Trend Micro Incorporated
Patent Trials and Appeals Board
Nov 30, 2021
2020006152 (P.T.A.B. Nov. 30, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/659,403
FILING DATE: 07/25/2017
FIRST NAMED INVENTOR: Wen-Kwang TSAO
ATTORNEY DOCKET NO.: 10033.034500
CONFIRMATION NO.: 4264

168299 7590 11/30/2021
Law Office of Patrick D. Benedicto
P.O. BOX 641330
SAN JOSE, CA 95164-1330

EXAMINER: SALEHI, HELAI
ART UNIT: 2433
PAPER NUMBER:
MAIL DATE: 11/30/2021
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

Ex parte WEN-KWANG TSAO, CHIA-YEN CHANG, and PINGHUAN WU
____________

Appeal 2020-006152
Application 15/659,403
Technology Center 2400
____________

Before MAHSHID D. SAADAT, CATHERINE SHIANG, and NORMAN H. BEAMER, Administrative Patent Judges.

BEAMER, Administrative Patent Judge.

DECISION ON APPEAL

Appellant¹ appeals under 35 U.S.C. § 134(a) from the Examiner’s Non-Final Rejection of claims 1 and 4–15. Claims 2 and 3 are cancelled. We have jurisdiction over the pending rejected claims under 35 U.S.C. § 6(b).

We affirm in part.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42 (2019). Appellant identifies Trend Micro Inc. as the real party in interest. (Appeal Br. 2.)

THE INVENTION

Appellant’s disclosed and claimed invention is directed to static behavior-predictive malware detection. (Abstr.)

Independent claim 1, reproduced below, is illustrative of the subject matter on appeal:

1. 
A computer-implemented method of static behavior-predictive malware detection, the method comprising:

    receiving a sample of code data, wherein the sample comprises an unknown sample;

    extracting first static features from the sample, wherein the first static features are extracted from content of the sample and comprise a first set of character counts and/or word counts from the content of the sample;

    inputting the first static features to a first network trained by machine learning to generate behavior-predictive static features, wherein the behavior-predictive static features comprise a second set of character counts and/or word counts from the content of the sample;

    inputting the first static features and the behavior-predictive static features to a second network trained by machine learning to obtain a malicious score;

    comparing the malicious score with a threshold to determine whether to label the sample as malicious; and

    applying malicious label data to the sample when the malicious score is above the threshold.

(Appeal Br. II, 2 (Claims App.).)

REJECTIONS

The Examiner rejected claims 1 and 4–15 under 35 U.S.C. § 103 as being unpatentable over Dube et al. (US 2012/0260342 A1, pub. Oct. 11, 2012) and Schmidtler et al. (US 2016/0335435 A1, pub. Nov. 17, 2016). (Final Act. 4–30.)

ISSUES ON APPEAL

Appellant’s arguments present the following issues:²

Issue One: Whether the Examiner erred in finding the combination of Dube and Schmidtler taught or suggested the independent claim 1 limitations, “first static features . . . comprise a first set of character counts and/or word counts,” and “behavior-predictive static features comprise a second set of character counts and/or word counts,” and the commensurate limitations of independent claims 11, 12, and 13. (Appeal Br. 6, 9–10.)

Issue Two: Whether the Examiner erred in finding the combination of Dube and Schmidtler taught or suggested the independent claim 1 limitations, “inputting the first static features to a first network trained by machine learning,” and “inputting the first static features and the behavior-predictive static features to a second network trained by machine learning,” and the commensurate limitations of independent claims 11, 12, 14, and 15. (Appeal Br. 6–12.)

² Rather than reiterate the arguments of Appellant and the positions of the Examiner, we refer to the Appeal Brief (filed June 18, 2020); the Supplemental Appeal Brief (filed June 30, 2020); the Reply Brief (filed Aug. 27, 2020); the Non-Final Office Action (mailed Mar. 31, 2020); and the Examiner’s Answer (mailed July 13, 2020) for the respective details.

ANALYSIS

Issue One

For the claim limitations falling under Issue One above, the Examiner relies on the disclosure in Dube of static analysis using “n-grams, strings and metadata.” (Non-Final Act. 5; Dube Fig. 7, ¶ 39.) The Examiner also relies on the disclosure in Schmidtler of:

    The processing and encoding executed . . . may vary depending on the identified categories and/or type (e.g., numeric values, nominal values string/byte sequences, Boolean values, etc.) of static data points . . . . As an example, string sequence data as well as byte sequence data may be parsed and processed as n-grams and/or n-gram word prediction (e.g., word-grams). For instance, for a given string all unigrams, bigrams and so forth up to a given length n are generated and the counts of the individual n-grams are determined. The resulting counts of the unique n-grams string and/or byte sequences are then used as input to a generated feature vector.

(Ans. 28–29; Schmidtler ¶ 22.)

Appellant argues that these disclosures make “no mention of ‘character counts’ or ‘word counts,’” and for that reason alone argues that these disclosures would not have taught or suggested the claim limitations of Issue One. (Appeal Br. 6.) However, the Examiner finds that this claim requirement is satisfied because, “[i]t would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Dube et al. n-grams with Schmidtler et al. n-grams and/or n-gram word prediction (e.g., word-grams) generated and the counts of the individual n-grams are determined.” (Ans. 29.)

We are not persuaded that the Examiner’s analysis is incorrect. Therefore, we conclude the Examiner did not err in finding the combination of Dube and Schmidtler taught or suggested the limitations covered by Issue One.

Issue Two

For the claim limitations falling under Issue Two above, the Examiner relies on the disclosure in Dube of network 18 depicted in Figure 1, together with the disclosure in Schmidtler of analyzing an executable file using a “learning classifier” to generate a “feature vector.” (Non-Final Act. 5–8; Dube Fig. 1; Schmidtler Fig. 3, ¶¶ 55–59.)

Appellant argues that network 18 of Dube “is merely a single generic data network, not two networks trained by machine learning for two different purposes,” and that the learning classifier of Schmidtler does not use two separate networks. (Appeal Br. 7–8.)

The Examiner responds that, because Dube discloses that a remote computer can be connected remotely to another computer via network 18, “inputs can be done using two/multiple devices, Network 18 can be plural networks, [allowing] two different locations hence two different networks trained by machine learning for two different purposes.” (Ans. 30.) The Examiner also reiterates the reliance on the disclosed machine learning process of Schmidtler. (Ans. 32–33.)

The Examiner finds:

    Dube in view of Schmidtler does teach two networks trained for separate purposes (one to generate behavior-predictive static features and the other to obtain a malicious score) and linked in a particular way (by providing both input and output of the first network as the input of the second network).

(Ans. 33.)

In reply, Appellant argues that network 18 of Dube is a conventional data network, not a machine learning network as required, and that there is no suggestion in Schmidtler that the single disclosed “learning classifier” performs the two separate steps of first inputting static features to a first network trained by machine learning to generate behavior-predictive static features, and then inputting the first static features and the behavior-predictive static features to a second network trained by machine learning to obtain a malicious score. (Reply Br. 3–5.)

We are persuaded by Appellant’s arguments. Network 18 of Dube is a generic network used for communications, not a “network trained by machine learning” as required by the claims. Although Schmidtler generally uses machine learning techniques to detect threats, there is no suggestion in the cited portions of Schmidtler to use two networks trained by machine learning in the manner recited by the claims.

Accordingly, we conclude the Examiner erred in finding the combination of Dube and Schmidtler taught or suggested the limitations covered by Issue Two.

DECISION SUMMARY

Our decision with respect to Issue Two above requires us to reverse the Examiner’s rejections of independent claims 1, 11, 12, 14, and 15, as well as claims 4–10, which depend from claim 1. Because independent claim 13 does not require two networks trained by machine learning, and given our decision regarding Issue One above, we sustain the Examiner’s rejection of claim 13.

In summary:

Claim(s) Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed
1, 4–15           | 103         | Dube, Schmidtler   | 13       | 1, 4–12, 14, 15

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED IN PART