DETAILED ACTION
This office action is in response to communication filed on 12/20/2018.
Claims 1-20 are being considered on the merits.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Acknowledgment is made of applicant’s claim for priority for provisional 62/608,174 filed 12/20/2017.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/20/2018 has been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, an initialed and dated copy of the Applicant’s IDS form 1449 12/20/2018 is attached to the instant office action.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 
Fig. 1 Ref. 122
Fig. 3 Ref. 302 
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet”.
Specification
Note: The dependencies of claim 16 and claim 6 which have similar limitations are different. Claim 16 is a dependent of claim 12 instead of 11, where being a dependent of claim 11 would mirror claim 6 being a dependent of claim 1. No correction required, just pointing it out in case it was unintentional.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph, as based on a disclosure which is not enabling.  The disclosure does not enable one of ordinary skill in the art to practice the invention without specifying how the application relates to the program or where the atmosphere data and attack pattern data comes from, which is/are critical or essential to the practice of the invention but not included in the claim(s) or specification. See In re Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976). 
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements.  See MPEP § 2172.01.  The omitted elements are: a connection between the program (along with the log data and manual submission data) and the application behavior (along with atmosphere data and attack pattern data), these appear to be completely separate functions and it is unclear how the application behavior is related to receiving log and manual submission data or classifying and identifying the program. Does the atmosphere data and attack pattern data come from the log data and manual submission data? Is the application behavior part of the program? Looking at Fig. 1 there appears to be a connection, but that connection is not apparent in the claim.
Claims 2-10 and 12-20 are rejected as dependent claims using the same rationale.
Where applicant acts as his or her own lexicographer to specifically define a term of a claim contrary to its ordinary meaning, the written description must clearly redefine the claim term and set forth the uncommon definition so as to put one reasonably skilled in the art on notice that the applicant intended to so redefine that claim term. Process Control Corp. v. HydReclaim Corp., 190 F.3d 1350, 1357, 52 USPQ2d 1029, 1033 (Fed. Cir. 1999). The term “atmosphere data” in claim 1 is used by the claim to mean some kind of data relating to malware prediction in relation to application behavior, while the 
Claims 2-10 and 12-20 are rejected as dependent claims using the same rationale.
Claims 2 and 12 disclose identifying the source of the application based on the log data and manual submission data; however, the log data and manual submission data in claim 1 are specifically related to the program. It is unclear how this is related to the source of the application which is related to atmosphere data and attack pattern data. The metes and bounds are not clearly defined.
Claims 3-4, 13-14 and 16-18 are rejected as dependent claims using the same rationale.
Note: As mentioned above claims 2 and 12 which contain similar limitations have different dependent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1, 5-6, 9-11, 15-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Raff (US 20150381637 A1, provided in IDS) in view of Albertson (US 9009827 B1), in further view of Alperovitch (US 20130254880 A1, provided in IDS).
Regarding claim 1, Raff teaches a system for malware prediction and suppression, comprising: a plurality of host computers, each of the plurality of host computers comprising a host antimalware service configured to collect log data, (Raff, in Para. [0025], discloses a plurality of client networks (i.e. host computers) which provide log files (i.e. collects log data))
a server, the server comprising a report database and a knowledge base; (Raff, in Fig. 5C and in Para. [0027, 0077 and 0123], discloses a categorization repository (i.e. knowledge base) and a data repository for the entity record (i.e. report database) and a breach detection platform (i.e. server))
wherein the server is configured to perform the steps of: receiving, from the plurality of host computers, log data relating to [a program]; (Raff, in Fig. 5C and in Para. [0123], discloses retrieving logs from various log sources)
classifying, based on the log data, [the program]; (Raff, in Fig. 5C and in Para. [0124-0125], discloses scoring and classifying the entity based on the log data)
identifying whether [the program] is new, and, when [the program] is new, format [the program] for inclusion into the knowledge base; (Raff, in Fig. 5C and in Para. [0123], discloses determining whether the entity is new and if so adding it to the categorization repository (i.e. knowledge base) after it has been normalized (i.e. formatted)).
While Raff teaches collecting log data related to an entity, Raff fails to explicitly teach collecting manual submission data related to a program.
However, Albertson from the analogous technical field teaches each of the plurality of host computers further comprising a manual reporting interface provided by the antimalware service; and (Albertson, Col. 31 L. 31-38, discloses a user interface for use by a human technician for analyzing threats (i.e. manual reporting)).
(Albertson, Col. 5 L. 24-46, discloses a human technician confirming an attack, where the attack can be an application (i.e. program), before sharing the attack data (i.e. manual submission data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff to incorporate the teachings of Albertson, with a motivation to improve cyber security by sharing security information (Albertson, Col. 3 L. 29-40).  
While Raff as modified by Albertson teaches classifying a program, Raff as modified by Albertson fails to explicitly teach reacting to application behavior.
However, Alperovitch from the analogous technical field teaches identifying an application behavior, and performing a numerical malware prediction based on the application behavior, (Alperovitch, in Fig. 5 and in Para. [0054-0055], discloses monitoring application behavior (i.e. identifying) and calculating a reputation score (i.e. numerical malware prediction))
wherein the numerical malware prediction comprises retrieving malware atmosphere data, retrieving attack pattern data, and generating the numerical malware prediction based on the application behavior, the malware atmosphere data, and the attack pattern data; (Alperovitch, in Fig. 5 and in Para. [0021 and 0055], discloses calculating a reputation score (i.e. numerical malware prediction) based on the behavior and other stored data, where the other stored data can include previously stored crowdsourced data, such as similarity and differences to other application (i.e. pattern data) and origination (i.e. atmosphere data))
identifying at least one countermeasure from a list of acceptable countermeasures based on the numerical malware prediction; and (Alperovitch, in Fig. 5 and in Para. [0056], discloses determining an action (i.e. countermeasure) based on the calculated reputation score (i.e. numerical malware prediction))
(Alperovitch, in Fig. 5 and in Para. [0056], discloses determining an action (i.e. countermeasure) such as deleting the application (i.e. implement countermeasure)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson to incorporate the teachings of Alperovitch, with a motivation to provide a more robust and capable crowdsourcing solution (Alperovitch, Para. [0032]).  
Regarding claim 5, Raff as modified by Albertson and Alperovitch teaches the system of claim 1.
Albertson further teaches wherein the step of receiving, from the plurality of host computers, log data and manual submission data relating to a program comprises: accessing, with the host antimalware service, the host computer, and determining one or more instances of probable suspicious behavior; (Albertson, Col. 5 L. 31-46, discloses software initially determining an attack (i.e. probable suspicious behavior))
generating a confirmation message indicating the suspicious behavior, displaying the confirmation message via the manual reporting interface, and receiving a confirmation from a user via the manual reporting interface; and (Albertson, Col. 5 L. 31-46, discloses human technician (i.e. user) confirming an attack (i.e. probable suspicious behavior))
generating and sending a report to the server comprising log data of the suspicious behavior (Albertson, Col. 5 L. 31-46, discloses attack data (i.e. manual submission data and log data)).
Regarding claim 6, Raff as modified by Albertson and Alperovitch teaches the system of claim 1.
Alperovitch further teaches wherein the step of classifying the program comprises: identifying a plurality of reports received from the host computers, each of the reports comprising at least one of log (Alperovitch, in Para. [0022], discloses comparing to crowdsource data)
identifying a conflict in the plurality of reports; and (Alperovitch, in Para. [0022], discloses discovering differences in the data)
flagging the program for expert evaluation based on the conflict (Alperovitch, in Para. [0022], discloses flagging differences in the data).
Regarding claim 10, Raff as modified by Albertson and Alperovitch teaches the system of claim 1.
Raff further teaches wherein the server further comprises a server antimalware service configured to scan the log data and manual submission data (Raff, in Para. [0077], discloses a breach detection platform (i.e. server) which performs log analysis (i.e. scan the log)).
Albertson further teaches wherein the log data and manual submission data further comprises the program, and (Albertson, Col. 5 L. 31-46, discloses attack data (i.e. manual submission data and log data) including an application identifier).
Regarding claim 9, Raff as modified by Albertson and Alperovitch teaches the system of claim 1.
Raff further teaches wherein the server further comprises a deep learning element, and (Raff, in Para. [0066], discloses using machine learning).
Albertson further teaches wherein the server is configured to perform the steps of: automatically generating at least one rule based on the list of known virus samples and known benign files; and (Albertson, Col. 8 L. 23-25, discloses automatically generating a rule set based on recognized pattern (i.e. known virus and benign files))
(Albertson, Col. 8 L. 23-25, discloses generating (i.e. updating) a rule set based on security attack data (i.e. log data and manual submission data)).
Alperovitch further teaches wherein the knowledge base further comprises a list of known virus samples and known benign files, (Alperovitch, in Para. [0018], discloses a database with application reputation (i.e. known and benign virus files)).
As per claims 11, 15-16, and 19-20, these claims recite a token method to perform the steps as recited by the system of claims 1, 5-6, and 9-10, and have limitations that are similar to those of claims 1, 5-6, and 9-10, and thus are rejected with the same rationale applied against claims 1, 5-6, and 9-10.
Claims 2-3 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Raff in view of Albertson and Alperovitch, in further view of Evans (US 10516695 B1).
Regarding claim 2, Raff as modified by Albertson and Alperovitch teaches the system of claim 1.
Albertson further teaches performing an attack attribution on the source of the application; and (Albertson, Col. 11 L. 5-9, discloses determining the source of the attack).
wherein implementing the countermeasure comprises: identifying, from the log data and manual submission data, a source of the application; (Alperovitch, in Para. [0021], discloses determining origination of application in crowdsource data).
While Raff as modified by Albertson and Alperovitch teaches determining the source, Raff as modified by Albertson and Alperovitch fails to explicitly teach sending a message to the source.
However, Evans from the analogous technical field teaches automatically generating and sending one or more communications to the source of the application (Evans, in Col. 9 L. 47-65, discloses notifying the owner of the source of the malicious behavior).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson and Alperovitch to incorporate the teachings of Evans, with a motivation to maximize response while minimizing impact on the users (Evans, Col. 2 L. 61-66).  
Regarding claim 3, Raff as modified by Albertson and Alperovitch teaches the system of claim 2.
Evans further teaches wherein the step of automatically generating and sending one or more communications to the source of the application comprises: identifying a registered owner of the source of the application; and generating and sending a message to the registered owner of the source of the application (Evans, in Col. 9 L. 47-65, discloses notifying the owner of the source of the malicious behavior).
As per claims 12-13, these claims recite a token method to perform the steps as recited by the system of claims 2-3, and have limitations that are similar to those of claims 2-3, and thus are rejected with the same rationale applied against claims 2-3.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Raff in view of Albertson, Alperovitch and Evans, in further view of David (US 20180247045 A1).
Regarding claim 4, Raff as modified by Albertson, Alperovitch and Evans teaches the system of claim 2.
While Raff as modified by Albertson, Alperovitch and Evans teaches sending a message to the source, Raff as modified by Albertson, Alperovitch and Evans fails to explicitly teach counterattacking.
However, David from the analogous technical field teaches wherein the step of automatically generating and sending one or more communications to the source of the application comprises: identifying, with a whitelist, an absence of the source of the application on a whitelist; and (David, in Para. [0029], discloses checking a whitelist).
(David, in Para. [0029], discloses counter attacking any malicious attempt).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson, Alperovitch and Evans to incorporate the teachings of Evans, with a motivation to provide total security (David, Para. [0029]).  
As per claim 14, this claim recites a token method to perform the steps as recited by the system of claim 4, and has limitations that are similar to those of claim 4, thus is rejected with the same rationale applied against claim 4.
Claims 7-8 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Raff in view of Albertson and Alperovitch, in further view of Myslinski (US 8990234 B1).
Regarding claim 7, Raff as modified by Albertson and Alperovitch teaches the system of claim 6.
Raff further teaches wherein the system is further configured to perform the steps of: receiving an expert evaluation indicating the program as malicious or non-malicious, and uploading the expert evaluation to the knowledge base; (Raff, in Para. [0107], discloses manual review by an expert).
While Raff as modified by Albertson and Alperovitch teaches an expert evaluating the program, Raff as modified by Albertson and Alperovitch fails to explicitly teach flagging a source of the report.
However, Myslinski from the analogous technical field teaches identifying one or more reports in the plurality of reports contradicting the expert evaluation, and identifying a source of the one or more reports; and flagging the source of the one or more reports (Myslinski, in Col. 21 L. 62- Col. 22 L. 2, discloses a source that provides false or inaccurate information (i.e. contradicts expert)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson and Alperovitch to incorporate the teachings of Myslinski, with a motivation to verify accuracy of information (Myslinski, Col. 1 L. 15-18).  
Regarding claim 8, Raff as modified by Albertson, Alperovitch, and Myslinski teaches the system of claim 7.
Myslinski further teaches wherein the system is further configured to perform the steps of: identifying a source that has been flagged a plurality of times; and (Myslinski, in Col. 21 L. 62- Col. 22 L. 2, discloses a source that often provides false or inaccurate information)
classifying further reports from the source as untrusted (Myslinski, in Col. 21 L. 62- Col. 22 L. 2, discloses determining that a source that provides false or inaccurate information is unreliable (i.e. untrusted)).
As per claims 17-18, these claims recite a token method to perform the steps as recited by the system of claims 7-8, and have limitations that are similar to those of claims 7-8, and thus are rejected with the same rationale applied against claims 7-8.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208.  The examiner can normally be reached on M-Th 9:00-18:00 (Flex).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/JESSICA J SOUTH/Examiner, Art Unit 2431
/TRANG T DOAN/Primary Examiner, Art Unit 2431