likely contains some form of malicious code. The alert notifies one or more users that a malicious file has been identified. The attack correlation information item is considered to be whether or not the file hash value matches a known virus signature. If the file hash does match a known virus signature then that file is considered to be the predicted malicious content that was previously brought into the system.)  
However, Fielding in view of Falk does not specifically teach “an attack tree mapping”.
Kim discloses based on an attack tree mapping associated with the hash file (Kim, abstract and Sections 2-3, teaches creating an attack tree that is used to detect an attack, predict the type of attack, and stop the attack. Kim also detects the phase/progress of the attack as shown in Figures 7-9.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Fielding in view of Falk. Fielding in view of Falk teaches performing multiple analyses on a file, such as generating a hash value of a file and comparing the hash value to a database of known malicious hash signatures, to determine if the file is malicious or not. Kim also teaches performing multiple types of analysis to detect an attack, but Kim specifically uses an attack tree to perform the detection. Therefore, it would have been obvious to have used the attack tree of Kim as one of the multiple types of file analysis for attack detection as this would have been a simple substitution of one known form of attack detection for another to yield the predictable results of detecting an attack.
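The claimed pipeline discussed for claims 1, 8, and 15 above (hash query from the media exchange node, lookup against the case studies database, attack correlation items, file security analysis) and the attack-tree phase prediction discussed for claims 5 and 22 can be illustrated with the following added example. It is constructed for this discussion and is not code from the application, Fielding, Falk, or Kim; the file contents, database records, and attack tree edges are all hypothetical.

```python
from __future__ import annotations
import hashlib

# Constructed sample files as they might arrive at a secure media exchange node.
SAMPLE_FILES = {
    "update.exe": b"constructed dropper payload v1",
    "readme.txt": b"just a benign text file",
    "ctl.dll": b"constructed stage-2 controller module",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "cyberattack case studies information database": historically
# received file hashes mapped to the malicious content item and the attack
# phase in which that item was observed.
CASE_STUDIES_DB = {
    sha256_hex(b"constructed dropper payload v1"): {"item": "dropper-A", "phase": "delivery"},
    sha256_hex(b"constructed stage-2 controller module"): {"item": "controller-A", "phase": "execution"},
}

# Constructed attack tree mapping: each later-phase item points to the
# earlier-phase item that historically preceded it (its parent in the tree).
ATTACK_TREE = {
    "controller-A": ("dropper-A", "delivery"),
}


def build_hash_query(files: dict[str, bytes]) -> dict[str, str]:
    """Hash query as the secure media exchange node would send it: name -> file hash."""
    return {name: sha256_hex(content) for name, content in files.items()}


def query_case_studies(hash_query: dict[str, str], db: dict) -> list[dict]:
    """Compare each queried hash with the stored hashes; one correlation item per file."""
    items = []
    for name, digest in hash_query.items():
        record = db.get(digest)
        items.append({
            "file": name,
            "hash": digest,
            "matched": record is not None,
            "item": record["item"] if record else None,
            "phase": record["phase"] if record else None,
        })
    return items


def predict_prior_phase(items: list[dict], attack_tree: dict) -> list[dict]:
    """Walk the attack tree from each matched item toward earlier phases and
    predict content that was likely brought into the system before it."""
    seen_items = {i["item"] for i in items if i["matched"]}
    predictions = []
    for item in items:
        if not item["matched"]:
            continue
        current = item["item"]
        while current in attack_tree:  # follow parents until the tree root
            parent, parent_phase = attack_tree[current]
            predictions.append({
                "predicted_item": parent,
                "phase": parent_phase,
                "observed_in_query": parent in seen_items,
                "derived_from": item["item"],
            })
            current = parent
    return predictions


def file_security_analysis(files: dict[str, bytes], db=CASE_STUDIES_DB, attack_tree=ATTACK_TREE) -> dict:
    """Full pass: hash query -> correlation items -> phase prediction -> authorization."""
    items = query_case_studies(build_hash_query(files), db)
    predictions = predict_prior_phase(items, attack_tree)
    quarantine = sorted(i["file"] for i in items if i["matched"])
    return {
        "correlation_items": items,
        "predicted_prior_items": predictions,
        "quarantine": quarantine,
        "authorized": sorted(i["file"] for i in items if not i["matched"]),
        "alert": bool(quarantine),
    }


def hunt_list(analysis: dict) -> list[str]:
    """Predicted earlier-phase items absent from the query: the indication of
    malicious content predicted as previously brought into the system."""
    return sorted({p["predicted_item"] for p in analysis["predicted_prior_items"]
                   if not p["observed_in_query"]})
```

When only the stage-2 module is present in the query, the prediction step still names the earlier-phase dropper, which is the list a responder would search the system for.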

Allowable Subject Matter
Claim 24 is objected to as being allowable, but would be allowable if the Double Patenting and 35 USC 112 Rejections are overcome. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “generating an attack tree based at least in part on a combination of a first hash for a first file and a second hash for a second file based on a determination that the first hash and the second hash historically were received in the same hash query, wherein the querying the cyberattack case studies information database further comprises receiving at least one predictive indicator based at least in part on the attack tree, and wherein the file security analysis comprises data representing that the file has indicates the one or more files comprises the first file and the second file". The closest prior art of record includes:
Fielding (US 2004/0172551) – teaches hashing a file and comparing the file hash to a database of known virus signatures to determine if the file is malicious or not.
Falk (EP 2963578) – teaches analyzing a file and sending the file analysis to an analyst to allow the analyst to determine if the file is malicious or not.
Kim (NPL “Attack Detection Application with Attack Tree for Mobile System using Log Analysis”) – teaches using an attack tree to detect an attack.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.

Related Prior Art
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure includes:
EP 2819053 – teaches generating a hash of a file and comparing the hash value to a database of known good files in order to detect unauthorized/unwanted changes to the files.
Joram (US 2016/0323295) – teaches comparing a hash of a file to hashes of known malicious files.
De Jesus (US 2020/0344248) – teaches using an attack tree.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw, can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/John B King/
Primary Examiner, Art Unit 2498