Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 16, 21 – 24 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Election/Restrictions

Applicant’s election without traverse of claims 1-16 in the reply filed on 11/23/20 is acknowledged.

Drawings

The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the features of a “rolling map” and “connection map” must be shown or the feature(s) canceled from the claim(s).  No new matter should be entered.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, 

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 – 16 and 21 – 24 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding claims 1, 7, 9, 15, and 21, the applicant’s specification fails to reasonably describe the scope or meaning of “protected device”.  The examiner notes that this term is not standard within the art, and the applicant’s specification merely recites the term “protected device” without providing any definition or examples as to why or how the device is qualified as protected.

Regarding claims 1, 9, and 21, the applicant’s specification fails to reasonably describe the scope or meaning of “rolling map”.  The examiner notes that this term is not standard within the art, and the applicant’s specification simply recites the term “rolling map” as having a purpose of providing a temporal snapshot.  However, the applicant’s specification fails to provide any reasonable or clear definition as to the structure or subject matter constituting a “rolling map”.  

Regarding claims 1, 3, 4, 9, 11, 12, 21, 23, and 24, the applicant’s specification fails to reasonably describe the scope or meaning of “connection map”.  The examiner notes that this term is not standard within the art, and the applicant’s specification simply recites the term “connection map” as having a purpose for identifying a malware threat.  However, the applicant’s specification fails to provide any reasonable or clear definition as to the structure or subject matter constituting a “connection map”.  


Regarding claims 4, 12, and 24, the applicant’s specification fails to reasonably describe the recitation of “applying a probability function”.  Specifically, the examiner notes that the applicant’s specification simply recites applying a probability function without describing any nature, method, or example of the application of a probability function.   

Depending claims are rejected by virtue of dependency.



The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 – 16, 21 – 24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

	Regarding claims 1, 7, 9, 15, and 21, the applicant’s recitation “protected device” renders the scope of the claims indefinite.  Specifically, the examiner notes that this term is not standard within the art, and the applicant’s specification merely recites the term “protected device” without providing any definition or examples as to why or how the device is qualified as protected.  Thus, the subject matter of devices falling inside or outside the scope of “protected” is rendered indefinite.

Regarding claims 1, 9, and 21, the applicant’s recitation “rolling map” renders the scope of the claims indefinite.  Specifically, the examiner notes that this term is not standard within the art, and the applicant’s specification merely describes a “rolling map” in terms of purpose without providing any clear definition or example as to the structure or makeup of the claimed “rolling map”.  Thus, the subject matter falling inside or outside the scope of a “rolling map” is rendered indefinite.

Regarding claims 1, 3, 4, 9, 11, 12, 21, 23, and 24, the applicant’s recitation “connection map” renders the scope of the claims indefinite.  Specifically, the examiner notes that this term is not standard within the art, and the applicant’s specification merely describes a “connection map” in terms of a utility or purpose without providing any clear definition or example as to the structure or makeup of the claimed “connection 

Regarding claim 6, the term “weak” is a relative term that renders the scope of the claims indefinite.  Specifically, the term “weak connection” is not standard within the art, the term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of a “weak connection”.  

Regarding claims 1, 9, and 21, the limitation “rolling map configured to” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Specifically, as noted above, the applicant’s specification fails to describe any specific structure identifiable as a “rolling map”. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.


Regarding claims 1, 9, and 21, the limitation “map classifier to determine that the connection map …” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Specifically, as noted above, the applicant’s 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 


Depending claims are rejected by virtue of dependency.


Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3 – 9, 11 – 21, 23, and 24 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Agranonik et al. (Agranonik), US 10,581,888 B1.

Regarding claim 1, as best interpreted in view of the above noted deficiencies, Agranonik discloses:
A computing apparatus, comprising: a hardware platform; and a storage medium having stored thereon executable instructions to provide an inference engine (e.g. Agranonik, fig. 1; 2:46-52; claim 18) configured to: 
receive a new suspicious fragment object from a protected device (e.g. Agranonik, Abstract, fig. 1:110; 1:29-39; 2:46-53; 4:17-23).  Herein, the system receives potentially malicious scripts (i.e. “new suspicious fragment object”) from “protected” client devices that are protected by the threat detection and remediation system. 
add the new suspicious fragment object to a rolling map configured to provide a temporal snapshot of suspicious fragment objects over a time span (e.g. Agranonik, 5:10-13; 10:29-37, 11:64-67).  Herein, the new fragment is added to data collected over a period of epochs within a continuous vector space (i.e. a “rolling map”); 
determine a connection between the new suspicious fragment object and an existing suspicious fragment object within the rolling map (e.g. Agranonik, 7:4-11; 10:6-10, 38-43).  Herein, similarities (i.e. “connections”) are determined between the new fragment and existing fragments.
apply the connection to a connection map (e.g. Agranonik, fig. 3:313; 11:16-22).  Herein, the newly connected data is passed to a fully connected layer (i.e. “connection map”) of a neural network.
and operate a map classifier to determine that the connection map represents a probable computer security threat (e.g. Agranonik, fig. 3:315; 11:22-29).  Herein, the system executes a classification algorithm upon the connection map. 

Regarding claim 3, Agranonik discloses:
wherein determining that the connection map represents a probable computer security threat comprises static analysis of content and metadata of the new suspicious fragment compared to the existing suspicious fragment object (e.g. Agranonik, 9:19-28, 46-50; 9:66-10:10).  Herein, the command (i.e. “content”) as well as the location or positions of the commands (i.e. “metadata”) is compared against previous command sequences (i.e. “static analysis”).

Regarding claim 4, Agranonik discloses:
wherein determining that the connection map represents a probable computer security threat comprises applying a probability function based on a probability function trained from known threat samples (e.g. Agranonik, fig. 3:315).  The softmax function is a probability function. 

Regarding claim 5, Agranonik discloses:
wherein determining the connection comprises identifying a verified connection between the new suspicious fragment object and the existing suspicious fragment object (e.g. Agranonik, 3:9-24).  Herein, connections of a new fragment are made to existing classified fragments (i.e. “verified connections”). 

Regarding claim 6, Agranonik discloses:
wherein determining the connection comprises identified a weak connection between the new suspicious fragment object and the existing suspicious fragment object (e.g. Agranonik, 3:9-24).  Herein, connections of a new fragment are made to known but unclassified fragments (i.e. “weak connections”). 

Regarding claim 7, Agranonik discloses:
wherein the inference engine further comprises a fragment predictor to predict a fragment to occur on the protected device, and to provide a message to the protected device to search for the predicted fragment (e.g. Agranonik, 3:46-4:6).  Herein, the inference engine comprises means to identify a potentially malicious script (i.e. a “fragment predictor”) and alerts a client device to review or identify such scripts for remediation.

Regarding claim 8, Agranonik discloses:
wherein the new suspicious fragment is selected from the group consisting of a windows management instrumentation (WMI) entry, a registry entry, an environment variable, a cookie, a macro, a shortcut, a link, and a scheduled task (e.g. Agranonik, 7:61-8:20).  Herein, suspicious fragments may comprise scripts, such as powershell scripts (i.e. “macros” or “scheduled tasks”), link libraries, OS primitives (i.e. “environmental variables”), or registry entries.



Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 10, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Agranonik et al. (Agranonik), US 10,581,888 B1 in view of Oliner et al. (Oliner), US 2019/0306184 A1.


However, Oliner also discloses a machine learning system for detecting malware, and furthermore discloses that the machine learning should occur over a time span of at least one hour (e.g. Oliner, par. 235, 259, 269).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of applicant’s invention, to employ any time span they desired, including one hour.  This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that the selection of a suitable time span can result in better accuracy (e.g. Oliner, par. 270, 271).
Thus the combination enables:
wherein the time span is one hour (e.g. Agranonik, 11:64-12:3; Oliner, par. 269-271). 

Regarding claims 10 and 22, they are method and medium claims essentially corresponding to the above apparatus claims and they are rejected, at least, for the same reasons.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.	

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495