Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3, 5 – 11, 15, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Avasarala et al. (Ava’), US 2014/0090061 A1 in view of Sayfullina et al. (Say’), “Efficient detection of zero-day Android Malware using Normalized Bernoulli Naïve Bayes”.

Regarding claim 1, Say’ discloses:
A computing device comprising: a memory configured to store instructions; and a processor configured to execute the instructions from the memory (e.g. Ava’, Claim 24) to perform operations comprising: 
determining a first file type of a first file … (e.g. Ava’, par. 37 – herein the system determines a type of file).
Ava’ discloses a malware classification system for analyzing a plurality of files to identify features or attributes which may indicate that the files are malware or benign (e.g. Avasarala, Abstract).  However, Avasarala fails to disclose identifying attributes from a plurality of files included within an application file package comprising two or more different file types.  
Say’ also discloses a malware classification system for analyzing a plurality of files to identify features or attributes which may indicate that the files are malware or benign (e.g. Say’, Abstract).  Furthermore, Say’ discloses identifying attributes from a plurality of files included within an application file package comprising two or more different file types (e.g. Say’, Abstract; sect. II, par. 1).  
It would have been obvious to one of ordinary skill in the art to include the malware classification and attribute identification teachings of Say’ within the malware classification system of Ava’.  This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that there is a need for an automated classification of applications from application platforms, such as Android (e.g. Say’, Abstract; sect. 1, par. 1; sect. II, par. 1).
Thus, the combination enables:
… of a file package, the file package including multiple files of two or more different file types (e.g. Say’, Abstract; sect. 1, par. 1; sect. II, par. 1);
generating, based on the first file type of the first file, a first feature vector based on features extracted from the first file (e.g. Ava’, fig. 4B:”naïve n-gram-specific FV”; par. 39, 53); 
and generating classification data associated with the file package, the classification data indicating whether the file package includes malware, wherein the classification data is generated based on the first feature vector (e.g. Ava’, fig. 4B:427; Say’, Abstract).

Regarding claim 2, the combination enables:
determining a second file type of a second file of the file package, the second file type distinct from the first file type (e.g. Ava’, par. 37; Say’, sect. II, par. 1 – herein the system determines a ‘first’, ‘second’, ‘third’, etc. type of file within the package); 
and generating, based on the second file type of the second file, a second feature vector based on features extracted from the second file, wherein the features extracted from the second file are distinct from the features extracted from the first file (e.g. Ava’, fig. 4B:”naïve n-gram-specific FV”; par. 39, 53; e.g. Say’, table 1); wherein the classification data associated with the file package is generated further based on the second feature vector (e.g. Ava’, fig. 4B:427; Say’, Abstract).

Regarding claim 3, the combination enables:
wherein the first file type is an executable file type and the second file type is a non-executable file type (e.g. Ava’, par. 37; Say’, sect. II, par. 1).

Regarding claim 5, the combination enables:
wherein the second feature vector is based on occurrences of attributes in the second file (e.g. Ava’, par. 50, 57; Say’, sect. III – i.e. binary and/or numerical existence of features, i.e. “attributes”).

Regarding claim 6, Ava’ does not appear to explicitly disclose, however, Say’ does disclose, that the plurality of files may indicate “system permissions” (e.g. Say’, table 1).  It would have been obvious to one of ordinary skill in the art to include the permission teachings of Say’ within the malware classification system of Ava’.  This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that there is a need for an automated classification of applications from application platforms, such as Android (e.g. Say’, Abstract; sect. 1, par. 1; sect. II, par. 1).
Thus, the combination enables:
wherein the attributes include requests for system permissions indicated by the second file (e.g. Say’, table 1).

Regarding claim 7, the combination enables:
wherein the second feature vector includes a Boolean vector indicating whether each system permission of a particular group of system permissions is requested by the second file (e.g. Say’, table 1; sect. III, par. 3 – e.g. binary, i.e. “Boolean”, features).

Regarding claim 8, the combination enables:
wherein the attributes include references to application programming interface (API) classes associated with an operating system executed by the processor, the references to the API classes indicated by the second file (e.g. Ava’, par. 50; Say’, sect. V, par. 4).

Regarding claim 9, the combination enables:
wherein the second feature vector indicates that particular information is present in the second file (e.g. Ava’, par. 50, 57; Say’, sect. III).

Regarding claim 10, the combination enables:
wherein the operations further comprise initiating performance of one or more malware protection operations based on the classification data indicating that the file package includes malware (e.g. Ava’, Abstract; fig. 3:327).

Regarding claim 11, the combination enables:
wherein the file package corresponds to an application file package of a mobile device application (e.g. Say’, abstract).

Regarding claims 15, 16, 19, and 20, they are method and medium claims essentially corresponding to the above, and they are rejected, at least, for the same reasons.

Claims 4, 14, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Avasarala et al. (Ava’), US 2014/0090061 A1 in view of Sayfullina et al. (Say’), “Efficient detection of zero-day Android Malware using Normalized Bernoulli Naïve Bayes” in view of Kolter, “Learning to Detect and Classify Malicious Executables in the Wild”.

Regarding claims 4 and 14, Ava’ discloses a malware classification system for analyzing a plurality of files to identify features or attributes represented as n-grams (e.g. Ava’, Abstract, par. 40).  However, Ava’ fails to disclose processing the files to generate “printable” characters. 
Kolter also discloses a malware classification system for analyzing a plurality of files to identify features or attributes represented as n-grams (e.g. Kolter, Abstract).  Furthermore, Kolter discloses processing the files to generate “printable” characters (e.g. Kolter, pg. 2724, par. 2-4; pg. 2726, par. 4).
It would have been obvious to one of ordinary skill in the art to include the printable character teachings of Kolter within the malware classification system of the prior art.  This would have been obvious because one of ordinary skill in the art would have been motivated by the prior art’s reference to the teachings of Kolter (e.g. Avasarala, par. 40).
Thus, the combination enables:
wherein the first feature vector is generated based on: zero-skip n-gram data indicating occurrences of adjacent characters in printable characters representing the first file; skip n-gram data indicating occurrences of non-adjacent characters in the printable characters representing the first file; and n-gram data indicating occurrences of groups of entropy indicators in a first set of entropy indicators derived from first file entropy data for the first file, each entropy indicator of the first set of entropy indicators having a value representing entropy of a corresponding chunk of the first file (e.g. Kolter, pg. 2724, par. 2-4; pg. 2726, par. 4).

Regarding claim 17, the combination enables:
processing the first subset of files to generate printable characters representing the first subset of files; and processing the printable characters to generate zero-skip n-gram data and skip n-gram data (e.g. Kolter, pg. 2724, par. 2-4; pg. 2726, par. 4). 

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Avasarala et al. (Ava’), US 2014/0090061 A1 in view of Sayfullina et al. (Say’), “Efficient detection of zero-day Android Malware using Normalized Bernoulli Naïve Bayes” in view of Kolter, “Learning to Detect and Classify Malicious Executables in the Wild” in view of Bhatkar et al. (Bhatkar), US 10,007,786 B1.

Regarding claim 18, the combination discloses creating feature vectors using n-grams (e.g. Avasarala, par. 40).  However, the combination does not appear to explicitly disclose applying a hash function to the n-grams.
However, Bhatkar also discloses creating feature vectors using n-grams (e.g. Bhatkar, fig. 3:306).  Furthermore, Bhatkar discloses applying a hash function to the n-grams (e.g. Bhatkar, fig. 7:710).
It would have been obvious to one of ordinary skill in the art to apply the teachings of Bhatkar because one of ordinary skill in the art would have been motivated by the teaching that a hash function will map n-grams to a reduced space and therefore provide advantages in efficiency (e.g. Bhatkar, 4:1-12; 11:13-28).
Thus, the combination enables: 
applying a hash function to the character n-grams to generate a reduced character n-gram representation (e.g. Bhatkar, 4:1-12; 11:13-28), and wherein the first feature vector includes a Boolean vector indicating the occurrences of character n-grams in the reduced character n-gram representation (e.g. Bhatkar, 11:31-43; Avasarala, par. 50). 
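As an added illustration of the feature construction recited in claims 4, 14, 17, and 18 above (printable characters, zero-skip and skip n-grams, entropy indicators per chunk, and a hash function mapping the n-grams into a Boolean vector), the following Python sketch is not part of this Office action and is not taken from Avasarala, Sayfullina, Kolter, or Bhatkar; the chunk size, bin count, vector size, CRC32 bucket hash, and sample bytes are constructed assumptions.

```python
"""Sketch: file bytes -> printable characters -> zero-skip / skip n-grams,
chunk entropy -> entropy-indicator n-grams, then every n-gram hashed into a
fixed-size Boolean vector. Illustration only; parameters are constructed."""
import math
import string
import zlib

# Printable ASCII, keeping space but dropping other whitespace (assumption).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def printable_chars(data: bytes) -> str:
    """Keep only the printable ASCII bytes of the file, in order."""
    return "".join(chr(b) for b in data if chr(b) in PRINTABLE)

def zero_skip_ngrams(text: str, n: int = 2) -> set:
    """Adjacent-character n-grams (zero characters skipped)."""
    return {text[i:i + n] for i in range(len(text) - n + 1)}

def skip_ngrams(text: str, skip: int = 1) -> set:
    """Pairs of non-adjacent characters separated by `skip` characters."""
    return {text[i] + text[i + skip + 1] for i in range(len(text) - skip - 1)}

def chunk_entropy(data: bytes, chunk: int = 4) -> list:
    """Shannon entropy (bits per byte) of each fixed-size chunk of the file."""
    out = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        probs = [piece.count(b) / len(piece) for b in set(piece)]
        out.append(-sum(p * math.log2(p) for p in probs))
    return out

def entropy_indicators(entropies: list, bins: int = 4, max_bits: float = 8.0) -> list:
    """Quantise each chunk entropy into one of `bins` indicator labels."""
    return [min(bins - 1, int(e / max_bits * bins)) for e in entropies]

def entropy_ngrams(indicators: list, n: int = 2) -> set:
    """Groups of consecutive entropy indicators."""
    return {tuple(indicators[i:i + n]) for i in range(len(indicators) - n + 1)}

def hashed_boolean_vector(grams: set, size: int = 64) -> list:
    """Hash each n-gram to a bucket and mark that bucket True (hashing trick)."""
    vec = [False] * size
    for g in grams:
        vec[zlib.crc32(repr(g).encode()) % size] = True
    return vec

def feature_vector(data: bytes, size: int = 64) -> list:
    """Combine the three n-gram families, tagged so they cannot collide by name."""
    text = printable_chars(data)
    grams = {("z", g) for g in zero_skip_ngrams(text)}
    grams |= {("s", g) for g in skip_ngrams(text)}
    grams |= {("e", g) for g in entropy_ngrams(entropy_indicators(chunk_entropy(data)))}
    return hashed_boolean_vector(grams, size)

SAMPLE = b"\x00\x00\x00\x00MZ\x90\x00abcd\x01\x02\x03\x04"  # constructed bytes, not a real file
```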

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFERY L WILLIAMS/          Primary Examiner, Art Unit 2495