Patent Application 18497689 - AUTOMATED CODE SIGNATURE GENERATION FOR WINDOWS - Rejection

Title: AUTOMATED CODE SIGNATURE GENERATION FOR WINDOWS .NET BINARIES

Application Information

  • Invention Title: AUTOMATED CODE SIGNATURE GENERATION FOR WINDOWS .NET BINARIES
  • Application Number: 18497689
  • Submission Date: 2025-05-14T00:00:00.000Z
  • Effective Filing Date: 2023-10-30T00:00:00.000Z
  • Filing Date: 2023-10-30T00:00:00.000Z
  • National Class: 726
  • National Sub-Class: 001000
  • Examiner Employee Number: 86000
  • Art Unit: 2491
  • Tech Center: 2400

Rejection Summary

  • 102 Rejections: 2
  • 103 Rejections: 0

Cited Patents

The following patents were cited in the rejection:

Office Action Text


    DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2025-03-24 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed.  Cir.  1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed.  Cir.  1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed.  Cir.  1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.  See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159.  See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA.  A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection.  A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action.  Even where the NSDP rejection is provisional the reply must be complete.  See MPEP § 804, subsection I.B.1.  For a reply to a non-final Office action, see 37 CFR 1.111(a).  For a reply to final Office action, see 37 CFR 1.113(c).  A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration.  See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used.  Please visit www.uspto.gov/patent/patents-forms.  The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-25 are rejected on the ground of nonstatutory double patenting over US Patents 9992214, 12107831, 12153676, and 12174959 in view of the prior art of record.
Although the claims at issue are not identical to the parent patents, they are not patentably distinct from each other because the claim limitations of the instant application are obvious over the issued related patents.  For example, the related patents all relate to fuzzy hashing and determining whether a file is malware based on the hashing.  The only feature in the independent claims of the instant application that is not anticipated by the related patents is that the file for which a signature is generated is a “.NET binary” as an intended use; however, aside from being a common executable file type, this process of creating signatures for .NET binaries is rendered obvious by the prior art of record (Sinclair et al.; EP-2560120-B1).  Any limitations of the dependent claims of the Instant Application not disclosed in the related patents are obvious in view of Sinclair.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 25 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter; specifically, it is directed towards software, per se.
Claim 25 is directed towards software, per se.  The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow).  The broadest reasonable interpretation of a claim drawn to a “computer program product embodied in a non-transitory computer readable medium for generating a signature for a Windows .NET binary, and the computer program product comprising computer instructions” typically covers forms of hardware, software per se, and combinations thereof in view of the ordinary and customary meaning of “computer program product”, particularly when the specification is silent; See MPEP 2111.01.  When the broadest reasonable interpretation of a claim covers software per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter, as software per se does not fall within at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. 101 (process, machine, manufacture, or composition of matter).  Software is descriptive material that can be considered statutory ONLY if it is both functional and clearly embodied as structural, non-transitory matter; See MPEP § 2106.03(I).  Even if the software of the claim(s) is functional, it is not clearly defined as being embodied as structural, non-transitory matter and is therefore not statutory.
Further note that the recitation of “a non-transitory computer readable medium” (CRM) is insufficient to limit the claimed invention to hardware, as the claimed computer program product does not comprise the CRM but is instead merely “embodied in” the CRM.

Claims 1-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea (35 U.S.C. 101 Judicial Exception) without significantly more.  The claims recite hashing and classifying code, a form of observation, evaluation, judgment, and/or opinion, which is a concept performed in the human mind and thus grouped as mental processes.  This judicial exception is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer.  The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered separately and in combination, do not add significantly more to the abstract idea, as they are well-understood, routine, conventional computer functions as recognized by the courts.
Based upon consideration of all the relevant factors with respect to the claimed invention as a whole, the claims are determined to be directed to an abstract idea without significantly more.  The rationale for this determination is explained infra:
The following are Principles of Law:
A patent may be obtained for “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof”; 35 U.S.C. § 101.  The Supreme Court has consistently held that this provision contains an important implicit exception: laws of nature, natural phenomena, and abstract ideas are not patentable; See Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347, 2354 (2014); Gottschalk v. Benson, 409 U.S. 63, 67 (1972) (“Phenomena of nature, though just discovered, mental processes, and abstract intellectual concepts are not patentable, as they are the basic tools of scientific and technological work.”).  Notwithstanding that a law of nature or an abstract idea, by itself, is not patentable, an application of these concepts may be deserving of patent protection; See Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1293–94 (2012).  In Mayo, the Court stated that “to transform an unpatentable law of nature into a patent-eligible application of such a law, one must do more than simply state the law of nature while adding the words ‘apply it.’” Mayo, 132 S. Ct. at 1294 (citation omitted).
In Alice, the Court reaffirmed the framework set forth previously in Mayo “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of these concepts.” Alice, 134 S. Ct. at 2355.  The test for determining subject matter eligibility requires a first step of determining whether the claims are directed to a process, machine, manufacture, or composition of matter.  If the claims are directed to one of the four patent-eligible subject matter categories, then the Examiner must perform a two-part analysis to determine whether a claim that is directed to a judicial exception recites additional elements that amount to significantly more than the exception.  The first part of the second step in the analysis is to “determine whether the claims at issue are directed to one of those patent-ineligible concepts.” Id.  If the claims are directed to a patent-ineligible concept, then the second part of the second step in the analysis is to consider the elements of the claims “individually and ‘as an ordered combination”’ to determine whether there are additional elements that “‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo, 132 S. Ct. at 1298, 1297).  In other words, the second step in the analysis is to “search for an ‘inventive concept’‒ i.e., an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent on the [ineligible concept] itself.’” Id. (brackets in original) (quoting Mayo, 132 S. Ct. at 1294).  The prohibition against patenting an abstract idea “cannot be circumvented by attempting to limit the use of the formula to a particular technological environment or adding insignificant post-solution activity.”  Bilski v. Kappos, 561 U.S. 593, 610–11 (2010) (citation and internal quotation marks omitted).  
The Court in Alice noted that “[s]imply appending conventional steps, specified at a high level of generality,” was not “enough” [in Mayo] to supply an “‘inventive concept.’” Alice, 134 S. Ct. at 2357 (quoting Mayo, 132 S. Ct. at 1300, 1297, 1294).
In the “2019 Revised Patent Subject Matter Eligibility Guidance” (2019 PEG), the USPTO has prepared revised guidance for use by USPTO personnel in evaluating subject matter eligibility based upon rulings by the courts.
The Examiner is bound by and applies the framework as set forth by the Court in Mayo and reaffirmed by the Court in Alice and follows the 2019 PEG for determining whether the claims are directed to patent-eligible subject matter.
Step 1: Are the claims at issue directed to a process, machine, manufacture, or composition of matter?
The Examiner finds that the claims are directed to one of the four statutory categories or (for claim 25) could be amended such that they are directed to one of the four statutory categories.
Step 2A – Prong One: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
The Examiner finds that the claims are directed to the abstract idea of hashing and classifying code, a form of observation, evaluation, judgment, and/or opinion, which is a concept performed in the human mind and thus grouped as mental processes.
Step 2A – Prong Two: Does the claim recite additional elements that integrate the Judicial Exception into a practical application?
The abstract idea is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer.
In determining whether the abstract idea was integrated into a practical application, the Examiner has considered whether there were any limitations indicative of integration into a practical application, such as:
(1) Improvements to the functioning of a computer, or to any other technology or technical field; See MPEP § 2106.05(a) 
(2) Applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition; See Vanda Memo (Recent Subject Matter Eligibility Decision: Vanda Pharmaceuticals Inc. v. West-Ward Pharmaceuticals)
(3) Applying the judicial exception with, or by use of, a particular machine; See MPEP § 2106.05(b) 
(4) Effecting a transformation or reduction of a particular article to a different state or thing; See MPEP § 2106.05(c)  
(5) Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception; See MPEP § 2106.05(e) and Vanda Memo
The Examiner notes that claim features of hashing and classifying do not improve the functioning of a computer or technical field, do not effect a particular treatment or prophylaxis for a disease or medical condition, do not apply or use a particular machine, do not effect a transformation or reduction of a particular article to a different state or thing, and do not apply or use the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception.
Instead of a practical application, the claim features of hashing and classifying merely use a general-purpose computer as a tool to perform the abstract idea (See MPEP § 2106.05(f)) and merely generally link the use of the abstract idea to a field of use (See MPEP § 2106.05(h)).  Thus, the Examiner finds that the claimed invention does not recite additional elements that integrate the Judicial Exception into a practical application.
Step 2B: Is there something else in the claims that ensures that they are directed to significantly more than a patent-ineligible concept?
The claims, as a whole, require nothing significantly more than generic computer implementation or can be performed entirely by a human.  The additional element(s) or combination of element(s) in the claims other than the abstract idea per se amount to no more than recitation of generic computer structure (e.g. processor and memory) that serves to perform generic computer functions (e.g. hashing and classifying) that are well-understood, routine, and conventional activities previously known to the pertinent industry.  The claimed .NET binary, file signature, code, sample, rule, threshold are all numbers, data structures, or datum.  Each of these elements is individually dispositive of patent eligibility because of the following legal holdings:
“Data in its ethereal, non-physical form is simply information that does not fall under any of the categories of eligible subject matter under section 101.” Digitech Image Techs., LLC v. Electronics for Imaging, Inc., 758 F.3d 1344, 1350 (Fed. Cir. 2014).
The Supreme Court has also explained that “[a]bstract software code is an idea without physical embodiment,” i.e., an abstraction. Microsoft Corp. v. AT&T Corp., 550 U.S. 437, 449 (2007). 
A claim that recites no more than software, logic, or a data structure (i.e., an abstract idea) – with no structural tie or functional interrelationship to an article of manufacture, machine, process or composition of matter does not fall within any statutory category and is not patentable subject matter; data structures in ethereal, non-physical form are non-statutory subject matter. In re Warmerdam, 33 F.3d 1354, 1361 (Fed. Cir. 1994); see Nuijten, 500 F.3d at 1357.
Furthermore, the claimed invention does not have a specific asserted improvement in computer capabilities, nor is it a specific implementation of a solution to a problem in the software arts; See Enfish, LLC v. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016).  Rather, the claims are merely directed towards hashing and classifying code, which is similar to ideas that the courts have found to be abstract, as noted supra, and the claims are without a “practical application” or anything “significantly more”.
Considering each of the claim elements in turn, the function performed by the computer system at each step of the process does no more than require a generic computer to perform a well-understood, routine, and conventional activity at a high level of generality.  For example, hashing and classifying are merely forms of performing repetitive calculations, which has been found by the courts to be a well-understood, routine, conventional activity in computers; See e.g. Flook, 437 U.S. at 594, 198 USPQ2d at 199 (recomputing or readjusting alarm limit values); Bancorp Services v. Sun Life, 687 F.3d 1266, 1278, 103 USPQ2d 1425, 1433 (Fed. Cir. 2012) (“The computer required by some of Bancorp’s claims is employed only for its most basic function, the performance of repetitive calculations, and as such does not impose meaningful limits on the scope of those claims.”).  Further note that the abstract idea of hashing and classifying code to which the claimed invention is directed has a prior art basis outside of a computing environment, e.g. ordering people to line up in groups (classifying) by first letter of name (hashing).
The prohibition against patenting an abstract idea “cannot be circumvented by attempting to limit the use of the formula to a particular technological environment or adding insignificant post-solution activity.”  Bilski v. Kappos, 561 U.S. 593, 610–11 (2010) (citation and internal quotation marks omitted).  The Court in Alice noted that “[s]imply appending conventional steps, specified at a high level of generality,” was not “enough” [in Mayo] to supply an “‘inventive concept.’”  Alice, 134 S. Ct. at 2357 (quoting Mayo, 132 S. Ct. at 1300, 1297, 1294).
Viewed as a whole, the claims simply recite the steps of using generic computer components.  The claims do not purport, for example, to improve the functioning of the computer system itself.  Nor does it effect an improvement in any other technology or technical field.  Instead, the claims amount to nothing significantly more than an instruction to implement the abstract idea using generic computer components.  This is insufficient to transform an abstract idea into a patent-eligible invention.
The dependent claims likewise incorporate the deficiencies of a claim upon which they ultimately depend and are also directed to non-patent-eligible subject matter.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by a general-purpose computer.
The Examiner notes that the United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO; See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow); See also MPEP 2111.01.  It is noted that claims are directed towards a system comprising “a memory coupled to the one or more processors and configured to provide the one or more processors with instructions” and “one or more processors configured to” perform the recited acts.  As opposed to, e.g., a processor and memory with instructions that, when executed by the processor, causes the processor to perform acts, the instant claim merely recites a processor “configured to” perform the following steps and memory configured to provide the one or more processors with instructions (which don’t necessarily require storage or correlation with the steps the processor is configured to perform).  That is, the claim does not require that the computer be programmed to perform the steps that follow (i.e., the claim does not require that the memory actually store the instructions that when executed perform the steps and that executing the instructions performs the steps; instead, the claim encompasses embodiments such as a generic, non-programmed computer that could be programmed or operated to perform the steps).  Thus, the claim is met by any general-purpose computer with sufficient hardware and instruction set that could be operable to perform the claimed acts vs a computer programmed to perform the recited acts.  Thus, the claims are clearly anticipated by any general-purpose computing machine with sufficient hardware and instruction set that is operable to perform the claimed steps.

Claims 1-25 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sinclair et al. (EP-2560120-B1, hereinafter “Sinclair”).

With respect to independent claim 1, Sinclair discloses a system for generating a signature for a Windows .NET binary {paras. 0016-0018 & 0070: characterizing an “executable program” (a “binary”) such as a “portable executable (PE)” which “can be designed in or by means of .Net Framework”; Also is an intended usage limitation, which suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure, and thus does not limit the scope of a claim or claim limitation; See MPEP § 2103(I)(C)}, comprising:
one or more processors {paras. 0031-0033: “a processor”} configured to:
generate a file signature based on code using a hashing technique {para. 0048: “identification of samples” using “the binary level fuzzy hashing association”}.
classify a sample using the file signature based on the code {paras. 0034 and 0046-0048: “identify associations among the samples processed by sample processor” such as for “malware classification”}.
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions {paras. 0031-0033: “memory may be configured to store information used by the processor to perform certain functions”}.

With respect to dependent claim 2, Sinclair discloses wherein the code corresponds to a Windows .NET binary {paras. 0016-0018 & 0070: characterizing an “executable program” (a “binary”) such as a “portable executable (PE)” which “can be designed in or by means of .Net Framework”}.

With respect to dependent claim 3, Sinclair discloses wherein the hashing technique is an MD5 hash function {para. 0048: “hashes such as MD5”}.

With respect to dependent claim 4, Sinclair discloses wherein the hashing technique is an SSDeep hash function {para. 0048: “the use of SSDeep hashes allows for the identification of samples”}.

With respect to dependent claim 5, Sinclair discloses wherein the hashing technique is a TLSH hash function {paras. 0048-0049: common fuzzy hash functions (such as TLSH) are “at once envisaged” given the need for “hashes allows for the identification of samples that are closely related but do not match bit-for-bit”; See MPEP § 2131.02(III)}.

With respect to dependent claim 6, Sinclair discloses wherein classifying the sample using the file signature based on the code comprises: determining that the sample is a malicious sample based at least in part on the file signature {paras. 0034 and 0046-0048: “identify associations among the samples processed by sample processor” such as for “malware classification”}.

With respect to dependent claim 7, Sinclair discloses wherein classifying the sample using the file signature based on the code comprises: determining that the sample is a benign sample based at least in part on the file signature {paras. 0034 and 0046-0048: “identify associations among the samples processed by sample processor” such as for “malware classification”}.

With respect to dependent claim 8, Sinclair discloses wherein the one or more processors are further configured to: handle the sample based at least in part on a sample classification {para. 0067: “may generate data used to display the associations and/or groups”}.

With respect to dependent claim 9, Sinclair discloses wherein the sample is handled based at least in part on a predefined security policy {para. 0067: “where the reference sample is a known malware sample, metadata association system 100 may also generate an alert when the reference sample shares associations with any stored samples”}.

With respect to dependent claim 10, Sinclair discloses wherein handling the sample comprises performing an active measure in response to determining that the sample corresponds to a malicious sample {para. 0067: “where the reference sample is a known malware sample, metadata association system 100 may also generate an alert when the reference sample shares associations with any stored samples”}.

With respect to dependent claim 11, Sinclair discloses wherein the one or more processors are further configured to parse the Windows .NET binary, and disassemble methods implemented by the Windows .NET binary into the code {para. 0048: “Cryptographic hashes such as MD5 and SHA-1 are normally used in files for security purposes”; the hashes parse objects into fixed-size data blocks}.

With respect to dependent claim 12, Sinclair discloses wherein the code corresponds to code for one or more methods implemented by the Windows .NET binary {paras. 0016-0018 & 0070: characterizing an “executable program” (a “binary”) such as a “portable executable (PE)” which “can be designed in or by means of .Net Framework”}.

With respect to dependent claim 13, Sinclair discloses:
the code is obtained based on parsing the Windows .NET binary {paras. 0016-0018, 0048, and 0070: “Cryptographic hashes such as MD5 and SHA-1 are normally used in files for security purposes”; the hashes parse objects into fixed-size data blocks; the objects include an “executable program” (a “binary”) such as a “portable executable (PE)” which “can be designed in or by means of .Net Framework”}.
the code for the one or more methods are transformed into one or more transformation results based on a unified format {para. 0048: “Cryptographic hashes such as MD5 and SHA-1 are normally used in files for security purposes”; in SHA-1, the interim hashing states include a series of fixed (i.e., uniformly) sized data blocks (both as the input and at each of the hashing rounds for each block)}.
the one or more transformation results are hashed to obtain one or more hash results and file signature is generated based on the one or more hash results {para. 0048: “Cryptographic hashes such as MD5 and SHA-1 are normally used in files for security purposes”; in SHA-1, the interim series of fixed (i.e., uniformly) sized data blocks are subjected to a plurality of rounds, each round output is used in a final hashing result that includes a fixed-size output that is used for “the binary level fuzzy hashing association”}.

With respect to dependent claim 14, Sinclair discloses wherein the one or more hash results correspond to intermediate hashes, and a final hash result is obtained based on concatenating the intermediate hashes to obtain a concatenated hash and performing a hash with respect to a concatenated hash {para. 0048: “Cryptographic hashes such as MD5 and SHA-1 are normally used in files for security purposes”; in SHA-1, the output of each compression function is added to the previous block’s output, effectively chaining the results, and then the final output is effectively a final hash (since addition is modulo the block size)}.

With respect to dependent claim 15, Sinclair discloses wherein the hashing technique to obtain the concatenated hash is an SSDeep hash function or a TLSH hash function {para. 0048: “the use of SSDeep hashes allows for the identification of samples”}.

With respect to dependent claim 16, Sinclair discloses wherein one or more transformation results use a wildcard of operands in the corresponding method and are data independent {para. 0048: “the use of SSDeep hashes”; SSDeep supports wildcards and can be used for any data}.

With respect to dependent claim 17, Sinclair discloses wherein the one or more processors are further configured to: generate a Yara rule to identify a known malware function method based on the one or more transformation results {paras. 0012 & 0049: the broadest reasonable interpretation of YARA rules includes any logical expressions used to classify and identify malware samples by defining specific textual or binary malware detection patterns, which is thus anticipated by “association engine 147 may identify relationships of samples by looking at the reuse of strings within samples”, wherein the samples include “malware samples”}.

With respect to dependent claim 18, Sinclair discloses wherein the file signature is used in connection with one or more of malware learning, malware detection, and malware clustering {paras. 0034 and 0046-0048: “identify associations among the samples processed by sample processor” such as for “malware classification”}.

With respect to dependent claim 19, Sinclair discloses wherein a set of signatures for a set of files are clustered in response to determining that the signatures have a similarity score higher than a predefined similarity threshold {para. 0053: “groups may constitute samples that have a high level of confidence in their association”, such as by “a collaborative match level of at least 0.90”}.

With respect to dependent claim 20, Sinclair discloses wherein the predefined similarity threshold is greater than 95 percent {para. 0053: “a collaborative match level of at least 0.90”; any high-percentage threshold of required confidence is clearly envisaged; See MPEP § 2131.03(II)}.

With respect to dependent claim 21, Sinclair discloses wherein a set of signatures for trusted or benign code samples is clustered in connection with generating a white list of code {paras. 0066-0067: “Once the associations and/or groups are determined, the intelligence data may be stored”; since there are instances where “the reference sample is a known malware sample”, the remaining instances of groups may be considered safe}.

With respect to dependent claim 22, Sinclair discloses wherein the sample is determined to be malware based on the file signature matching a signature for a known malware {para. 0067: “where the reference sample is a known malware sample, metadata association system 100 may also generate an alert when the reference sample shares associations with any stored samples”}.

With respect to dependent claim 23, Sinclair discloses wherein the sample is deemed to be benign code based on the file signature matching a signature for known benign code {paras. 0066-0067: “Once the associations and/or groups are determined, the intelligence data may be stored”; since there are instances where “the reference sample is a known malware sample”, the remaining instances of groups may be considered safe}.

With respect to claims 24-25, a corresponding reasoning as given earlier in this section with respect to claim 1 applies, mutatis mutandis, to the subject matter of claims 24-25; therefore, claims 24-25 are rejected, for similar reasons, under the grounds as set forth for claim 1.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin Bechtel whose telephone number is 571-270-5436.  The examiner can normally be reached Monday - Friday, 09:00 - 17:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William (“Bill”) Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center.  Unpublished application information in Patent Center is available to registered users.  To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.  Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.  For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Kevin Bechtel/
Primary Examiner, Art Unit 2491