DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 8/11/2022 has been entered. Claims 1-17 are currently amended. Claim 18 is currently cancelled. Claims 1-17 are pending in the application.
The objection to claims 1-2, 6, 8-10, 14, 16-18 due to informalities has been withdrawn in light of applicant’s amendment to and cancellation of the claims. See the updated Claim Objections below regarding new concerns.
The rejection of claims 1, 3-4, 7, 9, 11-13, 15 under 35 USC 112(b) due to insufficient antecedent basis has been withdrawn in light of applicant’s amendment to the claims. 
The rejection of claims 9-17 under 35 USC § 101, because the claimed invention is directed to non-statutory subject matter, has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments, see pg. 8-11 of the Remarks filed 8/11/2022, regarding the claim rejections over the prior art have been fully considered but are not persuasive for the following reasons.
Regarding the rejection of independent claims 1, 9 and 17, applicant argued that Liu in combination with Wright fails to teach or suggest loading an (external) code module and the limitation(s) reciting “determining that said new process requires external code modules” and “observing the times at which one or more of the external code modules required by the new process are loaded relative to the new process starting time” as recited in claim 1 and similarly in claims 9 and 17. See pages 8-9 of the Remarks. The examiner acknowledges applicant’s perspective but respectfully disagrees.
First, claims are interpreted under their broadest reasonable interpretation in light of applicant’s specification, without importing limitations from the specification (see MPEP 2111.01 I, II). In this case, an external code module can be a software program outside of a sandbox environment as taught by Liu (see e.g. para [37]). Calling an interface from the sandbox for the software program can then be interpreted as loading an external code module. Further, regarding the delay duration related to the process starting time, examiner asserts applicant’s argument is not persuasive. As suggested by Liu in para. [6], Liu’s solution is to detect to-be-detected malicious software that is intended to delay the malicious process to evade detection. Liu’s method uses the delay length parameter of the called interface to compare the to-be-detected software (in the sandbox) with reference malicious behavior, thereby detecting the malicious software.
Applicant’s further argument regarding reference Wright is not persuasive. Even though Liu does not specifically teach taking further action in response to a detected process being anomalous, it is well known and obvious to one of ordinary skill in the art that a further action may be taken after the malicious software is detected by Liu; in this case, Wright’s teachings accomplish what Liu does not expressly teach, i.e. taking further action. Therefore, examiner asserts applicant’s argument regarding Wright (see page 9 of the Remarks) is not convincing.
Applicant’s further arguments regarding the dependent claims are also not persuasive since the arguments appear to be based on the assumption that the independent claims are patentable.
Applicant is encouraged to recite innovative features into independent claims to advance the case. 
Claim Objections
Claims 1, 9, 17 are objected to because of the following informalities:  
Claim 1 line 5, “… are loaded relative to the new process starting time” is suggested to read “… are loaded relative to a start of the new process” or more appropriate form.
Similarly, for claim 9 line 9; claim 17 line 8.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 9-10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Liu (US20170220797A1-IDS by applicant, hereinafter, “Liu”), in view of Wright (US20110023115A1, hereinafter, “Wright”).
Regarding claim 1, Liu teaches:
A method of threat detection (Liu, discloses a malware detection method and apparatus, see [Abstract]), the method comprising: 
detecting a new process that starts at a network node of a computer network (Liu, referring to Fig. 1 step 100, and [0009] running to-be-detected software in a sandbox. And [0011] …obtaining usage of a central processing unit of a device (a network node) on which the sandbox is located. Examiner notes, “to-be-detected software” is the new process to be run in the sandbox; in other words, the new process is to run the to-be-detected software in the sandbox of the device); 
determining that said new process requires external code modules (Liu, [0009] when it is detected that any one of the interface is called, also see Fig. 1A step 110, [0033] detect whether at least one interface (i.e. external code modules) that has a delay attribute in the sandbox is called. And [0037] The interface … is a programmable interface that is provided by an operating system for a third-party application software developer… Examiner notes, calling an interface is interpreted as requiring external code modules since the claim does not limit what external code modules are); 
observing the times at which one or more of the external code modules required by the new process are loaded relative to the new process starting time (Liu, [0034] Step 120: When it is detected that any one of the interface is called, determine whether delay duration corresponding to a first delay length parameter of the called interface is greater than the preset duration); 
determining that usage of an external code module required by the new process is anomalous when the time elapsed between the start of the new process and the loading of said external code module lies outside predetermined expected boundaries (Liu, referring to Fig. 1A, steps 120-140, [0034] determine whether delay duration corresponding to a first delay length parameter of the called interface is greater than the preset duration (i.e. outside predetermined expected boundaries), and [0036] Step 140: Compare the at least one recorded operation with an operation of a malicious behavior, and determine, based on a comparison result that an operation that matches the operation of the malicious behavior exists in the at least one recorded operation, that the to-be-detected software is malware); 
While Liu does not expressly teach taking further action after determining that a process is anomalous, in the same field of endeavor Wright teaches:
and taking further action to protect the network node and/or the computer network based on the determining that the usage of the external code module required by the detected new process is anomalous (Wright, discloses threat detection using a behavioral-based host-intrusion prevention method by monitoring user interaction with a computer, see [Abstract]. And referring to Fig. 3 step 310, and [0074] At step 310, an action is caused based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype, and [0075] and performing an action to protect the computer network based at least in part on the user interaction. Such protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior and monitoring a computer code process executing during the usage session for an indication of a code operation).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wright in the malware detection method of Liu by taking preventive action after determining that the executing computer process is a type of malicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform further preventive action to protect the computer network after determining that the user interaction with the computer is a type of malicious act (Wright, [Abstract]). 

Regarding claim 9, claim 9 recites A computer apparatus (Liu, discloses a malware detection method and apparatus, see [Abstract]) comprising: a memory comprising computer-executable instructions; and one or more processors (Liu, Fig. 4, The malware detection apparatus 3000 includes at least one processor 401, Memory 403) configured to execute the computer-executable instructions and cause the computer system to perform a method of threat detection that causes the computer system to: perform method steps substantially similar to the method steps of claim 1, and is therefore rejected with the same rationale set forth for the rejection of claim 1 above.

Regarding claim 17, claim 17 recites A non-transitory computer readable medium comprising instructions (Liu, Fig. 4, Executable program, [0100] The memory 403 is configured to store executable program code. By executing the program code…) which, when run on a computer apparatus to perform a method of threat detection, the non-transitory computer readable medium comprising instructions to perform method steps substantially similar to the method steps of claim 1, and is therefore rejected with the same rationale set forth for the rejection of claim 1 above. 

Regarding claim 2, similarly claim 10, the Liu-Wright combination further teaches:
The method according to claim 1, the computer apparatus according to claim 9, 
wherein the new process comprises execution of one or more of: a code module, a dynamic load library, a shared object (Wright, [0007] Such protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior and monitoring a computer code (i.e. code module) process executing during the usage session for an indication of a code operation).  

Claims 3, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Mayo (US20180089430A1, hereinafter, “Mayo”).
Regarding claim 3, similarly claim 11, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Mayo teaches:
further comprising determining whether a related executable image for the new process is known clean, wherein the step of determining whether the related executable image for the new process is known clean comprises determining whether the executable image satisfies one or more predetermined whitelisting criteria (Mayo, discloses security profiling files on a computer system [Abstract]. And [0027] The present invention provides a computer security profiling system and related methods that allow an executable program file (i.e. executable image), for example an unrecognized file found in a scan like the one described, to be compared to a software file on the computer system already identified as safe, for example whitelisted, and to determine whether those files are similar or related).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mayo in the malware detection method of Liu-Wright by comparing executable file to whitelisted software application to determine whether the executable file can be run in the computer system. This would have been obvious because the person having ordinary skill in the art would have been motivated to scan the executable program file to determine whether the executable program file is a security threat to the computer system (Mayo, [Abstract], [0002]). 

Claims 4-5, 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Copley (US20070056035A1, hereinafter, “Copley”).
Regarding claim 4, similarly claim 12, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Copley teaches:
the method further comprising: processing file contents of a related executable image for retrieving a list of expected external code modules that could be used by the new process (Copley, discloses method for detection of forged computer files, see [Abstract]. And [0017] A purported system file may be examined based on the file content to determine the presence of executable code and to compare the function of any executable code to the expected and/or acceptable parameters based on the system file type, file originator [like MICROSOFT.RTM.], or the file scope including the range of functions that may be called and/or executed. And [0018] The file contents of a suspect file may be analyzed in many different ways in order to compare against the file contents of known good files).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Copley in the malware detection method of Liu-Wright by examining file content to determine the presence of executable code. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine if the suspect file is malicious file for improved security performance (Copley, [Abstract], [0007]). 

Regarding claim 5, similarly claim 13, Liu-Wright-Copley combination further teaches:
The method according to claim 4, the computer apparatus according to claim 12, wherein the step of processing the file contents comprises one or more of: processing import tables, processing code, extracting various artefacts (Copley, [0030] In Engine 114, "Dynamic analysis" involves parsing the file in such a manner in which the instructions of the file may be run (i.e. processing code) directly or "virtually". This type of analysis is useful for cutting through iterations of code which have a end result that is the same, but the actual code itself is obscured through a variety of means of redirection so that the code in question might be obscured, and therefore escape analysis through static means).  

Claims 6, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright-Copley combination as applied above, further in view of Satish et al (US20080010538A1, hereinafter, “Satish”).
Regarding claim 6, similarly claim 14, Liu-Wright-Copley combination teaches:
The method according to claim 4, the computer apparatus according to claim 12,
While Liu-Wright-Copley combination does not expressly teach the following limitation(s), in the same field of endeavor Satish teaches:
the method further comprising collecting information about new code modules being loaded or unloaded and in relation to every new code module load or unload the method further comprises increasing the level of suspiciousness of the new process if the new code modules loaded or unloaded are not in the list of expected external code modules (Satish, discloses detecting suspicious embedded malicious content, see [Abstract]. And [0024] malicious code detector 160 represents a software module configured to execute a method for detecting (i.e. at least collecting) malicious code in the form of embedded machine code in a benign type data file. Also [0025] malicious code detector 160 may include routines for determining the application program 170 loading a file 202. And [0026] Since a benign type of data file is a data file in which the presence of executable code is not expected under any normal circumstances (i.e. not in the list of expected external code modules) …, the presence of any encoded executable code in a benign file type data file may be interpreted as an indication of the file being at least suspicious (i.e. increasing the level of suspiciousness), if not malicious).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Satish in the malware detection method of Liu-Wright-Copley by identifying malicious code in the form of embedded machine code as not expected and interpreting it as an indication of at least suspicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the malicious code detector to identify a data file presented as an executable file as malicious code, to detect suspicious embedded malicious content in benign file formats (Satish, [Abstract], [0026]). 
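As an added illustration of the detection logic recited in claim 1 (load time of an external module relative to the process start checked against expected boundaries, followed by a protective action) and the expected-module-list check of claim 6, the following Python script scores a process from constructed load telemetry. It is not code from the application, from Liu, or from any other cited reference; the event format, the per-module windows, the scores and the action threshold are all assumptions.

```python
"""Score a new process by when its external modules load relative to its start."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample telemetry (not from the application or any reference):
# one process-start event followed by module-load events for the same pid.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00.000 START pid=4242 image=C:\\Apps\\updater.exe
2024-01-01T10:00:00.120 LOAD pid=4242 module=kernel32.dll
2024-01-01T10:00:00.350 LOAD pid=4242 module=wininet.dll
2024-01-01T10:02:05.000 LOAD pid=4242 module=crypt32.dll
2024-01-01T10:02:06.500 LOAD pid=4242 module=unexpected_payload.dll
"""

# Constructed expected-load windows in seconds after process start, as might be
# learned from clean runs of the same image or derived from its import table.
# A module absent from this dict is "not in the list of expected modules".
EXPECTED_WINDOWS = {
    "kernel32.dll": (0.0, 1.0),
    "wininet.dll": (0.0, 2.0),
    "crypt32.dll": (0.0, 5.0),
}


@dataclass
class Finding:
    module: str
    elapsed_s: float
    reason: str


@dataclass
class ProcessReport:
    pid: int
    image: str
    suspiciousness: int = 0          # hypothetical additive score
    findings: list = field(default_factory=list)


def parse_events(text):
    """Parse 'timestamp KIND key=value ...' lines into (datetime, kind, attrs)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        attrs = dict(item.split("=", 1) for item in kv)
        events.append((datetime.fromisoformat(ts), kind, attrs))
    return events


def analyse(events, expected, score_outside=2, score_unexpected=3):
    """Return {pid: ProcessReport}; scores/weights are assumed values."""
    tracked = {}
    for ts, kind, attrs in events:
        pid = int(attrs["pid"])
        if kind == "START":
            tracked[pid] = (ts, ProcessReport(pid, attrs["image"]))
        elif kind == "LOAD" and pid in tracked:
            start, report = tracked[pid]
            elapsed = (ts - start).total_seconds()   # time relative to process start
            module = attrs["module"].lower()
            window = expected.get(module)
            if window is None:
                report.suspiciousness += score_unexpected
                report.findings.append(Finding(module, elapsed, "not in expected module list"))
            elif not (window[0] <= elapsed <= window[1]):
                report.suspiciousness += score_outside
                report.findings.append(
                    Finding(module, elapsed, f"loaded outside expected window {window}"))
    return {pid: report for pid, (_, report) in tracked.items()}


def decide_action(report, threshold=3):
    """Map the score to a protective action; the threshold is an assumption."""
    if report.suspiciousness >= threshold:
        return "block-and-alert"
    return "alert" if report.findings else "none"


if __name__ == "__main__":
    for pid, rep in analyse(parse_events(SAMPLE_EVENTS), EXPECTED_WINDOWS).items():
        print(pid, rep.image, rep.suspiciousness, decide_action(rep))
        for f in rep.findings:
            print(f"  {f.module} at +{f.elapsed_s:.3f}s: {f.reason}")
```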

Claims 7, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Edwards (US20130276119A1, hereinafter, “Edwards”) and Pottinger (US20170039211A1, hereinafter, “Pottinger”).
Regarding claim 7, similarly claim 15, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Edwards teaches:
wherein the step of determining whether the usage of an external code module required by the new process is anomalous is further based on determining that the external code module required by the new process belongs to a group of known processes having sufficiently similar properties (Edwards, discloses method of detection of attempt by an unknown process to control a known process [Abstract]. And [0038] For example, in the case that malicious code associated with the first process 406 attempts to perform an action that may trigger file or registry rules, then the second process 408 may be blocked because the process may no longer be trusted. If code associated with the first process 406 is determined not to be malicious, then the second process 408 may be allowed to perform required operations (i.e. first and second process having similar properties with content of having malicious code)) [on the basis of comparing file names of the executable images for the processes and/or comparing portions of the content of the executable images for the processes] (See Pottinger below for teachings of the limitation(s) in brackets).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Edwards in the malware detection method of Liu-Wright by determining whether to allow the second process to be performed based on whether the first process is associated with malicious code. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine a known process based on whether the process is trusted or not, i.e. based on a determination of whether malicious code is associated with the process (Edwards, [Abstract], [0038]).
The combination of Liu-Wright-Edwards does not expressly teach the following; however, Pottinger in a similar field of endeavor teaches:
on the basis of comparing file names of executable images for new processes and/or comparing portions of the content of the executable images for the new processes (Pottinger, discloses method for determining content similarity using hash value, see [Abstract]. And [0026] The hash values generated by this hash function can be used to determine whether any files including JavaScript code are identical or similar to one another. In another example, a separate hash function can be built to generate hash values for files that include text… this hash function can be built to generate hash values based on the respective content corresponding to the different text files).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pottinger in the malware detection method of Liu-Wright-Edwards by determining content similarity based on hash values. This would have been obvious because the person having ordinary skill in the art would have been motivated to use hash function to generate hash values based on respective content of text files (such as code) to determine whether the text files are identical or similar to one another (Pottinger, [Abstract], [0026]).

Claims 8, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Liu-Wright combination as applied above to claim 1, claim 9 respectively, further in view of Cohen et al (US20180234435A1, hereinafter, “Cohen”).
Regarding claim 8, similarly claim 16, Liu-Wright combination teaches:
The method according to claim 1, the computer apparatus according to claim 9,
While Liu-Wright combination does not expressly teach the following limitation(s), in the same field of endeavor Cohen teaches:
wherein the step of taking further action to secure the computer network and/or any related network node comprises one or more of: preventing one or more of the network nodes from being switched off; switching on a firewall at one or more of the network nodes; warning a user of one or more of the network nodes that signs of a security breach have been detected; and/or sending a software update to one or more of the network nodes (Cohen, discloses method for proactively predicting cyber-security threats, [Abstract]. In particular, [0054] The mitigation action may include instructing an end-point security device to perform the action, e.g., activating the host based firewall to block communication).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Cohen in the malware detection method of Liu-Wright by activating a firewall to block network traffic to mitigate the malicious activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to activate a firewall on a network device to mitigate malicious activity in the network after a potential cyber-security threat has been identified (Cohen, [Abstract], [0054]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action:
Vincent (US10706149B1) discloses method and system to detect delayed activation malware.
Liu et al (US9413774B1) discloses techniques for performing malware analysis of a URL using a browser executed in an instrumented virtual machine environment.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436