Patent Grant
9785773
Embodiments of the present disclosure generally related to automatic analysis of data items, and specifically to automatic analysis of malware-related data items.
Malware may include any software program (and/or group of software programs) installed on a computer system and/or a network of computer systems maliciously and/or without authorization. When executed, an item of malware may take any number of undesirable actions including, for example, collection of private or sensitive information (for example, personal data and information, passwords and usernames, and the like), transmission of the collected information to another computing device, destruction or modification of data (for example, accessing, modifying, and/or deleting files), communication with other malware, transmission or replication of malware onto other connected computing devices or systems, transmission of data so as to attack another computing device or system (for example, a Distributed Denial of Service Attack), and/or hijacking of processing power, just to name a few.
The systems, methods, and devices described herein each have several aspects, no single one of which is solely responsible for its desirable attributes. Without limiting the scope of this disclosure, several non-limiting features will now be discussed briefly.
Embodiments of the present disclosure relate to a data analysis system (also referred to herein as “the system”) that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) (also referred to herein as file data item(s)) may include one or more automatic analysis techniques. Automatic analysis of a file data item may include production and gathering of various items of information (also referred to herein as “analysis information data items” and/or “analysis information items”) related to the file data item including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information items may be automatically associated with the file data item, and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the file data item. For example, the analyst may quickly determine one or more characteristics of the file data item, whether or not the file data item is malware, and/or a threat level of the file data item.
In various embodiments, the system may receive suspected malware files from various users. The system may automatically analyze submitted file data items, associate the file data items with analysis information items, and/or store the file data item and analysis information items in one or more data stores. The system may generate a submission data item with each submission of a file data item, which submission data item may be associated with the submitted file data item. The system may automatically determine whether or not a particular submitted data item was previously submitted to the system and, if so, may associate a new submission data item with the previously submitted file data item. Further, in an embodiment, the system may not re-analyze a previously submitted file data item. Accordingly, in various embodiments, the system may associate a file data item with various submission data items such that information regarding, for example, a number of submissions and/or time of submission may be presented to the analyst. Additionally, information regarding users who submitted the suspected malware files may be associated with the submission file data items, and may be presented to the analyst in connection with the respective file data items.
In various embodiments, file data items and related information may be shared by the system with one or more third-party systems, and/or third-party systems may share file data items and related information with the system.
As described, some embodiments of the present disclosure related to a system designed to provide interactive, graphical user interfaces (also referred to herein as “user interfaces”) for enabling an analyst to quickly and efficiently analyze and evaluate suspected malware data files. The user interfaces are interactive such that a user may make selections, provide inputs, and/or manipulate outputs. In response to various user inputs, the system automatically analyzes suspected malware data files, associates related malware data files, and provides outputs to the user include user interfaces and various analysis information related to the analyzed malware data files. The outputs, including various user interfaces, may be automatically updated based on additional inputs provided by the user.
This application is related to the following U.S. Patent Applications:
The entire disclosure of each of the above items is hereby made part of this specification as if set forth fully herein and incorporated by reference for all purposes, for all that it contains.
According to an embodiment, a computer system comprises: one or more computer readable storage devices configured to store: a plurality of computer executable instructions; and a plurality of file data items and submission data items, each submission data item associated with at least one file data item; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the computer system to automatically: in response to receiving a new file data item: determine whether the received new file data item was previously received by comparing the received new file data item to the plurality of file data items; and generate a new submission data item; in response to determining that the new file data item was not previously received: initiate an analysis of the new file data item, wherein the analysis of the new file data item generates analysis information items, wherein initiating the analysis of the new file data item comprises: initiating an internal analysis of the new file data item including at least calculation of a hash of the file data item; and initiating an external analysis of the new file data item by one or more third party analysis systems; associate the analysis information items with the new file data item; associate the new submission data item with the new file data item; and generate a user interface including one or more user selectable portions presenting various of the analysis information items.
According to another embodiment, the one or more hardware computer processors are further configured to execute the a plurality of computer executable instructions in order to cause the computer system to: in response to determining that the new file data item was previously received: determine a storage location of the file data item that was previously received; retrieve the analysis information items associated with the file data item that was previously received; associate the new submission data item with the file data item that was previously received; and generate a user interface including one or more user selectable portions presenting various of the analysis information items associated with the file data item that was previously received, the user interface usable by the analyst to determine one or more characteristics of the file data item that was previously received.
According to yet another embodiment, further in response to determining that the new file data item was previously received, the analyst is notified via the user interface that the new file data item was previously received.
According to another embodiment, determining whether the received new file data item was previously received comprises: calculating a hash of the received new file data item and comparing the calculated hash to previously calculated hashes associated with the plurality of file data items.
According to yet another embodiment, the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: in response to an analyst input selecting to view a graph of the new file data item, generating a graph including at least a first node representing the new file data item, a second node representing the new submission data item, and an edge connecting the first and second nodes and representing the association between the new file data item and the new submission data item.
According to another embodiment, the graph further includes additional nodes representing other file data items and/or submission data items associated with the new file data item, and additional edges connecting the additional nodes and the first node and representing associations between the other file data items and/or submission data items and the new file data item.
According to yet another embodiment, the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the new file data item, calculation of a SHA-1 hash of the new file data item, calculation of a SHA-256 hash of the new file data item, calculation of an SSDeep hash of the new file data item, or calculation of a size of the new file data item.
According to another embodiment, the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the new file data item in a sandboxed environment and analysis of the new file data item by a third-party malware analysis service.
According to yet another embodiment, any payload provided by the new file data item after execution of the new file data item in the sandboxed environment is associated with the new file data item.
According to another embodiment, the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: in response to an analyst input, sharing the new file data item and associated analysis information items with a second computer systems via a third computer system.
According to yet another embodiment, a computer-implemented method comprises: storing on one or more computer readable storage devices: a plurality of computer executable instructions; and a plurality of file data items and submission data items, each submission data item associated with at least one file data item; in response to receiving a new file data item: determining, by one or more hardware computer devices configured with specific computer executable instructions, whether the received new file data item was previously received by comparing the received new file data item to the plurality of file data items; and generating, by the one or more hardware computer devices, a new submission data item; and in response to determining that the new file data item was not previously received: initiating, by the one or more hardware computer devices, an analysis of the new file data item, wherein the analysis of the new file data item generates analysis information items, wherein the initiating analysis of the new file data item comprises initiating an internal analysis of the new file data item including at least calculation of a hash of the file data item; associating, by the one or more hardware computer devices, the analysis information items with the new file data item; associating, by the one or more hardware computer devices, the new submission data item with the new file data item; and generating, by the one or more hardware computer devices, a user interface including one or more user selectable portions presenting various of the analysis information items, the user interface usable by an analyst to determine one or more characteristics of the new file data item.
According to another embodiment, the method further comprises: in response to determining that the new file data item was previously received: determining, by the one or more hardware computer devices, a storage location of the file data item that was previously received; retrieving, by the one or more hardware computer devices, the analysis information items associated with the file data item that was previously received; associating, by the one or more hardware computer devices, the new submission data item with the file data item that was previously received; and generating, by the one or more hardware computer devices, a user interface including one or more user selectable portions presenting various of the analysis information items associated with the file data item that was previously received.
According to yet another embodiment, further in response to determining that the new file data item was previously received, the analyst is notified via the user interface that the new file data item was previously received.
According to another embodiment, the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the new file data item, calculation of a SHA-1 hash of the new file data item, calculation of a SHA-256 hash of the new file data item, calculation of an SSDeep hash of the new file data item, or calculation of a size of the new file data item.
According to yet another embodiment, the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the new file data item in a sandboxed environment and analysis of the new file data item by a third-party malware analysis service.
According to another embodiment, a non-transitory computer-readable storage medium is disclosed, the non-transitory computer-readable storage medium storing software instructions that, in response to execution by a computer system having one or more hardware processors, configure the computer system to perform operations comprising: storing on one or more computer readable storage devices: a plurality of computer executable instructions; and a plurality of file data items and submission data items, each submission data item associated with at least one file data item; in response to receiving a new file data item: determining whether the received new file data item was previously received by comparing the received new file data item to the plurality of file data items; and generating a new submission data item; and in response to determining that the new file data item was not previously received: initiating an analysis of the new file data item, wherein the analysis of the new file data item generates analysis information items, wherein the initiating analysis of the new file data item comprises initiating an internal analysis of the new file data item including at least calculation of a hash of the file data item; associating the analysis information items with the new file data item; associating the new submission data item with the new file data item; and generating a user interface including one or more user selectable portions presenting various of the analysis information items, the user interface usable by an analyst to determine one or more characteristics of the new file data item.
According to yet another embodiment, the software instructions further configure the computer system to perform operations comprising: in response to determining that the new file data item was previously received: determining a storage location of the file data item that was previously received; retrieving the analysis information items associated with the file data item that was previously received; associating the new submission data item with the file data item that was previously received; and generating a user interface including one or more user selectable portions presenting various of the analysis information items associated with the file data item that was previously received.
According to another embodiment, further in response to determining that the new file data item was previously received, the analyst is notified via the user interface that the new file data item was previously received.
According to yet another embodiment, the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the new file data item, calculation of a SHA-1 hash of the new file data item, or calculation of a size of the new file data item.
According to another embodiment, the initiating analysis of the new file data item further comprises: initiating an external analysis of the new file data item, wherein the external analysis includes execution of the new file data item in a sandboxed environment and analysis of the new file data item by a third-party malware analysis service.
The following drawings and the associated descriptions are provided to illustrate embodiments of the present disclosure and do not limit the scope of the claims. Aspects and many of the attendant advantages of this disclosure will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
Although certain preferred embodiments and examples are disclosed below, inventive subject matter extends beyond the specifically disclosed embodiments to other alternative embodiments and/or uses and to modifications and equivalents thereof. Thus, the scope of the claims appended hereto is not limited by any of the particular embodiments described below. For example, in any method or process disclosed herein, the acts or operations of the method or process may be performed in any suitable sequence and are not necessarily limited to any particular disclosed sequence. Various operations may be described as multiple discrete operations in turn, in a manner that may be helpful in understanding certain embodiments; however, the order of description should not be construed to imply that these operations are order dependent. Additionally, the structures, systems, and/or devices described herein may be embodied as integrated components or as separate components. For purposes of comparing various embodiments, certain aspects and advantages of these embodiments are described. Not necessarily all such aspects or advantages are achieved by any particular embodiment. Thus, for example, various embodiments may be carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other aspects or advantages as may also be taught or suggested herein.
Terms
In order to facilitate an understanding of the systems and methods discussed herein, a number of terms are defined below. The terms defined below, as well as other terms used herein, should be construed broadly to include, without limitation, the provided definitions, the ordinary and customary meanings of the terms, and/or any other implied meanings for the respective terms. Thus, the definitions below do not limit the meaning of these terms, but only provide example definitions.
Ontology: Stored information that provides a data model for storage of data in one or more databases. For example, the stored data may comprise definitions for object types and property types for data in a database, and how objects and properties may be related.
Database: A broad term for any data structure for storing and/or organizing data, including, but not limited to, relational databases (for example, Oracle database, mySQL database, and the like), spreadsheets, XML files, and text file, among others. The various terms “database,” “data store,” and “data source” may be used interchangeably in the present disclosure.
Data Item (Item), Data Object (Object), or Data Entity (Entity): A data container for information representing specific things in the world that have a number of definable properties. For example, a data item may represent an item such as a person, a place, an organization, an account, a computer, an activity, a market instrument, or other noun. A data item may represent an event that happens at a point in time or for a duration. A data item may represent a document or other unstructured data source such as an e-mail message, a news report, or a written paper or article. Each data item may be associated with a unique identifier that uniquely identifies the data item. The data item's attributes (for example, metadata about the data item) may be represented in one or more properties. The terms “data item,” “data object,” “data entity,” “item,” “object,” and “entity” may be used interchangeably and/or synonymously in the present disclosure.
Item (or Entity or Object) Type: Type of a data item (for example, Person, Event, or Document). Data item types may be defined by an ontology and may be modified or updated to include additional data item types. An data item definition (for example, in an ontology) may include how the data item is related to other data items, such as being a sub-data item type of another data item type (for example, an agent may be a sub-data item of a person data item type), and the properties the data item type may have.
Properties: Also referred to as “metadata,” includes attributes of a data item that represent individual data items. At a minimum, each property of a data item has a property type and a value or values. Properties/metadata associated with data items may include any information relevant to that object. For example, properties associated with a person data item may include a name (for example, John Doe), an address (for example, 123 S. Orange Street), and/or a phone number (for example, 800-0000), among other properties. In another example, metadata associated with a computer data item may include a list of users (for example, user1, user 2, and the like), and/or an IP (internet protocol) address, among other properties.
Property Type: The type of data a property is, such as a string, an integer, or a double. Property types may include complex property types, such as a series data values associated with timed ticks (for example, a time series), and the like.
Property Value: The value associated with a property, which is of the type indicated in the property type associated with the property. A property may have multiple values.
Link: A connection between two data objects, based on, for example, a relationship, an event, and/or matching properties. Links may be directional, such as one representing a payment from person A to B, or bidirectional.
Link Set: Set of multiple links that are shared between two or more data objects.
Overview
Embodiments of the present disclosure relate to a data analysis system (also referred to herein as “the system”) that may automatically analyze a suspected malware file, or group of files, and present analysis information to an analyst via a user interface. Malware files may include any software program file (and/or group of software program file) that may be installed on a computer system and/or a network of computer systems maliciously and/or without authorization. When executed, a malware file may take any number of undesirable actions including, for example, collection of private or sensitive information (for example, personal data and information, passwords and usernames, and the like), transmission of the collected information to another computing device, destruction or modification of data (for example, accessing, modifying, and/or deleting files), communication with other malware, transmission or replication of malware onto other connected computing devices or systems, transmission of data so as to attack another computing device or system (for example, a Distributed Denial of Service Attack), and/or hijacking of processing power, just to name a few. In most cases such malware infects a computing device via a network connection (for example, a connection to the Internet), and communicates with another computing device or system (for example, another Internet-connected computing device) to accomplish its purpose. Oftentimes malware is well hidden in the infected computing device such that it may not be detectable to an average user of the computing device.
Detection and removal of malware from infected computing devices and/or systems is a highly desirable, but oftentimes challenging task. Detection of malware is of particular importance to organizations (for example, businesses) that maintain internal networks of computing devices that may be connected to various external networks of computing devices (for example, the Internet) because infection of a single computing device of the internal network may quickly spread to other computing devices of the internal network and may result in significant data loss and/or financial consequences.
Detection of malware may be enabled by accurate and thorough information regarding the malware. Further, whether or not a particular file or program is an item of malware, and an accurate assessment of threat posed by the item of malware, may be enabled by such accurate and thorough information. Previously, determination and collection of information about a suspected malware file was a labor intensive task. For example, an analyst may have had to isolate the suspected malware file, manually run tests and analyses on the suspected malware file, and compile any information gleaned from such tests and analyses. The compiled information may be in varying formats and difficult to analyze. Further, a given suspected malware file may be analyzed multiple times in such a manual process, unbeknownst to the analyst (because, for example, the suspected malware file may have been found in multiple disjoint incidents).
Embodiments of the data analysis system described herein may overcome the limitations and deficiencies of previous methods of gathering information about suspected malware files. For example, an analyst may simply provide a suspected malware file, or group of files, to the data analysis system for automatic analysis and generation of a user interface by which the analyst may efficiently evaluate the analysis and the suspected malware file. In various embodiments, the system, by way of automatic analysis of file data items, may generate accurate and thorough information regarding the file data items. Automatic analysis of the suspected malware file(s) (also referred to herein as file data item(s)) may include one or more automatic analysis techniques, including, for example, determination of various properties of the file data item, execution of the file data item in a sandbox environment to determine payloads (e.g., files exposed and/or created by execution of the malware, which may be referred to as “payloads,” “drop files,” and/or “dropped file data items”) and behaviors, and/or submission of the file data item to one or more third-party analysis providers, just to name a few. Automatic analysis of a file data item may include production and gathering of various items of information (also referred to herein as “analysis information data items” and/or “analysis information items”) related to the file data item including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information items may be automatically associated with the file data item by the system, and a user interface may be generated in which the various analysis information items are presented to the analyst such that a human analyst may quickly and efficiently evaluate the file data item. For example, the analyst may quickly determine one or more characteristics of the file data item, whether or not the file data item is malware, and/or a threat level of the file data item.
In various embodiments, the system may receive suspected malware files from various users. The system may automatically analyze submitted file data items, associate the file data items with analysis information items, and store the file data item and analysis information items in one or more data stores. The system may generate a submission data item with each submission of a file data item, which submission data item may be associated with the submitted file data item. The system may automatically determine whether or not a particular submitted data item was previously submitted to the system and, if so, may associate a new submission data item with the previously submitted file data item. Further, in an embodiment, the system may not re-analyze a previously submitted file data item. Accordingly, in various embodiments, the system may associate a file data item with various submission data items such that information regarding, for example, a number of submissions and/or time of submission may be presented to the analyst. Additionally, information regarding users who submitted the suspected malware files may be associated with the submission file data items, and may be presented to the analyst in connection with the respective file data items.
In various embodiments, file data items and related information may be shared by the system with one or more third-party systems, and/or third-party systems may share file data items and related information with the system.
In various embodiments, file data items may be submitted and evaluated by a single person (for example, the user submitting the file data item, and the analyst evaluating the results of the system's analysis, may be the same person), or may be submitted by a first person and evaluated by a second person.
In various embodiments, the data analysis system as described herein may be used in conjunction with additional systems and/or components to enable automatic clustering of various data items related to an analyzed file data item. Examples of such clustering, and further analysis of data clusters and generation of associated user interfaces are described in U.S. patent application Ser. No. 14/473,920, titled “EXTERNAL MALWARE DATA ITEM CLUSTERING AND ANALYSIS,” previously incorporated by reference herein. Accordingly, in various embodiments, the data analysis system may enable automatic, efficient, and effective detection, analysis, and evaluation (by an analyst) of likely malware on computing devices and/or network.
Description of the Figures
Embodiments of the disclosure will now be described with reference to the accompanying Figures, wherein like numerals refer to like elements throughout. The terminology used in the description presented herein is not intended to be interpreted in any limited or restrictive manner, simply because it is being utilized in conjunction with a detailed description of certain specific embodiments of the disclosure. Furthermore, embodiments of the disclosure described above and/or below may include several novel features, no single one of which is solely responsible for its desirable attributes or which is essential to practicing the embodiments of the disclosure herein described.
In the embodiment of the flowchart of
The user interface 202 further includes a submit button (or other user interface element) 206 that the user may select to submit the file data item and initiate an automatic analysis of the file data item, as described below. An “add to graph” button may also be provided that, when selected, may cause the system to, before or after analysis, add the file data item to a graph and/or view the file data item and other related data items in a graph or other visualization, similar to the description below in reference to
In other embodiments, file data items may be automatically received by, or submitted to, the system based on one or more factors, such as when a file data item is stored, accessed, and/or updated on a storage device of the system.
Returning to the flowchart of
If the system determines that the file data item was previously received, at block 116 the system provides a previously determined analysis to the analyst and notifies the analyst that the file data item was previously received (via, for example, a popup window). For example, the system may retrieve a previous analysis of the previously submitted file data item from a data store of the system, and as shown at block 114 (and as described below), provide a user interface to the analyst with the previous analysis information. At block 118, a new submission data item associated with the current submission is generated by the system and associated with the previously submitted file data item. The submission data item may include, for example, the various information provided in the user interface of
If the system determines that the file data item was not previously received, the system proceeds with an automatic analysis of the file data item.
At block 106 the system initiates a basic analysis of the received file data item. The basic analysis (also referred to herein as an “internal analysis”) is generally performed by the system and may include various analyses of the received file data item. Examples of the various analyses performed on the received file data item include, for example, calculation of hash values 106a (for example, calculation of MD5, SHA-1, SHA256, and/or the like) of the file data item, calculation of fuzzy hash values 106b (for example, calculation of SSDeep and/or the like) of the file data item, calculation of other hashes of the file data item, determination of a file size of the file data item (as shown at block 106c), determination of a file type of the file data item, determination of a file name of the file data item, and/or the like. Any information provided by the basic analysis processes may be referred to herein as basic analysis information items, and such basic analysis information items are associated with the file data item analyzed. In various embodiments, as described below, the basic analysis information may be provided to one or more external analysis services to enable more efficient analysis of the file data item. Further, the basic analysis information may be used by the analyst to evaluate the file data item. For example, the analyst may determine, based on the file size of the file data item, that the file data item is less likely to be a malware file.
In an embodiment, when a file data item received by the system is compressed and/or encrypted (for example, contained in a “zip”-type file), the system may automatically un-compress and/or un-encrypt the file data item prior to the basic analysis (such that, for example, the actual file data item of interest may be analyzed, and not a compressed version of the file data item). For example, when necessary the system may request an encryption key from the user upon determination that the file data item is encrypted and/or when the file data item is submitted (for example, via the user interface 202). In an embodiment, the system may automatically determine that a submitted file data item is compressed and/or encrypted. Similarly, the system may automatically un-compress and/or un-encrypt the file data item prior to the external analysis described below. In an embodiment, the file data item may be kept uncompressed and/or unencrypted during both basic analysis and external analysis, and/or during any further analysis. Alternatively, the file data item may be re-compressed and/or re-encrypted (by the same or different algorithms as were used in the initial compression and/or encryption) between the basic analysis and the external analysis such that the file data item may be, for example, safely transmitted to an external service (as described below). In an embodiment, after analyzing the file data item, the system may automatically re-compress and/or re-encrypt (by the same or different algorithms as were used in the initial compression and/or encryption) the file data item prior to storing the file data item.
Returning to the flowchart of
As mentioned above, external analysis may include academic analysis 108a. Academic analysis may include, for example, transmission and/or submission of the file data item to an academic team and/or academic system for analysis, such as a graduate program at a university with a focus on improved malware detection techniques. The academic analysis may include one or more cutting edge analysis techniques, the results of which may be transmitted back to the data analysis system for association with the file data item. The results of the academic analysis may then be presented in a user interface of the system such as the user interface of
As also mentioned above, external analysis may include execution of the file data item in a sandbox environment 108b. A sandbox environment may be a secure computing environment specially designed for execution and analysis of an item of malware. The sandbox is generally walled off from any other computing system so as to prevent damage or infection of any other computing systems by malware when the malware is executed. For example, a sandbox may include a virtual machine executing on a computing system, which has no access to the operating system executing the virtual machine, any data outside of the virtual machine, any networks, etc.
The data analysis system may automatically provide the file data item to such a sandbox environment, which may then execute the file data item. The system may then analyze and record any actions taken or initiated by the file data item upon execution (or such information may be obtained from a sandbox environment external to the system that executes the file data item). For example, the file data item may attempt to contact one or more URLs or domains, may make modifications to files and/or a file system, may make modification to an operating system registry, may deliver one or more payloads (for example, additional files or programs written to the computing system on which the file data item is executed, and/or executed by the file data item on the computing system on which the file data item is executed), and/or the like. The data analysis system may then record such analysis information, including payloads provided by the file data item, and associate them with the file data item. The portion 216 of the user interface of
As also mentioned above, external analysis may include transmission and/or submission of the file data item to one or more third-party analysis providers for analysis. Examples of such third-party analysis providers include FireEye (block 108c), and VirusTotal (block 108d). The one or more third-party analysis providers may then transmit one or more analysis information items back to the system, where it may be associated with the file data item and displayed to the analyst.
As also mentioned above, the external analysis block 108 may include gathering of various data items (for example, other file data items) by the system that may be related to the file data item. Examples of such files may include submission data items (for example, as generated each time the file data item has been submitted to the system, as described above and below), other files submitted to the system by users and designated as related to the file data item, payloads gathered from execution of the file data item in a sandbox environment, and/or the like.
Returning to the flowchart of
At block 114 the user interface (for example, the user interface of
Returning to the flowchart of
In an embodiment, the data analysis system encrypts and/or otherwise secures stored file data items such that they may not be executed by the system when not being analyzed and/or outside of a sandbox environment.
In an embodiment, an analyst may add notes and/or tags to a file data item via a user interface of the system. For example, the analyst may, after reviewing the analysis, make a determination regarding the type of malware and/or threat level of the malware of the file data item, and may add notes and/or tags to that effect to be associated with the file data item. In this embodiment, other analysts may then be able to review the notes and/or tags when accessing the file data item. Additionally, the analyst and/or other analysts may be able to determine any previous times a particular malware file has appeared on a network and details about those instances. In an embodiment, a notification of the previous instances a malware file has been found and/or analyzed may be provided to the analyst. In an embodiment, the analyst may mark the file data item as likely malware (or, for example, “malicious”) or not likely malware.
Data Item-Centric Data Model
To provide a framework for the description of specific systems and methods provided above and below, an example database system 1210 using an ontology 1205 will now be described in reference to
In one embodiment, a body of data is conceptually structured according to data item-centric data model represented by ontology 1205. The conceptual data model is independent of any particular database used for durably storing one or more database(s) 1209 based on the ontology 1205. For example, each object of the conceptual data model may correspond to one or more rows in a relational database or an entry in Lightweight Directory Access Protocol (LDAP) database, or any combination of one or more databases.
Different types of data items may have different property types. For example, a “file” data item (as described above) may have various property types as described above (for example, various hash property types, associated file property types, various external analysis property types, and/or the like), a “Person” data item may have an “Eye Color” property type, and an “Event” data item may have a “Date” property type. Each property 1203 as represented by data in the database system 1210 may have a property type defined by the ontology 1205 used by the database 1205. Properties of data items may, in an embodiment, themselves be data items and/or associated with data items. For example, file data items may be associated with various analysis information items, as described above. Analysis information items may comprise data items and/or properties associated with data items (for example, file data items).
Items may be instantiated in the database 1209 in accordance with the corresponding data item definition for the particular data item in the ontology 1205. For example, a specific monetary payment (e.g., an item of type “event”) of US$30.00 (e.g., a property of type “currency”) taking place on Mar. 27, 2009 (e.g., a property of type “date”) may be stored in the database 1209 as an event data item with associated currency and date properties as defined within the ontology 1205.
The data objects defined in the ontology 1205 may support property multiplicity. In particular, a data item 1201 may be allowed to have more than one property 1203 of the same property type. For example, a “Person” data item may have multiple “Address” properties or multiple “Name” properties.
Each link 1202 represents a connection between two data items 1201. In one embodiment, the connection is either through a relationship, an event, or through matching properties. A relationship connection may be asymmetrical or symmetrical. For example, “Person” data item A may be connected to “Person” data item B by a “Child Of” relationship (where “Person” data item B has an asymmetric “Parent Of” relationship to “Person” data item A), a “Kin Of” symmetric relationship to “Person” data item C, and an asymmetric “Member Of” relationship to “Organization” data item X. The type of relationship between two data items may vary depending on the types of the data items. For example, “Person” data item A may have an “Appears In” relationship with “Document” data item Y or have a “Participate In” relationship with “Event” data item E. As an example of an event connection, two “Person” data items may be connected by an “Airline Flight” data item representing a particular airline flight if they traveled together on that flight, or by a “Meeting” data item representing a particular meeting if they both attended that meeting. In one embodiment, when two data items are connected by an event, they are also connected by relationships, in which each data item has a specific relationship to the event, such as, for example, an “Appears In” relationship.
As an example of a matching properties connection, two “Person” data items representing a brother and a sister, may both have an “Address” property that indicates where they live. If the brother and the sister live in the same home, then their “Address” properties likely contain similar, if not identical property values. In one embodiment, a link between two data items may be established based on similar or matching properties (e.g., property types and/or property values) of the data items. These are just some examples of the types of connections that may be represented by a link and other types of connections may be represented; embodiments are not limited to any particular types of connections between data items. For example, a document might contain references to two different items. For example, a document may contain a reference to a payment (one item), and a person (a second item). A link between these two items may represent a connection between these two entities through their co-occurrence within the same document.
Each data item 1201 may have multiple links with another data item 1201 to form a link set 1204. For example, two “Person” data items representing a husband and a wife could be linked through a “Spouse Of” relationship, a matching “Address” property, and one or more matching “Event” properties (e.g., a wedding). Each link 1202 as represented by data in a database may have a link type defined by the database ontology used by the database.
In accordance with the discussion above, the example ontology 1205 comprises stored information providing the data model of data stored in database 1209, and the ontology is defined by one or more data item types 1310, one or more property types 1316, and one or more link types 1330. Based on information determined by the parser 1302 or other mapping of source input information to item type, one or more data items 1201 may be instantiated in the database 209 based on respective determined item types 1310, and each of the items 1201 has one or more properties 1203 that are instantiated based on property types 1316. Two data items 1201 may be connected by one or more links 1202 that may be instantiated based on link types 1330. The property types 1316 each may comprise one or more data types 1318, such as a string, number, etc. Property types 1316 may be instantiated based on a base property type 1320. For example, a base property type 1320 may be “Locations” and a property type 1316 may be “Home.”
In an embodiment, a user of the system uses a item type editor 1324 to create and/or modify the item types 1310 and define attributes of the item types. In an embodiment, a user of the system uses a property type editor 1326 to create and/or modify the property types 1316 and define attributes of the property types. In an embodiment, a user of the system uses link type editor 1328 to create the link types 1330. Alternatively, other programs, processes, or programmatic controls may be used to create link types and property types and define attributes, and using editors is not required.
In an embodiment, creating a property type 1316 using the property type editor 1326 involves defining at least one parser definition using a parser editor 1322. A parser definition comprises metadata that informs parser 1302 how to parse input data 1300 to determine whether values in the input data can be assigned to the property type 1316 that is associated with the parser definition. In an embodiment, each parser definition may comprise a regular expression parser 1304A or a code module parser 1304B. In other embodiments, other kinds of parser definitions may be provided using scripts or other programmatic elements. Once defined, both a regular expression parser 1304A and a code module parser 1304B can provide input to parser 1302 to control parsing of input data 1300.
Using the data types defined in the ontology, input data 1300 may be parsed by the parser 1302 determine which item type 1310 should receive data from a record created from the input data, and which property types 1316 should be assigned to data from individual field values in the input data. Based on the item/object-property mapping 1301, the parser 1302 selects one of the parser definitions that is associated with a property type in the input data. The parser parses an input data field using the selected parser definition, resulting in creating new or modified data 1303. The new or modified data 1303 is added to the database 1209 according to ontology 205 by storing values of the new or modified data in a property of the specified property type. As a result, input data 1300 having varying format or syntax can be created in database 1209. The ontology 1205 may be modified at any time using item/object type editor 1324, property type editor 1326, and link type editor 1328, or under program control without human use of an editor. Parser editor 1322 enables creating multiple parser definitions that can successfully parse input data 1300 having varying format or syntax and determine which property types should be used to transform input data 300 into new or modified input data 1303.
The properties, data items, and links (e.g. relationships) between the data items can be visualized using a graphical user interface (“GUI”). For example,
For example, in
Relationships between data items may be stored as links, or in some embodiments, as properties, where a relationship may be detected between the properties. In some cases, as stated above, the links may be directional. For example, a payment link may have a direction associated with the payment, where one person data item is a receiver of a payment, and another person data item is the payer of payment.
In various embodiments, data items may further include malware analysis metadata and/or links. Such malware analysis metadata may be accessed by the data analysis system for displaying objects and features on the user interface (as described above).
In addition to visually showing relationships between the data items, the user interface may allow various other manipulations. For example, the data items within database 1108 may be searched using a search interface 1450 (e.g., text string matching of data item properties), inspected (e.g., properties and associated data viewed), filtered (e.g., narrowing the universe of data items into sets and subsets by properties or relationships), and statistically aggregated (e.g., numerically summarized based on summarization criteria), among other operations and visualizations.
Implementation Mechanisms
According to an embodiment, the data analysis system and other methods and techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, server computer systems, portable computer systems, handheld devices, networking devices or any other device or combination of devices that incorporate hard-wired and/or program logic to implement the techniques.
Computing device(s) are generally controlled and coordinated by operating system software, such as iOS, Android, Chrome OS, Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server, Windows CE, Unix, Linux, SunOS, Solaris, iOS, Blackberry OS, VxWorks, or other compatible operating systems. In other embodiments, the computing device may be controlled by a proprietary operating system. Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, I/O services, and provide a user interface functionality, such as a graphical user interface (“GUI”), among other things.
For example,
Computer system 800 also includes a main memory 806, such as a random access memory (RAM), cache and/or other dynamic storage devices, coupled to bus 802 for storing information and instructions to be executed by processor 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804. Such instructions, when stored in storage media accessible to processor 804, render computer system 800 into a special-purpose machine that is customized to perform the operations specified in the instructions.
Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804. A storage device 810, such as a magnetic disk, optical disk, or USB thumb drive (Flash drive), and/or any other suitable data store, is provided and coupled to bus 802 for storing information (for example, file data items, analysis information data items, submission data items, and/or the like) and instructions.
Computer system 800 may be coupled via bus 802 to a display 812, such as a cathode ray tube (CRT), LCD display, or touch screen display, for displaying information to a computer user and/or receiving input from the user. An input device 814, including alphanumeric and other keys, is coupled to bus 802 for communicating information and command selections to processor 804. Another type of user input device is cursor control 816, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane. In some embodiments, the same direction information and command selections as cursor control may be implemented via receiving touches on a touch screen without a cursor.
Computing system 800 may include a user interface module, and/or various other types of modules to implement one or more graphical user interface of the data analysis system, as described above. The modules may be stored in a mass storage device as executable software codes that are executed by the computing device(s). This and other modules may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
In general, the word “module,” as used herein, refers to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software modules configured for execution on computing devices may be provided on a computer readable medium, such as a compact disc, digital video disc, flash drive, magnetic disc, or any other tangible medium, or as a digital download (and may be originally stored in a compressed or installable format that requires installation, decompression or decryption prior to execution). Such software code may be stored, partially or fully, on a memory device of the executing computing device, for execution by the computing device. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware devices (such as processors and CPUs) may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage. In various embodiments, aspects of the methods and systems described herein may be implemented by one or more hardware devices, for example, as logic circuits. In various embodiments, some aspects of the methods and systems described herein may be implemented as software instructions, while other may be implemented in hardware, in any combination.
As mentioned, computer system 800 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 800 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 800 in response to processor(s) 804 executing one or more sequences of one or more modules and/or instructions contained in main memory 806. Such instructions may be read into main memory 806 from another storage medium, such as storage device 810. Execution of the sequences of instructions contained in main memory 806 causes processor(s) 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
The term “non-transitory media,” and similar terms, as used herein refers to any media that store data and/or instructions that cause a machine to operate in a specific fashion. Such non-transitory media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 810. Volatile media includes dynamic memory, such as main memory 806. Common forms of non-transitory media include, for example, a floppy disk, a flexible disk, hard disk, solid state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge, and networked versions of the same.
Non-transitory media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between nontransitory media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 802. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 804 for execution. For example, the instructions may initially be carried on a magnetic disk or solid state drive of a remote computer. The remote computer can load the instructions and/or modules into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802. Bus 802 carries the data to main memory 806, from which processor 804 retrieves and executes the instructions. The instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804.
Computer system 800 also includes a communication interface 818 coupled to bus 802. Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822. For example, communication interface 818 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN (or WAN component to communicated with a WAN). Wireless links may also be implemented. In any such implementation, communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
Network link 820 typically provides data communication through one or more networks to other data devices. For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826. ISP 826 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 828. Local network 822 and Internet 828 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 820 and through communication interface 818, which carry the digital data to and from computer system 800, are example forms of transmission media.
Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818. In the Internet example, a server 830 might transmit a requested code for an application program through Internet 828, ISP 826, local network 822 and communication interface 818. For example, in an embodiment various aspects of the data analysis system may be implemented on one or more of the servers 830 and may be transmitted to and from the computer system 800. For example, submitted malware data items may be transmitted to one of the servers 830, aspects of the basic analysis may be implemented on one or more of the servers 830, and/or aspects of the external analysis may be implemented on one or more of the servers 830. In an example, requests for external analyses of file data items may be transmitted to one or more third-party servers 830 (from, for example, the computer system 800 and/or another server 830 of the system), and analysis data may then be transmitted back from third-party servers 830.
In an embodiment, the data analysis system may be accessible by the user through a web-based viewer, such as a web browser. In this embodiment, the user interfaces of the system may be generated by a server (such as one of the servers 830) and/or the computer system 800 and transmitted to the web browser of the user. The user may then interact with the user interfaces through the web-browser. In an embodiment, the computer system 800 may comprise a mobile electronic device, such as a cell phone, smartphone, and/or tablet. The system may be accessible by the user through such a mobile electronic device, among other types of electronic devices.
While the foregoing is directed to various embodiments, other and further embodiments may be devised without departing from the basic scope thereof. For example, aspects of the present disclosure may be implemented in hardware or software or in a combination of hardware and software. An embodiment of the disclosure may be implemented as a program product for use with a computer system. The program(s) of the program product define functions of the embodiments (including the methods described herein) and may be contained on a variety of computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, flash memory, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored. Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The processes and algorithms may alternatively be implemented partially or wholly in application-specific circuitry.
The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and subcombinations are intended to fall within the scope of this disclosure. In addition, certain method or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added to or removed from the disclosed example embodiments. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged compared to the disclosed example embodiments.
Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.
The term “comprising” as used herein should be given an inclusive rather than exclusive interpretation. For example, a general purpose computer comprising one or more processors should not be interpreted as excluding other computer components, and may possibly include such components as memory, input/output devices, and/or network interfaces, among others.
Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.
It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the invention may be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the invention with which that terminology is associated. The scope of the invention should therefore be construed in accordance with the appended claims and any equivalents thereof.
Any and all applications for which a foreign or domestic priority claim is identified in the Application Data Sheet as filed with the present application are hereby incorporated by reference under 37 CFR 1.57. This application is a continuation of U.S. patent application Ser. No. 14/473,860, filed Aug. 29, 2014, titled “MALWARE DATA ITEM ANALYSIS,” which application claims benefit of U.S. Provisional Patent Application No. 62/020,905, filed Jul. 3, 2014, titled “MALWARE DATA ITEM ANALYSIS.” The entire disclosure of each of the above items is hereby made part of this specification as if set forth fully herein and incorporated by reference for all purposes, for all that it contains.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5109399 | Thompson | Apr 1992 | A |
| 5329108 | Lamoure | Jul 1994 | A |
| 5548749 | Kroenke et al. | Aug 1996 | A |
| 5632009 | Rao et al. | May 1997 | A |
| 5670987 | Doi et al. | Sep 1997 | A |
| 5708828 | Coleman | Jan 1998 | A |
| 5765171 | Gehani et al. | Jun 1998 | A |
| 5781704 | Rossmo | Jul 1998 | A |
| 5845300 | Comer | Dec 1998 | A |
| 5870761 | Demers et al. | Feb 1999 | A |
| 6057757 | Arrowsmith et al. | May 2000 | A |
| 6091956 | Hollenberg | Jul 2000 | A |
| 6098078 | Gehani et al. | Aug 2000 | A |
| 6161098 | Wallman | Dec 2000 | A |
| 6190053 | Stahlecker et al. | Feb 2001 | B1 |
| 6202085 | Benson et al. | Mar 2001 | B1 |
| 6216140 | Kramer | Apr 2001 | B1 |
| 6219053 | Tachibana et al. | Apr 2001 | B1 |
| 6232971 | Haynes | May 2001 | B1 |
| 6247019 | Davies | Jun 2001 | B1 |
| 6279018 | Kudrolli et al. | Aug 2001 | B1 |
| 6317754 | Peng | Nov 2001 | B1 |
| 6341310 | Leshem et al. | Jan 2002 | B1 |
| 6366933 | Ball et al. | Apr 2002 | B1 |
| 6369835 | Lin | Apr 2002 | B1 |
| 6374252 | Althoff et al. | Apr 2002 | B1 |
| 6456997 | Shukla | Sep 2002 | B1 |
| 6539381 | Prasad et al. | Mar 2003 | B1 |
| 6549944 | Weinberg et al. | Apr 2003 | B1 |
| 6560620 | Ching | May 2003 | B1 |
| 6567936 | Yang et al. | May 2003 | B1 |
| 6581068 | Bensoussan et al. | Jun 2003 | B1 |
| 6594672 | Lampson et al. | Jul 2003 | B1 |
| 6631496 | Li et al. | Oct 2003 | B1 |
| 6642945 | Sharpe | Nov 2003 | B1 |
| 6714936 | Nevin, III | Mar 2004 | B1 |
| 6775675 | Nwabueze et al. | Aug 2004 | B1 |
| 6807569 | Bhimani et al. | Oct 2004 | B1 |
| 6816941 | Carlson et al. | Nov 2004 | B1 |
| 6828920 | Owen et al. | Dec 2004 | B2 |
| 6839745 | Dingari et al. | Jan 2005 | B1 |
| 6877137 | Rivette et al. | Apr 2005 | B1 |
| 6976210 | Silva et al. | Dec 2005 | B1 |
| 6980984 | Huffman et al. | Dec 2005 | B1 |
| 6985950 | Hanson et al. | Jan 2006 | B1 |
| 7036085 | Barros | Apr 2006 | B2 |
| 7043702 | Chi et al. | May 2006 | B2 |
| 7055110 | Kupka et al. | May 2006 | B2 |
| 7072911 | Doman | Jul 2006 | B1 |
| 7139800 | Bellotti et al. | Nov 2006 | B2 |
| 7158878 | Rasmussen et al. | Jan 2007 | B2 |
| 7162475 | Ackerman | Jan 2007 | B2 |
| 7167877 | Balogh et al. | Jan 2007 | B2 |
| 7168039 | Bertram | Jan 2007 | B2 |
| 7171427 | Witkowski et al. | Jan 2007 | B2 |
| 7225468 | Waisman et al. | May 2007 | B2 |
| 7269786 | Malloy et al. | Sep 2007 | B1 |
| 7278105 | Kitts | Oct 2007 | B1 |
| 7290698 | Poslinski et al. | Nov 2007 | B2 |
| 7333998 | Heckerman et al. | Feb 2008 | B2 |
| 7370047 | Gorman | May 2008 | B2 |
| 7373669 | Eisen | May 2008 | B2 |
| 7379811 | Rasmussen et al. | May 2008 | B2 |
| 7379903 | Caballero et al. | May 2008 | B2 |
| 7426654 | Adams et al. | Sep 2008 | B2 |
| 7437664 | Borson | Oct 2008 | B2 |
| 7451397 | Weber et al. | Nov 2008 | B2 |
| 7454466 | Bellotti et al. | Nov 2008 | B2 |
| 7467375 | Tondreau et al. | Dec 2008 | B2 |
| 7487139 | Fraleigh et al. | Feb 2009 | B2 |
| 7502786 | Liu et al. | Mar 2009 | B2 |
| 7525422 | Bishop et al. | Apr 2009 | B2 |
| 7529727 | Arning et al. | May 2009 | B2 |
| 7546245 | Surpin | Jun 2009 | B2 |
| 7558677 | Jones | Jul 2009 | B2 |
| 7574428 | Leiserowitz et al. | Aug 2009 | B2 |
| 7579965 | Bucholz | Aug 2009 | B2 |
| 7596285 | Brown et al. | Sep 2009 | B2 |
| 7614006 | Molander | Nov 2009 | B2 |
| 7617232 | Gabbert et al. | Nov 2009 | B2 |
| 7620628 | Kapur et al. | Nov 2009 | B2 |
| 7627812 | Chamberlain et al. | Dec 2009 | B2 |
| 7634717 | Chamberlain et al. | Dec 2009 | B2 |
| 7640173 | Surpin et al. | Dec 2009 | B2 |
| 7676788 | Ousterhout et al. | Mar 2010 | B1 |
| 7703021 | Flam | Apr 2010 | B1 |
| 7712049 | Williams et al. | May 2010 | B2 |
| 7716067 | Surpin et al. | May 2010 | B2 |
| 7716077 | Mikurak | May 2010 | B1 |
| 7725547 | Albertson et al. | May 2010 | B2 |
| 7730082 | Sah et al. | Jun 2010 | B2 |
| 7730109 | Rohrs et al. | Jun 2010 | B2 |
| 7770100 | Chamberlain et al. | Aug 2010 | B2 |
| 7783658 | Bayliss | Aug 2010 | B1 |
| 7805457 | Viola et al. | Sep 2010 | B1 |
| 7809703 | Balabhadrapatruni et al. | Oct 2010 | B2 |
| 7814102 | Miller et al. | Oct 2010 | B2 |
| 7818297 | Peleg et al. | Oct 2010 | B2 |
| 7818658 | Chen | Oct 2010 | B2 |
| 7877421 | Berger et al. | Jan 2011 | B2 |
| 7894984 | Rasmussen et al. | Feb 2011 | B2 |
| 7899611 | Downs et al. | Mar 2011 | B2 |
| 7917376 | Bellin et al. | Mar 2011 | B2 |
| 7920963 | Jouline et al. | Apr 2011 | B2 |
| 7933862 | Chamberlain et al. | Apr 2011 | B2 |
| 7962281 | Rasmussen et al. | Jun 2011 | B2 |
| 7962495 | Jain et al. | Jun 2011 | B2 |
| 7962848 | Bertram | Jun 2011 | B2 |
| 7970240 | Chao et al. | Jun 2011 | B1 |
| 7971150 | Raskutti et al. | Jun 2011 | B2 |
| 7984374 | Caro et al. | Jul 2011 | B2 |
| 8001465 | Kudrolli et al. | Aug 2011 | B2 |
| 8001482 | Bhattiprolu et al. | Aug 2011 | B2 |
| 8010545 | Stefik et al. | Aug 2011 | B2 |
| 8010886 | Gusmorino et al. | Aug 2011 | B2 |
| 8015151 | Lier et al. | Sep 2011 | B2 |
| 8015487 | Roy et al. | Sep 2011 | B2 |
| 8019709 | Norton et al. | Sep 2011 | B2 |
| 8024778 | Cash et al. | Sep 2011 | B2 |
| 8036632 | Cona et al. | Oct 2011 | B1 |
| 8046362 | Bayliss | Oct 2011 | B2 |
| 8082172 | Chao et al. | Dec 2011 | B2 |
| 8103543 | Zwicky | Jan 2012 | B1 |
| 8134457 | Velipasalar et al. | Mar 2012 | B2 |
| 8135679 | Bayliss | Mar 2012 | B2 |
| 8135719 | Bayliss | Mar 2012 | B2 |
| 8145703 | Frishert et al. | Mar 2012 | B2 |
| 8185819 | Sah et al. | May 2012 | B2 |
| 8196184 | Amirov et al. | Jun 2012 | B2 |
| 8214361 | Sandler et al. | Jul 2012 | B1 |
| 8214764 | Gemmell et al. | Jul 2012 | B2 |
| 8225201 | Michael | Jul 2012 | B2 |
| 8229947 | Fujinaga | Jul 2012 | B2 |
| 8230333 | Decherd et al. | Jul 2012 | B2 |
| 8239668 | Chen et al. | Aug 2012 | B1 |
| 8266168 | Bayliss | Sep 2012 | B2 |
| 8280880 | Aymeloglu et al. | Oct 2012 | B1 |
| 8290942 | Jones et al. | Oct 2012 | B2 |
| 8290990 | Drath et al. | Oct 2012 | B2 |
| 8301464 | Cave et al. | Oct 2012 | B1 |
| 8301904 | Gryaznov | Oct 2012 | B1 |
| 8302193 | Gardner | Oct 2012 | B1 |
| 8312367 | Foster | Nov 2012 | B2 |
| 8312546 | Alme | Nov 2012 | B2 |
| 8316060 | Snyder et al. | Nov 2012 | B1 |
| 8321943 | Walters et al. | Nov 2012 | B1 |
| 8347398 | Weber | Jan 2013 | B1 |
| 8352881 | Champion et al. | Jan 2013 | B2 |
| 8368695 | Howell et al. | Feb 2013 | B2 |
| 8380659 | Zunger | Feb 2013 | B2 |
| 8397171 | Klassen et al. | Mar 2013 | B2 |
| 8411046 | Kruzensiki et al. | Apr 2013 | B2 |
| 8412707 | Mianji | Apr 2013 | B1 |
| 8447674 | Choudhuri et al. | May 2013 | B2 |
| 8447722 | Ahuja et al. | May 2013 | B1 |
| 8452790 | Mianji | May 2013 | B1 |
| 8463036 | Ramesh et al. | Jun 2013 | B1 |
| 8484168 | Bayliss | Jul 2013 | B2 |
| 8489331 | Kopf et al. | Jul 2013 | B2 |
| 8489641 | Seefeld et al. | Jul 2013 | B1 |
| 8495077 | Bayliss | Jul 2013 | B2 |
| 8498969 | Bayliss | Jul 2013 | B2 |
| 8498984 | Hwang et al. | Jul 2013 | B1 |
| 8514082 | Cova et al. | Aug 2013 | B2 |
| 8515207 | Chau | Aug 2013 | B2 |
| 8515912 | Garrod et al. | Aug 2013 | B2 |
| 8527461 | Ducott, III et al. | Sep 2013 | B2 |
| 8554579 | Tribble et al. | Oct 2013 | B2 |
| 8554709 | Goodson et al. | Oct 2013 | B2 |
| 8577911 | Stepinski et al. | Nov 2013 | B1 |
| 8589273 | Creeden et al. | Nov 2013 | B2 |
| 8600872 | Yan | Dec 2013 | B1 |
| 8620641 | Farnsworth et al. | Dec 2013 | B2 |
| 8621634 | Turbin | Dec 2013 | B2 |
| 8646080 | Williamson et al. | Feb 2014 | B2 |
| 8639757 | Adams et al. | Mar 2014 | B1 |
| 8676597 | Buehler et al. | Mar 2014 | B2 |
| 8683322 | Cooper | Mar 2014 | B1 |
| 8688749 | Ducott, III et al. | Apr 2014 | B1 |
| 8689108 | Duffield et al. | Apr 2014 | B1 |
| 8695097 | Mathes et al. | Apr 2014 | B1 |
| 8707185 | Robinson et al. | Apr 2014 | B2 |
| 8713467 | Goldenberg et al. | Apr 2014 | B1 |
| 8726379 | Stiansen et al. | May 2014 | B1 |
| 8739278 | Varghese | May 2014 | B2 |
| 8742934 | Sarpy et al. | Jun 2014 | B1 |
| 8745516 | Mason et al. | Jun 2014 | B2 |
| 8756224 | Dassa et al. | Jun 2014 | B2 |
| 8781169 | Jackson et al. | Jul 2014 | B2 |
| 8787939 | Papakipos et al. | Jul 2014 | B2 |
| 8788405 | Sprague et al. | Jul 2014 | B1 |
| 8788407 | Singh et al. | Jul 2014 | B1 |
| 8799799 | Cervelli et al. | Aug 2014 | B1 |
| 8799812 | Parker | Aug 2014 | B2 |
| 8806625 | Berger | Aug 2014 | B1 |
| 8812960 | Sun et al. | Aug 2014 | B1 |
| 8818892 | Sprague et al. | Aug 2014 | B1 |
| 8830322 | Nerayoff et al. | Sep 2014 | B2 |
| 8832594 | Thompson et al. | Sep 2014 | B1 |
| 8832832 | Visbal et al. | Sep 2014 | B1 |
| 8868486 | Tamayo | Oct 2014 | B2 |
| 8868537 | Colgrove et al. | Oct 2014 | B1 |
| 8898788 | Aziz | Nov 2014 | B1 |
| 8917274 | Ma et al. | Dec 2014 | B2 |
| 8924872 | Bogomolov et al. | Dec 2014 | B1 |
| 8937619 | Sharma et al. | Jan 2015 | B2 |
| 8938686 | Erenrich et al. | Jan 2015 | B1 |
| 9027140 | Watkins | May 2015 | B1 |
| 9112850 | Eisen | Aug 2015 | B1 |
| 9244679 | Arellano | Jan 2016 | B1 |
| 9311479 | Manni | Apr 2016 | B1 |
| 9323863 | Krajec | Apr 2016 | B2 |
| 9336389 | Okereke | May 2016 | B1 |
| 9361353 | Aristides | Jun 2016 | B1 |
| 9367687 | Warshenbrot | Jun 2016 | B1 |
| 9413721 | Morris | Aug 2016 | B2 |
| 20010021936 | Bertram | Sep 2001 | A1 |
| 20020033848 | Sciammarella et al. | Mar 2002 | A1 |
| 20020065708 | Senay et al. | May 2002 | A1 |
| 20020091707 | Keller | Jul 2002 | A1 |
| 20020095658 | Shulman | Jul 2002 | A1 |
| 20020116120 | Ruiz et al. | Aug 2002 | A1 |
| 20020130907 | Chi et al. | Sep 2002 | A1 |
| 20020174201 | Ramer et al. | Nov 2002 | A1 |
| 20030028560 | Kudrolli et al. | Feb 2003 | A1 |
| 20030039948 | Donahue | Feb 2003 | A1 |
| 20030084017 | Ordille | May 2003 | A1 |
| 20030088654 | Good et al. | May 2003 | A1 |
| 20030097330 | Hillmer et al. | May 2003 | A1 |
| 20030144868 | MacIntyre et al. | Jul 2003 | A1 |
| 20030163352 | Surpin et al. | Aug 2003 | A1 |
| 20030182313 | Federwisch et al. | Sep 2003 | A1 |
| 20030187932 | Kennedy | Oct 2003 | A1 |
| 20030200217 | Ackerman | Oct 2003 | A1 |
| 20030225755 | Iwayama et al. | Dec 2003 | A1 |
| 20030229848 | Arend et al. | Dec 2003 | A1 |
| 20040032432 | Baynger | Feb 2004 | A1 |
| 20040064256 | Barinek et al. | Apr 2004 | A1 |
| 20040085318 | Hassler et al. | May 2004 | A1 |
| 20040095349 | Bito et al. | May 2004 | A1 |
| 20040103124 | Kupkova | May 2004 | A1 |
| 20040111390 | Saito et al. | Jun 2004 | A1 |
| 20040111410 | Burgoon et al. | Jun 2004 | A1 |
| 20040126840 | Cheng et al. | Jul 2004 | A1 |
| 20040143602 | Ruiz et al. | Jul 2004 | A1 |
| 20040153418 | Hanweck | Aug 2004 | A1 |
| 20040163039 | Gorman | Aug 2004 | A1 |
| 20040181554 | Heckerman et al. | Sep 2004 | A1 |
| 20040193600 | Kaasten et al. | Sep 2004 | A1 |
| 20040205524 | Richter et al. | Oct 2004 | A1 |
| 20040250124 | Chesla et al. | Dec 2004 | A1 |
| 20040260702 | Cragun et al. | Dec 2004 | A1 |
| 20050027705 | Sadri et al. | Feb 2005 | A1 |
| 20050028094 | Allyn | Feb 2005 | A1 |
| 20050080769 | Gemmell | Apr 2005 | A1 |
| 20050086207 | Heuer et al. | Apr 2005 | A1 |
| 20050125715 | Franco et al. | Jun 2005 | A1 |
| 20050162523 | Darrell et al. | Jul 2005 | A1 |
| 20050180330 | Shapiro | Aug 2005 | A1 |
| 20050182793 | Keenan et al. | Aug 2005 | A1 |
| 20050183005 | Denoue et al. | Aug 2005 | A1 |
| 20050193024 | Beyer et al. | Sep 2005 | A1 |
| 20050222928 | Steier et al. | Oct 2005 | A1 |
| 20050229256 | Banzhof | Oct 2005 | A2 |
| 20050246327 | Yeung et al. | Nov 2005 | A1 |
| 20050251786 | Citron et al. | Nov 2005 | A1 |
| 20050262556 | Waisman et al. | Nov 2005 | A1 |
| 20060020599 | Martin | Jan 2006 | A1 |
| 20060026120 | Carolan et al. | Feb 2006 | A1 |
| 20060026170 | Kreitler et al. | Feb 2006 | A1 |
| 20060045470 | Poslinski et al. | Mar 2006 | A1 |
| 20060059139 | Robinson | Mar 2006 | A1 |
| 20060069912 | Zheng et al. | Mar 2006 | A1 |
| 20060074866 | Chamberlain et al. | Apr 2006 | A1 |
| 20060074881 | Vembu et al. | Apr 2006 | A1 |
| 20060080619 | Carlson et al. | Apr 2006 | A1 |
| 20060129746 | Porter | Jun 2006 | A1 |
| 20060139375 | Rasmussen et al. | Jun 2006 | A1 |
| 20060142949 | Helt | Jun 2006 | A1 |
| 20060149596 | Surpin et al. | Jul 2006 | A1 |
| 20060155945 | McGarvey | Jul 2006 | A1 |
| 20060190497 | Inturi et al. | Aug 2006 | A1 |
| 20060203337 | White | Sep 2006 | A1 |
| 20060206866 | Eldrige et al. | Sep 2006 | A1 |
| 20060218637 | Thomas et al. | Sep 2006 | A1 |
| 20060241974 | Chao et al. | Oct 2006 | A1 |
| 20060242040 | Rader | Oct 2006 | A1 |
| 20060242630 | Koike et al. | Oct 2006 | A1 |
| 20060265747 | Judge | Nov 2006 | A1 |
| 20060271277 | Hu et al. | Nov 2006 | A1 |
| 20060279630 | Aggarwal et al. | Dec 2006 | A1 |
| 20070005707 | Teodosiu et al. | Jan 2007 | A1 |
| 20070011150 | Frank | Jan 2007 | A1 |
| 20070016363 | Huang et al. | Jan 2007 | A1 |
| 20070026373 | Suriyanarayanan et al. | Feb 2007 | A1 |
| 20070038962 | Fuchs et al. | Feb 2007 | A1 |
| 20070057966 | Ohno et al. | Mar 2007 | A1 |
| 20070078832 | Ott et al. | Apr 2007 | A1 |
| 20070083541 | Fraleigh et al. | Apr 2007 | A1 |
| 20070112887 | Liu et al. | May 2007 | A1 |
| 20070168516 | Liu et al. | Jul 2007 | A1 |
| 20070174760 | Chamberlain et al. | Jul 2007 | A1 |
| 20070180075 | Chasman et al. | Aug 2007 | A1 |
| 20070192265 | Chopin et al. | Aug 2007 | A1 |
| 20070208497 | Downs et al. | Sep 2007 | A1 |
| 20070208498 | Barker et al. | Sep 2007 | A1 |
| 20070208736 | Tanigawa et al. | Sep 2007 | A1 |
| 20070220067 | Suriyanarayanan et al. | Sep 2007 | A1 |
| 20070220328 | Liu et al. | Sep 2007 | A1 |
| 20070233756 | D'Souza et al. | Oct 2007 | A1 |
| 20070240062 | Christena et al. | Oct 2007 | A1 |
| 20070266336 | Nojima et al. | Nov 2007 | A1 |
| 20070294200 | Au | Dec 2007 | A1 |
| 20070294643 | Kyle | Dec 2007 | A1 |
| 20070294766 | Mir et al. | Dec 2007 | A1 |
| 20070299887 | Novik et al. | Dec 2007 | A1 |
| 20080027981 | Wahl | Jan 2008 | A1 |
| 20080033753 | Canda et al. | Feb 2008 | A1 |
| 20080040684 | Crump | Feb 2008 | A1 |
| 20080051989 | Welsh | Feb 2008 | A1 |
| 20080052142 | Bailey et al. | Feb 2008 | A1 |
| 20080077597 | Butler | Mar 2008 | A1 |
| 20080077642 | Carbone et al. | Mar 2008 | A1 |
| 20080086718 | Bostick et al. | Apr 2008 | A1 |
| 20080104019 | Nath | May 2008 | A1 |
| 20080126951 | Sood et al. | May 2008 | A1 |
| 20080133567 | Ames et al. | Jun 2008 | A1 |
| 20080155440 | Trevor et al. | Jun 2008 | A1 |
| 20080162616 | Gross et al. | Jul 2008 | A1 |
| 20080195417 | Surpin et al. | Aug 2008 | A1 |
| 20080195608 | Clover | Aug 2008 | A1 |
| 20080222295 | Robinson et al. | Sep 2008 | A1 |
| 20080229422 | Hudis et al. | Sep 2008 | A1 |
| 20080243951 | Webman et al. | Oct 2008 | A1 |
| 20080255973 | El Wade et al. | Oct 2008 | A1 |
| 20080263468 | Cappione et al. | Oct 2008 | A1 |
| 20080263669 | Alme | Oct 2008 | A1 |
| 20080267107 | Rosenberg | Oct 2008 | A1 |
| 20080276167 | Michael | Nov 2008 | A1 |
| 20080278311 | Grange et al. | Nov 2008 | A1 |
| 20080288306 | Maclntyre et al. | Nov 2008 | A1 |
| 20080301643 | Appleton et al. | Dec 2008 | A1 |
| 20080320299 | Wobber et al. | Dec 2008 | A1 |
| 20090002492 | Velipasalar et al. | Jan 2009 | A1 |
| 20090018940 | Wang et al. | Jan 2009 | A1 |
| 20090027418 | Maru et al. | Jan 2009 | A1 |
| 20090030915 | Winter et al. | Jan 2009 | A1 |
| 20090044279 | Crawford et al. | Feb 2009 | A1 |
| 20090055251 | Shah et al. | Feb 2009 | A1 |
| 20090076845 | Bellin et al. | Mar 2009 | A1 |
| 20090083184 | Eisen | Mar 2009 | A1 |
| 20090088964 | Schaaf et al. | Apr 2009 | A1 |
| 20090103442 | Douville | Apr 2009 | A1 |
| 20090119309 | Gibson et al. | May 2009 | A1 |
| 20090125369 | Kloostra et al. | May 2009 | A1 |
| 20090125459 | Norton et al. | May 2009 | A1 |
| 20090132921 | Hwangbo et al. | May 2009 | A1 |
| 20090132953 | Reed et al. | May 2009 | A1 |
| 20090144262 | White et al. | Jun 2009 | A1 |
| 20090144274 | Fraleigh et al. | Jun 2009 | A1 |
| 20090164934 | Bhattiprolu et al. | Jun 2009 | A1 |
| 20090171939 | Athsani et al. | Jul 2009 | A1 |
| 20090172511 | Decherd et al. | Jul 2009 | A1 |
| 20090177962 | Gusmorino et al. | Jul 2009 | A1 |
| 20090179892 | Tsuda et al. | Jul 2009 | A1 |
| 20090192957 | Subramanian et al. | Jul 2009 | A1 |
| 20090199090 | Poston et al. | Aug 2009 | A1 |
| 20090222400 | Kupershmidt et al. | Sep 2009 | A1 |
| 20090222760 | Halverson et al. | Sep 2009 | A1 |
| 20090234720 | George et al. | Sep 2009 | A1 |
| 20090249244 | Robinson et al. | Oct 2009 | A1 |
| 20090281839 | Lynn et al. | Nov 2009 | A1 |
| 20090285483 | Guven | Nov 2009 | A1 |
| 20090287470 | Farnsworth et al. | Nov 2009 | A1 |
| 20090292626 | Oxford | Nov 2009 | A1 |
| 20090328222 | Helman et al. | Dec 2009 | A1 |
| 20100011282 | Dollard et al. | Jan 2010 | A1 |
| 20100042922 | Bradateanu et al. | Feb 2010 | A1 |
| 20100057716 | Stefik et al. | Mar 2010 | A1 |
| 20100070523 | Delgo et al. | Mar 2010 | A1 |
| 20100070842 | Aymeloglu et al. | Mar 2010 | A1 |
| 20100070897 | Aymeloglu et al. | Mar 2010 | A1 |
| 20100077481 | Polyakov et al. | Mar 2010 | A1 |
| 20100077483 | Stolfo et al. | Mar 2010 | A1 |
| 20100100963 | Mahaffey | Apr 2010 | A1 |
| 20100103124 | Kruzeniski et al. | Apr 2010 | A1 |
| 20100114887 | Conway et al. | May 2010 | A1 |
| 20100122152 | Chamberlain et al. | May 2010 | A1 |
| 20100125546 | Barrett et al. | May 2010 | A1 |
| 20100131457 | Heimendinger | May 2010 | A1 |
| 20100145909 | Ngo | Jun 2010 | A1 |
| 20100162176 | Dunton | Jun 2010 | A1 |
| 20100185691 | Irmak et al. | Jul 2010 | A1 |
| 20100191563 | Schlaifer et al. | Jul 2010 | A1 |
| 20100198684 | Eraker et al. | Aug 2010 | A1 |
| 20100199225 | Coleman et al. | Aug 2010 | A1 |
| 20100228812 | Uomini | Sep 2010 | A1 |
| 20100235915 | Memon et al. | Sep 2010 | A1 |
| 20100250412 | Wagner | Sep 2010 | A1 |
| 20100262688 | Hussain et al. | Oct 2010 | A1 |
| 20100280857 | Liu et al. | Nov 2010 | A1 |
| 20100287084 | Roberts | Nov 2010 | A1 |
| 20100293174 | Bennett et al. | Nov 2010 | A1 |
| 20100306029 | Jolley | Dec 2010 | A1 |
| 20100306713 | Geisner et al. | Dec 2010 | A1 |
| 20100321399 | Ellren et al. | Dec 2010 | A1 |
| 20100323829 | Cross | Dec 2010 | A1 |
| 20100325526 | Ellis et al. | Dec 2010 | A1 |
| 20100325581 | Finkelstein et al. | Dec 2010 | A1 |
| 20100330801 | Rouh | Dec 2010 | A1 |
| 20110010342 | Chen et al. | Jan 2011 | A1 |
| 20110047159 | Baid et al. | Feb 2011 | A1 |
| 20110060753 | Shaked et al. | Mar 2011 | A1 |
| 20110061013 | Bilicki et al. | Mar 2011 | A1 |
| 20110074811 | Hanson et al. | Mar 2011 | A1 |
| 20110078055 | Faribault et al. | Mar 2011 | A1 |
| 20110078173 | Seligmann et al. | Mar 2011 | A1 |
| 20110087519 | Fordyce, III et al. | Apr 2011 | A1 |
| 20110107424 | Singh | May 2011 | A1 |
| 20110117878 | Barash et al. | May 2011 | A1 |
| 20110119100 | Ruhl et al. | May 2011 | A1 |
| 20110137766 | Rasmussen et al. | Jun 2011 | A1 |
| 20110153384 | Horne et al. | Jun 2011 | A1 |
| 20110161096 | Buehler et al. | Jun 2011 | A1 |
| 20110167105 | Ramakrishnan et al. | Jul 2011 | A1 |
| 20110167493 | Song et al. | Jul 2011 | A1 |
| 20110170799 | Carrino et al. | Jul 2011 | A1 |
| 20110173032 | Payne et al. | Jul 2011 | A1 |
| 20110173093 | Psota et al. | Jul 2011 | A1 |
| 20110178842 | Rane et al. | Jul 2011 | A1 |
| 20110208724 | Jones et al. | Aug 2011 | A1 |
| 20110218934 | Elser | Sep 2011 | A1 |
| 20110219450 | McDougal | Sep 2011 | A1 |
| 20110225198 | Edwards et al. | Sep 2011 | A1 |
| 20110231223 | Winters | Sep 2011 | A1 |
| 20110238510 | Rowen et al. | Sep 2011 | A1 |
| 20110238570 | Li et al. | Sep 2011 | A1 |
| 20110258158 | Resende et al. | Oct 2011 | A1 |
| 20110270705 | Parker | Nov 2011 | A1 |
| 20110291851 | Whisenant | Dec 2011 | A1 |
| 20110307382 | Siegel et al. | Dec 2011 | A1 |
| 20110310005 | Chen et al. | Dec 2011 | A1 |
| 20110314007 | Dassa et al. | Dec 2011 | A1 |
| 20120002839 | Niemela | Jan 2012 | A1 |
| 20120005159 | Wang et al. | Jan 2012 | A1 |
| 20120019559 | Siler et al. | Jan 2012 | A1 |
| 20120036013 | Neuhaus et al. | Feb 2012 | A1 |
| 20120036106 | Desai et al. | Feb 2012 | A1 |
| 20120036434 | Oberstein | Feb 2012 | A1 |
| 20120066296 | Appleton et al. | Mar 2012 | A1 |
| 20120072825 | Sherkin et al. | Mar 2012 | A1 |
| 20120079363 | Folting et al. | Mar 2012 | A1 |
| 20120079596 | Thomas | Mar 2012 | A1 |
| 20120084135 | Nissan et al. | Apr 2012 | A1 |
| 20120084866 | Stolfo | Apr 2012 | A1 |
| 20120106801 | Jackson | May 2012 | A1 |
| 20120110633 | An et al. | May 2012 | A1 |
| 20120110674 | Belani et al. | May 2012 | A1 |
| 20120117082 | Koperda et al. | May 2012 | A1 |
| 20120131512 | Takeuchi et al. | May 2012 | A1 |
| 20120144335 | Abeln et al. | Jun 2012 | A1 |
| 20120159307 | Chung et al. | Jun 2012 | A1 |
| 20120159362 | Brown et al. | Jun 2012 | A1 |
| 20120159399 | Bastide et al. | Jun 2012 | A1 |
| 20120173985 | Peppel | Jul 2012 | A1 |
| 20120196557 | Reich et al. | Aug 2012 | A1 |
| 20120196558 | Reich et al. | Aug 2012 | A1 |
| 20120208636 | Feige | Aug 2012 | A1 |
| 20120215898 | Shah et al. | Aug 2012 | A1 |
| 20120221511 | Gibson et al. | Aug 2012 | A1 |
| 20120221553 | Wittmer et al. | Aug 2012 | A1 |
| 20120221580 | Barney | Aug 2012 | A1 |
| 20120245976 | Kumar et al. | Sep 2012 | A1 |
| 20120246148 | Dror | Sep 2012 | A1 |
| 20120254129 | Wheeler et al. | Oct 2012 | A1 |
| 20120266245 | McDougal | Oct 2012 | A1 |
| 20120290879 | Shibuya et al. | Nov 2012 | A1 |
| 20120296907 | Long et al. | Nov 2012 | A1 |
| 20120304244 | Xie | Nov 2012 | A1 |
| 20120310831 | Harris et al. | Dec 2012 | A1 |
| 20120310838 | Harris et al. | Dec 2012 | A1 |
| 20120323888 | Osann, Jr. | Dec 2012 | A1 |
| 20120330801 | McDougal | Dec 2012 | A1 |
| 20120330973 | Ghuneim et al. | Dec 2012 | A1 |
| 20130006725 | Simanek et al. | Jan 2013 | A1 |
| 20130019306 | Lagar-Cavilla et al. | Jan 2013 | A1 |
| 20130024307 | Fuerstenberg et al. | Jan 2013 | A1 |
| 20130024339 | Choudhuri et al. | Jan 2013 | A1 |
| 20130046842 | Muntz et al. | Feb 2013 | A1 |
| 20130055338 | McDougal | Feb 2013 | A1 |
| 20130060786 | Serrano et al. | Mar 2013 | A1 |
| 20130061169 | Pearcy et al. | Mar 2013 | A1 |
| 20130067017 | Carriere et al. | Mar 2013 | A1 |
| 20130073377 | Heath | Mar 2013 | A1 |
| 20130073454 | Busch | Mar 2013 | A1 |
| 20130078943 | Biage et al. | Mar 2013 | A1 |
| 20130097482 | Marantz et al. | Apr 2013 | A1 |
| 20130101159 | Chao et al. | Apr 2013 | A1 |
| 20130111320 | Campbell et al. | May 2013 | A1 |
| 20130117651 | Waldman et al. | May 2013 | A1 |
| 20130139260 | McDougal | May 2013 | A1 |
| 20130139268 | An et al. | May 2013 | A1 |
| 20130145470 | Richard | Jun 2013 | A1 |
| 20130150004 | Rosen | Jun 2013 | A1 |
| 20130151148 | Parundekar et al. | Jun 2013 | A1 |
| 20130152202 | Pak | Jun 2013 | A1 |
| 20130157234 | Gulli et al. | Jun 2013 | A1 |
| 20130160120 | Malaviya et al. | Jun 2013 | A1 |
| 20130173540 | Qian et al. | Jul 2013 | A1 |
| 20130176321 | Mitchell et al. | Jul 2013 | A1 |
| 20130179420 | Park et al. | Jul 2013 | A1 |
| 20130191336 | Ducott et al. | Jul 2013 | A1 |
| 20130211985 | Clark et al. | Aug 2013 | A1 |
| 20130224696 | Wolfe et al. | Aug 2013 | A1 |
| 20130232045 | Tai et al. | Sep 2013 | A1 |
| 20130238616 | Rose et al. | Sep 2013 | A1 |
| 20130246170 | Gross et al. | Sep 2013 | A1 |
| 20130251233 | Yang et al. | Sep 2013 | A1 |
| 20130262527 | Hunter et al. | Oct 2013 | A1 |
| 20130263019 | Castellanos et al. | Oct 2013 | A1 |
| 20130268520 | Fisher et al. | Oct 2013 | A1 |
| 20130276117 | Hwang | Oct 2013 | A1 |
| 20130279757 | Kephart | Oct 2013 | A1 |
| 20130282696 | John et al. | Oct 2013 | A1 |
| 20130290011 | Lynn et al. | Oct 2013 | A1 |
| 20130290825 | Arndt et al. | Oct 2013 | A1 |
| 20130297619 | Chandrasekaran et al. | Nov 2013 | A1 |
| 20130311375 | Priebatsch | Nov 2013 | A1 |
| 20130318594 | Hoy et al. | Nov 2013 | A1 |
| 20130339218 | Subramanian et al. | Dec 2013 | A1 |
| 20130346444 | Makkar et al. | Dec 2013 | A1 |
| 20140006109 | Callioni et al. | Jan 2014 | A1 |
| 20140019936 | Cohanoff | Jan 2014 | A1 |
| 20140032506 | Hoey et al. | Jan 2014 | A1 |
| 20140033010 | Richardt et al. | Jan 2014 | A1 |
| 20140040182 | Gilder et al. | Feb 2014 | A1 |
| 20140040371 | Gurevich et al. | Feb 2014 | A1 |
| 20140040714 | Siegel et al. | Feb 2014 | A1 |
| 20140047357 | Alfaro et al. | Feb 2014 | A1 |
| 20140059038 | McPherson et al. | Feb 2014 | A1 |
| 20140059683 | Ashley | Feb 2014 | A1 |
| 20140068487 | Steiger et al. | Mar 2014 | A1 |
| 20140095509 | Patton | Apr 2014 | A1 |
| 20140108068 | Williams | Apr 2014 | A1 |
| 20140108380 | Gotz et al. | Apr 2014 | A1 |
| 20140108985 | Scott et al. | Apr 2014 | A1 |
| 20140114972 | Ducott et al. | Apr 2014 | A1 |
| 20140123279 | Bishop | May 2014 | A1 |
| 20140129518 | Ducott et al. | May 2014 | A1 |
| 20140143009 | Brice et al. | May 2014 | A1 |
| 20140156527 | Grigg et al. | Jun 2014 | A1 |
| 20140157172 | Peery et al. | Jun 2014 | A1 |
| 20140164502 | Khodorenko et al. | Jun 2014 | A1 |
| 20140189536 | Lange et al. | Jul 2014 | A1 |
| 20140195515 | Baker et al. | Jul 2014 | A1 |
| 20140195887 | Ellis et al. | Jul 2014 | A1 |
| 20140267294 | Ma | Sep 2014 | A1 |
| 20140267295 | Sharma | Sep 2014 | A1 |
| 20140279824 | Tamayo | Sep 2014 | A1 |
| 20140310282 | Sprague et al. | Oct 2014 | A1 |
| 20140316911 | Gross | Oct 2014 | A1 |
| 20140333651 | Cervelli et al. | Nov 2014 | A1 |
| 20140337772 | Cervelli et al. | Nov 2014 | A1 |
| 20140366132 | Stiansen et al. | Dec 2014 | A1 |
| 20150019394 | Unser et al. | Jan 2015 | A1 |
| 20150046870 | Goldenberg et al. | Feb 2015 | A1 |
| 20150089424 | Duffield et al. | Mar 2015 | A1 |
| 20150096024 | Haq | Apr 2015 | A1 |
| 20160300216 | Godsey et al. | Oct 2016 | A1 |
| 20170053115 | Healy et al. | Feb 2017 | A1 |
| Number | Date | Country |
|---|---|---|
| 101729531 | Jun 2010 | CN |
| 103281301 | Sep 2013 | CN |
| 10 2014 103 482 | Sep 2014 | DE |
| 102014215621 | Feb 2015 | DE |
| 0 816 968 | Jan 1996 | EP |
| 1 191 463 | Mar 2002 | EP |
| 1 672 527 | Jun 2006 | EP |
| 2 551 799 | Jan 2013 | EP |
| 2 778 977 | Sep 2014 | EP |
| 2 778 983 | Sep 2014 | EP |
| 2 779 082 | Sep 2014 | EP |
| 2835745 | Feb 2015 | EP |
| 2835770 | Feb 2015 | EP |
| 2838039 | Feb 2015 | EP |
| 2846241 | Mar 2015 | EP |
| 2851852 | Mar 2015 | EP |
| 2858014 | Apr 2015 | EP |
| 2858018 | Apr 2015 | EP |
| 2 516 155 | Jan 2015 | GB |
| 2518745 | Apr 2015 | GB |
| 2012778 | Nov 2014 | NL |
| 2013306 | Feb 2015 | NL |
| WO 00009529 | Feb 2000 | WO |
| WO 2005104736 | Nov 2005 | WO |
| WO 2008011728 | Jan 2008 | WO |
| WO 2009061501 | May 2009 | WO |
| WO 2010000014 | Jan 2010 | WO |
| WO 2010030913 | Mar 2010 | WO |
| WO 2011161565 | Dec 2011 | WO |
| WO 2012009397 | Jan 2012 | WO |
| WO 2013010157 | Jan 2013 | WO |
| WO 2013102892 | Jul 2013 | WO |
| WO 2013126281 | Aug 2013 | WO |
| Entry |
|---|
| Official Communication in British Application No. GB1408025.3 dated Nov. 6, 2014. |
| Official Communication in New Zealand Application No. 622513 dated Apr. 3, 2014. |
| Official Communication in New Zealand Application No. 628161 dated Aug. 25, 2014. |
| Palmas, et al., “An Edge-Bundling Layout for Interactive Parallel Coordinates,” Proceedings of the 2014 IEEE Pacific Visualization Symposium, Mar. 2014, pp. 57-64. |
| Baker et al., “The Development of a Common Enumeration of Vulnerabilities and Exposures,” Presented at the Second International Workshop on Recent Advances in Intrusion Detection, Sep. 7-9, 1999, pp. 35. |
| Crosby et al., “Efficient Data Structures for Tamper-Evident Logging,” Department of Computer Science, Rice University, 2009, pp. 17. |
| European Search Report in Application No. 13152370.6, dated Jun. 3, 2013. |
| European Search Report in Application No. 14159535.5, dated May 22, 2014. |
| International Search Report and Written Opinion in Application No. PCT/US2011/043794, dated Feb. 24, 2012. |
| Lee et al., “A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions,” Lecture Notes in Computer Science, vol. 1907 Nov. 11, 2000, pp. 49-65. |
| Official Communication in New Zealand Application No. 612705, dated Jul. 9, 2013. |
| Official Communication in Australian Application No. 2012238282, dated Jan. 30, 2014. |
| Official Communication in Australian Application No. 2012238282, dated Jun. 6, 2014. |
| Official Communication in New Zealand Application No. 624212, dated May 5, 2014. |
| Official Communication in European Application No. EP 14158861.6, dated Jun. 16, 2014. |
| Official Communication in New Zealand Application No. 622517, dated Apr. 3, 2014. |
| Official Communication in New Zealand Application No. 624557, dated May 14, 2014. |
| Official Communication in New Zealand Application No. 628585, dated Aug. 26, 2014. |
| Official Communication in New Zealand Application No. 628495, dated Aug. 19, 2014. |
| Official Communication in New Zealand Application No. 628263, dated Aug. 12, 2014. |
| Official Communication in Great Britain Application No. 1404457.2, dated Aug. 14, 2014. |
| Official Communication in New Zealand Application No. 622181, dated Mar. 24, 2014. |
| Official Communication in New Zealand Application No. 627962, dated Aug. 5, 2014. |
| Official Communication in New Zealand Application No. 628840, dated Aug. 28, 2014. |
| Official Communication in European Patent Application No. 14159464.8 dated Jul. 31, 2014. |
| “A First Look: Predicting Market Demand for Food Retail using a Huff Analysis,” TRF Policy Solutions, Jul. 2012, pp. 30. |
| “A Quick Guide to UniProtKB Swiss-Prot & TrEMBL,” Sep. 2011, pp. 2. |
| Acklen, Laura, “Absolute Beginner's Guide to Microsoft Word 2003,” Dec. 24, 2003, pp. 15-18, 34-41, 308-316. |
| Alfred, Rayner “Summarizing Relational Data Using Semi-Supervised Genetic Algorithm-Based Clustering Techniques”, Journal of Computer Science, 2010, vol. 6, No. 7, pp. 775-784. |
| Ananiev et al., “The New Modality API,” http://web.archive.org/web/20061211011958/http://java.sun.com/developer/technicalArticles/J2SE/Desktop/javase6/modality/, Jan. 21, 2006, pp. 8. |
| Bluttman et al., “Excel Formulas and Functions for Dummies,” 2005, Wiley Publishing, Inc., pp. 280, 284-286. |
| Bugzilla@Mozilla, “Bug 18726—[feature] Long-click means of invoking contextual menus not supported,” http://bugzilla.mozilla.org/show—bug.cgi?id=18726, printed Jun. 13, 2013 in 11 pages. |
| Canese et al., “Chapter 2: PubMed: The Bibliographic Database,” The NCBI Handbook, Oct. 2002, pp. 1-10. |
| Chen et al., “Bringing Order to the Web: Automatically Categorizing Search Results,” CHI 2000, Proceedings of the SIGCHI conference on Human Factors in Computing Systems, Apr. 1-6, 2000, The Hague, The Netherlands, pp. 145-152. |
| Conner, Nancy, “Google Apps: The Missing Manual,” Sharing and Collaborating on Documents, May 1, 2008, pp. 93-97, 106-113 & 120-121. |
| Delcher et al., “Identifying Bacterial Genes and Endosymbiont DNA with Glimmer,” BioInformatics, vol. 23, No. 6, 2007, pp. 673-679. |
| Dramowicz, Ela, “Retail Trade Area Analysis Using the Huff Model,” Directions Magazine, Jul. 2, 2005 in 10 pages, http://www.directionsmag.com/articles/retail-trade-area-analysis-using-the-huff-model/123411. |
| FireEye, http://www.fireeye.com/ printed Jun. 30, 2014 in 2 pages. |
| FireEye—Products and Solutions Overview, http://www.fireeye.com/products-and-solutions printed Jun. 30, 2014 in 3 pages. |
| GIS-NET 3 Public—Department of Regional Planning. Planning & Zoning Information for Unincorporated LA County. Retrieved Oct. 2, 2013 from http://gis.planning.lacounty.gov/GIS-NET3—Public/Viewer.html. |
| Goswami, Gautam, “Quite ‘Writely’ Said!” One Brick at a Time, Aug. 21, 2005, pp. 7. |
| Griffith, Daniel A., “A Generalized Huff Model,” Geographical Analysis, Apr. 1982, vol. 14, No. 2, pp. 135-144. |
| Hansen et al., “Analyzing Social Media Networks with NodeXL: Insights from a Connected World”, Elsevier Science, Sep. 2010, Ch. 4 & 10, pp. 53-67 & 143-164. |
| Hibbert et al., “Prediction of Shopping Behavior Using a Huff Model Within a GIS Framework,” Healthy Eating in Context, Mar. 18, 2011, pp. 16. |
| Holliday, JoAnne, “Replicated Database Recovery using Multicast Communication,” IEEE 2002, pp. 11. |
| Huff et al., “Calibrating the Huff Model Using ArcGIS Business Analyst,” ESRI, Sep. 2008, pp. 33. |
| Huff, David L., “Parameter Estimation in the Huff Model,” ESRI, ArcUser, Oct.-Dec. 2003, pp. 34-36. |
| Kahan et al., “Annotea: An Open RDF Infrastructure for Shared WEB Annotations”, Computer Networks, 2002, vol. 39, pp. 589-608. |
| Keylines.com, “An Introduction to KeyLines and Network Visualization,” Mar. 2014, http://keylines.com/wp-content/uploads/2014/03/KeyLines-White-Paper.pdf downloaded May 12, 2014 in 8 pages. |
| Keylines.com, “KeyLines Datasheet,” Mar. 2014, http://keylines.com/wp-content/uploads/2014/03/KeyLines-datasheet.pdf downloaded May 12, 2014 in 2 pages. |
| Keylines.com, “Visualizing Threats: Improved Cyber Security Through Network Visualization,” Apr. 2014, http://keylines.com/wp-content/uploads/2014/04/Visualizing-Threats1.pdf downloaded May 12, 2014 in 10 pages. |
| Kitts, Paul, “Chapter 14: Genome Assembly and Annotation Process,” The NCBI Handbook, Oct. 2002, pp. 1-21. |
| Lamport, “Time, Clocks and the Ordering of Events in a Distributed System,” Communications of the ACM, Jul. 1978, vol. 21, No. 7, pp. 558-565. |
| Liu, Tianshun, “Combining GIS and the Huff Model to Analyze Suitable Locations for a New Asian Supermarket in the Minneapolis and St. Paul, Minnesota USA,” Papers in Resource Analysis, 2012, vol. 14, pp. 8. |
| Loeliger, Jon, “Version Control with Git,” O'Reilly, May 2009, pp. 330. |
| Madden, Tom, “Chapter 16: The BLAST Sequence Analysis Tool,” The NCBI Handbook, Oct. 2002, pp. 1-15. |
| Manno et al., “Introducing Collaboration in Single-user Applications through the Centralized Control Architecture,” 2010, pp. 10. |
| Manske, “File Saving Dialogs,” http://www.mozilla.org/editor/ui—specs/FileSaveDialogs.html, Jan. 20, 1999, pp. 7. |
| Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.bing.com. |
| Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.google.com. |
| Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.yahoo.com. |
| Microsoft—Developer Network, “Getting Started with VBA in Word 2010,” Apr. 2010, http://msdn.microsoft.com/en-us/library/ff604039%28v=office.14%29.aspx printed Apr. 4, 2014 in 17 pages. |
| Microsoft Office—Visio, “About connecting shapes,” http://office.microsoft.com/en-us/visio-help/about-connecting-shapes-HP085050369.aspx printed Aug. 4, 2011 in 6 pages. |
| Microsoft Office—Visio, “Add and glue connectors with the Connector tool,” http://office.microsoft.com/en-us/visio-help/add-and-glue-connectors-with-the-connector-tool-HA010048532.aspx?CTT=1 printed Aug. 4, 2011 in 1 page. |
| Mizrachi, Ilene, “Chapter 1: GenBank: The Nuckeotide Sequence Database,” The NCBI Handbook, Oct. 2002, pp. 1-14. |
| O'Sullivan, Bryan, “Making Sense of Revision Control Systems,” Communications of the ACM, Sep. 2009, vol. 52, No. 9, pp. 57-62. |
| Parker, Jr. et al., “Detection of Mutual Inconsistency in Distributed Systems,” IEEE Transactions in Software Engineering, May 1983, vol. SE-9, No. 3, pp. 241-247. |
| Rouse, Margaret, “OLAP Cube,” http://searchdatamanagement.techtarget.com/definition/OLAP-cube, Apr. 28, 2012, pp. 16. |
| Shah, Chintan, “Periodic Connections to Control Server Offer New Way to Detect Botnets,” Oct. 24, 2013 in 6 pages, http://www.blogs.mcafee.com/mcaffe-labs/periodic-links-to-control-server-offer-new-way-to-detect-botnets. |
| Sigrist, et al., “PROSITE, a Protein Domain Database for Functional Characterization and Annotation,” Nucleic Acids Research, 2010, vol. 38, pp. D161-D166. |
| Sirotkin et al., “Chapter 13: The Processing of Biological Sequence Data at NCBI,” The NCBI Handbook, Oct. 2002, pp. 1-11. |
| “The FASTA Program Package,” fasta-36.3.4, Mar. 25, 2011, pp. 29. |
| VirusTotal—About, http://www.virustotal.com/en/about/ printed Jun. 30, 2014 in 8 pages. |
| Wiggerts, T.A., “Using Clustering Algorithms in Legacy Systems Remodularization,” Reverse Engineering, Proceedings of the Fourth Working Conference, Netherlands, Oct. 6-8, 1997, IEEE Computer Soc., pp. 33-43. |
| Chung, Chin-Wan, “Dataplex: An Access to Heterogeneous Distributed Databases,” Communications of the ACM, Association for Computing Machinery, Inc., vol. 33, No. 1, Jan. 1, 1990, pp. 70-80. |
| Definition “Identify” downloaded Jan. 22, 2015, 1 page. |
| Definition “Overlay” downloaded Jan. 22, 2015, 1 page. |
| Glaab et al., “EnrichNet: Network-Based Gene Set Enrichment Analysis,” Bioinformatics 28.18 (2012): pp. i451-i457. |
| Hardesty, “Privacy Challenges: Analysis: It's Surprisingly Easy to Identify Individuals from Credit-Card Metadata,” MIT News on Campus and Around the World, MIT News Office, Jan. 29, 2015, 3 pages. |
| Hogue et al., “Thresher: Automating the Unwrapping of Semantic Content from the World Wide Web,” 14th International Conference on World Wide Web, WWW 2005: Chiba, Japan, May 10-14, 2005, pp. 86-95. |
| Hur et al., “SciMiner: web-based literature mining tool for target identification and functional enrichment analysis,” Bioinformatics 25.6 (2009): pp. 838-840. |
| Nierman, “Evaluating Structural Similarity in XML Documents,” 2002, 6 pages. |
| Olanoff, Drew, “Deep Dive with the New Google Maps for Desktop with Google Earth Integration, It's More than Just a Utility,” May 15, 2013, pp. 1-6, retrieved from the internet: http://web.archive.org/web/20130515230641/http://techcrunch.com/2013/05/15/deep-dive-with-the-new-google-maps-for-desktop-with-google-earth-integration-its-more-than-just-a-utility/. |
| Wikipedia, “Federated Database System,” Sep. 7, 2013, retrieved from the internet on Jan. 27, 2015 http://en.wikipedia.org/w/index/php?title=Federated—database—system&oldid=571954221. |
| Yang et al., “HTML Page Analysis Based on Visual Cues,” 2001, pp. 859-864. |
| Zheng et al., “GOEAST: a web-based software toolkit for Gene Ontology enrichment analysis,” Nucleic acids research 36.suppl 2 (2008): pp. W385-W363. |
| Notice of Allowance for U.S. Appl. No. 14/102,394 dated Aug. 25, 2014. |
| Notice of Allowance for U.S. Appl. No. 14/108,187 dated Aug. 29, 2014. |
| Notice of Allowance for U.S. Appl. No. 14/135,289 dated Oct. 14, 2014. |
| Notice of Allowance for U.S. Appl. No. 14/268,964 dated Dec. 3, 2014. |
| Notice of Allowance for U.S. Appl. No. 14/473,860 dated Jan. 5, 2015. |
| Notice of Allowance for U.S. Appl. No. 14/192,767 dated Dec. 16, 2014. |
| Notice of Allowance for U.S. Appl. No. 14/294,098 dated Dec. 29, 2014. |
| Official Communication for Great Britain Patent Application No. 1404574.4 dated Dec. 18, 2014. |
| Official Communication for Great Britain Patent Application No. 1411984.6 dated Dec. 22, 2014. |
| Official Communication for Great Britain Patent Application No. 1413935.6 dated Jan. 27, 2015. |
| Official Communication for European Patent Application No. 14180281.9 dated Jan. 26, 2015. |
| Official Communication for European Patent Application No. 14187996.5 dated Feb. 12, 2015. |
| Official Communication for European Patent Application No. 14180142.3 dated Feb. 6, 2015. |
| Official Communication for European Patent Application No. 14186225.0 dated Feb. 13, 2015. |
| Official Communication for European Patent Application No. 14189344.6 dated Feb. 20, 2015. |
| Official Communication for Australian Patent Application No. 2014201511 dated Feb. 27, 2015. |
| Official Communication for European Patent Application No. 14189347.9 dated Mar. 4, 2015. |
| Official Communication for European Patent Application No. 14199182.8 dated Mar. 13, 2015. |
| Official Communication for Australian Patent Application No. 2014202442 dated Mar. 19, 2015. |
| Official Communication for U.S. Appl. No. 14/289,596 dated Jul. 18, 2014. |
| Official Communication for U.S. Appl. No. 14/289,599 dated Jul. 22, 2014. |
| Official Communication for U.S. Appl. No. 14/225,160 dated Jul. 29, 2014. |
| Official Communication for U.S. Appl. No. 14/268,964 dated Sep. 3, 2014. |
| Official Communication for U.S. Appl. No. 14/225,084 dated Sep. 2, 2014. |
| Official Communication for U.S. Appl. No. 14/294,098 dated Aug. 15, 2014. |
| Official Communication for U.S. Appl. No. 14/148,568 dated Oct. 22, 2014. |
| Official Communication for U.S. Appl. No. 14/225,006 dated Sep. 10, 2014. |
| Official Communication for U.S. Appl. No. 14/294,098 dated Nov. 6, 2014. |
| Official Communication for U.S. Appl. No. 14/306,138 dated Sep. 23, 2014. |
| Official Communication for U.S. Appl. No. 14/306,154 dated Sep. 9, 2014. |
| Official Communication for U.S. Appl. No. 14/306,147 dated Sep. 9, 2014. |
| Official Communication for U.S. Appl. No. 14/319,765 dated Nov. 25, 2014. |
| Official Communication for U.S. Appl. No. 14/323,935 dated Nov. 28, 2014. |
| Official Communication for U.S. Appl. No. 14/326,738 dated Dec. 2, 2014. |
| Official Communication for U.S. Appl. No. 14/225,160 dated Oct. 22, 2014. |
| Official Communication for U.S. Appl. No. 14/504,103 dated Feb. 5, 2015. |
| Official Communication for U.S. Appl. No. 14/289,596 dated Jan. 26, 2015. |
| Official Communication for U.S. Appl. No. 14/319,765 dated Feb. 4, 2015. |
| Official Communication for U.S. Appl. No. 14/225,160 dated Feb. 11, 2015. |
| Official Communication for U.S. Appl. No. 14/306,138 dated Feb. 18, 2015. |
| Official Communication for U.S. Appl. No. 14/306,147 dated Feb. 19, 2015. |
| Official Communication for U.S. Appl. No. 14/225,084 dated Feb. 20, 2015. |
| Official Communication for U.S. Appl. No. 14/225,006 dated Feb. 27, 2015. |
| Official Communication for U.S. Appl. No. 14/473,552 dated Feb. 24, 2015. |
| Official Communication for U.S. Appl. No. 14/486,991 dated Mar. 10, 2015. |
| Official Communication for U.S. Appl. No. 14/306,154 dated Mar. 11, 2015. |
| Official Communication for U.S. Appl. No. 13/831,791 dated Mar. 4, 2015. |
| Official Communication for U.S. Appl. No. 14/504,103 dated Mar. 31, 2015. |
| Official Communication for U.S. Appl. No. 14/323,935 dated Mar. 31, 2015. |
| Official Communication for U.S. Appl. No. 14/326,738 dated Mar. 31, 2015. |
| Official Communication for U.S. Appl. No. 14/280,490 dated Jul. 24, 2014. |
| Official Communication for U.S. Appl. No. 14/479,863 dated Dec. 26, 2014. |
| Official Communication for U.S. Appl. No. 14/490,612 dated Jan. 27, 2015. |
| Official Communication for U.S. Appl. No. 14/490,612 dated Mar. 31, 2015. |
| Official Communication for U.S. Appl. No. 15/235,551 dated Nov. 2, 2016. |
| Official Communication for U.S. Appl. No. 15/235,551 dated Jan. 30, 2017. |
| Official Communication for New Zealand Patent Application No. 622513 dated Apr. 3, 2014. |
| Official Communication for European Patent Application No. 15175106.2 dated Nov. 5, 2015. |
| Number | Date | Country | |
|---|---|---|---|
| 20160004864 A1 | Jan 2016 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62020905 | Jul 2014 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 14473860 | Aug 2014 | US |
| Child | 14668833 | US |
