Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.


Drawings

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: Fig. 1:122.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the features of “a first process”, “first child process”, “second child process”, “parent process”, “child process” must be shown or the feature(s) canceled from the claim(s).  No new matter should be entered.  Specifically, the examiner notes that the applicant’s drawings fail to show any separate and distinct “first”/“parent”/“child” processes that are separate and distinct from the clearly illustrated parent and child virtual machines.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 – 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding claims 1, 2, 4, 6, 7 – 10, 12, 13, 15 – 17, and 19, they recite the terminology of “a first process”/“first child process”/“second child process”/“parent process”/“child process” separately and distinctly from the claimed “first”/“second”/“plurality of”/“parent”/“child” virtual machines, thus rendering the scope of the claims unclear and ambiguous.  Specifically, it is unclear to one of ordinary skill in the art as to the distinction, if any exists, between the recited ‘processes’ and that of the recited ‘virtual machines’.
The disclosed invention is directed towards “forking” (i.e. wherein an original process creates a copy of itself) of virtual machines.  One of ordinary skill in the art recognizes that the disclosed and claimed virtual machines are themselves processes executing within the system.  Even the applicant’s own specification teaches that the virtual machines correspond to processes (e.g. Specification, par. 5; fig. 1; fig. 2).  Therefore, it is unclear as to how any of the recited processes are separate and distinct from any of the recited virtual machines.

Regarding claim 8, the recitation “quiescing the first virtual machine” lacks standard meaning within the art, and therefore renders the scope of the claim indefinite.

Dependent claims are rejected by virtue of dependency.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ismael, US 2014/0337836 A1 in view of Tarasuk-Levin et al. (Levin), US 2018/0060104 A1.

Regarding claim 1, as best determined in view of the above noted deficiencies of clarity, Ismael discloses:
A method comprising: based on indication of a first software sample for malware analysis (e.g. Ismael, fig. 3:320; 32), identifying a first virtual machine of a plurality of virtual machines having installed a first guest operating system compatible with the first software sample (e.g. Ismael, par. 13, 33, 45-47; targeted operating system environment).
While Ismael discloses “cloning” virtual machines, Ismael does not appear to explicitly teach that such “cloning” is performed by “forking”.
Levin, however, teaches the cloning of virtual machines, wherein such cloning is performed by forking (e.g. Levin, par. 12, 16).  
It would have been obvious to one of ordinary skill in the art to recognize the “forking” teachings of Levin, and the operations associated with the forking, within the virtual machine cloning system of Ismael.  This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that forking a VM is an appropriate method for cloning the VM (i.e. Levin, par. 16 – “…forking, or cloning, …”).  
Thus, the combination enables:
forking a first process of the first virtual machine to create a first child process with a second virtual machine based, at least in part, on the first virtual machine (e.g. Ismael, par. 14-16; Levin, par. 16); 
loading the first software sample into the second virtual machine (e.g. Ismael, par. 35, 47, 53); 
and based on analysis of behavior of the first software sample in the second virtual machine, indicating whether the first software sample is malware (e.g. Ismael, par. 54).

Regarding claim 2, the combination enables:
identifying a third virtual machine having installed a second guest operating system compatible with the first software sample (e.g. Ismael, par. 13, 33, 45-47; herein a plurality of virtual machine instances – i.e. “second”, “third”, etc. may be identified for the creation of clones); 
forking a second process of the third virtual machine to create a second child process with a fourth virtual machine based, at least in part, on the third virtual machine (e.g. Ismael, par. 14-16; Levin, par. 16); 
and loading the first software sample into the fourth virtual machine, wherein indicating whether the first software sample is malware is also based on analysis of behavior of the first software sample in the fourth virtual machine (e.g. Ismael, par. 35, 47, 53, 54).

Regarding claim 3, the combination enables:
wherein the first and second guest operating systems compatible with the first software sample are different versions of a same operating system (e.g. Ismael, par. 58).

Regarding claim 4, the combination enables:
further comprising collecting log data from the second virtual machine, wherein the log data comprise indications of the behavior of the first software sample in the second virtual machine (e.g. Ismael, par. 60, 67, 68).

Regarding claim 5, the combination enables:
wherein the analysis of the behavior is based on analysis of the log data (e.g. Ismael, par. 60, 67, 68).

Regarding claim 6, the combination enables:
wherein forking the first process comprises marking physical memory pages mapped by virtual pages of the first process as read-only (Levin, par. 54, 91; Ismael, par. 33, 60).

Regarding claim 7, the combination enables:
wherein forking the first process comprises generating a read-only version of a virtual disk of the first process and generating a delta disk for the first child process (Levin, par. 13, 21, 91; Ismael, par. 33, 60).

Regarding claim 8, the combination enables:
further comprising quiescing the first virtual machine (e.g. Ismael, par. 47-49).

Regarding claim 9, the combination enables:
further comprising creating the plurality of virtual machines and installing a guest operating system on each of the plurality of virtual machines based, at least in part, on a configuration file indicating one or more guest operating systems and operating system versions (e.g. Ismael, par. 33, 47, 48).

Regarding claim 10, the combination enables:
determining a type of the first software sample, wherein identifying the first virtual machine is based, at least in part, on the determined type of the first software sample (e.g. Ismael, par. 2, 46, 39, 72).

Regarding claim 11, the combination enables:
inserting, based on the determined type of the first software sample, the first software sample into a first queue of a plurality of queues each of which corresponds to a different software type; and determining a set of one or more operating systems compatible with the first software sample based on insertion of the first software sample into the first queue (e.g. Ismael, par. 33, 39, 47-49, 72).

Regarding claims 12 – 20, they are medium and apparatus claims, essentially corresponding to the method claims above, and they are rejected, at least, for the same reasons.  Furthermore, Ismael discloses the recited medium, instructions, and processor (e.g. Ismael, par. 20, 21).

Regarding claim 12, the combination enables:
A non-transitory, machine-readable medium having instructions stored thereon that are executable by a computing device, the instructions to (e.g. Ismael, par. 20, 21): 
determine a set of one or more operating systems compatible with a first software sample indicated for malware analysis (e.g. Ismael, par. 13, 33, 45-47; targeted operating system environment); 
identify which of a plurality of virtual machines has installed the set of one or more compatible operating systems as a guest operating system (e.g. Ismael, par. 13, 33, 45-47); 
for each identified virtual machine of the plurality of virtual machines, fork a child process from a parent process corresponding to the identified virtual machine, which creates a child virtual machine based on the identified virtual machine (e.g. Ismael, par. 14-16; Levin, par. 16); 
and load the first software sample into each created child virtual machine for malware analysis in each created child virtual machine (e.g. Ismael, par. 35, 47, 53).

Regarding claim 13, the combination enables:
further comprising instructions to indicate whether the first software sample is malware based on analysis of log data generated by each child virtual machine, wherein the log data comprise indications of behavior of the first software sample (e.g. Ismael, par. 60, 67, 68).

Regarding claim 14, the combination enables:
further having instructions to determine type of the first software sample, wherein the instructions to determine the set of compatible operating systems comprise the instructions to determine the set of compatible operating systems based on the type of the first software sample (e.g. Ismael, par. 39, 72).

Regarding claim 15, the combination enables:
wherein the instructions to fork the child process from the parent process comprise instructions to mark physical memory pages mapped by virtual pages of the identified virtual machine corresponding to the parent process as read-only (Levin, par. 54, 91; Ismael, par. 33, 60).

Regarding claim 16, the combination enables:
wherein the instructions to fork the child process from the parent process comprise instructions to generate a read-only version of a virtual disk of the identified virtual machine corresponding to the parent process and generate a delta disk for the corresponding child virtual machine (Levin, par. 13, 21, 91; Ismael, par. 33, 60).

Regarding claim 17, the combination enables:
An apparatus comprising: a processor; and a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to (e.g. Ismael, par. 20, 21), based on identification of a software sample indicated for malware analysis, determine at least a first virtual machine of a plurality of virtual machines having installed a guest operating system with which the software sample is compatible (e.g. Ismael, par. 13, 33, 45-47); 
fork a process of the first virtual machine to create a child process (e.g. Ismael, par. 14-16; Levin, par. 16); 
create a second virtual machine in the child process based, at least in part, on providing a read-only version of a virtual disk and memory corresponding to the process of the first virtual machine for access by the child process (Levin, par. 54, 91; Ismael, par. 33, 60); 
and load the software sample into the second virtual machine for monitoring of behavior (e.g. Ismael, par. 35, 47, 53).

Regarding claim 18, the combination enables:
further comprising instructions executable by the processor to cause the apparatus to determine the guest operating system with which the software sample is compatible based, at least in part, on a type of the software sample (e.g. Ismael, par. 2, 46, 39, 72).

Regarding claim 19, the combination enables:
further comprising instructions executable by the processor to cause the apparatus to indicate whether the software sample is malware based on analysis of monitored behavior of the software sample in the second virtual machine (e.g. Ismael, par. 54).

Regarding claim 20, the combination enables:
further comprising instructions executable by the processor to cause the apparatus to collect log data generated by the second virtual machine, wherein the log data comprise indications of monitored behavior of the software sample, and wherein the analysis of monitored behavior is based on the log data (e.g. Ismael, par. 60, 67, 68).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JEFFERY L WILLIAMS/          Primary Examiner, Art Unit 2495