DETAILED ACTION
Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-15 are rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-6 and 8-14 of U.S. Patent No. 10,992,703 B2 in view of Friedrichs (US 2012/0210423 A1). The patent claims are substantially identical to those of instant claims 1-15, except that the patent claims are drawn to a whitelist and files being clean, rather than to a blacklist and files being malicious. Accordingly, the patent claims are considered to teach the instant claims other than the “blacklist” and “malicious” language (e.g., exemplary claims 1-6 as mapped below). However, it is known within the art that whitelisting and blacklisting functionality is substitutable. For instance, see at least [0078] and [0101]-[0102] of Friedrichs concerning whitelists and blacklists being interchangeable. Therefore it would have been obvious to one of ordinary skill in the art to modify the patent claims to concern blacklisting rather than whitelisting functionality because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time.
Independent claim 9 is substantially similar to independent claim 1 above, and is therefore likewise rejected. Dependent claims 10-14 are substantially similar to claims 2-6 and are likewise rejected. Further, since dependent claims 2-8 and 10-15 depend on rejected parent claims, they are likewise rejected by virtue of their dependency.
Instant Application, claim 1:
1. A method comprising: receiving a first full hash and a first plurality of subhashes from a client, wherein the first full hash is a hash of a first file and each subhash in the first plurality of subhashes is a hash of a facet of the first file;
determining whether the first full hash is blacklisted;
responsive to determining the first full hash is blacklisted, updating, for each subhash in the first plurality of subhashes, an associated malicious count, wherein the malicious count tracks a historic number of blacklisted files with which the subhash is associated;
responsive to a first malicious count of the malicious counts exceeding a threshold malicious count, adding the subhash associated with the first malicious count to a subhash blacklist;
receiving a second full hash and a second plurality of subhashes from the client, wherein the second full hash is a hash of a second file and each subhash in the second plurality of subhashes is a hash of a facet of the second file;
determining whether the second full hash is blacklisted; responsive to determining the second full hash is not blacklisted, determining whether a subhash in the second plurality of subhashes is included in the subhash blacklist;
responsive to determining a subhash in the second plurality of subhashes is included in the subhash blacklist, determining the second file is blacklisted; and
reporting that the second file is blacklisted to the client.

US 10,992,703 B2, claim 1:
1. A method comprising:
receiving a first full hash and a first plurality of subhashes from a client, wherein the first full hash is a hash of an entire first file and each subhash in the first plurality of subhashes is a hash of a facet of the first file, wherein a file comprises a code portion and a non-code portion and a facet is at least part of the non-code portion of the file;
determining whether the first full hash is whitelisted;
responsive to determining the first full hash is whitelisted, updating, for each subhash in the first plurality of subhashes, an associated clean count, wherein the clean count tracks a historic number of whitelisted files with which the subhash is associated;
responsive to a first clean count of the clean counts exceeding a threshold clean count, adding the subhash associated with the first clean count to a subhash whitelist;
receiving a second full hash and a second plurality of subhashes from the client, wherein the second full hash is a hash of an entire second file and each subhash in the second plurality of subhashes is a hash of a facet of the second file;
determining whether the second full hash is whitelisted;
responsive to determining the second full hash is not whitelisted, determining whether a subhash in the second plurality of subhashes is included in the subhash whitelist;
responsive to determining a subhash in the second plurality of subhashes is included in the subhash whitelist, determining the second file is whitelisted; and
reporting that the second file is whitelisted to the client.

Instant Application, claim 2:
2. The method of claim 1, further comprising: receiving a third plurality of subhashes from the client, wherein each subhash in the third plurality of subhashes is a hash of a facet of a third file; determining that the third file is malicious; and removing a subhash in the third plurality of subhashes from a subhash whitelist.

US 10,992,703 B2, claim 2:
2. The method of claim 1, further comprising:
receiving a third plurality of subhashes from the client, wherein each subhash in the third plurality of subhashes is a hash of a facet of a third file;
determining that the third file is malicious; and
removing a subhash in the third plurality of subhashes from the subhash whitelist.

Instant Application, claim 3:
3. The method of claim 2, wherein removing the subhash in the third plurality of subhashes from the subhash whitelist is responsive to a malicious count associated with the subhash in the third plurality of subhashes comprising a nonzero value.

US 10,992,703 B2, claim 3:
3. The method of claim 2, further comprising:
responsive to determining that the third file is malicious, incrementing, for each subhash in the third plurality of subhashes, an associated malicious count;
wherein removing the subhash in the third plurality of subhashes from the subhash whitelist is responsive to a malicious count associated with the subhash in the third plurality of subhashes comprising a nonzero value.

Instant Application, claim 4:
4. The method of claim 1, further comprising: receiving a third plurality of subhashes of facets of a third file from a second client; determining whether at least one subhash in the third plurality of subhashes is included in the subhash blacklist, comprising: determining whether a subhash in the third plurality of subhashes is the subhash associated with the first malicious count; and
reporting a result of determining whether at least one subhash in the third plurality of subhashes is included in the subhash blacklist to the second client.

US 10,992,703 B2, claim 4:
4. The method of claim 1, further comprising:
receiving a third plurality of subhashes of facets of a third file from a second client;
determining whether at least one subhash in the third plurality of subhashes is included in the subhash whitelist, comprising:
determining whether a subhash in the third plurality of subhashes is the subhash associated with the first clean count; and
reporting a result of determining whether at least one subhash in the third plurality of subhashes is included in the subhash whitelist to the second client.

Instant Application, claim 5:
5. The method of claim 1, further comprising: receiving a third plurality of subhashes from the client, wherein each subhash in the third plurality of subhashes is a hash of a facet of a third file; determining whether at least one subhash in the third plurality of subhashes is included in a subhash whitelist; and responsive to determining at least one subhash included in the third plurality of subhashes is included in the subhash whitelist, reporting that the third file is clean to the client.

US 10,992,703 B2, claim 5:
5. The method of claim 1, further comprising:
receiving a third plurality of subhashes from the client, wherein each subhash in the third plurality of subhashes is a hash of a facet of a third file;
determining whether at least one subhash in the third plurality of subhashes is included in a subhash blacklist; and
responsive to determining at least one subhash included in the third plurality of subhashes is included in the subhash blacklist, reporting that the third file is malicious to the client.

Instant Application, claim 6:
6. The method of claim 1, wherein reporting that the second file is blacklisted to the client comprises reporting that the second file is blacklisted to a protection application at the client.

US 10,992,703 B2, claim 6:
6. The method of claim 1, wherein reporting that the second file is whitelisted to the client comprises reporting that the second file is whitelisted to a protection application at the client.
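
The instant claim 1 flow mapped above, together with the whitelist removal of instant claims 2-3 and the subhash whitelist check of instant claim 5, sketched in Python as an added illustration; it is not part of the Office action, the application, or the cited references. SHA-256, the threshold of 2, counting distinct files, checking the subhash blacklist before the subhash whitelist, and all class names, function names and sample data are assumptions of this example.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(file_bytes: bytes, facets: dict) -> tuple:
    """Client side: full hash of the file plus one subhash per facet.
    Hashing the facet name with its value (an assumption of this example)
    keeps identical strings in different fields from colliding."""
    subhashes = [sha256_hex(name.encode() + b"\x00" + value)
                 for name, value in sorted(facets.items())]
    return sha256_hex(file_bytes), subhashes


class ReputationServer:
    """Hypothetical server holding the full-hash and subhash lists."""

    def __init__(self, full_hash_blacklist, threshold, subhash_whitelist=()):
        self.full_hash_blacklist = set(full_hash_blacklist)
        self.threshold = threshold  # "threshold malicious count"
        self.subhash_whitelist = set(subhash_whitelist)
        self.subhash_blacklist = set()
        # subhash -> distinct blacklisted full hashes it arrived with, so a
        # resubmitted file cannot inflate the count (design choice here).
        self._seen_with = defaultdict(set)

    def malicious_count(self, subhash: str) -> int:
        return len(self._seen_with.get(subhash, ()))

    def check(self, full_hash: str, subhashes: list) -> tuple:
        """Return (verdict, deciding stage) for one client submission."""
        if full_hash in self.full_hash_blacklist:
            for sh in subhashes:
                self._seen_with[sh].add(full_hash)
                # Claims 2-3: a nonzero malicious count removes the subhash
                # from the subhash whitelist.
                self.subhash_whitelist.discard(sh)
                if self.malicious_count(sh) > self.threshold:
                    self.subhash_blacklist.add(sh)
            return ("blacklisted", "full-hash")
        # Full hash not blacklisted: fall back to the learned subhash lists.
        if any(sh in self.subhash_blacklist for sh in subhashes):
            return ("blacklisted", "subhash")
        if any(sh in self.subhash_whitelist for sh in subhashes):
            return ("clean", "subhash")
        return ("unknown", None)


def demo() -> list:
    """Constructed data: three known-bad files share one author string."""
    author = b"Constructed Author LLC"
    bad = [fingerprint(b"constructed-bad-body-%d" % i,
                       {"author": author, "product": b"Constructed Tool %d" % i})
           for i in range(3)]
    variant = fingerprint(b"constructed-repacked-body", {"author": author})
    lookalike = fingerprint(b"constructed-other-body",
                            {"product": b"Constructed Tool 0"})
    server = ReputationServer(
        full_hash_blacklist={full for full, _ in bad},
        threshold=2,
        subhash_whitelist=set(lookalike[1]),
    )
    results = [server.check(*lookalike)]      # product subhash still whitelisted
    server.check(*bad[0])
    server.check(*bad[0])                     # resubmission: count unchanged
    server.check(*bad[1])
    results.append(server.check(*variant))    # author count is 2, not above 2
    results.append(server.check(*lookalike))  # whitelist entry was removed
    results.append(server.check(*bad[2]))     # author count becomes 3
    results.append(server.check(*variant))    # caught by the subhash blacklist
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A facet shared by many unrelated files (a common copyright string, for instance) reaches the threshold as easily as a distinctive one, so the choice of facets and threshold determines the false-positive rate of the subhash stage.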


Claims 16-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over at least claim 1 of U.S. Patent No. 10,992,703 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the patent are considered to anticipate those of the instant application (e.g., see the mapping below). Claims 17-20 depend on claim 16, and are therefore likewise rejected by virtue of their dependency.

Instant Application, claim 16:
16. A method, comprising:
...wherein a subhash is included in the subhash whitelist responsive to a clean count associated with the subhash exceeding a threshold value, the clean count indicating a number of previous instances of a respective full hash being whitelisted...
receiving a full hash and a plurality of subhashes, wherein the full hash is a hash of a file and each subhash in the plurality of subhashes is a hash of a facet of the file;
determining whether the full hash is whitelisted;
responsive to determining the full hash is not whitelisted, determining whether a subhash in the plurality of subhashes is included in a subhash whitelist,
responsive to determining a subhash in the plurality of subhashes is included in the subhash whitelist, determining the file is whitelisted; and
reporting that the file is whitelisted.

US 10,992,703 B2, claim 1:
1. A method comprising:
receiving a first full hash and a first plurality of subhashes from a client, wherein the first full hash is a hash of an entire first file and each subhash in the first plurality of subhashes is a hash of a facet of the first file, wherein a file comprises a code portion and a non-code portion and a facet is at least part of the non-code portion of the file;
determining whether the first full hash is whitelisted;
responsive to determining the first full hash is whitelisted, updating, for each subhash in the first plurality of subhashes, an associated clean count, wherein the clean count tracks a historic number of whitelisted files with which the subhash is associated;
responsive to a first clean count of the clean counts exceeding a threshold clean count, adding the subhash associated with the first clean count to a subhash whitelist;
receiving a second full hash and a second plurality of subhashes from the client, wherein the second full hash is a hash of an entire second file and each subhash in the second plurality of subhashes is a hash of a facet of the second file;
determining whether the second full hash is whitelisted;
responsive to determining the second full hash is not whitelisted, determining whether a subhash in the second plurality of subhashes is included in the subhash whitelist;
responsive to determining a subhash in the second plurality of subhashes is included in the subhash whitelist, determining the second file is whitelisted; and
reporting that the second file is whitelisted to the client.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


	Claims 1-5, 7-13, and 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mathematical concept (mathematical relationships, formulas / equations, or calculations) without significantly more. For instance, the claims may be interpreted as being drawn to following directions for pen-and-paper calculations and logging. The claim(s) recite(s) the following abstract idea limitations (e.g., exemplary independent claim 1):
A method comprising:
receiving a first full hash and a first plurality of subhashes from [an entity] (i.e., the mathematical concept of a first person obtaining input values from a second person for calculations/logging—e.g., verbally or via paper), wherein the first full hash is a hash of a first file (e.g., any document and associated content, such as a pen-and-paper document) and each subhash in the first plurality of subhashes is a hash of a facet of the first file (i.e., the mathematical concept of the input having been previously prepared based on a formula/algorithm—e.g., via pen and paper);
determining whether the first full hash is blacklisted (i.e., the mathematical concept of following an algorithm for calculations, inputting and comparing values—e.g., via pen and paper);
responsive to determining the first full hash is blacklisted, updating, for each subhash in the first plurality of subhashes, an associated malicious count, wherein the malicious count tracks a historic number of blacklisted files with which the subhash is associated (i.e., the mathematical concept of following an algorithm for calculations, counting, comparing, and inputting values—e.g., via pen and paper based on a written algorithm);
responsive to a first malicious count of the malicious counts exceeding a threshold malicious count, adding the subhash associated with the first malicious count to a subhash blacklist (i.e., the mathematical concept of following an algorithm for calculations as with the previous limitations / logging results of the calculations);
receiving a second full hash and a second plurality of subhashes from the [entity], wherein the second full hash is a hash of a second file and each subhash in the second plurality of subhashes is a hash of a facet of the second file (i.e., the mathematical concept of a first person obtaining input values from a second person for calculations/logging—e.g., verbally or via paper);
determining whether the second full hash is blacklisted; responsive to determining the second full hash is not blacklisted, determining whether a subhash in the second plurality of subhashes is included in the subhash blacklist; responsive to determining a subhash in the second plurality of subhashes is included in the subhash blacklist (i.e., the mathematical concept of following an algorithm for calculations—counting, comparing, and inputting values—as with the previous limitations / logging results of the calculations); determining the second file is blacklisted; and
reporting that the second file is blacklisted to the [entity] (i.e., the mathematical concept of reporting your results, e.g., verbally or via pen and paper to another person).
	The claim(s) (e.g., independent claims 1 and 9) recite(s) the following limitations which may be significantly more than the abstract idea: the [entity] being a client; A non-transitory computer-readable storage medium storing computer program instructions executable by a processor to perform operations.
	This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, the only elements which are not merely the formula and manual calculation are the client, processor, and computer-readable storage medium. However, these would appear to be essential elements of any given computer system for applying the exception. 
	The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, the only elements which are not merely the formula and manual calculation are the client, processor, and computer-readable storage medium. However, these would appear to be essential elements of any given computer system for applying the exception.
	Independent claim 9 is substantially similar to independent claim 1, and independent claim 16 is substantially similar to elements of independent claim 1. Accordingly, the independent claims are rejected for substantially the same reasons.
	Dependent claims 2-5, 7-8, 10-13, 15, and 17-20 are drawn to further elaborating the mathematical concept (e.g., additional steps in the algorithm, additional comparisons, limiting the count to a certain value, and additional input values and results to log/report). As such, they are likewise rejected under the same analysis.
	Dependent claims 6 and 14 are considered to be drawn to significantly more than the judicial exception.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Friedrichs (US 2012/0210423 A1) in view of “PhishZoo: An Automated Web Phishing Detection Approach Based on Profiling and Fuzzy Matching,” hereinafter “Afroz.”

Regarding claim 16, Friedrichs discloses:  A method, comprising: 
receiving a full hash and a plurality of subhashes, wherein the full hash is a hash of a file; 
Refer to at least FIG. 1 and [0078] of Friedrichs with respect to a traditional fingerprint and fuzzy fingerprint. Further refer to at least [0079] of Friedrichs with respect to multiple specific fingerprints. 
Refer to at least [0003] of Friedrichs with respect to hashing/fingerprints.
determining whether the full hash is whitelisted; 
Refer to at least FIG. 1 and [0078] of Friedrichs with respect to determining whether an application is on a known whitelist or blacklist via traditional means (i.e., from the traditional fingerprint and fuzzy fingerprint). 
responsive to determining the full hash is not whitelisted, determining whether a subhash in the plurality of subhashes is included in a subhash whitelist, wherein a subhash is included in the subhash whitelist responsive to a clean count associated with the subhash exceeding a threshold value, the clean count indicating a number of previous instances of a respective full hash being whitelisted; 
Refer to at least FIG. 1 and [0079] of Friedrichs with respect to determining whether a threshold amount of the specific fingerprints are associated with a whitelist/blacklist.
Refer to at least [0076] and [0081] of Friedrichs with respect to determining correspondence to a whitelist/blacklist based on a count.
responsive to determining a subhash in the plurality of subhashes is included in the subhash whitelist, determining the file is whitelisted; and 
reporting that the file is whitelisted.
Refer to at least [0079]-[0080] and [0076] of Friedrichs with respect to reporting the application as malicious or benign.
Friedrichs discloses application metadata and feature vectors, but does not fully specify that: each subhash in the plurality of subhashes is a hash of a facet of the file. However, Friedrichs in view of Afroz discloses: each subhash in the plurality of subhashes is a hash of a facet of the file. 
Refer to at least the 4th paragraph in “3. APPROACH” (“To catch phishing sites…”), Figure 1, and “3.2 Profile Matching” of Afroz with respect to fuzzy hashing separately applied to various contents of a site. A site profile is first compared against a whitelist before utilizing the content fuzzy hashes.
The teachings of Friedrichs and Afroz both concern hash signatures and a 2-step comparison process based on a whitelist, and are considered to be within the same field of endeavor and combinable as such. Further, at least 2.4 of Afroz recites that its teachings can be combined with other blacklisting, heuristic, or whitelisting approaches.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Friedrichs to further include a second stage of comparing hashed application contents for at least the purpose of increasing detection accuracy (e.g., section 2.4 of Afroz).

Regarding claim 17, Friedrichs-Afroz discloses: The method of claim 16, wherein at least one facet is an author string, a product name string, a list of application programming interfaces, a file description, copyright information, or a portion of a file header.
Refer to at least [0086]-[0089] and [0099] of Friedrichs with respect to exemplary application metadata and features (e.g., file properties and referenced DLLs).
This claim would have been obvious for substantially the same reasons as claim 16 above.

Regarding claim 18, Friedrichs-Afroz discloses: The method of claim 16, further comprising: receiving a plurality of files; and applying the plurality of files to a file filter to produce a subset of files comprising a subset of the plurality of files to be checked against a subhash whitelist; wherein the first file is a file in the subset of files.
Refer to at least [0060], [0068], and [0094] of Friedrichs with respect to sorting applications into sets for analysis.

Regarding claim 19, it is rejected for substantially the same reasons as claim 18 above (further see at least [0027] and [0063] of Friedrichs).

Regarding claim 20, it is rejected for substantially the same reasons as claim 16 above (i.e., the citations concerning hashing and content / metadata and features).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/V.S/ Examiner, Art Unit 2432