Ex Parte Mohandas et al.
Patent Trial and Appeal Board, May 31, 2019
Application 14/497,757 (P.T.A.B. May 31, 2019)

UNITED STATES PATENT AND TRADEMARK OFFICE
United States Department of Commerce
Address: Commissioner for Patents, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

Application No.: 14/497,757
Filing date: 09/26/2014
First named inventor: Rahul Mohandas
Customer no.: 152506
Correspondent: Patent Capital Group - McAfee, LLC, 2816 Lago Vista Lane, Rockwall, TX 75032
Attorney docket no.: 04796-1218 (P71222)
Confirmation no.: 7639
Examiner: POWERS, WILLIAM S
Art unit: 2434
Notification date: 06/04/2019
Delivery mode: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): eofficeaction@appcoll.com, PAIR_152506@patcapgroup.com, Monica_Maluste@mcafee.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte RAHUL MOHANDAS, LIXIN LU, SAKTHIKUMAR SUBRAMANIAN, SARAVANAN MOHANKUMAR, ANAND TRIPATHI, BHARATH KUMAR, ASHISH MISHRA, SIMON HUNT, JENNIFER MANKIN, and JEFFREY ZIMMERMAN

Appeal 2018-008084 [1]
Application 14/497,757
Technology Center 2400

Before ALLEN R. MACDONALD, MICHAEL J. ENGLE, and IFTIKHAR AHMED, Administrative Patent Judges.

AHMED, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 1-3, 5-16, and 18-25, which are all of the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

[1] According to Appellants, the real party in interest is McAfee, LLC. App. Br. 2.
TECHNOLOGY

The application relates to "the field of computer security, and more particularly to a system and method for taxonomic malware detection and mitigation." Spec. ¶ 1.

ILLUSTRATIVE CLAIM

Claim 1 is illustrative and reproduced below with certain limitations at issue emphasized:

1. A computing apparatus comprising:
    a processor; and
    one or more logic elements comprising a classification engine operable for:
        disassembling an object under analysis;
        creating an assembly language listing of the object under analysis;
        comparing the assembly language listing to a known object, the known object belonging to a family in an object taxonomy;
        classifying the object under analysis as belonging to the family in the object taxonomy, comprising computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing and identifying a known malicious subroutine or function within the call trace; and
        taking a computer security action responsive to the classifying.

REJECTIONS

Claims 1-3, 11, 13-16 and 23 stand rejected under 35 U.S.C. § 103 as obvious over the combination of Griffin (US 8,239,948 B1; Aug. 7, 2012), Oliver (US 8,375,450 B1; Feb. 12, 2013), Alme (US 2008/0263669 A1; Oct. 23, 2008), and Keohane (US 2005/0257263 A1; Nov. 17, 2005). Final Act. 4.

Claims 5-8 and 18-20 stand rejected under 35 U.S.C. § 103 as obvious over the combination of Griffin, Oliver, Alme, Keohane, and Bruschi (Danilo Bruschi et al., Using Code Normalization for Fighting Self-Mutating Malware). Final Act. 8.

Claims 9, 10, and 21 stand rejected under 35 U.S.C. § 103 as obvious over the combination of Griffin, Oliver, Alme, Keohane, and Tan (US 2006/0184556 A1; Aug. 17, 2006). Final Act. 9.

Claims 12 and 22 stand rejected under 35 U.S.C. § 103 as obvious over the combination of Griffin, Oliver, Alme, Keohane, and Tamersoy (US 9,185,119 B1; Nov. 10, 2015). Final Act. 10.
Claims 24 and 25 stand rejected under 35 U.S.C. § 103 as obvious over the combination of Griffin, Keohane, and Bruschi. Final Act. 11.

ISSUES

1. Did the Examiner err in concluding that the combination of Griffin and Oliver teaches or suggests "comparing the assembly language listing to a known object, the known object belonging to a family in an object taxonomy," as recited in claim 1?

2. Did the Examiner err in concluding that the combination of Alme and Keohane teaches or suggests "computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing" as recited in claim 1?

3. Did the Examiner err in finding a person of ordinary skill in the art would have had reason to combine Griffin, Oliver, Alme, and Keohane in the manner recited by the limitations of claim 1?

ANALYSIS

Comparing the assembly language listing to a known object

Independent claim 1 recites "comparing the assembly language listing to a known object, the known object belonging to a family in an object taxonomy." [2] App. Br. 10 (emphasis added). The Examiner finds that Oliver teaches this limitation because Oliver discloses that a "comparison [of the suspect file] is made to determine the family the code is related to." Final Act. 5 (citing Oliver 8:51-62). The Examiner further finds that Griffin teaches disassembling an object under analysis to create an assembly language listing of the object, and teaches classifying those objects into goodware and malware. Id. (citing Griffin 6:60-67, Fig. 3). The Examiner determines that "one of ordinary skill in the art at the time the invention was made would have been motivated to implement the malware classification system of Griffin with the code comparison and classification of Oliver in order to identify potential malware as suggested by Oliver." Id.
Appellants contend that "the cited portion of Oliver teaches string matching to classify the 'suspect file' (i.e., not a disassembled subroutine)," and that "the matching in the claim is not the string matching described by Oliver." App. Br. 7. According to Appellants, these are "manifestly different constructs in the computer arts: one (a subroutine) being a logical programming construct, the other (a file) being a unit of a file system." Reply Br. 2. Appellants point to the Specification of the present application as "expressly illustrat[ing] that file-level classification can fail." Id. (citing discussion of possible failures of a checksum comparison at Spec. ¶¶ 18-19).

The Examiner's Answer notes that "Appellant[s] ha[ve] offered no support that 'a dissembled subroutine' cannot be considered a file," and that "Oliver uses the term[s] 'suspect malware file' and 'suspect file' interchangeably throughout the reference." Ans. 3 (citing Oliver 2:21, 7:2-3, 7:24, 7:36). The Examiner therefore sees no "patentable distinction between the phrase 'suspect file' and a 'dissembled subroutine' and considers this a semantic argument." Id.

We are not persuaded of error. Contrary to Appellants' assertion (App. Br. 7; Reply Br. 2), the claim limitation does not require comparing a "dissembled subroutine," but rather "comparing the assembly language listing to a known object." We agree with the Examiner that the combination of Griffin and Oliver teaches or suggests that limitation.

[2] Appellants present arguments only as to the Examiner's § 103 rejection of claim 1, finding that claim to be "a representative example." App. Br. 5. Arguments that Appellants could have made but chose not to have not been considered and are deemed waived. See 37 C.F.R. § 41.37(c)(1)(iv) (2013).
Griffin teaches "disassembl[ing] an executable file of a malware entity in order to generate a sequence of assembly language instructions," and teaches "generat[ing] candidate malware signatures formed of subsequences of the sequence" of assembly language instructions. Griffin 6:63-67 (emphasis added). Griffin further teaches storing the candidate malware signatures in a malware database. Id. at 7:7-9. Oliver teaches more than just comparing "suspect files"; it specifically teaches comparing "the first N bytes of the suspect file (starting at the offset provided in the leaf node)" against a known common substring of N bytes of a given malware family. Oliver 8:51-53 (emphasis added). Oliver further explains that the use of an N byte substring is a "rapid step ... before a more lengthy analysis is performed." Id. at 8:53-58. We are not persuaded of error in the Examiner's determination that one of ordinary skill in the art would have been motivated to implement code comparison, as taught by Oliver, using the disassembled malware, as taught by Griffin.

We also disagree with Appellants' contention that their own Specification makes a distinction between a subroutine and a file. Reply Br. 2 (citing Spec. ¶¶ 18-19). Instead, the cited portion of the Specification discusses the benefits of the use of a fuzzy fingerprint over a checksum in malware detection. [3] The Examiner however relies on the combination of Griffin and Oliver as teaching an assembly language listing comparison, not a checksum comparison. Final Act. 5.

Next, Appellants argue that Oliver does not teach "disassembling an object under analysis" and that "Oliver teaches string matching to classify a 'suspect file,' not for the purpose of 'computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing.'" Reply Br. 2.
Those arguments, however, fail to address the rejection as articulated, in which the Examiner relies on Griffin as teaching the disassembling limitation, and on the combination of Alme and Keohane as teaching or suggesting the fuzzy fingerprint limitation of claim 1. Final Act. 6. We therefore agree with the Examiner that the combination of Griffin and Oliver teaches "comparing the assembly language listing to a known object, the known object belonging to a family in an object taxonomy," as recited in claim 1.

[3] Notably, the Specification (¶ 19) refers to the object under analysis as a "malware object" or "executable object," which, as the Examiner explains, are terms synonymous with "suspect malware file," as used in Oliver. See Ans. 3.

Computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing

Claim 1 recites "classifying the object under analysis as belonging to the family in the object taxonomy comprising computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing and identifying a known malicious subroutine or function within the call trace." App. Br. 10 (emphasis added). The Examiner finds that Alme teaches "generating fuzzy fingerprints of known malware and the potential malware for comparison purposes." Final Act. 6 (citing Alme Abstract, ¶ 20). According to the Examiner, Alme's "fuzzy fingerprints encompass a variety of metadata." Id. (citing Alme ¶¶ 29-32). The Examiner further finds that Keohane teaches "generating call traces of suspect code" and teaches "identifying a known malicious subroutine or function within the call trace (virus identified in call trace using, among other techniques, pattern matching)." Id. (citing Keohane ¶¶ 50-52, 44). The Examiner determines that one of ordinary skill in the art at the time the invention was made would have been motivated to combine the two references. Id.
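The claim-1 pipeline the Examiner maps onto Griffin, Oliver, Alme and Keohane (assembly listing, call trace, fuzzy fingerprint, comparison against a family in the taxonomy, security action) can be made concrete with the following added Python example, which is not code from the application, from McAfee, or from any cited reference. The listing, the "FamilyX" taxonomy, the subroutine names and the mnemonic-only fingerprint are all constructed for illustration; the example also shows the point for which the Specification is cited, that an exact checksum misses a trivially modified subroutine that a fuzzy fingerprint still matches.

```python
import hashlib
# Constructed listing (stands in for disassembler output); the decoder is a
# register-renamed variant of the made-up family member KNOWN_DECODER below.
LISTING = """
start:
    call decode_payload
    call main_loop
    ret
decode_payload:
    mov ecx, 0x40
    xor byte [esi+ecx], 0x5a
    loop decode_payload
    ret
main_loop:
    call CreateFileA
    ret
"""
# Constructed family member (made up, as is the "FamilyX" name below).
KNOWN_DECODER = ["mov ebx, 0x40", "xor byte [edi+ebx], 0x13",
                 "loop decode", "ret"]

def parse_listing(text):
    """Split a listing into {label: [instruction strings]} in listing order."""
    subs, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.endswith(":"):
            current = line[:-1]
            subs[current] = []
        elif line and current is not None:
            subs[current].append(line)
    return subs

def call_trace(subs, entry):
    """Static call trace: depth-first walk of 'call' targets from entry.
    Imports (no body in the listing) stay in the trace but are not expanded."""
    trace, stack = [], [entry]
    while stack:
        name = stack.pop()
        if name in trace:          # visited check stops recursive calls
            continue
        trace.append(name)
        for ins in reversed(subs.get(name, [])):
            parts = ins.split()
            if parts[0] == "call":
                stack.append(parts[1])
    return trace

def fuzzy_fingerprint(instructions):
    """Operand-insensitive fingerprint: hash only the mnemonic sequence."""
    mnemonics = " ".join(ins.split()[0] for ins in instructions)
    return hashlib.sha256(mnemonics.encode()).hexdigest()[:16]

def exact_checksum(instructions):
    """Checksum of the full subroutine text, for contrast with the above."""
    return hashlib.sha256("\n".join(instructions).encode()).hexdigest()[:16]

# Taxonomy: family -> fuzzy fingerprints of its known malicious subroutines.
TAXONOMY = {"FamilyX": {fuzzy_fingerprint(KNOWN_DECODER)}}

def classify(text, entry="start"):
    """Fingerprint every subroutine in the call trace and classify the object
    by the first known malicious one. Returns (family, subroutine, action)."""
    subs = parse_listing(text)
    for name in call_trace(subs, entry):
        fp = fuzzy_fingerprint(subs.get(name, []))
        for family, known in TAXONOMY.items():
            if fp in known:
                return family, name, "quarantine"
    return None, None, "allow"
```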
Appellants argue that Alme fails to teach or suggest "a fuzzy fingerprint based on a call trace of an assembly listing," and that Keohane does not use call traces "for computing a fuzzy fingerprint of a malware subroutine." App. Br. 7. Appellants' argument however fails to address the Examiner's rationale to combine the references to yield the fuzzy fingerprinting limitation. By arguing that neither Alme nor Keohane alone teaches all aspects of the limitation at issue, Appellants do not address the rejection as articulated, in which the Examiner relies on certain combined teachings of the prior art. See Final Act. 6; see also In re Keller, 642 F.2d 413, 425 (CCPA 1981) ("[T]he test [for obviousness] is what the combined teachings of the references would have suggested to those of ordinary skill in the art.").

Appellants agree that Keohane teaches call tracing. App. Br. 7. Specifically, Keohane teaches a comparison of previously "generated call traces from both the infected computing system ... and the immune computing system" in order to "identify a point at which the computer virus takes over the processing in the infected computer system," and teaches that the "method/routine name provided in the call trace at this point may be used to identify a particular process that is being exploited by the computer virus." Keohane ¶ 51 (emphasis added). Keohane therefore teaches constructing a call trace and "identifying a known malicious subroutine or function within the call trace," as recited in claim 1.

As Appellants admit, "Alme teaches fuzzy fingerprinting of a malware file." App. Br. 7. The Examiner points out that Alme teaches "generating fuzzy fingerprints of known malware and the potential malware for comparison purposes," wherein "fuzzy fingerprint[s] encompass a variety of metadata." Final Act. 6 (citing Alme ¶¶ 29-32).
This metadata includes information such as "the file's size and media type, a malware name to be assigned on match, and a set of entities reflecting a complexity approximation and weighting for blocks of data and code included in the file." Alme ¶ 29. Alme further teaches that "machine code 218 is a likely point in file 202 to include programming causing file 202 to be malware," and that an "entry point 226 may be chosen in code 218 for a starting point for comparing blocks used in the fuzzy executable fingerprint for file 202." Id. ¶ 40 (referring to Fig. 2). We agree with the Examiner that one of ordinary skill in the art would have understood that replacing the metadata and machine code teaching of Alme with the call trace approach of Keohane would result in "computing a fuzzy fingerprint comprising constructing a call trace of the assembly language listing and identifying a known malicious subroutine or function within the call trace," as recited in claim 1.

Reason to combine

Appellants contend that in rejecting claim 1 as obvious over the combination of Griffin, Oliver, Alme and Keohane, the Examiner failed to establish a prima facie case of obviousness because "there is no inherent or explicit teaching or motivation to combine the present references," and "[t]here is also insufficient evidence that the cited references teach every limitation of the claims, particularly not in the context that those elements are used in the claims." App. Br. 6. Appellants complain that the "Examiner has merely assembled a pile of references that at best teach that disassembly exists, that object taxonomies exist, that (string) matching exists, that fuzzy fingerprints exist, and that call traces exist." Id. at 7.
"Even granting, arguendo, that these references teach those things" that the Examiner finds, Appellants argue, "the Examiner has failed to show how these references interact with one another to teach the system as claimed, or that they are properly combined." Id. Appellants contend that the Examiner's reasons "amount[] to a statement that the cited references exist in the same broad field of computer security," and "this falls far short of the Examiner's burden of making a prima facie case." Reply Br. 3.

In rejecting claims under 35 U.S.C. § 103, the Examiner bears the initial burden of establishing a prima facie case of obviousness. In re Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992); see also In re Piasecki, 745 F.2d 1468, 1472 (Fed. Cir. 1984). An Examiner's rejection establishes a prima facie case when it provides notice of the reasons for the rejection, and the rejection is deficient when it "is so uninformative that it prevents the applicant from recognizing and seeking to counter the grounds for rejection." In re Jung, 637 F.3d 1356, 1362 (Fed. Cir. 2011) (citations omitted). If this initial burden is met, the burden of coming forward with evidence or argument shifts to Appellants. See Oetiker, 977 F.2d at 1445. Obviousness is then determined on the basis of the evidence as a whole and the relative persuasiveness of the arguments. Id.

We are not persuaded by Appellants' arguments that the Examiner's rejection fails to establish a prima facie case of obviousness. The Examiner provided sufficient notice of the reasons for the rejection, explaining that a person of ordinary skill would have been motivated to modify "the malware classification system of Griffin with the code comparison and classification of Oliver in order to identify potential malware as suggested by Oliver." Final Act. 5.
The Examiner further explains that a person of skill would have been motivated to further modify that system "with the fuzzy fingerprint generation of known malware and potential malware in order to better detect possible malware as suggested by Alme" (id. at 6), and "with the call tracing of Keohane in order to protect and repair computer systems affected by malware as suggested by Keohane." Id. The Examiner explains that "the Examiner did not merely assemble 'a pile of references' [4] without regard to the overall teachings of each and every one of the references"; instead, "[e]ach reference deals with detecting and reacting to malware and/or hackers' attacks into computing systems." Id. We find the Examiner's reasoning sufficient to make a prima facie case of obviousness. As the Examiner points out (Ans. 4), Appellants fail to address the Examiner's reasons with any evidence or argument beyond a mere assertion that there is no motivation to combine the references. App. Br. 6.

We are also not persuaded by Appellants' argument that the Examiner has failed to show how these references are properly combined to teach the system as claimed. App. Br. 7. Specifically, Appellants allege "[t]he Examiner has failed to show, for example, how a reference that teaches string matching to assign a file to a family in a taxonomy is properly combined with a reference that teaches the bare fact of call tracing and a reference that teaches the bare fact of (file-level, not subroutine-level or call-trace-based) fuzzy fingerprinting." Id. The Examiner responds that "[t]he combined references should be considered under 35 U.S.C. § 103 and should not be interpreted in piecemeal fashion." Ans. 4. We agree. The fact that certain modifications might be required for a person of ordinary skill to integrate the teachings of multiple prior-art references does not mean that the combination of those references is unpredictable or cannot support an obviousness rejection. MCM Portfolio LLC v. Hewlett-Packard Co., 812 F.3d 1284, 1294 (Fed. Cir. 2015) ("The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference." (quoting Keller, 642 F.2d at 425)); In re ICON Health & Fitness, Inc., 496 F.3d 1374, 1382 (Fed. Cir. 2007) ("[W]e do not ignore the modifications that one skilled in the art would make to a device borrowed from the prior art."); In re Sneed, 710 F.2d 1544, 1550 (Fed. Cir. 1983) ("[I]t is not necessary that the inventions of the references be physically combinable to render obvious the invention under review.").

Appellants fail to show that the differences between the cited references undermine the Examiner's findings and conclusions regarding obviousness. For example, Appellants do not contend the proposed combination is beyond the level of skill of one of ordinary skill in the art, or the modifications are more than the use of known elements to yield predictable results. Contrary to the bicycle analogy offered by Appellants (App. Br. 7-8), the Examiner found each of the references cited relates to identifying malware signatures and malicious subroutines/functions. Final Act. 6 (citing Keohane ¶ 44; Griffin 1:21-29; Oliver, Abstract; and Alme, Abstract). Appellants do not allege error in this finding.

[4] We also reject Appellants' objection to the "pile of references" relied upon by the Examiner. "The large number of cited references does not negate the obviousness of the combination," where, as here, "the prior art uses the various elements for the same purposes as they are used by appellants, making the claimed invention as a whole obvious in terms of 35 U.S.C. § 103." In re Gorman, 933 F.2d 982, 987 (Fed. Cir. 1991).
Further, the Examiner identified a purpose or reason to make modifications to each of the references in arriving at the claimed invention. Id. at 5-6. We are persuaded that a person of ordinary skill would have recognized the techniques proposed by each of the references for detecting malware signatures or subroutines as alternatives or improvements to the others' systems. See KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 417 (2007) ("[I]f a technique has been used to improve one device, and a person of ordinary skill in the art would recognize that it would improve similar devices in the same way, using the technique is obvious unless its actual application is beyond his or her skill.").

Therefore, based upon the findings above, on this record, we are not persuaded of error in the Examiner's reliance on the cited prior art combination to teach or suggest the disputed limitations of claim 1, nor do we find error in the Examiner's resulting legal conclusion of obviousness. Accordingly, we sustain the Examiner's obviousness rejection of independent claim 1, and claims 2-3, 5-16, and 18-25, which Appellants argue are patentable for similar reasons. See App. Br. 9; 37 C.F.R. § 41.37(c)(1)(iv).

DECISION

For the reasons above, we affirm the Examiner's decision rejecting claims 1-3, 5-16, and 18-25.

No time for taking subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f).

AFFIRMED