DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to the application filed on 11/28/2021. Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Examiner Note
Claims 9 and 15 recite “a computer readable storage medium”. The computer readable storage medium is described in paragraph 73 of the specification as: “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire”.
EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

 The application has been amended as follows:
Please replace claim 1 with:
1. (Currently amended) A computer-implemented method of detecting a malicious activity on a computer system, the method comprising:
identifying, by one or more processors, first process trees for a plurality of computer processes that have executed on a computer system;
vectorizing, by the one or more processors, each of the first process trees and associating, by the one or more processors, the vectorized first process trees with respective labels, each label representing an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity;
training, by the one or more processors, an artificial neural network by using the vectorized first process trees and the associated labels as training input;
vectorizing, by the one or more processors and after a completion of the training of the artificial neural network, second process trees for computer processes that are currently executing on the computer system, and providing, by the one or more processors, the vectorized second process trees as input vectors to the artificial neural network; 
in response to the artificial neural network providing an output indicating that a combination of the input vectors indicates the malicious activity, performing, by the one or more processors, a remedial action for the malicious activity;
determining, by the one or more processors and during the training the artificial neural network, a language of a first computer process based on one or more computer-based actions indicated by one or more sub-trees within a first process tree included in the first process trees, the language of the first computer process including a specification of a first launching application and a first order of first tasks performed by the first computer process; 
determining, by the one or more processors, that the language of the first computer process indicates the malicious activity;
determining, by the one or more processors, a language of a second computer process based on one or more other computer-based actions indicated by one or more other sub-trees within a second process tree included in the second process trees, the language of the second computer process including a specification of a second launching application and a second order of second tasks performed by the second computer process; 
determining, by the one or more processors, that the language of the first computer process matches the language of the second computer process by determining that the first launching application matches the second launching application and the first order of the first tasks matches the second order of the second tasks, wherein the performing the remedial action is based on the language of the first computer process indicating the malicious activity and matching the language of the second computer process;
based on the language of the second computer process, generating, by the one or more processors and using a natural language generation engine, a text in a natural language that includes a description of the malicious activity based on the one or more other computer-based actions; 
converting, by the one or more processors, the text into a voice message and sending the voice message to a human analyst, wherein the voice message includes the remedial action for the malicious activity; and
receiving, by the one or more processors, an approval of the remedial action, wherein the performing the remedial action is performed automatically in response to the receiving the approval.
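The following Python program is an added illustration of the pipeline that claim 1 recites; it is not part of the office action, the application's disclosure, or any product. It identifies process trees from constructed endpoint events, vectorizes each tree (the launching application, each task, and each ordered pair of consecutive tasks, so that task order survives vectorization), trains a single sigmoid unit as a minimal stand-in for the artificial neural network using fractional labels, derives each process's "language" (launching application plus ordered tasks), and performs the remedial-action decision only when the network flags the live tree and its language matches one learned as malicious. A template string stands in for the natural language generation engine, and a policy dictionary with a risk threshold models the automatic-remediation condition of claims 14 and 20. All process names, actions, labels, the `chain` event builder and the policy values are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed endpoint events, one per process: (pid, ppid, image, action).
# pids are assigned in chronological order, so sorting by pid recovers the
# order in which the tasks were performed.
def chain(pid, app, actions):
    """Events for one tree: `app` performs actions[0], then spawns a chain of
    child processes that perform the remaining actions in order (assumed shape)."""
    events = [(pid, 1, app, actions[0])]
    for i, act in enumerate(actions[1:], 1):
        events.append((pid + i, pid + i - 1, "child.exe", act))
    return events

TRAINING_EVENTS = (
    chain(100, "winword.exe", ["open_document", "spawn_shell", "download_file", "execute_file"])
    + chain(200, "outlook.exe", ["open_mail", "spawn_shell", "download_file", "execute_file"])
    + chain(300, "winword.exe", ["open_document", "spawn_shell", "encode_payload", "execute_file"])
    + chain(400, "winword.exe", ["open_document", "print_document", "save_document"])
    + chain(500, "outlook.exe", ["open_mail", "save_attachment", "open_document"])
    + chain(600, "explorer.exe", ["open_document", "save_document"])
)
# One label per tree above: the amount by which it reflects malicious activity.
TRAINING_LABELS = [1.0, 1.0, 0.8, 0.0, 0.1, 0.0]

def build_trees(events):
    """Identify process trees.  Returns [(launching application, ordered tasks)],
    one per root process, in root-pid order."""
    by_pid = {e[0]: e for e in events}
    def root_of(pid):
        while by_pid[pid][1] in by_pid:        # climb while the parent is known
            pid = by_pid[pid][1]
        return pid
    grouped = defaultdict(list)
    for e in sorted(events):
        grouped[root_of(e[0])].append(e[3])
    return [(by_pid[r][2], tasks) for r, tasks in sorted(grouped.items())]

def language(tree):
    """The claim's 'language' of a process: launching application + task order."""
    app, tasks = tree
    return (app, tuple(tasks))

def tokens(tree):
    """Map a tree to text-like tokens: the launching app, each task, and each
    ordered pair of consecutive tasks (so the order survives vectorization)."""
    app, tasks = tree
    return ["app=" + app] + list(tasks) + [a + ">" + b for a, b in zip(tasks, tasks[1:])]

def build_vocab(trees):
    return sorted({t for tree in trees for t in tokens(tree)})

def vectorize(tree, vocab):
    counts = Counter(tokens(tree))
    return [float(counts[v]) for v in vocab]

class Neuron:
    """A single sigmoid unit trained by gradient descent: the smallest possible
    stand-in for the claimed artificial neural network."""
    def __init__(self, n):
        self.w, self.b = [0.0] * n, 0.0
    def forward(self, x):
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        return 1.0 / (1.0 + math.exp(-z))
    def train(self, xs, ys, epochs=2000, lr=0.5):
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                err = self.forward(x) - y          # d(cross-entropy)/dz
                self.w = [wi - lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= lr * err

def analyze(live_tree, model, vocab, malicious_languages, policy):
    """Classify one currently-executing tree and decide on remediation.  The
    remedial action requires BOTH the ANN flag and a language match, as in the
    claim; automatic execution additionally requires the policy's risk threshold."""
    score = model.forward(vectorize(live_tree, vocab))
    lang = language(live_tree)
    flagged, matched = score >= 0.5, lang in malicious_languages
    remediate = flagged and matched
    # Template stand-in for the natural-language-generation engine.
    text = ("Process launched by %s performed %s; this matches known malicious "
            "behaviour (score %.2f). Recommended action: %s." %
            (lang[0], ", ".join(lang[1]), score, policy["action"])) if remediate else ""
    auto = remediate and policy["auto_remediate"] and score >= policy["risk_threshold"]
    return {"score": score, "language_match": matched, "remediate": remediate,
            "auto_remediate": auto, "alert_text": text}

def run_demo():
    trees = build_trees(TRAINING_EVENTS)
    vocab = build_vocab(trees)
    model = Neuron(len(vocab))
    model.train([vectorize(t, vocab) for t in trees], TRAINING_LABELS)
    # Languages learned as malicious during training (label >= 0.5).
    bad = {language(t) for t, y in zip(trees, TRAINING_LABELS) if y >= 0.5}
    policy = {"auto_remediate": True, "risk_threshold": 0.9, "action": "terminate the process tree"}
    live = build_trees(
        chain(700, "winword.exe", ["open_document", "spawn_shell", "download_file", "execute_file"])
        + chain(800, "winword.exe", ["open_document", "print_document", "save_document"])
        + chain(900, "explorer.exe", ["open_document", "spawn_shell", "download_file", "execute_file"]))
    names = ["malicious", "benign", "unmatched"]   # 'unmatched': same tasks, different launching app
    return {n: analyze(t, model, vocab, bad, policy) for n, t in zip(names, live)}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The third live tree is the case worth noticing: its task sequence is the one the network learned as malicious, but because it was launched by a different application its language does not match, so under the claim's conjunctive condition no remedial action is taken on the language basis. In a real deployment the vectorizer would consume tokens produced from actual process trees, the single neuron would be a multi-layer network, and the template would be replaced by the natural language generation engine the claim recites.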

Please cancel claim 2.
Please replace claim 3 with:
3. (Currently amended) The method of claim 1, 

generating, by the one or more processors, an alert that includes the text in the natural language that includes the description of the malicious activity and sending the alert to another computer system for viewing by a human analyst, wherein the alert includes one or more remedial actions for the malicious activity.

Please cancel claim 4.

Please replace claim 5 with:
5. (Currently amended) The method of claim 1, wherein vectorizing each of the first process trees includes mapping the first process trees to first text in the 

Please replace claim 8 with:
8. (Currently amended) The method of claim 1, further comprising:
providing at least one support service for at least one action selected from the group consisting of creating, integrating, hosting, maintaining, and deploying computer readable program code in a computer, the program code being executed by a processor of the computer to implement the identifying the first process trees, vectorizing each of the first process trees, associating the vectorized first process trees with respective labels, training the artificial neural network, vectorizing the second process trees, providing the vectorized second process trees as the input vectors, determining the language of the first computer process, determining that the language of the first computer process indicates the malicious activity, determining the language of the second computer process, determining that the language of the first computer process matches the language of the second computer process, generating the text in the natural language, converting the text into the voice message, sending the voice message to the human analyst, and receiving the approval of the remedial action.

Please replace claim 9 with:

9. (Currently amended) A computer program product for detecting a malicious activity on a computer system, the computer program product comprising:
a computer readable storage medium having computer readable program code stored on the computer readable storage medium, wherein the computer readable storage medium is not a transitory signal per se, the computer readable program code being executed by a central 
identifying, by the first computer system, first process trees for a plurality of computer processes that have executed on a second computer system;
vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels, each label representing an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity;
training, by the first computer system, an artificial neural network by using the vectorized first process trees and the associated labels as training input;
vectorizing, by the first computer system and after a completion of the training of the artificial neural network, second process trees for computer processes that are currently executing on the second computer system, and providing, by the first computer system, the vectorized second process trees as input vectors to the artificial neural network; 
in response to the artificial neural network providing an output indicating that a combination of the input vectors indicates the malicious activity, performing, by the first computer system, a remedial action for the malicious activity;
determining, by the first computer system and during the training the artificial neural network, a language of a first computer process based on one or more computer-based actions indicated by one or more sub-trees within a first process tree included in the first process trees, the language of the first computer process including a specification of a first launching application and a first order of first tasks performed by the first computer process; 
determining, by the first computer system, that the language of the first computer process indicates the malicious activity;
determining, by the first computer system, a language of a second computer process based on one or more other computer-based actions indicated by one or more other sub-trees within a second process tree included in the second process trees, the language of the second computer process including a specification of a second launching application and a second order of second tasks performed by the second computer process; and
determining, by the first computer system, that the language of the first computer process matches the language of the second computer process by determining that the first launching application matches the second launching application and the first order of the first tasks matches the second order of the second tasks, wherein the performing the remedial action is based on the language of the first computer process indicating the malicious activity and matching the language of the second computer process;
based on the language of the second computer process, generating, by the first computer system and using a natural language generation engine, a text in a natural language that includes a description of the malicious activity based on the one or more other computer-based actions; 
converting, by the first computer system, the text into a voice message and sending the voice message to a human analyst, wherein the voice message includes the remedial action for the malicious activity; and
receiving, by the first computer system, an approval of the remedial action, wherein the performing the remedial action is performed automatically in response to the receiving the approval.

Please cancel claim 10.

Please replace claim 11 with:

11. (Currently amended) The computer program product of claim 9, 

generating, by the first computer system, 

Please cancel claim 12.

Please replace claim 13 with:

the 
Please replace claim 14 with:

14. (Currently amended) The computer program product of claim 9, wherein the method further comprises:
configuring, by the first computer system, 
determining, by the first computer system, that an amount of risk associated with the malicious activity exceeds a threshold amount of risk, wherein the performing the remedial action is performed automatically based on the policy and the amount of risk exceeding the threshold amount of risk.

Please replace claim 15 with:

15. (Currently amended) A first computer system comprising:
a central processing unit (CPU); 
a memory coupled to the CPU; and
a computer readable storage medium coupled to the CPU, the computer readable storage medium containing instructions that are executed by the CPU via the memory to implement a method of detecting a malicious activity on a second computer system, the method comprising: 

vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels, each label representing an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity;
training, by the first computer system, an artificial neural network by using the vectorized first process trees and the associated labels as training input;
vectorizing, by the first computer system and after a completion of the training of the artificial neural network, second process trees for computer processes that are currently executing on the second computer system, and providing, by the first computer system, the vectorized second process trees as input vectors to the artificial neural network; 
in response to the artificial neural network providing an output indicating that a combination of the input vectors indicates the malicious activity, performing, by the first computer system, a remedial action for the malicious activity;
determining, by the first computer system and during the training the artificial neural network, a language of a first computer process based on one or more computer-based actions indicated by one or more sub-trees within a first process tree included in the first process trees, the language of the first computer process including a specification of a first launching application and a first order of first tasks performed by the first computer process; 
determining, by the first computer system, that the language of the first computer process indicates the malicious activity;
determining, by the first computer system, a language of a second computer process based on one or more other computer-based actions indicated by one or more other sub-trees within a second process tree included in the second process trees, the language of the second computer process including a specification of a second launching application and a second order of second tasks performed by the second computer process; and
determining, by the first computer system, that the language of the first computer process matches the language of the second computer process by determining that the first launching application matches the second launching application and the first order of the first tasks matches the second order of the second tasks, wherein the performing the remedial action is based on the language of the first computer process indicating the malicious activity and matching the language of the second computer process;
based on the language of the second computer process, generating, by the first computer system and using a natural language generation engine, a text in a natural language that includes a description of the malicious activity based on the one or more other computer-based actions; 
converting, by the first computer system, the text into a voice message and sending the voice message to a human analyst, wherein the voice message includes the remedial action for the malicious activity; and
receiving, by the first computer system, an approval of the remedial action, wherein the performing the remedial action is performed automatically in response to the receiving the approval.

Please cancel claim 16.
Please replace claim 17 with:
17. (Currently amended) The first computer system of claim 15, 

generating, by the one or more processors, an alert that includes the text in the natural language that includes the description of the malicious activity and sending the alert to another computer system for viewing by a human analyst, wherein the alert includes one or more remedial actions for the malicious activity.

Please cancel claim 18.

Please replace claim 19 with:
19. (Currently amended) The first computer system of claim 15, wherein the vectorizing each of the first process trees includes mapping the first process trees to first text in the 

Please replace claim 20 with:
20. (Currently amended) The first computer system of claim 15, wherein the method further comprises:
configuring, by the first computer system, 
determining, by the first computer system, that an amount of risk associated with the malicious activity exceeds a threshold amount of risk, wherein the performing the remedial action is performed automatically based on the policy and the amount of risk exceeding the threshold amount of risk.

Allowable Subject Matter
Claims 1, 3, 5-9, 11, 13-15, 17, and 19-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
The present invention provides an approach for detecting a malicious activity on a computer system. First process trees are identified for computer processes that have been executed on a computer system. Each of the first process trees is vectorized. The vectorized first process trees are associated with respective labels. Each label represents an amount by which a respective vectorized process tree reflects the malicious activity. An artificial neural network is trained by using the vectorized first process trees and the associated labels as training input. After the training of the artificial neural network is completed, second process trees for 

The closest prior art of record is:
Anderson et al. (US 2016/0306971) teaches an automated malware identification and reverse engineering tool is provided.  Subroutine categories may be learned by machine learning.  A program may then be reverse-engineered and classified, and subroutines that are potentially indicative of malware may be identified.  These subroutines may be reviewed by a reverse engineer to determine whether the program is malware in a more directed and efficient manner.
Antonakakis et al. (US 2014/0157414) teaches a method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
Avasarala et al. (US 2014/0090061) teaches improved systems and methods for automated machine-learning, zero-day malware detection.  Embodiments include a method for improved zero-day malware detection that receives a set of training files which are each known to be either malign or benign, partitions the set of training files into a plurality of categories, and trains category-specific classifiers that distinguish between malign and benign files in a category of files.  The training may include selecting one of the plurality of categories of training files, identifying features present in the training files in the selected category of training files, evaluating the identified features to determine the identified features most effective at distinguishing between malign and benign files, and building a category-specific classifier based on the evaluated features.  Embodiments also include a system and computer-readable medium with instructions for executing the above method.

Chen et al. (US 2018/0018456) teaches methods, systems and devices that compute and use the execution session contexts of software applications to perform behavioral monitoring and analysis operations.  A mobile device may be configured to monitor user activity and system activity of a software application, generate a shadow feature value that identifies actual execution session context of the software application during that activity, generate a behavior vector that incorporates context into the values describing behaviors, and determine whether the activity is malicious or benign based, at least in part, on the generated behavior vector.  The mobile device processor may also be configured to intelligently determine whether the execution session context of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the execution session contexts of the software applications for which such determinations are relevant.
Chistyakov et al. (US2019/01145539) teaches systems and methods for generating a convolution function for training a malware detection model.  An example method comprises generating, by a processor, a plurality of behavior patterns based on one or more logs of commands executed on a computing device, calculating, by the processor, an effectiveness of each of a plurality of methods for machine learning based on the plurality of behavior patterns, determining, by the processor, a preferred method for machine learning from the plurality of methods for machine learning by selecting the preferred method as a method with the greatest effectiveness from the plurality of methods for machine learning, obtaining, by the processor, parameters of the malware detection model by applying convolution functions to the plurality of behavior patterns, and training, by the processor, the malware detection model to detect malicious files using the preferred method for machine learning.
Choi et al. (US 2016/0156643) teaches an apparatus and method for generating a process activity profile.  The apparatus includes a basic process profile generator configured to perform basic process profiling for generating a basic process profile recording an operation of a specific process in a system; and an extension process profile generator configured to generate an extension process profile by associating an additional basic process profile, generated by executing an execution file downloaded or created while generating the basic process profile, with a conventional basic process profile.

Dube et al. (US 2012/0260342) teaches a method, apparatus and program product for recognizing malware in a computing environment having at least one computer.  A sample is received.  An automatic determination is made by the at least one computer to determine if the sample is malware using static analysis methods.  If the static analysis methods determine the sample is malware, dynamic analysis methods are used by the at least one computer to automatically determine if the sample is malware.  If the dynamic analysis methods determine the sample is malware, the sample is presented to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses.  If the adjudication determines the sample is malware, a response action is initiated to recover from or mitigate a threat of the sample.
Dzikiewicz et al. (US7,305,385) teaches N-grams (i.e., N character sequences) are used to identify documents that potentially satisfy a search query.  The documents that potentially satisfy the query are then searched (e.g., using a full text search) to determine which documents actually satisfy the query.
Kumar et al. (US2016/0241574) teaches a method of determining real-time operational integrity of an application or service operating on a computing device, the method including inspecting network traffic sent or received by the application or the service operating on the computing device, determining in real-time, by a network analyzer of an endpoint trust agent on the computing device, signaling integrity and data exchange of the application or the service based on the inspecting of the network traffic to assess trustworthiness of the signaling, and data exchange, and determining, by the network analyzer, that the application or the service is malicious based on the determined trustworthiness of the signaling and data exchange.
Muddu et al. (US 2017/0142140) teaches a method of determining real-time operational integrity of an application or service operating on a computing device, the method including inspecting network traffic sent or received by the application or the service operating on the computing device, determining in real-time, by a network analyzer of an endpoint trust agent on the computing device, signaling integrity and data exchange of the application or the service based on the inspecting of the network traffic to assess trustworthiness of the signaling, and data exchange, and determining, by the network analyzer, that the application or the service is malicious based on the determined trustworthiness of the signaling and data exchange.
Rostami et al. (US2017/0251003) teaches techniques for automatically determining whether malware samples are similar are disclosed.  In some embodiments, a system, process, and/or computer program product for automatically determining whether malware samples are similar includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; comparing the log files based on the automated malware analysis; determining whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and performing an action based on determining that at least two samples are similar.
Sai (US2018/0314983) teaches a method includes receiving one or more n-gram vectors for a file as input to a file classifier, where the one or more n-gram vectors indicate occurrences of groups of entropy indicators in a sequence of entropy indicators representing the file.  The method also includes generating, based on the one or more n-gram vectors, output including classification data associated with the file, the classification data indicating whether the file includes malware. 
Tseng et al. (US 2018/0293381) teaches a computer implemented method for malware detection that analyses a file on a per-packet basis.  The method receives a packet of one or more packets associated with a file, converts a binary content associated with the packet into a digital representation, and tokenizes plain text content associated with the packet.  The method extracts one or more n-gram features, an entropy feature, and a domain feature from the converted content of the packet and applies a trained machine learning model to the one or more features extracted from the packet.  The output of the machine learning model is a probability of maliciousness associated with the received packet.  If the probability of maliciousness is above a threshold value, the method determines that the file associated with the received packet is malicious.

determining, by the one or more processors and during the training the artificial neural network, a language of a first computer process based on one or more computer-based actions indicated by one or more sub-trees within a first process tree included in the first process trees, the language of the first computer process including a specification of a first launching application and a first order of first tasks performed by the first computer process; determining, by the one or more processors, that the language of the first computer process indicates the malicious activity; determining, by the one or more processors, a language of a second computer process based on one or more other computer-based actions indicated by one or more other sub-trees within a second process tree included in the second process trees, the language of the second computer process including a specification of a second launching application and a second order of second tasks performed by the second computer process; determining, by the one or more processors, that the language of the first computer process matches the language of the second computer process by determining that the first launching application matches the second launching application and the first order of the first tasks matches the second order of the second tasks, wherein the performing the remedial action is based on the language of the first computer process indicating the malicious activity and matching the language of the second computer process; based on the language of the second computer process, generating, by the one or more processors and using a natural language generation engine, a text in a natural language that includes a description of the malicious activity based on the one or more other computer-based actions; converting, by the one or more processors, the text into a voice message and sending the voice message to a human analyst, wherein the voice message includes the remedial action for the malicious activity; and receiving, by the one or more processors, an approval of the remedial action, wherein the performing the remedial action is performed automatically in response to the receiving the approval, in view of the other limitations of claims 1, 9 and 15.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497