Claims 1, 2, 4, 5, 7, and 10-34 are pending.  
Claims 10-34 remain withdrawn from consideration.  
Claims 1, 2, 4, 5, and 7 are rejected below.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 10/11/2022 have been fully considered but they are not persuasive.
Applicant alleges, with respect to the claim 112 rejections, “Claim has been amended to address the present rejection.  Withdrawal of the rejection is requested.”  However, claim 1 still has many of the same issues.  This is at least the fourth time the same rejections are being set forth.  Applicant must amend the claims properly and/or provide specific arguments with respect to each individual 112 issue in response to this office action.  
Applicant alleges “claim 1 (as previously amended), includes the limitation not taught of suggested in Shukla or Yun of:” “capturing the additional information about a registers and a system state, wherein the register value is examined at runtime;’”.  This was not previously amended into this limitation.  Applicant is once again providing false statements.  Applicant is hereby respectfully requested to refrain from providing false statements.  Furthermore, this is not even a limitation that is present in the claims.  There are multiple differences between the actual claim limitation, as currently amended, and what Applicant is arguing.  Further still, Applicant ignores the Saunders reference, cited in the rejection of this limitation.  Saunders discloses capturing the additional information about a register and a system state, wherein a register value of the register is examined at runtime in Exemplary Citations: for example, Column 3, lines 31-47; Column 5, line 20 to Column 6, line 32; Column 6, line 37 to Column 8, line 34; and associated figures; in Saunders’ disclosure of any information about registers and the code being run on the system, for example.  The intended use of wherein a register value of the register is examined at runtime has no patentable weight and need not be rejected, however, is met by any examination (e.g., reading, executing, modifying, writing, etc.) any value in any register, which occurs within Saunders simply in viewing any information about registers, for example.  Applicant has not argued this reference whatsoever.  Therefore, this stands as fact.  
Applicant then alleges “The Applicants have reviewed the present prior art references and do not find the new added limitations.  Accordingly, claim 1 (as amended) includes limitations not found in the two cited references.”  Again, there are three references cited in the combination and Applicant simply ignores the Saunders reference.  Furthermore, Applicant has already erroneously alleged that the language “wherein the register value of the register is examined at runtime” was previously amended.  As noted above, this is incorrect, as proven by Applicant’s own admission that there are “new added limitations”.  As shown above, the actual combination discloses this new subject matter.  Furthermore, Applicant provides no actual argument here and, rather, simply provides a general allegation.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  
Applicant then alleges “Accordingly, Applicants respectfully submit that one of ordinary skill in the art would find that Shukla’s scanning of a module binary does not teach disassembling the executable binary code application.”  It is unclear what this argument has to do with anything.  With respect to the disassembling limitation, which is over 20 limitations before the limitation argued above, Shukla discloses disassembling an executable binary code application in Shukla’s disclosure of making any analysis on a portion of code and/or determining what any portion of code is doing, calling, or the like, for example.  Also, it has previously been explained more in-depth how Shukla, in particular exemplary embodiment(s), discloses the disassembling:
Applicant also alleges “that one of ordinary skill in the art would find that Shukla’s scanning of a module binary does not teach disassembling the executable binary code application.”  To the contrary, Shukla clearly discloses disassembling an executable binary code application, for example, in determining where various calls are, such as JMP, CALL, return, API calls by name, replacing JMP instructions with other JMP instructions, and the like.  These calls are not in binary and, thus, have been disassembled.  Additionally, other forms of disassembly are also discussed, such as dividing the image in paragraph 77, translating an on disk image to an in memory image, and the like.  
Moreover, this is simply a general allegation with no actual argument.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 2, 4, 5, and 7 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.  
The claims are replete with antecedent basis issues and other 112(b) issues for indefiniteness.  In some cases, it is unclear if certain subject matter is the same as the subject matter already set forth or different.  For example, “the API call location” as described below with respect to claim 4.  It is unclear which of the API call locations from claim 1 is being referenced.  The Examiner notes that, due to use of both “an API call location” and “an API call return location”, it would be best to differentiate both of these clearly instead of just adding a word to the middle of one of them.  As it stands, there are 2 API call locations in claim 1 that can be referenced and all references thereto must be clear as to which is being referenced.  If intended to be different, they must be referenced completely separately (e.g., a first API call return location and a second API call return location).  The following is an exemplary list of such issues:
Claim 1, “loading” limitation: “the memory of the validation code”, “an API call type”, “an API call target”, “an API call location”, “an API call return location”, “a privileged instruction type”, and “a privileged instruction location”.  
Claim 1, “transmitting” limitation: “the event stating a type, a location address, a target address, and a return address”.  
Claim 1, “implementing” limitation: “an event”.  
Claim 4: “the API call location”.  
Claim 5: “the API call location”, “the argument”, “the disassembled structure”, and “the binary executable”.  
Furthermore, the final limitation of claim 1 is confusing.  For example, it is unclear what is meant by “using the additional information to resolve used in invoking the API calls”.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 5, and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla (U.S. Patent Application Publication 2008/0016339) in view of Yun (U.S. Patent 9,619,649) and Saunders (U.S. Patent 8,533,836).
Regarding Claim 1,
Shukla discloses a method for monitoring and validating an execution of an executable binary code, comprising the steps of:
With at least one computer processor, disassembling an executable binary code application (Exemplary Citations: for example, Paragraphs 32, 37-39, 41-43, 45, 46, 56, 58, 60-64, 68-70, 73, 74, 77, 79, 80, and associated figures; making any analysis on a portion of code and/or determining what any portion of code is doing, calling, or the like, for example);
Detecting and obtaining an API call or a system call that is executed by the executable binary code (Exemplary Citations: for example, Paragraphs 32, 37-39, 41-43, 45, 46, 56, 58, 60-64, 68-70, 73, 74, 77, 79, 80, and associated figures);
Listing a type of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; API function type (e.g., file manipulation, process creation, network access, etc.), for example);
Listing a location of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; any address or other location associated with the API call, for example);
Listing a target of the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; target address or next API call in a sequence of calls, for example);
Listing a location of return from the API call (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; return address, for example);
Detecting a privileged instruction that is executed by the executable binary code (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; any instruction is privileged somehow, for example);
Obtaining the privileged instruction that is executed by the executable binary code (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures);
Listing a type of the privileged instruction (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; types similar to the above, for example);
Listing a location of the privileged instruction (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; location, module, or the like, for example);
Creating a rule set for validating the API call and the privileged instruction execution by the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-82, and associated figures; generating rules and/or the entirety of the system of Shukla, for example);
Transmitting the rule set to a validation code at an enforcement point (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; ruleset being given to the system to be protected, for example);
Loading the rule set in a memory of the validation code, wherein the rule set pertains to an API call type, an API call target, an API call location, an API call return location, a privileged instruction type and a privileged instruction location (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; loading the ruleset, for example);
During an execution of the executable binary code application, monitoring the executable binary code to determine a conformity of the API call and the privileged instruction made by the executable binary code application with the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; monitoring API calls, for example);
Inserting a monitoring and validation code that, during execution of the executable binary code application, generates an event based on the API call or the privileged instruction (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; injecting module into application or kernel-level component that validates API calls and creates events, for example);
Transmitting an event stating a type, location address, target address, and return address for an observed API call or the location of the privileged instruction (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; recorded events with addresses similar to those discussed above sent to memory or other entity, for example);
Transmitting the event based on the API call or the privileged instruction to a validator application, wherein the validator application validates the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures);
With the validator application (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures):
Checking a conformity of the event based on an API call or the privileged instruction with the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; validating API call, for example);
Implementing a default action when a rule violation is detected for an event associated with the API call or a privileged instruction during an execution of the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures; any action, such as finding and deleting the malware.  Further subject matter related to this found in paragraphs 94-109, for example);
Applying an additional validation for the API call and the privileged instruction in the executable binary code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures);
Wherein a rule list is used to validate the API call and the privileged instruction executed by the application (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures); and
Using the additional information to resolve used in invoking the API calls, wherein an observed value of the additional information is used (Exemplary Citations: for example, Paragraphs 32, 34, 38, 39, 41-46, 56, 58, 62-64, 68-70, 77, 79, and associated figures; any information related to API calls, for example);
But does not explicitly disclose that the API call and the privileged instruction is reported to a rule server and a corresponding rule is received, that the rule list is downloaded from a rule server, that an additional information about a system state is reported to the rule server, and capturing the additional information about a register and a system state, where a register value of the register is examined at runtime, and that the additional information is used to create the rule locally or reported to the rule server.  
Yun, however, discloses that the API call and the privileged instruction is reported to a rule server and a corresponding rule is received (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; parameter, API call, system call, etc. being sent/reported to server, for example);
Wherein a rule list is downloaded from a rule server and used to validate the API call and the privileged instruction executed by the application (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; list of parameters, information, black list, or the like, as examples);
Wherein an additional information about a system state is reported to the rule server (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures; any additional information, for example);
Capturing the additional information about a system state (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures); and
Using the additional information to resolve used in invoking the API calls, wherein an observed value of the additional information is used to create the rule locally or reported to the rule server (Exemplary Citations: for example, Column 3, line 60 to Column 4, line 10; Column 8, lines 9-21; Column 8, line 58 to Column 10, line 11; Column 10, lines 54-67; Column 11, lines 21-52; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the network based malicious parameter distribution techniques of Yun into the malware detection, prevention, and removal system of Shukla in order to warn and/or notify computing devices within a security vendor’s user base of malicious/suspicious call information, improve the ability of devices to detect potentially malicious applications, and/or increase security in the system.  
Saunders, however, discloses with at least one computer processor, disassembling an executable binary code application (Exemplary Citations: for example, Column 3, lines 31-47; Column 5, line 20 to Column 6, line 32; Column 6, line 37 to Column 8, line 34; and associated figures; disassembling binary to assembly, for example);
Capturing the additional information about a register and a system state, wherein a register value of the register is examined at runtime (Exemplary Citations: for example, Column 3, lines 31-47; Column 5, line 20 to Column 6, line 32; Column 6, line 37 to Column 8, line 34; and associated figures; any information about registers and the code being run on the system, for example.  The intended use of wherein a register value of the register is examined at runtime has no patentable weight and need not be rejected, however, is met by any examination (e.g., reading, executing, modifying, writing, etc.) any value in any register, which occurs within Saunders simply in viewing any information about registers, for example); and
Using the additional information to resolve used in invoking the calls, wherein an observed value of the additional information is used to create the rule locally or reported to the rule server (Exemplary Citations: for example, Column 3, lines 31-47; Column 5, line 20 to Column 6, line 32; Column 6, line 37 to Column 8, line 34; and associated figures; converting to intermediate code, displaying information to user, etc., as examples).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the execution behavior identification techniques of Saunders into the malware detection, prevention, and removal system of Shukla as modified by Yun in order to reduce the complexity of analyzing the behavior of binary code, allow the system to track parameter paths, allow the system to track register usage, to provide additional information to a user, and/or to increase the code analysis capabilities of the system.  
Regarding Claim 2,
Shukla as modified by Yun and Saunders discloses the method of claim 1, in addition, Shukla discloses that the executable binary code comprises an application, a dynamic loaded library, a kernel module, a hypervisor, a set of firmware, or a memory page (Exemplary Citations: for example, Paragraphs 32, 37-39, 41-43, 45, 46, 56, 58, 60-64, 68-70, 73, 74, 77, 79, 80, and associated figures).  
Regarding Claim 4,
Shukla as modified by Yun and Saunders discloses the method of claim 1, in addition, Shukla discloses that the API call location or the privileged instruction location is validated with a specified disassembled structure of the binary executable code (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures).  
Regarding Claim 5,
Shukla as modified by Yun and Saunders discloses the method of claim 1, in addition, Shukla discloses that the API call location is validated by verifying the argument used via analysis of the disassembled structure of the binary executable (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures).  
Regarding Claim 7,
Shukla as modified by Yun and Saunders discloses the method of claim 1, in addition, Shukla discloses that a dynamic analysis is performed to determine the API call and the privileged instruction executed by the application and to create the rule set (Exemplary Citations: for example, Paragraphs 32-34, 36-46, 48, 56-58, 60-64, 68-70, 72-77, 79-83, and associated figures).  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/Primary Examiner, Art Unit 2432