DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 6, 8, 9, 14, 15 and 20-32 have been examined. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/11/2022 has been entered.

Terminal Disclaimer
The terminal disclaimer filed on 06/10/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 11200316 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Amendment
Claims 1, 8 and 9 have been amended. 
Claim 32 has been newly added.
Examiner’s double patenting rejection is withdrawn in light of the terminal disclaimer filed by the applicant. 
Applicant’s arguments with respect to claim(s) 1, 9 and 15 regarding the limitations: “parsing, by a processor, a graphics file to determine a location of a graphics file signature in the graphics file; determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature” have been considered but are moot in view of the new ground of rejection presented in the current office action.
Applicant’s arguments with respect to claim(s) 1 and 9 regarding the new limitations: “subsequent to the removing the embedded data from the graphics file, setting a flag to indicate that the embedded data in the graphics file has been removed”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 32 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claim 32 recites: “wherein the parsing a graphics file to determine a location of a graphics file signature in the graphics file is based on determining the first eight bytes of the graphics file is not a graphics file signature.” The examiner has not found support for this limitation in the specification of the instant application. Paragraph [0056] of the pg-pub specification states: “Steganographic criteria may include determining whether there is data before a pre-fix graphics file signature or after a post-fix graphics file signature in the body of the graphics file. Such determination may include the steganalyzer identifying the location of the graphics file signature, which could be the first eight bytes of the body of the graphics file but may vary from one graphics file format to another.”, i.e., the specification recites that the location of the graphics file signature may be first eight bytes of the graphics file but varies based on the format of the graphics file. However, the specification does not state that determining the location of the graphics file signature is dependent on determining that the first eight bytes is not a graphics file signature. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 6, 9, 14, 21, 22, 24 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20180351969 to MacLeod et al (hereinafter MacLeod), prior art of record PNG File Decoding Optimization Based Embedded System by Mao et al (hereinafter Mao) and US 11200320 to Chelarescu et al (hereinafter Chelarescu).
As per claims 1 and 9, MacLeod teaches:
A method, comprising: 
parsing, by a processor, a graphics file to determine a location of a graphics file signature in the graphics file (MacLeod: Steganography may be used to conceal information in a picture, mp3, or exe file. For example, a 128 Byte text message may be hidden in a 4 MB picture. [0115]: To determine the size of the PE file, the file is parsed and analyzed. A DOS header 700 of the file is read from a storage device 155. It is determined whether the DOS header 700 begins with “MZ” to determine whether the file is an executable file. [0117] The number “MZ” (first few bytes of the file) is the magic number. A pointer obtained by verifying the magic number leads to a portion in the file where information is located. If the value does not match the DOS signature, the file is not a DOS or Windows executable. Additional instructions may be executed to determine what format the file might be such as DOC, DOCX, PPT, PPTX, XLS, XLSX, MP3, GIF, JPG, PNG and so forth. Once the magic number is verified, a pointer to a section header is obtained. [0118] In one embodiment, the pointer may be dereferenced and compared to the IMAGE_NT_SIGNATURE (0x00004550). If the value of the dereferenced pointer does not match the IMAGE_NT_SIGNATURE signature, the file is not a Windows executable. Additional instructions may be executed to determine what format the file might be such as DOC, DOCX, PPT, PPTX, XLS, XLSX, MP3, GIF, JPG, PNG and so forth, i.e., the file is parsed to locate the signature); 
determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature (MacLeod: [0117]: Since the DOS magic number is verified, the e_lfanew member may be used to create a pointer to the Windows PE header. The IMAGE_NT_HEADERS32 pointer is calculated by adding the size of the memory buffer to the e_lfanew value. The pointer to the PE header should read “01 00h.” This location contains a PE signature which should be the number “50 45 00h.” [0119] In one embodiment, the location of IMAGE SECTION HEADER is determined using the size of the IMAGE_NT_HEADERS32. The IMAGE_NT_HEADER member FileHeader is dereferenced to access the IMAGE FILE HEADER that contains the number of sections in the PE image. For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file, i.e., it is determined that there is embedded data at the end of the file which is a location that is after the location “01 00h” at which the file signature is located); 
in response to the determining that there is embedded data after the graphics file signature, removing, by the processor, the embedded data from the graphics file (MacLeod: [0122]: In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. The return code indicates that data has been appended so a defined policy may be executed, such as isolate, delete or strip off the appended data. The steganography detection analytics involve performing statistical functions (entropy, Chi-Square, etc.) on the file. The analytics performed depend on the file type. If a GIF file, hidden data concealed in a ZIP file is searched for); 
MacLeod teaches determining the location of PE file signature but does not explicitly teach determine a location of a graphics file signature in the graphics file. Also, MacLeod does not teach:  subsequent to the removing the embedded data from the graphics file, setting a flag to indicate that the embedded data in the graphics file has been removed. However, Mao teaches:
determine a location of a graphics file signature in the graphics file (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature). Due to the definition of the data block structure, the IEND chunk length is always 0 (00 00 00 00, unless adding information artificially); data identification is always IEND (49 45 4E 44). Page 4, left column: A. Optimization of PNG file signature: In the PNG file decoding process, the 8 bytes file signature is needed to establish the PNG file. The array named png_sig_and_info_array[ ] is used to store the 8 bytes data. After the first decoding process the PNG file, the signature is stored in the array. III. PNG FILE DECODING: According the standard chunk of PNG image mentioned in the previous section, PNG decoding process is divided into the following steps: …Page 4, Left column, line 11: 5. Read the IEND chunk and end the decoding process, i.e., the PNG file is parsed to locate the IEND chunk which contains the post-fix signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Mao in the invention of MacLeod to include the above limitations. The motivation to do so would be to optimize the decoding process (Mao: Abstract).
MacLeod in view of Mao does not teach: subsequent to the removing the embedded data from the graphics file, setting a flag to indicate that the embedded data in the graphics file has been removed. However, Chelarescu teaches: 
subsequent to the removing the embedded data from the graphics file, setting a flag to indicate that the embedded data in the graphics file has been removed (Chelarescu: column 10, lines 15-26: In operation 404, the client ransomware detection application 110 provides the detection event information (e.g., information about the locally impacted file) and remediation flag (e.g., flag indicates that the client device 102 has successfully cleaned the impacted file)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Chelarescu in the invention of MacLeod in view of Mao to include the above limitations. The motivation to do so would be to provide the detection event information and the remediation flag to the server-side ransomware coordinating module (Chelarescu: column 10, lines 24-26).

As per claims 6 and 14, MacLeod in view of Mao and Chelarescu teaches: 
The method of claim 1, wherein the graphics file comprises a portable network graphics (PNG) file, and  wherein the graphics files signature comprises hexadecimal values comprising "00 00 00 00 49 45 4E 44 AE 42 60 82" (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature)). 
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claims 1 and 9 above.

As per claim 21, MacLeod in view of Mao and Chelarescu teaches:
The method of claim 1, wherein the step of parsing, by the processor, a graphics file to determine the location of a graphics file signature in the graphics file comprises parsing, by the processor, the graphics file to determine a location of a post-fix graphics file signature (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature). Due to the definition of the data block structure, the IEND chunk length is always 0 (00 00 00 00, unless adding information artificially); data identification is always IEND (49 45 4E 44). III. PNG FILE DECODING: According the standard chunk of PNG image mentioned in the previous section, PNG decoding process is divided into the following steps: …Page 4, Left column, line 11: 5. Read the IEND chunk and end the decoding process, i.e., the PNG file is parsed to locate the IEND chunk which contains the post-fix signature), and wherein the step of determining, by the processor, whether there is embedded data in the graphics file after the graphics file signature comprises determining whether there is embedded data in the graphics file after the post-fix graphics file signature (MacLeod: [0117]: The number “MZ” (first few bytes of the file) is the magic number. A pointer obtained by verifying the magic number leads to a portion in the file where information is located. Once the magic number is verified, a pointer to a section header is obtained. The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file (after the PE signature)).
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claim 1 above.

As per claim 22, MacLeod in view of Mao and Chelarescu teaches:
The method of claim 21, wherein the step of parsing, by the processor, a graphics file to determine the location of a graphics file signature in the graphics file comprises parsing, by the processor, the graphics file to determine a location of a post- fix graphics file signature (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature). Due to the definition of the data block structure, the IEND chunk length is always 0 (00 00 00 00, unless adding information artificially); data identification is always IEND (49 45 4E 44). III. PNG FILE DECODING: According the standard chunk of PNG image mentioned in the previous section, PNG decoding process is divided into the following steps: …Page 4, Left column, line 11: 5. Read the IEND chunk and end the decoding process, i.e., the PNG file is parsed to locate the IEND chunk which contains the post-fix signature), and wherein the step of determining whether there is embedded data in the graphics file after a post-fix graphics file signature comprises determining whether there is embedded data in the graphics file after the post-fix graphics file signature at an end of a body of the graphics file (MacLeod: [0117]: The number “MZ” (first few bytes of the file) is the magic number. A pointer obtained by verifying the magic number leads to a portion in the file where information is located. Once the magic number is verified, a pointer to a section header is obtained. The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file).
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claim 1 above.

As per claim 24, MacLeod teaches:
The information handling system of claim 9, wherein the memory further comprises code stored thereon that, when executed by the processor. performs a method comprising: determining, by a processor, to scan the graphics file for potential steganographic content, wherein the determining whether to analyze the graphics file for potential steganography includes determining whether at least one of a plurality of steganographic criteria is satisfied (MacLeod: [0119]: For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. Also, [0060]).  

As per claim 26, MacLeod in view of Mao and Chelarescu teaches:
The information handling system of claim 9, wherein the step of determining whether there is embedded data in the graphics file after the graphics file signature comprises determining whether there is embedded data in the graphics file after a post-fix graphics file signature at an end of a body of the graphics file (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. The metadata may also be present in other areas, e.g., at the end of the file, depending on the file format or the type of data contained. [0117]: The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature)).
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claim 9 above. 

Claims 8 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod in view of Mao and Chelarescu as applied to claims 1 and 9 above, and further in view of prior art of record US 20180349400 to Boutnaru (hereinafter Boutnaru).
As per claim 8, MacLeod in view of Mao and Chelarescu teaches: 
The method of claim 1, further comprising determining, by a processor, to scan the graphics file for potential steganographic content, wherein the determining includes determining whether at least one of a plurality of steganographic criteria is satisfied (MacLeod: [0119]: For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. Also, [0060]), 
MacLeod in view of Mao and Chelarescu does not teach the rest of the limitations. However, Boutnaru teaches:
wherein the plurality of steganographic criteria includes at least one of: a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been downloaded; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been replicated; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been backed up; or a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been restored (Boutnaru: [0033]. [0039]: the file may be a file that the system has applied steganography (or multiple iterations and/or different steganography) over at some point in time. The system may check whether the file has been altered through checksums and/or hash values to determine whether the file has been altered. If the file has not been altered the system may allow the file through, otherwise the system may continue to operation 306. [0040]: At operation 306, the system may detect the steganography method used on the file. [0048] Process 300 may include operation 309, wherein the system may apply the generated obscuring algorithm of operation 308 onto the received file. The system may then allow the file modified at operation 308 through at operation 303. The modified file having sufficiently obscured the data hidden in the file by applying the obscuring methods generated at operation 308. Additionally, in some examples, the system may maintain records of files that have gone through the obscuring processes in operation 309. In some examples, the records may be a checksum and/or a hash of the file (field associated with the file). The hash could identify the file and/or ensure that the file has not changed since the last time the system applied obscuring steganography).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Boutnaru in the invention of MacLeod in view of Mao and Chelarescu to include the above limitations. The motivation to do so would be to prevent hidden messages from being passed through steganography techniques by implementing a jumbling technique (Boutnaru: [0009]).

As per claim 25, MacLeod in view of Mao and Chelarescu does not teach the limitations of claims. However, Boutnaru teaches:
wherein the plurality of steganographic criteria includes at least one of: a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been downloaded, a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been replicated; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been backed up; or a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been restored (Boutnaru: [0033]. [0039]: the file may be a file that the system has applied steganography (or multiple iterations and/or different steganography) over at some point in time. The system may check whether the file has been altered through checksums and/or hash values to determine whether the file has been altered. If the file has not been altered the system may allow the file through, otherwise the system may continue to operation 306. [0040]: At operation 306, the system may detect the steganography method used on the file. [0048] Process 300 may include operation 309, wherein the system may apply the generated obscuring algorithm of operation 308 onto the received file. The system may then allow the file modified at operation 308 through at operation 303. The modified file having sufficiently obscured the data hidden in the file by applying the obscuring methods generated at operation 308. Additionally, in some examples, the system may maintain records of files that have gone through the obscuring processes in operation 309. In some examples, the records may be a checksum and/or a hash of the file (field associated with the file). The hash could identify the file and/or ensure that the file has not changed since the last time the system applied obscuring steganography).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Boutnaru in the invention of MacLeod in view of Mao and Chelarescu to include the above limitations. The motivation to do so would be to prevent hidden messages from being passed through steganography techniques by implementing a jumbling technique (Boutnaru: [0009]).

Claims 23 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod in view of Mao and Chelarescu as applied to claims 1 and 9 above, and further in view of prior art of record US 20040145661 to Murakami et al (hereinafter Murakami).
As per claims 23 and 27, MacLeod in view of Mao and Chelarescu does not teach the limitations of the claims. However, Murakami teaches: 
further comprising: determining a hash of the embedded data after removing the embedded data from the graphics file (Murakami: [0156] When the public key used in tampered position detection is correct, the decryption unit 404 checks the value of check bits which form the watermark information w (when the check bits represent a Hash value of a 2D feature image, a Hash value is calculated from the 2D feature image contained in the watermark information w, and is compared with the check bits in the watermark information w to determine whether or not they match).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murakami in the invention of MacLeod in view of Mao and Chelarescu to include the above limitations. The motivation to do so would be to detect the tampered position or the presence/absence of tampering from an image (Murakami: [0001]).

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over MacLeod in view of Mao and Chelarescu as applied to claim 1 above, and further in view of US 20170046023 to Kumar et al (hereinafter Kumar).
As per claim 32, MacLeod in view of Mao and Chelarescu teaches: 
The method of claim 1, further comprising parsing the graphics file to determine whether a first eight bytes of the graphics file in a header of the graphics file is a graphics file signature (Mao: Page 4: Right column: III. PNG FILE DECODING According the standard chunk of PNG image mentioned in the previous section, PNG decoding process is divided into the following steps: (1) Read data block signature to make sure the file type is PNG. Page 4, left column: Fig. 3, A. Optimization of PNG file signature: In the PNG file decoding process, the 8 bytes file signature is needed to establish the PNG file. The array named png_sig_and_info_array[ ] is used to store the 8 bytes data), 
MacLeod in view of Mao and Chelarescu does not teach: wherein the parsing a graphics file to determine a location of a graphics file signature in the graphics file is based on determining the first eight bytes of the graphics file is not a graphics file signature. However, Kumar teaches:
wherein the parsing a graphics file to determine a location of a graphics file signature in the graphics file is based on determining the first eight bytes of the graphics file is not a graphics file signature (Kumar: A source file of multimedia content, which is in a form of bytes or byte data, may include a signature that is an array of unique bytes or byte identifier used by a media player to identify Multipurpose Internet Mail Extensions (MIME). For example, the source file may include a following signature. [0106] 89 50 4E 47 0D 0A 1A 0A Hex Signature for PNG format. [0108] FF D8 FF E0 hex signature for jpg or jpeg. [0109]: When the web browser downloads a resource, data arrives at the web browser in bytes or byte format and may be easily interpreted by the web browser to identify a type of a source file of downloaded multimedia content, i.e., when the first 8 bytes do not match the hex signature of the PNG format, the web browser determines the format of the downloaded file based on locating a signature matching a different format such as a jpeg file).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kumar in the invention of MacLeod in view of Mao and Chelarescu to include the above limitations. The motivation to do so would be to enable an operating system (OS) to decide which application is to be used to open a certain file (Kumar: [0109]).

Claims 15, 20, 28 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over MacLeod and Mao.
As per claim 15, MacLeod teaches:
A non-transitory computer-readable medium including code for performing a method, the method comprising: 
parsing, by a processor, a graphics file to determine a location of a graphics file signature in the graphics file (MacLeod: Steganography may be used to conceal information in a picture, mp3, or exe file. For example, a 128 Byte text message may be hidden in a 4 MB picture. [0115]: To determine the size of the PE file, the file is parsed and analyzed. A DOS header 700 of the file is read from a storage device 155. It is determined whether the DOS header 700 begins with “MZ” to determine whether the file is an executable file. [0117] The number “MZ” (first few bytes of the file) is the magic number. A pointer obtained by verifying the magic number leads to a portion in the file where information is located. If the value does not match the DOS signature, the file is not a DOS or Windows executable. Additional instructions may be executed to determine what format the file might be such as DOC, DOCX, PPT, PPTX, XLS, XLSX, MP3, GIF, JPG, PNG and so forth. Once the magic number is verified, a pointer to a section header is obtained. [0118] In one embodiment, the pointer may be dereferenced and compared to the IMAGE_NT_SIGNATURE (0x00004550). If the value of the dereferenced pointer does not match the IMAGE_NT_SIGNATURE signature, the file is not a Windows executable. Additional instructions may be executed to determine what format the file might be such as DOC, DOCX, PPT, PPTX, XLS, XLSX, MP3, GIF, JPG, PNG and so forth, i.e., the file is parsed to locate the signature); 
determining, by the processor, whether there is embedded data at a location in the graphics file that is after the determined location of the graphics file signature (MacLeod: [0117]: Since the DOS magic number is verified, the e_lfanew member may be used to create a pointer to the Windows PE header. The IMAGE_NT_HEADERS32 pointer is calculated by adding the size of the memory buffer to the e_lfanew value. The pointer to the PE header should read “01 00h.” This location contains a PE signature which should be the number “50 45 00h.” [0119] In one embodiment, the location of IMAGE SECTION HEADER is determined using the size of the IMAGE_NT_HEADERS32. The IMAGE_NT_HEADER member FileHeader is dereferenced to access the IMAGE FILE HEADER that contains the number of sections in the PE image. For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file, i.e., it is determined that there is embedded data at the end of the file which is a location that is after the location “01 00h” at which the file signature is located); and
in response to the determining that there is embedded data after the graphics file signature, removing, by the processor, the embedded data from the graphics file (MacLeod: [0122]: In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. The return code indicates that data has been appended so a defined policy may be executed, such as isolate, delete or strip off the appended data. The steganography detection analytics involve performing statistical functions (entropy, Chi-Square, etc.) on the file. The analytics performed depend on the file type. If a GIF file, hidden data concealed in a ZIP file is searched for).
MacLeod teaches determining the location of PE file signature but does not explicitly teach determine a location of a graphics file signature in the graphics file. However, Mao teaches:
determine a location of a graphics file signature in the graphics file (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature). Due to the definition of the data block structure, the IEND chunk length is always 0 (00 00 00 00, unless adding information artificially); data identification is always IEND (49 45 4E 44). Page 4, left column: A. Optimization of PNG file signature: In the PNG file decoding process, the 8 bytes file signature is needed to establish the PNG file. The array named png_sig_and_info_array[ ] is used to store the 8 bytes data. After the first decoding process the PNG file, the signature is stored in the array. III. PNG FILE DECODING: According the standard chunk of PNG image mentioned in the previous section, PNG decoding process is divided into the following steps: …Page 4, Left column, line 11: 5. Read the IEND chunk and end the decoding process, i.e., the PNG file is parsed to locate the IEND chunk which contains the post-fix signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Mao in the invention of MacLeod to include the above limitations. The motivation to do so would be to optimize the decoding process (Mao: Abstract).

As per claim 20, MacLeod in view of Mao teaches:
The non-transitory computer-readable medium of claim 15, wherein the graphics file comprises a portable network graphics (PNG) file, and wherein the graphics files signature comprises hexadecimal values comprising "00 00 00 00 49 45 4E 44 AE 42 60 82" (Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature)). 
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claim 15 above. 

As per claim 28, MacLeod in view of Mao teaches:
The non-transitory computer-readable medium of claim 15, further comprising code for performing: determining to scan the graphics file for potential steganographic content, wherein the determining includes determining whether at least one of a plurality of steganographic criteria is satisfied (MacLeod: [0119]: For each section, the section's name and attributes are validated. The size of the file is determined as the SizeOfRawData member of the section and the size of the pointer. This process may be repeated for each section. The last section's size is the number of bytes in the SizeOfRawData member. This result is the number of bytes the PE image should occupy on the storage device. Section by section analysis is used to compute the entire size of file. [0120] From a file system, a stored filesize of the file is retrieved. [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. [0122] Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. In one embodiment, the appended data is analyzed to determine its file format and if it is encrypted. Also, [0060]).

As per claim 30, MacLeod in view of Mao teaches:
The non-transitory computer-readable medium of claim 15, wherein the step of determining whether there is embedded data in the graphics file after the graphics file signature comprises determining whether there is embedded data in the graphics file after a post-fix graphics file signature at an end of a body of the graphics file (MacLeod: [0057] The malware analytics module 140 reads a header of the file. The header of the file may include metadata typically stored at the start of the file. The metadata may also be present in other areas, e.g., at the end of the file, depending on the file format or the type of data contained. [0117]: The pointer to the PE header should read "01 00h." This location contains a PE signature which should be the number "50 45 00h." [0121] The determined size of the file is compared to the stored filesize of the file. In one embodiment, if the determined size of the file is greater than the stored filesize, data may be appended to the end of the PE file. Mao: Page 3: left column, last 4 lines: D. IEND: IEND (image trailer chunk) is used to mark the PNG file or data stream has ended, and it must be at the end of the file. Right column, lines 1-10: There will be 12 characters in the IEND: 00 00 00 00 49 45 4E 44 AE 42 60 82 (post-fix signature)).
The examiner provides the same rationale to combine prior arts MacLeod and Mao as in claim 15 above. 

Claim 29 is rejected under 35 U.S.C. 103 as being unpatentable over MacLeod in view of Mao as applied to claim 15 above, and further in view of Boutnaru.
As per claim 29, MacLeod in view of Mao does not teach the limitations of claim 29. However, Boutnaru teaches:
wherein the plurality of steganographic criteria includes at least one of: a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been downloaded; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been replicated; a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been backed up; or a field associated with the graphics file indicates that the graphics file has been modified after the graphics file has been restored (Boutnaru: [0033]. [0039]: the file may be a file that the system has applied steganography (or multiple iterations and/or different steganography) over at some point in time. The system may check whether the file has been altered through checksums and/or hash values to determine whether the file has been altered. If the file has not been altered the system may allow the file through, otherwise the system may continue to operation 306. [0040]: At operation 306, the system may detect the steganography method used on the file. [0048] Process 300 may include operation 309, wherein the system may apply the generated obscuring algorithm of operation 308 onto the received file. The system may then allow the file modified at operation 308 through at operation 303. The modified file having sufficiently obscured the data hidden in the file by applying the obscuring methods generated at operation 308. Additionally, in some examples, the system may maintain records of files that have gone through the obscuring processes in operation 309. In some examples, the records may be a checksum and/or a hash of the file (field associated with the file). The hash could identify the file and/or ensure that the file has not changed since the last time the system applied obscuring steganography).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Boutnaru in the invention of MacLeod in view of Mao to include the above limitations. The motivation to do so would be to prevent hidden messages from being passed through steganography techniques by implementing a jumbling technique (Boutnaru: [0009]).

Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over MacLeod in view of Mao as applied to claim15 above, and further in view of Murakami.
As per claim 31, MacLeod in view of Mao does not teach the limitations of claim 31. However, Murakami teaches:  
further comprising code for performing: determining a hash of the embedded data after removing the embedded data from the graphics file (Murakami: [0156] When the public key used in tampered position detection is correct, the decryption unit 404 checks the value of check bits which form the watermark information w (when the check bits represent a Hash value of a 2D feature image, a Hash value is calculated from the 2D feature image contained in the watermark information w, and is compared with the check bits in the watermark information w to determine whether or not they match).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murakami in the invention of MacLeod to include the above limitations. The motivation to do so would be to detect the tampered position or the presence/absence of tampering from an image (Murakami: [0001]).

Conclusions
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438