DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the communication filed on 08/24/2020.
Claims 1-18 are pending for consideration.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. § 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 4-5, 10-11 and 16-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. § 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
	Regarding claims 4, 10 and 16, the claims recite the limitation “one or more environment variables” in lines 4-5, 6-7 and 6, respectively. It is not clear if the limitation refers to the same limitation “one or more environment variables” in the independent claims 1, 7 and 13 in lines 8-9, 10-11, and 12-13, respectively.
	Dependent claims 5, 11 and 17 are rejected for the same reason as the parent claims 4, 10 and 16, respectively, since they do not cure the deficiency of the parent claims.
	For the purpose of prior art examination, the limitation “one or more environment variables” in lines 4-5, 6-7 and 6, respectively, is interpreted as “another one or more environment variables”.
	Regarding claim 4, the claim recites the limitation “the enterprise computing network” in lines 4 and 6. The limitation lacks antecedent basis. It is not clear if the limitation refers to “an enterprise computing platform” recited in parent claim 1, or it refers to something else.
	Dependent claim 5 is rejected for the same reason as the parent claim 4, since it does not cure the deficiency of the parent claim 4.
	For the purpose of prior art examination, the limitation “the enterprise computing network” is interpreted as “an enterprise computing network”.
	Regarding claim 5, the claim recites “the enterprise computing environment” in lines 1-2. The limitation lacks antecedent basis. It is not clear if the limitation refers to “an enterprise computing platform” recited in parent claim 1, or it refers to something else.
	For the purpose of prior art examination, the limitation “the enterprise computing environment” is interpreted as “an enterprise computing environment”.
	Appropriate corrections are required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 7, 9, 13 and 15 are rejected under 35 U.S.C. § 103 as being unpatentable over Jakobsson; Bjorn Markus et al. (US 11102244 B1, hereinafter Jakobsson) in view of Rowland; Craig (US 20210058412 A1, hereinafter Rowland).
	Regarding claim 1, Jakobsson teaches a method comprising:
	receiving, via a communication interface of an enterprise computing platform (Jakobsson col. 3 lines 49-67, Examples of the message include an electronic mail (i.e., email); [Examiner remark: email received via network from an email server, which is an enterprise computing platform]), a plurality of electronic messages (Jakobsson abstract, A received message (e.g., malicious message) sent from a first message account (e.g., attacker) to a second message account (e.g., intended victim) is received; col. 3 lines 27-48, when a message sent from an attacker to a recipient is received, a security risk associated with the message is determined; col. 3 lines 49-67, Gateway 110 may process incoming email messages for one or more recipient users of an organization);
	identifying, by an information security platform (Jakobsson fig. 1 element 102; col. 3 lines 49-67, analysis server 102 is connected to recipient message server 106 via network 108. In some embodiments, analysis server 102 is directly embedded or implemented in recipient message server 106), an incoming message comprising executable code for execution by a processor of computing device addressed as a recipient of the message (Jakobsson abstract, col. 12 lines 15-40; analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine; Jakobsson col. 4 lines 9-21, incoming messages are filtered and analyzed for spam, viruses, spoofing, impersonation; [Examiner remark: “for execution by a processor of computing device addressed as a recipient of the message” is an intended use clause where the attacker intends to have the attachment to be run by the recipient of the email message, according to the instant spec. ¶24, “For example, the network environment scanning engine 120 may scan incoming emails and/or accessed web pages for indications of executable code or scripts”, the messages can be emails, which has email addresses]; Jakobsson col. 15 lines 15-30, The payload comprises an attachment i. The attachment is executable; col. 31 lines 29-49, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information; see also col. 31 lines 27-47);
	analyzing, ([Examiner remark: the environment variables limitation is taught below by Rowland]; col. 12 lines 15-40; analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine), the executable code to identify whether the executable code comprises [security risk] ([Examiner remark: the environment variables limitation is discussed below]; col. 12 lines 15-40; analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine; col. 38 lines 47-67, executing the unzip program associated with the zip file. It then automatically accesses the contents of the unzipped file and analyzes it for security risks, including detonating each file, determining whether any of the files match an anti-virus signature, determining whether any of the files has executable code segments in it, etc., the execution of the wrapper file causes the decryption of the encrypted file, which is then analyzed for security risks, including executable code);
	triggering, based on identification of the [security risks] (col. 11 lines 57-67 to col. 12 lines 1-14, a security action is selected among different security action options. The selected security action is performed, the security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient (e.g., allow the modified message to a message inbox of the intended recipient). Otherwise, the security risk score may indicate that the message is of high risk (e.g., risk score is above the second threshold) and the message not allowed to be accessed by the intended recipient (e.g., send the message to an administrator for further analysis); col. 24 lines 12-41, Based on the result of the analysis of the electronic message, a security action is performed).
	Jakobsson teaches the analysis of message content including executing of an attached executable in a sandbox or virtual machine (see discussion above). Jakobsson does not explicitly disclose the analysis of the executable using machine learning. However, Jakobsson further teaches using machine learning for analyzing risk (col. 42, lines 42-67, a type of content of messages sent by the sender, a difference/regularity between content of messages sent by the sender, amount/rate of content opened/viewed by recipients of messages sent by the sender, a number/rate of messages sent by the sender that have been identified as malware, spam, and/or a virus by an analysis/filter/scanner tool, etc. The historical analysis may be performed using machine learning).
	It would have been obvious to one of ordinary skill in the art before the effective filing date to use Jakobsson’s teaching of using machine learning for historical analysis and to perform analysis using machine learning on the executable in the virtual environment to determine risks of the executable.
	One would be motivated to do so to improve the accuracy of the detection result.
	Although Jakobsson teaches analyzing the executable for risks, Jakobsson does not explicitly disclose that the analysis is identifying environment variables in the executable.
	On the other hand, Rowland teaches searching of processes that have environment variables (Rowland ¶338, processes that have environment variables set that indicate anti-forensics are in use. For example, the environment variable HISTFILE=/dev/null is a typical anti-forensic method. The Investigation Module 3 may be configured to analyse all running processes and if the Investigation Module 3 determines an environment variable indicates anti-forensics are in operation, the investigation module 3 returns investigation data indicating the corresponding process is suspicious).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Rowland, which teaches analyzing running processes to determine environment variables that are suspicious, into the teaching of Jakobsson, which teaches running an executable in a virtual environment to determine risk, to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as incorporating Rowland’s teaching would help improve security of users. In addition, both references teach features that are directed to analogous art, such as analyzing a running executable for security risks.
	Regarding claim 3, Jakobsson in view of Rowland teaches the method of claim 1, wherein identifying an incoming electronic message comprising executable code comprises analyzing an attachment to the electronic message (Jakobsson col. 15 lines 15-30, the technical classification of the payload: a. the payload comprises a macro; Jakobsson col. 31 lines 29-49, the other types of security risk analysis include a virus threat detection, a malware threat detection, identification of risky content type (e.g., executable, file attachment, link to a website that requests login information, content that requests OAuth authentication, etc.) included in the message).
	Jakobsson does not explicitly mention the analyzing of an attachment using text patterns.
	However, Jakobsson further teaches analyzing other content using text pattern (Jakobsson col. 18 lines 39-67, comparing text in emails to templates. Examples of templates include a series of words that include the word “bank,” followed by a number of the length of a bank account, a routing number, or other bank account identifier such as SWIFT codes. Another example of a template is an apparent email account, the word “password,” “pwd,” or similar, and a string with the format of a potential password, e.g., a combination of letters and digits, of length between 6 and 20 characters. These, of course, are only examples of templates, and a person skilled in the art will understand that there are multiple useful templates for each type of data. Once a match is made with a template, the associated data can be automatically tested).
	It would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate Jakobsson’s teaching of using text pattern to analyze text in the emails to analyze attachment with scripting language such as macro to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as it would help detect more potential security risk and improve user’s security.
	Regarding independent claims 7 and 13, the claims are rejected for the same reasons as that of independent claim 1 because they recite essentially the same limitations as that of independent claim 1.
	Regarding claims 9 and 15, the claims are rejected for the same reasons as that of claim 3 because they recite essentially the same limitations as that of claim 3.
Claims 2, 8 and 14 are rejected under 35 U.S.C. § 103 as being unpatentable over Jakobsson in view of Rowland and further in view of Buddhiraja; Prakash et al. (US 9727534 B1, hereinafter Buddhiraja).
	Regarding claim 2, Jakobsson in view of Rowland teaches the method of claim 1 (see discussion above), further comprising quarantining the electronic message (Jakobsson col. 4 lines 22-34, a message sent from sending message server 104 is first received at analysis server 102 prior to being received at gateway 110 and recipient message server 106. In some embodiments, … analysis server 102 is included in gateway 110. In an alternative embodiment, analysis server 102 is included in message server 106; Jakobsson col. 4 lines 35-47, In addition to analyzing the message, analysis server 102 may block and/or modify the message or instruct another server (e.g., instruct server 106) to block and/or modify the message in the event a potential threat is detected; Jakobsson col. 12 lines 15-40; analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine; [Examiner remark: the analysis server performs the analysis inside a sandbox before it can detect potential threat, and then block the message, as a result, during that time, the message is blocked]).
	Jakobsson in view of Rowland teaches the message is blocked immediately, and then analyzed in a sandbox. However, Jakobsson in view of Rowland does not explicitly mention the immediate blocking of the message inside a virtual security environment.
	On the other hand, Buddhiraja teaches quarantining the electronic message in the virtual security environment immediately upon receipt of the electronic message (Buddhiraja col. 20 lines 33-42, prior to storing a copy of the downloaded file to the target location, a copy of the downloaded file may be stored in an intermediate location. The policy data may indicate that the downloaded file should be stored at temporary location 510. Temporary location 510 may be designed to only store data downloaded from virtual machine 120A or may store data from any virtual machine in system 100; col. 20 lines 53-67, The purpose of running such analysis is to determine if the downloaded file should be deemed safe. Temporary location 510 may be located within a virtual machine).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Buddhiraja, which teaches quarantining downloaded file in a virtual machine before copying the file to target location, into the teaching of Jakobsson in view of Rowland to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as incorporating Buddhiraja’s teaching would help improve security of users. In addition, both references teach features that are directed to analogous art, such as analyzing downloaded files for security risks.
	Regarding claims 8 and 14, the claims are rejected for the same reasons as that of claim 2 because they recite essentially the same limitations as that of claim 2.
Claims 4-5, 10-11 and 16-17 are rejected under 35 U.S.C. § 103 as being unpatentable over Jakobsson in view of Rowland and further in view of Jagadeesan et al. (US 20180314619 A1, hereinafter Jagadeesan).
	Regarding claim 4, Jakobsson in view of Rowland teaches the method of claim 1 (see discussion above).
	The combination of Jakobsson and Rowland does not explicitly teach, however Jagadeesan teaches:
	gathering, by a machine learning based code analysis module ([0030] The test processor 145 performs unsupervised machine learning on the path identifiers and the stored values of the properties to infer normal ranges of the properties of the event-driven application), computing information associated with the enterprise computing network (par. 40 test processor 145 collecting/gathering values of properties of the instance along the execution path; par. 48 test processor can perform unsupervised machine learning on the path identifiers, fig. 1; ¶2, [0002] Network applications can be dynamically deployed in real time in an operational SDN network; ¶30, properties of the event-driven application), wherein the computing information is unique to the enterprise computing network (¶28, determines properties of the event-driven application 140 (such as packet processing times, intent submission rates, and the like) for each of the execution paths in response to termination of the corresponding execution path, e.g., by reaching a predetermined depth in the event-driven application; ¶30, the properties of the event-driven application; par. 41; execution path is “path ID” that identifies see TABLE 2 column 1); and
	matching, using the machine-learning based algorithm (¶30, performs unsupervised machine learning detect potential anomalies), one or more environment variables to computing information unique to the enterprise computing network (¶30, performs unsupervised machine learning detect potential anomalies, detect anomalous execution paths by comparison with the inferred normal ranges of the properties; pars. 30 & claim 19, comparing values of properties of the event-driven program executed along the first execution path to a normal range of values of properties of the event-driven program, …; and detecting an anomalous, par. 27, the test processor 145 executes instances of the event-driven application 140 and compares the properties (e.g., packet processing time or intent submission rate) of the executed instances to detect faulty or malicious variants of the event-driven application 140… the execution paths explored by the model checking algorithm);
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jagadeesan, which teaches gathering enterprise computing network information and comparing with paths of executables, into the teaching of Jakobsson in view of Rowland to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as incorporating Jagadeesan’s teaching would help better detect malicious executables. In addition, both references teach features that are directed to analogous art, such as analyzing executables with respect to malicious code.

	Regarding claim 5, Jakobsson in view of Rowland and Jagadeesan teaches the method of claim 4, wherein the information unique to the enterprise computing environment comprises a path values, a naming convention, or a domain name (Jagadeesan ¶30, detect anomalous execution paths by comparison with the inferred normal ranges of the properties).
	Regarding claims 10-11 and 16-17, the claims are rejected for the same reasons as that of claims 4-5, respectively, because they recite essentially the same limitations as that of claims 4-5, respectively.
Claims 6, 12 and 18 are rejected under 35 U.S.C. § 103 as being unpatentable over Jakobsson in view of Rowland and further in view of Aharon; Leeor et al. (US 20070089171 A1, hereinafter Aharon).
	Regarding claim 6, Jakobsson in view of Rowland teaches the method of claim 1 further comprising:
	Analyzing by the machine learning based algorithm of an executable to determine malicious message (see discussion above).
	Jakobsson in view of Rowland does not explicitly disclose the following limitations that Aharon teaches:
	identifying, whether the executable code comprises instructions targeting a known vulnerability of an operating system of the computing device identified as the recipient of the message (¶2, A worm attack is a network attack based on sending malicious code over parts of network connections where code is not expected such as during data transfer of non-executable code, e.g. while browsing the Internet. An application, running on targeted computers receiving the code, is tricked into executing the malicious code using known weaknesses in the operating system and/or in the application running on the targeted computer, detection of a worm attack requires a different approach from anti-virus scanning; ¶3, An effective solution to malicious code detection will significantly improve the security of a networked computing systems; see also ¶31-¶39).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Aharon, which teaches identifying instructions in executable code that targets known weakness in the operating system, into the teaching of Jakobsson in view of Rowland to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as incorporating Aharon’s teaching would help better detect targeted attacks. In addition, both references teach features that are directed to analogous art, such as analyzing executables with respect to malicious code.
	Regarding claims 12 and 18, the claims are rejected for the same reasons as that of claim 6, respectively, because they recite essentially the same limitations as that of claim 6, respectively.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 11392697 B2 - detecting malicious code in a document. In one or more embodiments, text, metadata and/or executable code contents are extracted from the document. Categorical and numerical features are then derived from the contents. The features may be encoded as vectors. Predictions that each type of content (e.g., text, metadata and/or executable code) includes malicious code may be generated by applying supervised models to the features.
US 20210326434 A1 - the new executable code is evaluated within the virtual environment before it is permitted to be installed or executed, system may provide a secure way to perform validation testing of executable code that may reveal issues that may not be detectable based on a line-by-line analysis of the code.
US 20210081531 A1 - obtain a plurality of first parameters associated with attributes of at least one malicious code and a plurality of second parameters associated with a system in which the at least one malicious code is executed; obtain a similarity on the basis of a first comparison result according to a first comparison method between the plurality of first parameters.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/V.H.H/
Examiner, Art Unit 2497
/ELENI A SHIFERAW/
Supervisory Patent Examiner, Art Unit 2497