Patent Grant
10121105
Interconnected systems, such as, for example, the global Internet, can deliver information to more people at a faster speed and is important in the current global economy. However, as recent history has shown, these interconnected systems are often dealing with security risk issues. Security risks include, but are not limited to, for example, identity theft and theft of proprietary information.
However, previous approaches are unable to detect variations of an original file in memory (RAM). Furthermore, previous approaches are not efficient in detecting executables in RAM, particularly if some parts of the executable portions are altered at runtime. Additionally, previous approaches are not efficient in detecting variants of the same malware or malware protected by a packer or encryptor. Malware is typically is software designed to infiltrate or damage a computer system without the owner's informed consent. Therefore, the current technology is limited in its capabilities and suffers from at least the above constraints and deficiencies.
Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following figures, wherein like reference numerals refer to like parts throughout the various views unless otherwise specified.
In the description herein, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other apparatus, systems, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of embodiments of the invention.
The device 105 includes standard hardware elements 115 that are used in computing operations or data transmissions. For example, the hardware elements 115 includes a processor 120, one or more memory devices 125, storage devices 130 such as disks, ports 140, a disk driver 145, a network driver 150, and/or other known hardware elements that are used in computing devices.
The device 105 also includes software elements 152 such as, for example, an operating system 155 that performs management functions and other functions that are known to those skilled in the art. Other standard hardware, software, or firmware components that can be used in the device 105 are not shown in
In an embodiment of the invention, the processor 120 can execute a digital DNA sequencing engine 160 that performs various steps in the methods discussed below. The engine 160 is formed by software code based on a standard programming language (e.g., C, C++, or other suitable languages). The code in the engine 160 can be varied in order to vary, implement, or remove the various functions that will be discussed below.
As will be described below in the additional details or examples, the digital DNA sequencing engine 160 will evaluate any data object 165 that is received by the device 105 via the network 110. Alternatively, the data object 165 to be evaluated by the engine 160 is any object that is already represented (already existent or introduced) in physical memory associated with device 105, regardless of how that object 165 was received in or stored in the physical memory. The engine 160 will evaluate the data object 165 based upon rules that may be stored in a database or stored in the device 105 itself or in other suitable storage devices. For example, the rules can be stored in a memory 125 in the device 105 itself, in a portable memory device 170 that can be connected to the device 105, or in a computing device 172 that communicates via link 174 with the device 105. The portable memory device 105 can be, for example, a compact disk, portable disk drive, memory disk, USB-coupled memory chip, or other types of portable memory devices. The external link 171 to the portable memory device 170 can be, for example, USB.
The computing device 172 can be, for example, a server or another type of computing device. The link 174 can be a wired or wireless link and can also be, for example, a type of network connection such as, e.g., a LAN or private network.
Based on the evaluation of the data object 165, the engine 160 will then generate a digital DNA sequence which permits the data object 165 to be classified into an object type. The data object 165 can be any suitable digital objects that can be received by the device 105 (or data object 165 that is already in physical memory) such as, for example, but not limited to, data files such as Microsoft Word files, pdf files, modules, downloadable computer programs, html pages or other web pages, and/or other known suitable digital objects. Therefore the engine 160 provides a method of classifying a data object and provides a means for scanning the data object, means for evaluating contents of data objects base on at least one selected rule, and means for generating a digital DNA sequence that classifies at least some contents in the data object.
In the example of
When the engine 160 performs the scanning 105 and comparison 215, the engine 160 will generate 224 a digital DNA sequence 225 for any string (or value) in field 210 that matches any string (or value) that are referenced by the rules 220. In the example of
In an embodiment of the invention, each expressed trait includes a control code (C) and trait code (TC). For example, the expressed trait 230(1) has the control code 235 and trait code 240. The trait code 240 is a digital hash value that references or be used to locate a trait description and trait matching rule in a data storage device (e.g., server or database 172). For example, the trait code 240 will reference the trait description 245 and trait matching rule 250 of rule 220(1). The trait description 245 will describe a characteristic of the string in a human-readable form (e.g., text form). For example, the trait description 245 will indicate that the matching string is, e.g., is a string that appears in a malware file (or other suspicious code or malicious code) or spyware file, a string that relates to intellectual property data, or a string indicating that the file is a Microsoft Word file, or computer viruses, or confidential information such as credit card numbers or other financial information, or other types of data objects. The trait matching rule 250 will identify a string to be searched for a matching string in the data object field 210. The string can be an attribute or data value associated with data content that is to be matched and detected (e.g., string found in malware, spyware, intellectual property data, or other files to be detected and identified by the engine 160). Typically, for a given data object to be classified into a class/category such as, e.g., malware, spyware, virus, file type such as Word, or other data objects, a plurality of rules 220 (i.e., a plurality of traits) will have to fire. However, for a given data object to be classified into other particular types of class/category, only one rule 220 may be required to fire.
The control code 235 is also set in value in the match rule field 250 and the details of the control code 235 will be discussed below with reference to
Referring again to the trait 230(1), the control code 235 is typically a byte value. The trait code 240 can be a 16-bit hash value, although other sizes can be used for the trait code 240 as well. As an example, the trait 230(1) can have the following values:
The control value traits 235 are 00 in this example. The trait code 240 is “E3 86” in this example.
Referring first to
The mode field 310 sets the mode of the control code 235 as either Match Definition mode (first mode) or Expression mode (second mode). In the example of
Note also that other Boolean operators, such as, for example, exclusive-OR and exclusive-AND, can be added to the fields in the control code 235 or can be substituted in the Boolean fields that are shown in
As one example, assume that the NOT field 325 is set at “0” and the AND/OR field 330 is set at “0” by the engine 160 (
As another example, if field 325 is “0” and field 330 is “1”, then the Boolean operator “OR” will be applied to the corresponding rule 220(1). Since rule 220(1) is subject to the OR operator, if the rule 220(1) does fire based on comparison with values (strings) in the data object field 210, then the engine 160 will indicate in the sequence 225 that a match in the data object field 210 has been found with the rule 220(1) and with any other rule (subject to the OR operator) that has fired, irrespective of whether or not other rules 220 had fired.
In
The weight values −15 through +15 are confidence values that indicate if a data object 165 should belong or should not belong to a set/class/type/category of data objects. For example, a set could represent a particular class of data objects such as a particular malware, particular spyware, intellectual property data, software modules, particular files such as Microsoft Word or Powerpoint, or any other category of data objects or files that are known to those skilled in the art.
In the example of
A higher negative value indicates a higher confidence that a data object is a not member of a class. As a further example, a −15 negative weight value indicates a higher confidence that a data object is not member of a class and a lower negative weight value (e.g., −8 weight value) indicates a lower confidence (as compared to the −15 greater negative weight value) that the data object is not a member of that class.
Note that the granularity of the confidence value is not limited to integer values. Therefore, the engine 160 can be configured to generate more fine granularity of confidence values (e.g., +8.0, +8.5, +0.5, −0.8, −8.9, and the like). Additionally, in
The rules, Rule1220(1), Rule2220(2), Rule3220(3), and Rule4220(4), are each in an associated trait. Assume in the example of
If the rules 220(1)-220(4) do fire, due to a positive match in the data fields 210 of data object 165, then the engine 160 will generate the digital DNA sequence 225 (
As another example, the engine 160 also generates a Threat5 output which indicates a high likelihood (based on the W=−15 weight value) that the data object is not a data object in a class that is defined by Rule5220(5). As an example, this class defined by Rule5 is the pdf type documents.
Discrete Weight Decay Algorithm
A single trait (single rule) can only be weighted from a given range (e.g., −15 to +15), but the overall weight for a given Digital DNA sequence 225 can be much larger because all weights of traits (rules) that have fired are summed in the DDNA sequence 225. In other words, all weights in a sequence 225 are summed to arrive at a final weight Σ. This discrete weight decay algorithm is used to diminish the effects of a single repeating weight value, as will be shown in the example below with reference to
In
This algorithm can be generically shown as a two step arithmetic process:
new_sequence_weight=old_sequence_weight+(trait_weight*weight_multipliertrait_weight), (1)
new_weight_multipliertrait_weight=old_weight_multipliertrait_weight−decay_constanttrait_weight (2)
The weight_multiplieritrait_weight indicates the weight multiplier assigned to a given bucket for that given trait weight, and decay_constanttrait_weight indicates the decay constant assigned to the bucket for that given trait weight. The trait_weight variable is the trait weight that corresponds for a given bucket and is associated with a rule. The new_sequence_weight variable is the new weight value of a DDNA sequence and is dependent on the previous weight value of the DDNA sequence (old_sequence_weight) and on the trait weight for the given bucket and the weight multiplier for the given bucket.
The variable Tn is the weight of the trait at position n in the sequence (n is limited to the range −15 to +15 in this example), LTn is the weight multiplier for the bucket assigned to weight Tn, and DTn is the decay constant for the bucket assigned to weight Tn.
In the example of
Assume that the weight multiplier for bucket B+5 is L+5=1.0, while the other buckets B+8 and B+15 have the weight multiplier L+8 and L+15, respectively. The L+5 value is a programmable variable that can be set at any value by the engine 160. The weight multipliers L+8 and L+15 can be separate programmable values and therefore can have the same value as L+5 or can be set at other values.
Assume that the decay constant for bucket B+5 is D+5=0.1, while the other buckets B+8 and B+15 have the decay constants D+8 and D+15, respectively. The D+5 value is a programmable variable that can be set at any value by the engine 160. The decay constants B+8 and D+15 can be separate programmable values and therefore can have the same value as D+5 or can be set at other values.
In this example, assume also that the weight T+5=+5 is assigned to the rule 220(1) and, therefore, the trait weight T+5=+5 assigned to traits of rule 220(1). The other trait weights can be assigned to other rules, while other trait weights are not assigned to any rules. For example, T+8=+5 is assigned to the rule 220(2) and T+15=+15 is assigned to the rule 220(3). For purposes of clarity, in this example, weights T−15 to T+4, T+6 to T+7, T+9 to T+14 are unassigned to any rules. However, the engine 160 is programmable to set any weight to any of the rules 220.
At time t=1, assume that the rules 220(1), 200(2), and 220(3) had fired, indicating a match between these rules and the data object field 210 of a data object 165 that has been scanned by the engine 160.
Therefore, at time t=1, the sequence weight of the DDNA sequence 225 would be expressed by equation (3):
The discrete weight decay effect of the algorithm for a repeating trait weight Tn is now shown.
At subsequent time t=2, assume that the rule 220(1) again fires, indicating a match between this rules and the data object field 210 of a data object 165. In contrast, at time t=s, the rules 200(2) and 220(3) do not fire, indicating a mismatch between these rules and the data object field 210.
The discrete weigh decay effect is based on equation (2) above. In this example, the following values in equation (4) would be applicable to bucket B+5 which is assigned to the firing rule 220(1):
Therefore, a rule that again fires will have its associated weight multiplier LTn to be reduced. Since, the weight multiplier for bucket B+5 has decayed from 1.0 to 0.9, the new sequence weight of DDNA sequence 225 is shown in equation (5):
The old_sequence_weight for DDNA sequence 225 was previously +28 as shown in equation (3) above. Without the decay effect of the algorithm, the new_sequence_weight of DDNA sequence 225 would be equal to the value 33 (33=+28++5), instead of the decayed value of 32.5 in equation (5).
If at subsequent time t=3, the rule 220(1) again fires, and the rules 200(2) and 220(3) do not fire, then the weight multiplier of bucket B+5 again decays as shown in equation (6) where the old_weight_multipliertrait_weight variable is shown in equation (4) above:
Since, the weight multiplier for bucket B+5 has decayed from 0.9 to 0.8, the new sequence weight of DDNA sequence 225 is shown in equation (7):
As rule 220(1) continues to fire in the future, the trait_weight*weight_multipliertrait_weight variable will eventually become zero (0) in value. As a result, when this variable becomes zero, when rule 220(1) fires, this rule will not add additional weight to the sequence weight of the DDNA sequence 225. Therefore, the discrete weight decay algorithm permits weight settings and weight decay to be set on particular rules, so that selected rules that fire multiple times would have less effect or minimal or no effect on the final or resultant sequence weight of the DDNA sequence 225.
Trait Generation
Trait generation is controlled via a matching expression. The matching expression is used to determine if the trait applies to the data set of the data object 165 that is being scanned. If there is a match occurrence, then the trait is included in the generated DDNA sequence 225. As discussed above, that trait is known as an expressed trait.
A rule 600 has three components as shown in
The function of the rule type 605 is not limited to the examples disclosed herein, and can be configured to any desired search and match function that can be designed by the user for the engine 160.
The Rule Body 610 indicates the criteria for a match, and is coupled to (and dependent on) the Rule type 605 that is being used. As an example, the rule body 610 may indicate in text “substring HXD”, in which case, the expression 600 will be used to match for the text “substring HXD” in the data object field 210.
The Rule Restrictions 615 is an optional feature in the expression 600. The rule restrictions 615 indicate optional controls to be placed on the rule to be applied by the expression 600, and are dependent upon both the Rule Body 610 and Rule type 605. For example, a restrictor 615 can indicate if the text to be matched will be case sensitive or case insensitive, or if the text to be searched is in the kernel address or user address, or if the text has to occur in a process of a given name. Other restriction functionalities can be programmed for a restrictor 615.
For example, the rule type, B, is a straight byte search to be performed in the content of the data object field 210, and the rule type, S, is a string search to be performed in the content of the data object field 210.
As another example, the rule type, T, permits an expression 600 to reference one or more additional expressions. For example, a trait of an expression 600 could references a trait A, trait B, and trait C, all of which would be applied to the content of the data object field 210. If each of the traits A, B, and C fires, then the trait for expression 600 (with the rule type T) would also fire.
As also mentioned above, the traits of the different rule types can be combined via Boolean operators. Also weights can be assigned to each trait of rule types, and the discrete weight decay algorithm can be used with one or more traits as discussed above. The use of Boolean operators and weights provided flexibility in detecting for suspicious data objects and improved classification of data objects.
As an example, a high weight (e.g., +15) could be given to the expression 600 (with rule type T) that fires, while low weights (e.g., between 0 through +8) could be given to each of the traits A, B, and C that fire. Therefore, an embodiment of the invention provides flexibility by allowing a first weight value to be assigned to a set comprising a plurality of firing rules (i.e., the set of firing traits A, B, and C) in this example, and allowing different weight values for each individual rule (each of the individual traits A, B, and C).
As another example, the rule type, Z, permits an expression 600 to generate a fuzzy hash value based on a search of the content of the data object field 210. Typically, the fuzzy hash value is a sequence of bytes (e.g., hexadecimal bytes). A fuzzy hash is a special form of hash that can be calculated against varied data streams and can then be used to determine the percentage of match between those data streams. For example, in
F92EC292021302C252C76ECECDF12E5DADA34BA94456D.
There are multiple restrictors 810 and 820 that are operated by the Boolean operator 815 “AND”. The restrictor 810 is the text, k, at the end of the fuzzy hash string, indicating that the kernel mode is applicable for the content being scanned (i.e., the comparison is with content in the kernel module or kernel region). The restrictor 820 indicates the match percentage value against the fuzzy hash. In this example, the match percentage value must be approximately 80% or better between the fuzzy hash and the hash of the content of the data object field 210. The restrictor(s) can be programmed via engine 160 to other values. As an example operation, the engine 160 would calculate hash values of substrings in the data object field 210 and compare these calculated hash values with the fuzzy hash 805. If there is a given match percentage value (e.g., 80% in this example) is satisfied between the calculated hash values of the substrings and the fuzzy hash 805, then the expression 600 would fire, indicating a match occurrence. A fuzzy hash value can be calculated by, for example, an MD5 checksum operation, although other suitable hash operations may be used instead.
Extended Qualifiers
Some rule types 605 may need more specific restrictions 615, which can be called an “extended qualifier”.
C“KeAttachProcess”k{extended qualifier}.
The field 910 contains the rule type, C, which indicates from Table 1 that rule 900 searches for a function call in, for example, the code in the data object field 210. The field 915 indicates that the function call is known by the name, KeAttachProcess. The field 920 is a restrictor indicating that the function call, KeAttachProcess” must exist in a kernel module or kernel address space.
The field 905 is the extended qualifier field, which is an argument (or arguments) for the restrictor 920. Any suitable arguments with use of suitable syntax components can be placed in the extended qualifier field 905, in order to place more specific restrictions on a given rule type 605.
Module Name Rules
The term, “modules”, in the vocabulary of this document, can refer to, e.g., the loaded programs, executables, libraries, and drivers of a running computer system. Modules typically are assigned human readable names. The rule type, N, simply compares the module name to the given string.
For example,
N“eggdrop.exe”iu.
Rules can also be written in a longhand form. For example, the shorthand form of Rule1000A of
(N=“eggdrop.exe”i AND % RING %=“usermode”).
The restrictor, i, in field 1010 (
As another example, the shorthand form of Rule1000A of
(% NAME %=“eggdrop.exe”i AND % RING %=“usermode”).
The rule type, N, in field 1020 (
Module Import Rules
Imports are named functions that are used in one module, but implemented in another module. As such, they represent a named connection between two modules. These functions are commonly used with libraries. Furthermore, each import name is typically associated with known software behaviors. As such, they make ideal rules for determining software behavior. For example, in
I“KeAttachProcess”k AND % DRIVERCHAIN %=“NDIS”.
The above example specifies the import must be in kernel-mode (field 1110) and that the driver module must be part of the “NDIS” driver chain (field 1115). The name of the driver chain in this example is NDIS which stands for Network Device Interface Specification. In the Windows operating system, device drivers are linked by chains. Therefore, other device drivers (e.g., keyboard driver, USB port, video drivers, and other drivers) will each have a linked chain.
Function Hook Rules
Functions are discrete units of software computation and have very specific and identifiable behaviors. Use of functions can reveal software behaviors. Some malicious software attempts to bypass or alter the behavior of existing functions via a technology known as hooking. Therefore, detecting hooks on specific named functions is an effective method to detect malicious software. Function hook rules can be used to detect hooks on various named functions. For example,
H“EnumServiceGroupW”u.
A hook must be detected on the named function (as noted in field 1210), and the restrictor in field 1215 indicates user-mode only.
Byte Sequence Rules
In a very general form of rule, any data sequence of bytes can be detected. This rule form can be used to detect code sequences as well, since code sequences are ultimately encoded as data. For example, in
B[60 9C E8 ?? ?? ?? ?? 9D 61]c.
The field 1310 between the brackets indicates the hexadecimal values to be matched with the scanned data object. This rule is displaying the use of wildcard characters. The wildcard character, ??, indicates that any byte may exist at those particular locations in field 1310.
The restrictor, c, in field 1315 indicates that the search will be for code sequences only.
In the figure, the DDNA sequences can be seen on the left side of the screenshot, and a summary describing each trait found in an individual sequence is shown on the right side of the screenshot. The descriptions are looked up in a database using the hash code of the trait. The color of the trait indicates the weight of the trait. The DDNA sequences themselves are also showing their weights. For example, there is a very high scoring DDNA sequence on the module named “iimo.sys” (having a weight of 92.7 as shown on the left side of the screenshot).
An embodiment of the invention could also be applied to an Enterprise system and can be used to monitor many nodes in the Enterprise system.
This application is a continuation of U.S. patent application Ser. No. 12/386,970, filed Apr. 24, 2009, the entire contents of which is incorporated herein by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5923872 | Chrysos et al. | Jul 1999 | A |
| 6683546 | Torrubia-Saez | Jan 2004 | B1 |
| 7233935 | Chandler | Jun 2007 | B1 |
| 7711779 | Goodman et al. | May 2010 | B2 |
| 7882128 | Bollinger | Feb 2011 | B2 |
| 8055599 | Werth | Nov 2011 | B1 |
| 8103875 | Ramzan et al. | Jan 2012 | B1 |
| 8335750 | Werth | Dec 2012 | B1 |
| 8904540 | Kalle | Dec 2014 | B1 |
| 20020188859 | Dollens | Dec 2002 | A1 |
| 20030065926 | Schultz et al. | Apr 2003 | A1 |
| 20030078899 | Shanahan | Apr 2003 | A1 |
| 20050060643 | Glass et al. | Mar 2005 | A1 |
| 20050235154 | Serret-Avila | Oct 2005 | A1 |
| 20060020397 | Kermani | Jan 2006 | A1 |
| 20060029975 | Barber et al. | Feb 2006 | A1 |
| 20070092103 | Mihcak et al. | Apr 2007 | A1 |
| 20070180262 | Benson | Aug 2007 | A1 |
| 20070240217 | Tuvell | Oct 2007 | A1 |
| 20080040505 | Britto et al. | Feb 2008 | A1 |
| 20080127336 | Sun | May 2008 | A1 |
| 20080184367 | McMillan et al. | Jul 2008 | A1 |
| 20090094175 | Provos et al. | Apr 2009 | A1 |
| 20090126012 | Treadwell et al. | May 2009 | A1 |
| 20090165131 | Treadwell | Jun 2009 | A1 |
| 20090271454 | Anglin et al. | Oct 2009 | A1 |
| 20100030996 | Butler, II | Feb 2010 | A1 |
| 20100046809 | Marvasti | Feb 2010 | A1 |
| 20110093426 | Hoglund | Apr 2011 | A1 |
| Number | Date | Country |
|---|---|---|
| WO2004061698 | Jul 2004 | WO |
| WO2005059720 | Jun 2005 | WO |
| Entry |
|---|
| Hoglund, U.S. Office Action dated Mar. 27, 2012, directed towards U.S. Appl. No. 12/386,970; 21 pages. |
| Hoglund, U.S. Office Action dated Jan. 2, 2013, directed to U.S. Appl. No. 12/386,970; 18 pages. |
| Hoglund, U.S. Office Action dated Oct. 3, 2012, directed to U.S. Appl. No. 12/459,203; 11 pages. |
| Patent Examination Report No. 1 dated Oct. 9, 2014, directed to AU Application No. 2010239696; 3 pages. |
| International Search Report and Written Opinion dated Nov. 4, 2010, directed towards International Application No. PCT/US10/01211, 9 pages. |
| International Preliminary Report on Patentability dated Apr. 26, 2011, directed towards International Application No. PCT/US10/01211, 6 pages. |
| International Search Report and Written Opinion of the International Searching Authority dated Oct. 4, 2010, directed towards International Application No. PCT/US10/01826, 7 pages. |
| International Preliminary Report on Patentability dated Jan. 4, 2012, directed towards International Application No. PCT/US10/01826, 6 pages. |
| Hoglund Greg, “Volatile Systems”, by Greg Hoglund. Dated Aug. 21, 2007, 1 page. http://volatilesystems.blogspot.com/search?q=greg+hoglund. |
| Kornblum, J., “Identifying Almost Identical Files Using Context Triggered Piecewise Hashing”, Digital Investigations 3S, 2006, pp. 1-7. |
| Roussev, V. et al., “md5bloom: Forensic file system hashing revisited” by V. Roussev et al., © 2006. Retrieved from the Internet: http://dfrws.org/2006/proceedings/11-Roussev.pdf. Total pgs. 9. |
| Roussev V. e al., “Multi-resolution similarity hashing” by V. Roussev, et al., © 2006. Retrieved from the Internet: http://www.dfrws.org/2007/proceedings/p105-roussev.pdf. Total pgs. 9. |
| Roussev, V., “Hashing and Data Fingerprinting in Digital Forensics,” IEEE Digital Forensics, Mar. 2009, pp. 49-55. |
| Stein, B., “Fuzzy-Fingerprints for Text-Based Information Retrieval,” Journal of Universal Computer Science, 2005, pp. 572-579. |
| Wiehe et al., “Quantitative Analysis of Efficient Antispam Techniques,” IEEE Workshop on Information Assurance, 2006, pp. 1-7. |
| HBGary, Inc., Extended European Search Report dated Oct. 28, 2015 directed to EP Application No. 10767436.8, 8 pgs. |
| HBGary, Inc., Communication Pursuant to Rules 70(2) and 70a(2) EPC, EP10767436.8, dated Nov. 13, 2015, 1 pg. |
| HBGary, Inc., Certificate of Grant, IL215774, dated Oct. 31, 2015, 3 pgs. |
| Hoglund, Notice of Allowance, U.S. Appl. No. 12/459,203, dated Mar. 12, 2013, 9 pgs. |
| HBGary, Inc., Office Action, IL239553, dated Feb. 9, 2016, 7 pgs. |
| HBGary, Inc., Office Action, CA 2,759,279, dated Jun. 6, 2016, 4 pgs. |
| Hbgary, Inc., Extended European Search Report dated Feb. 24, 2017 directed to EP Application No. 10792455.7, 11 pgs. |
| Hbgary, Inc., Certificate of Grant, AU20100239696, dated Sep. 29, 2016, 1 pg. |
| Hbgary, Inc., Notice of Allowance, IL216933, dated Jan. 3, 2017, 4 pgs. |
| Hbgary, Inc., Certificate of Patent, IL216933, Jul. 31, 2017, 4 pgs. |
| HBGary, Inc., Patent Examination Report No. 1, AU2015258293, dated Oct. 17, 2016, 2 pgs. |
| HBGary, Inc., Office Action, CA2,759,279, dated May 11, 2017, 4 pgs. |
| HBGary, Inc., Letters Patent, CA2,765,485, Aug. 22, 2017, 1 pg. |
| HBGary, Inc., Office Action, IL239553, dated Feb. 14, 2017, 7 pgs. |
| HBGary, Inc., Office Action, IL251366, dated Mar. 28, 2017, 10 pgs. |
| HBGary, Inc., Notice of Allowance, CA2,759,279, dated Apr. 10, 2018, 1 pg. |
| Number | Date | Country | |
|---|---|---|---|
| 20150058271 A1 | Feb 2015 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 12386970 | Apr 2009 | US |
| Child | 14317958 | US |
