DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-17 are pending and have been examined.

Priority
3.	Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

7.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

8.	Claims 1, 3, 6, 7, 9, 11, 14, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Korea Internet and Security Agency (Henceforth KISA): Korean Patent Application Publication No. 10-2016-0031589A (Submitted with the Applicant’s IDS), and Korea Electronics Telecom (Henceforth KET) Korean Patent Application Publication 10-2016-0028724A (Submitted with the Applicant’s IDS).



	As for claim 1, KISA teaches:
	an electronic device [0023], comprising: 
	a processor [0023]; and a memory electrically connected to the processor [0023],
	wherein the processor is configured to: 
	obtain a plurality of first parameters associated with an attribute of at least one malicious code and a plurality of second parameters associated with a system ([0078] “For classification, the detection server 100 may refer to the received application's string of dangerous APIs, dangerous commands, and dangerous permissions and API-related permissions (hereinafter, dangerous permissions and API-related permissions together as 'important permissions')  to calculate the representative signature and similarity score of each of the already classified malicious application groups”);
	obtain a similarity between the at least one malicious code based on a first comparison result according to a first comparison scheme between the plurality of first parameters and a second comparison result according to a second comparison scheme between the plurality of second parameters; and classify the at least one malicious code into at least one group based on the similarity between the at least one malicious code ([0078], [0079]-[0087]: The similarity of Risk API’s is calculated by comparing strings, the similarity of Dangerous Commands is calculated using Jaccard Coefficients, “The detection server 100 may calculate the degree of similarity with the representative signature of each group and classify the application into the corresponding group if it is greater than or equal to a specified threshold”).
	KET teaches the features not explicitly taught by KISA, namely where the at least one malicious code is executed ([0047]: “The malicious code DNA extraction unit 22 extracts malicious code characteristic information from the malicious code analysis information extracted through the dynamic analysis unit 18 and the static analysis unit 20 . In more detail, the malicious code DNA extraction unit 22 uses the dynamic analysis unit 18 to call APICALL information, network information (IP address, DNS information), IMPORT, EXPORT, Mutex, DROP, which are called during the operation of the malicious code. Extracts files, file creation and file open information, registry change information, string information, etc.”).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of KISA. It would have been desirable to do so since the use of dynamic analysis as taught by KET where code is executed during analysis would increase the effectiveness of KISA’s system by providing data not readily apparent by static analysis alone. 

	As for claim 3, the combination of KISA and KET teaches the electronic device of claim 1. KISA teaches the additional features wherein the processor is configured to obtain the plurality of second parameters by comparing strings of call sequences generated when the malicious code is executed on the system ([0047]: “the malicious code DNA extraction unit extracts information about APICALLs called in a malicious code operation procedure by the dynamic analysis unit”).

	As for claim 6, the combination of KISA and KET teaches the electronic device of claim 1. KISA teaches the additional feature wherein the processor is configured to obtain the similarity based on an average of the first comparison result and the second comparison result ([0078]: equation 3: “For classification, the detection server 100 may refer to the received application's string of dangerous APIs, dangerous commands, and dangerous permissions and API-related permissions (hereinafter, dangerous permissions and API-related permissions together as 'important permissions') to calculate the representative signature and similarity score of each of the already classified malicious application groups”).

	As for claim 7, the combination of KISA and KET teaches the electronic device of claim 1. KISA teaches the additional feature wherein the processor is configured to, when a similarity between a first malicious code and second malicious code of the at least one malicious code is a threshold or more, classify the first malicious code and the second malicious code into the same group ([0078]: “The detection server 100 classifies the application as belonging to a group in which the calculated similarity is greater than or equal to a specific threshold (e.g., 0.7, etc.) or to a group having the highest similarity even though the calculated similarity is greater than or equal to the threshold”).

	As for claims 9, 11, 14, and 15, these claims are drawn to the method corresponding to the device of claims 1, 3, 6, and 7 and are rejected on the same basis.

	As for claim 17, this claim is drawn to the computer program product embodied in a computer readable memory medium that corresponds to the device of claim 1 and is rejected on the same basis. 

9.	Claims 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over KISA, KET, and further in view of “A Module-based System for Measuring Similarity of Windows Executable File”, Yesol Kim et al., Journal of The Korean Society for Software Appraisal No. 10, No. 2, pages 9-15, Feb. 2014.

	As for claim 2, the combination of KISA and KET teaches the electronic device of claim 1. Yesol Kim teaches the additional feature not taught by KISA and KET wherein the plurality of first parameters is determined based on at least one of a name, file type, file size, and header information of the at least one malicious code (pages 10-12: parameters are derived from strings extracted from an rdata section and a data section. Parameters such as filename and filesize are used in measuring similarity between programs using Jaccard analysis (see pages 10-12)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention represented by the combination of KISA and KET. It would have been desirable to do so since the use of such parameters would increase the effectiveness of the system by providing additional data for analysis in detecting malware.
	
	As for claim 10, this claim is drawn to the method that corresponds to the device of claim 2 and is rejected on the same basis.

10.	Claims 4, 5, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over KISA, KET, and further in view of Jonathan Oliver et al., “TLSH-A Locality Sensitive Hash” (2017) (Submitted with the Applicant’s IDS).
	
	As for claim 4, the combination of KISA and KET teaches the electronic device of claim 1. KISA teaches the feature wherein the first comparison scheme includes a Jaccard similarity measurement scheme ([0078], [0079]-[0087]: “…the similarity of Dangerous Commands is calculated using Jaccard Coefficients”).
	Oliver teaches the feature not taught by the combination of KISA and KET, namely wherein the second comparison scheme includes a Nilsimsa similarity measurement scheme (page 4, 13: “The Nilsimsa scheme is a bit sampling LSH which uses the hamming distance between the digests as the similarity measure, and a Nilsimsa score of 128 can be interpreted as meaning the files are completely different, while a score of 256 means the files are very similar”).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention represented by the combination of KISA and KET. It would have been desirable to do so since the use of a comparison based on a Nilsimsa scheme would increase the effectiveness of the system by providing additional data for analysis in detecting malware.

	As for claim 5, the combination of KISA, KET, and Oliver teaches the electronic device of claim 4. KISA teaches the additional feature wherein the processor is configured to obtain a ratio of an intersection to union of a set of the plurality of first parameters of a first malicious code of the at least one malicious code and a set of the plurality of first parameters of a second malicious code of the at least one malicious code, as a Jaccard similarity ([0078], [0079]-[0087]: “…the similarity of Dangerous Commands is calculated using Jaccard Coefficients”). 

	As for claims 12 and 13, these claims are drawn to the method that corresponds to the device of claims 4 and 5 and are rejected on the same basis.

11.	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over KISA, KET, and further in view of Korea Internet and Security Agency (Henceforth KISA2) Korean Patent Application Publication No. KR10181596801 (Submitted with the Applicant’s IDS).

	As for claim 8, the combination of KISA and KET teaches the electronic device of claim 1. KISA2 teaches the additional features not taught by the combination of KISA and KET wherein the processor is configured to generate a network graph of the at least one malicious code based on the similarity between the at least one malicious code and the at least one group ([0056], fig. 2: “…forming an edge between malicious codes that form similarities by applying network graph properties, and classifying the malicious codes produced as a single graph through the edge into the same group”). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention represented by the combination of KISA and KET. It would have been desirable to do so since the use of a network graph scheme in analysis of the data would increase the effectiveness of the system by providing additional data for analysis in detecting malware.

	As for claim 16, this claim is drawn to the method that corresponds to the device of claim 8 and is rejected on the same basis.

Conclusion
12.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Netskope Inc. US 2018/0048658 A1:	The use of Jaccard Analysis in the comparison of extracted strings in malware detection is taught at, for example, paragraph [0084].

Palo Alto Networks, Inc. US 20170251003A1:	The use of Jaccard Analysis using extracted artifacts in making a similarity threshold determination regarding a potential malware file is taught in, for example, paragraphs [0346]-[0347].

13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul E. Callahan whose telephone number is (571) 272-3869.  The examiner presently works a part-time schedule and can normally be reached from 9am to 5pm on the first Monday and Tuesday and the second Thursday and Friday of the USPTO bi-week schedule.
The examiner’s email address is: Paul.Callahan1@USPTO.GOV
If attempts to reach the examiner by telephone are unsuccessful, the Examiner's supervisor, Kristine Kincaid, can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is: (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PAUL E CALLAHAN/Examiner, Art Unit 2437