Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
No foreign priority is claimed.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/02/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1), 102(a)(2) as being anticipated by Martini et al. (US 9,390,268 B1, Martini hereinafter).
For claim 1, Martini teaches a network endpoint comprising: one or more processors; and one or more non-transitory computer-readable media comprising instructions (col. 3 lines 16-24; col. 21 lines 54-62; Fig. 3A, 6) that, upon execution by the one or more processors, are to cause the network endpoint to: identify, based on a signature that identifies a file, a first parameter of the file (col. 1 line 59 - col. 2 line 14 - teaches that the attributes/parameters including program name are identified for matching with preconfigured values in the application (file) signature that identifies the application - “…determining if the one or more attributes match a preconfigured value in an application signature. The one or more attributes includes at least one of the groups consisting of a Secure Hash Algorithm (SHA) value, an MD5 value, and a program name”);
identify, based on a behavior of the file that occurs if the file is executed, a second parameter of the file (col. 3 line 31 - col. 4 line 6 - second parameter identified as operations being executed, and matching those with the operations in the respective program signature); 
identify a first value based on the first parameter (col. 1 lines 59-64 - for each match, a score value is identified for the signature and for the underlying attributes or parameters in turn) and a second value based on the second parameter (col. 3 line 31 - col. 4 line 6 - second value or match scores based on execution operations; col. 20 line 58 - col. 21 line 16 - match score value and weightings identified as a second parameter for further use in malware likelihood determination);
identify, based on the first value and the second value, a probability that the file is malware; and output an indication of the probability (both of the above match scores, or the first and the second values, are added to the total score, which is utilized to determine the likelihood (col. 3 lines 45-54; col. 10 lines 27-65; col. 22 lines 25-38 - total score and adjustable weights as values that determine the likelihood of classification into a particular application type such as malware)).

For claim 2, Martini teaches wherein the instructions to identify the probability that the file is malware include instructions to compare a score value to a threshold value, wherein the score value is based on the first value and the second value (Abstract; col. 3 lines 45-54; col. 11 lines 17-33 - total score is based on first and second values or match scores depending on various factors such as attributes and execution operations, compared to thresholds for maliciousness determination).

For claim 3, Martini teaches wherein the signature of the file is a name of a file, an identifier of a publisher of the file, or a hash of the file (col. 1 line 59 - col. 2 line 14 - “…determining if the one or more attributes match a preconfigured value in an application signature. The one or more attributes includes at least one of the groups consisting of a Secure Hash Algorithm (SHA) value, an MD5 value, and a program name” - teaches that one or more attributes/parameters, including program name and/or hash, are identified for matching with preconfigured values in the application (file) signature that identifies the application).

For claim 4, Martini teaches wherein the instructions to identify the second parameter of the file include instructions to simulate execution of the file to identify the behavior of the file (col. 19 lines 56-65 - the sandbox used for execution behavior analysis may be an emulator).

For claim 5, Martini teaches the network endpoint of claim 4, wherein the instructions to simulate execution of the file include instructions to execute the file on a virtual machine in a sandbox environment (col. 3 line 31 - col. 4 line 6; col. 6 lines 49-62; col. 19 lines 56-65 - Sandbox virtual machine environment).

For claim 6, Martini teaches wherein the first parameter is a signature-related type of the file (col. 9 lines 4-12 - type of software application in the associated signature).

For claim 7, Martini teaches wherein the second parameter is a behavior-related type of the file (col. 8 lines 29-52; Table in col. 11 and col. 12 - type of file that indicates certain behavior of the file based on the content).

For claim 8, Martini teaches wherein the instructions to output the indication of the probability includes instructions to facilitate output of a graphical indication of the probability on a display device that is communicatively coupled with the network endpoint (col. 21 line 54 - col. 22 line 19 - GUI to facilitate any output including notifications of maliciousness detection).

For claim 9, the claim limitations are similar to those of claim 1 except claim 9 is drawn to a method performed by the network endpoint of claim 1. Therefore claim 9 is rejected according to claim 1 above.

For claim 10, Martini teaches wherein the method further includes determining whether to perform the identification of the second parameter of the file based on the signature that identifies the file (col. 1 lines 59-64 - for each match, a score value is identified for the signature and for the underlying attributes or parameters in turn; col. 3 line 31 - col. 4 line 6 - second value or match scores based on execution operations; col. 20 line 58 - col. 21 line 16 - match score value and weightings identified as a second parameter for further use in malware likelihood determination).

For claim 11, Martini teaches wherein the identifying the probability that the file is malware includes comparing, by the electronic device, a score value to a threshold value, wherein the score value is based on the first value and the second value (Abstract; col. 3 lines 45-54; col. 11 lines 17-33 - total score is based on first and second values or match scores depending on various factors such as attributes and execution operations, compared to thresholds for maliciousness determination).

For claim 12, Martini teaches wherein the signature of the file is a name of a file, an identifier of a publisher of the file, or a hash of the file (col. 1 line 59 - col. 2 line 14 - “…determining if the one or more attributes match a preconfigured value in an application signature. The one or more attributes includes at least one of the groups consisting of a Secure Hash Algorithm (SHA) value, an MD5 value, and a program name” - teaches that one or more attributes/parameters, including program name and/or hash, are identified for matching with preconfigured values in the application (file) signature that identifies the application).

For claim 13, Martini teaches wherein the identifying the second value includes simulating, by a virtual machine running on the electronic device, execution of the file (col. 19 lines 56-65 - the sandbox used for execution behavior analysis may be an emulator).

For claim 14, Martini teaches the method of claim 13, wherein the behavior includes an attempted unauthorized alteration of another file based on the simulated execution of the file (col. 10 lines 51-66; col. 21 lines 27-50 - unauthorized access or program modification is monitored and used for signature determination).

For claim 15, the claim limitations are similar to those of claim 1 except claim 15 is drawn to one or more non-transitory computer-readable media comprising instructions that, upon execution by one or more processors of a network endpoint, are to cause the network endpoint to perform the method of claim 1. Therefore claim 15 is rejected according to claim 1 above.

For claim 16, the claim limitations are similar to those of claim 10. Therefore claim 16 is rejected according to claim 10 above.

For claims 17-19, the claim limitations are similar to those of claims 2-4, respectively. Therefore claims 17-19 are rejected according to claims 2-4, respectively, above.

For claim 20, the claim limitations are similar to those of claim 8. Therefore claim 20 is rejected according to claim 8 above.

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/ Primary Examiner, Art Unit 2433