Ex Parte Treadwell
Patent Trial and Appeal Board
Aug 28, 2018
11961390 (P.T.A.B. Aug. 28, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 11/961,390
FILING DATE: 12/20/2007
FIRST NAMED INVENTOR: William S. Treadwell
ATTORNEY DOCKET NO.: 2440US 1.014033.286
CONFIRMATION NO.: 6190

69603 7590 08/30/2018
Bank of America
c/o Moore and Van Allen, PLLC
P.O. Box 13706
3015 Carrington Mill Boulevard, Suite 400
RESEARCH TRIANGLE PARK, NC 27709

EXAMINER: LOUIE, OSCAR A
ART UNIT / PAPER NUMBER: 2445
NOTIFICATION DATE: 08/30/2018
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
boauspto@mvalaw.com
usptomail@mvalaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte WILLIAM S. TREADWELL

Appeal 2016-006531
Application 11/961,390¹
Technology Center 2400

Before JASON V. MORGAN, MATTHEW J. McNEILL, and ALEX S. YAP, Administrative Patent Judges.

MORGAN, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

This is an appeal under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 1-5, 7, 9-15, 17, 19-21, 23, and 24. Claims 6, 8, 16, 18, and 22 are canceled. App. Br. 18-20, Claims App. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM-IN-PART.

¹ Appellant identifies Bank of America Corporation as the real party in interest. App. Br. 1.

Invention

Appellant discloses preventing malicious code execution by detecting a request to execute a file, scanning the file for risk before processing the request, assigning a risk score, and either allowing or prohibiting execution of the file responsive to the risk score. Abstract.

Exemplary Claim 1 below (key limitations emphasized)

1. A method for prevention of malicious code execution comprising:
emulating, via a computing device processor, a virtual computing environment and a debugger tool;
while the virtual computing environment and debugger are emulating, detecting, via a computing device processor, a request for execution of a file by intercepting a call to a software function application program interface (API);
in response to intercepting the call, scanning, via a computing device processor, the file for risk before processing the request;
determining, via a computing device processor, a risk score for the file as a result of the scanning of the file for risk, wherein the risk score is based on an interface identifier (IID) associated with the file, obfuscation techniques of the file, and entropy of the file; and
performing one of allowing or prohibiting execution of the file responsive to the risk score.

Rejections

The Examiner rejects claim 1² under 35 U.S.C. § 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor regards as the invention. Final Act. 3.

² Claims 2-5, 7, 9, and 10 have the disputed recitations and should have been similarly rejected. Claim 2 even includes a step directed to "providing, via a computing device processor, an alert" (emphasis added). Thus, claim 2 introduces another recitation that raises the same issue discussed herein. In the event of further prosecution, if the deficiency of claim 1 is not remedied, the Examiner should also reject the claims that depend from claim 1 under 35 U.S.C. § 112, second paragraph.

The Examiner rejects claims 1-5, 7, 9-15, 17, 19-21, 23, and 24 under 35 U.S.C. § 103(a) as being unpatentable over Shukla (US 2008/0016339 A1; published Jan. 17, 2008), Akira Mori, et al., A Tool for Analyzing and Detecting Malicious Mobile Code, Procs. of the 28th Int'l Conference on Software Engineering, Shanghai, China, 831-34 (2006) ("Mori"), Goldfeder et al. (US 2004/0230835 A1; published Nov. 18, 2004) ("Goldfeder"), Hubbard et al. (US 2008/0133540 A1; published June 5, 2008) ("Hubbard"), Vella (US 2003/0212913 A1; published Nov. 13, 2003), and Provos et al. (US 2009/0094175 A1; published Apr. 9, 2009) ("Provos"). Final Act. 4-13.

35 U.S.C. § 112, SECOND PARAGRAPH

Findings and Contentions

The Examiner concludes claim 1 is indefinite because "it is not clear whether 'a computing device processor' in the limitation 'emulating, via a computing device processor ...' is the same or different as 'a computing device processor' in the limitation '[]detecting, via a computing device processor, a request.'" Final Act. 3 (emphases added). The Examiner makes clear the alleged ambiguity arises from the re-introduction of "a computing device processor" several times in claim 1. See Ans. 13-14 (emphasis added). That is, according to the Examiner, an artisan of ordinary skill would not be reasonably apprised whether claim 1 is limited to a single computing device processor performing the claimed emulating, detecting, scanning, and determining steps, or whether claim 1 more broadly encompasses multiple computing device processors that perform these steps. Id.

Appellant submits claim 1 "should be interpreted as using a single processor or multiple processors" and "asserts that the term 'computing device processor' could be either a single processor or multiple processors." App. Br. 15.

Analysis

Appellant's argument that "computing device processor" has definite meaning (App. Br. 15) fails to address the basis of the Examiner's rejection that claim 1 introduces "a computing device processor" multiple times. Final Act. 3; see also Ans. 13-14. We agree with the Examiner that these re-introductions make the scope of claim 1 ambiguous. Although Appellant argues the claim should be interpreted broadly to encompass "either a single processor or multiple processors," the recitations identified by the Examiner merely refer to "a computing device processor" multiple times rather than to any recitations directed to "a single processor or multiple processors." App. Br. 15. The Examiner's suggested claim language would capture Appellant's intended meaning in a manner the current claim language does not. Ans. 13.

For these reasons, we sustain the Examiner's 35 U.S.C. § 112, second paragraph, rejection of claim 1.

35 U.S.C. § 103(a)

Findings and Contentions

In rejecting claim 1 as obvious, the Examiner relies on Mori's processing of external application programming interface function calls when simulating execution of instructions to teach or suggest "detecting a request for execution of a file by intercepting a call to a software function application program interface." Final Act. 5 (citing Mori 832-33) (emphasis added); see also Ans. 5.

Appellant contends the Examiner erred because Mori merely describes "an emulating method that involves loading dummy library files with stub functions, virtually generating the side effects of executing the functions, and checking the resultant behavior of the functions." App. Br. 8. Appellant argues this differs from the claimed invention, which involves "intercepting a call to a software function" and potentially "prohibiting execution of [a] file responsive to [a] risk score." Id. at 9; see also Reply Br. 3-4.

Analysis

We agree with Appellant the Examiner erred.
Rather than intercept a call to a software function, Mori's simulator calls "a dummy function (called a 'stub function'), instead of a real API function." Mori 832 (emphasis added). That is, a call to the real API function is not intercepted. Rather, the call in Mori is to a dummy function that has the same interface as the real API function. The dummy function is either generated through mechanical processing or through the use of emulation code. Id. at 832-33.

Furthermore, Mori's simulation, notably, is directed to enabling analysis of the behavior of self-encrypting and polymorphic viruses in the code being simulated, not to assessing the risk of a file that the code being simulated requests to have executed. Id. at 832. This misalignment in what is being analyzed in Mori and in the claimed invention further undermines the Examiner's conclusion that Mori teaches or suggests modifying the teachings and suggestions of the other cited references to render obvious "detecting ... a request for execution of a file by intercepting a call to a software function application program interface (API)," as recited in claim 1. Moreover, the Examiner's findings do not show that the other references cure the noted deficiency.

Accordingly, we do not sustain the Examiner's 35 U.S.C. § 103(a) rejection of claim 1, and of claims 2-5, 7, 9-15, 17, 19-21, 23, and 24, which contain similar recitations.

DECISION

We affirm the Examiner's decision rejecting claim 1.

We reverse the Examiner's decision rejecting claims 2-5, 7, 9-15, 17, 19-21, 23, and 24.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f).

AFFIRMED-IN-PART