Ex Parte Hicks
Patent Trial and Appeal Board, Jul 22, 2015
12550025 (P.T.A.B. Jul. 22, 2015)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 12/550,025
FILING DATE: 08/28/2009
FIRST NAMED INVENTOR: Ryan Hicks
ATTORNEY DOCKET NO.: 134176.00301
CONFIRMATION NO.: 1110

21269 7590 07/23/2015
PEPPER HAMILTON LLP
ONE MELLON CENTER, 50TH FLOOR
500 GRANT STREET
PITTSBURGH, PA 15219

EXAMINER: ALATA, AYOUB
ART UNIT / PAPER NUMBER: 2494
MAIL DATE: 07/23/2015
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________
Ex parte RYAN HICKS
____________________
Appeal 2013-005429
Application 12/550,025
Technology Center 2400
____________________

Before ROBERT E. NAPPI, NATHAN A. ENGELS, and WILLIAM M. FINK, Administrative Patent Judges.

ENGELS, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from a rejection of claims 1–6, 8–10, and 12–23. Claims 7 and 11 are canceled. No other claims are pending. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

STATEMENT OF THE CASE

Appellant’s invention is directed to a system and method for the detection of malware. Claims 1, 13, and 15, reproduced below with emphasis added, are illustrative of the claimed subject matter:

1.
A method of automatically identifying malware, the method comprising:
receiving, by an expert system knowledge base of a computing device, an assembly language sequence from a binary file;
identifying an instruction sequence from the received assembly language sequence;
classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence, wherein classifying the instruction sequence as threatening comprises determining that the instruction sequence is unable to be traversed from start to finish;
if the instruction sequence is classified as threatening, transmitting information to a code analysis component, wherein the information comprises a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence and one or more of the following:
  the instruction sequence, and
  a label comprising an indication that the instruction sequence is threatening; and
notifying a user that the binary file includes malware.

13.
A method of automatically identifying malware, the method comprising:
analyzing, by a code analysis component, a binary file to generate an assembly language sequence and a corresponding instruction sequence;
transmitting the instruction sequence to an expert system knowledge base;
receiving, from the expert system knowledge base, classification information associated with the instruction sequence;
if the classification information identifies the instruction sequence as threatening:
  identifying one or more other assembly language sequences from the binary file that comprise at least a portion of the instruction sequence, and
  transmitting at least one of the identified assembly language sequences to the expert system knowledge base;
if the classification information identifies the instruction sequence as non-threatening, transmitting a second instruction sequence to the expert system knowledge base; and
if the classification information identifies the instruction sequence as non-classifiable:
  reanalyzing the assembly language sequence to produce a new instruction sequence, and
  transmitting the new instruction sequence to the expert system knowledge base.

15.
A system for automatically identifying malware, the system comprising:
a code analysis component configured to identify an assembly language sequence from a binary file, wherein the assembly language sequence comprises one or more instruction sequences; and
an expert system knowledge base in communication with the code analysis component, wherein the expert system knowledge base is configured to classify the instruction sequence as threatening, non-threatening or non-classifiable using one or more rules,
  wherein the expert system knowledge base is configured to classify the instruction sequence as threatening in response to determining that the instruction sequence is unable to be traversed from start to finish,
  wherein the expert system knowledge base is configured to classify the instruction sequence as non-threatening in response to determining that the instruction sequence is able to be traversed from start to finish.

APPELLANT’S CONTENTIONS

Appellant contends that the Examiner erred in rejecting claims 12–14 under 35 U.S.C. §102(b) as anticipated by Mangione-Smith (US 2007/0094734 A1; Apr. 26, 2007).

Appellant also contends that the Examiner erred in rejecting under 35 U.S.C. § 103(a) claims 1–6, 8, 10, and 15–23 in view of the combination of Mangione-Smith and Szor (US 2005/0022018 A1; Jan. 27, 2005) and claim 9 in view of the combination of Mangione-Smith, Szor, and Gheorghescu (2006/0123244 A1; June 8, 2006).

ANALYSIS

Method Claims 1–6, 8–10, 12–14, and 23

Independent claims 1, 10, 12, and 13 are method claims that require classification of an instruction sequence in one of three categories: threatening, non-threatening, or non-classifiable. App. Br. 30–32. Each claim additionally recites certain steps that are to be performed depending on which of the three conditions is met.
Claim 1, for example, recites a transmitting step that is to be performed only when the classifying step results in an instruction sequence classified as threatening. Performing the method of claim 1 does not require performance of the transmitting step when the classifying step results in an instruction sequence classified as non-threatening or non-classifiable. Similarly, claim 13 recites three distinct sets of steps to be performed depending on an instruction sequence’s classification, with only one set of steps to be performed for a given instruction sequence.

The broadest reasonable interpretations of each of claims 1, 10, 12, and 13 include instances in which the classifying step returns each potential outcome such that practicing each claim does not always require performance of steps that are conditioned on a particular one of the recited classifications. See Ex parte Katz, 2011 WL 514314, at *4–5 (BPAI Jan. 27, 2011) (the broadest reasonable interpretation of a conditional step in a method claim includes instances in which the conditional step would not be invoked), 2011 WL 1211248, at *2 (BPAI Mar. 25, 2011) (denying request for rehearing); see also In re Johnston, 435 F.3d 1381, 1384 (Fed. Cir. 2006) (“optional elements do not narrow the claim because they can always be omitted”). Likewise, the Examiner need not cite art for each of the potential conditions, so long as the Examiner applies the prior art to each claim for one potential outcome. See In re Johnston, 435 F.3d at 1384.

Having reviewed Appellant’s arguments for the patentability of independent claims 1, 10, 12, and 13, we find Appellant’s arguments unpersuasive as the arguments are not commensurate with the broadest reasonable interpretation of the claims in light of the recited conditional limitations. See Katz, 2011 WL 514314, at *4–5.
Appellant argues, for example, that Mangione-Smith fails to disclose the steps of claim 13 that are predicated upon classification of the instruction sequence as threatening or non-classifiable (App. Br. 11–13), but Appellant does not challenge the Examiner’s finding (Final Act. 6–8) that Mangione-Smith discloses the steps performed when an instruction sequence is classified as non-threatening (see App. Br. 11–13). As the Examiner’s findings are unrebutted and demonstrate that Mangione-Smith discloses each step of claim 13 when an instruction sequence is classified as non-threatening, we affirm the Examiner’s rejection of claim 13.

Further, we find Appellant’s arguments regarding each of independent claims 1, 10, and 12 similarly unpersuasive and affirm the Examiner’s rejections of those claims, as well as dependent claims 2–6, 8, 9, and 23, for the same reasons.

System Claims 15–22

Appellant argues that the combination of Mangione-Smith and Szor fails to teach or suggest the underlined limitations shown in the reproduction of claim 15 above. App. Br. 22. Specifically, Appellant argues that Szor fails to teach or suggest “classifying an instruction sequence as threatening because it cannot be traversed from start to finish” (App. Br. 24 (underline and bold omitted)) and that “there is no indication that Szor classifies the instruction sequence as threatening based upon an inability to traverse the instruction sequence from start to finish” (App. Br. 24).

We disagree because the Examiner cites Mangione-Smith, not Szor, for disclosure of an expert system knowledge base configured to classify an instruction sequence as required by claim 15. See Final Act. 17–18; Ans. 8–9.
The Examiner cites Szor as teaching an instruction sequence of a malicious code that cannot be traversed from start to finish, stating that “[a]s known to one of ordinary skill in the art at the time the invention was made, software which includes an infinite loop has the property of being unable to complete execution of the software from start to finish.” Ans. 8 (citing Szor ¶¶ 54 (“For example, in the case of a slammer worm, the replication code calls sentto() API in an endless loop.”), 90).

Appellant’s Reply argues that “[f]ailing to completely traverse code (i.e., being unable to traverse the code from start to finish) is not the equivalent of traversing code and getting stuck in an endless loop where the code is traversed from start to finish an infinite number of times” (Reply Br. 17), but we find Appellant’s arguments unpersuasive. We agree with the Examiner that a person of ordinary skill in the art would have understood that an endless loop within a software program, such as the Slammer worm disclosed in Szor, is an example of software that cannot be traversed from start to finish and would have been classified as threatening in accordance with the teachings of the combination of Mangione-Smith and Szor.[1] We also agree with the Examiner that the combination of references teaches or suggests classifying an instruction sequence as non-threatening in response to determining that the instruction sequence is able to be traversed from start to finish.

Accordingly, we sustain the Examiner’s rejection of claim 15, as well as claims 16–22, which are not separately argued.

DECISION

For the above reasons, the Examiner’s rejection of claims 1–6, 8–10, 12–23 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended. 37 C.F.R. § 1.136(a)(1)(iv).
AFFIRMED

em

[1] We note that claim 15 is a system claim and, unlike the method claims discussed above, the broadest reasonable interpretation of the claim requires the expert system to be configured to perform each of the classifications.