DETAILED ACTION
	Claims 1-19 are pending. This is in response to the application filed on November 20, 2018 which claims priority to a foreign application filed on October 19, 2018.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Authorization
Authorization for this examiner’s amendment was given in an interview with Scott Ulbrich #48,005 on February 1st, 2021.

Claim Amendment
1. (Currently amended) A malicious software recognition apparatus, comprising: 
 	a hardware storage, being configured to store a training dataset and a test dataset, each of the training dataset and the test dataset comprising a plurality of network flow datasets, each of the network flow datasets corresponding to one of a plurality of software categories, the software categories comprising a plurality of malicious software categories; and 
 	a processor, being electrically connected to the storage, and configured to find out that a plurality of first recognition accuracies of recognizing a subset of the malicious software categories by a malicious software recognition model are lower than a first threshold by testing the malicious software recognition model by the test dataset, determine that an overlap degree of the network flow datasets corresponding to the subset is larger than a second threshold, update the software categories by combining the malicious software categories corresponding to the subset in response to the determination result that the overlap degree is larger than the second threshold, update the training dataset by integrating the network flow datasets corresponding to the subset, and train the malicious software recognition model according to the updated training dataset; 
 	wherein the processor further obtains an actual recognition result by recognizing an actual network flow dataset by the trained malicious software recognition model.
2. (Original) The malicious software recognition apparatus of claim 1, wherein the subset comprises a first malicious software category and a second malicious software category, the overlap degree being determined as greater than the second threshold by the processor is between the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category, and the processor integrates the network flow datasets corresponding to the subset by performing the following operations: retaining the network flow datasets corresponding to the first malicious software category and discarding the network flow datasets corresponding to the second malicious software category.
3. (Original) The malicious software recognition apparatus of claim 1, wherein the subset comprises a first malicious software category and a second malicious software category, the overlap degree being determined as greater than the second threshold by the processor is between the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category, and the processor integrates the network flow datasets corresponding to the subset by taking a union of the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category.
4. (Original) The malicious software recognition apparatus of claim 1, wherein the actual recognition result comprises a specific malicious software category and a second recognition accuracy, the specific malicious software category is one of the malicious software categories, the second recognition accuracy is between a third threshold and a fourth threshold, the processor further updates the training dataset by integrating the network flow datasets corresponding to the specific malicious software category and the actual network flow dataset, and the processor further trains the malicious software recognition model by the updated training dataset.
5. (Original) The malicious software recognition apparatus of claim 1, wherein the actual recognition result comprises a specific malicious software category and a second recognition accuracy, the specific malicious software category is one of the malicious software categories, the second recognition accuracy is lower than a third threshold, the processor further updates the software categories by adding a new malicious software category, and the processor further trains a sub-recognition model in the malicious software recognition model that corresponds to the new malicious software category by the actual network flow dataset.
6. (Original) The malicious software recognition apparatus of claim 1, wherein the storage further stores a flow behavior related report corresponding to each of the malicious software categories.
7. (Original) The malicious software recognition apparatus of claim 6, wherein the actual recognition result comprises a specific malicious software category, the specific malicious software category is one of the malicious software categories, and the processor further retrieves an actual flow behavior related report from the flow behavior related reports according to the specific malicious software category.
8. (Original) The malicious software recognition apparatus of claim 6, wherein the processor further combines the flow behavior related reports corresponding to the malicious software categories that correspond to the subset.
9. (Original) The malicious software recognition apparatus of claim 1, wherein the actual recognition result comprises a specific malicious software category, and the processor further blocks an application program corresponding to the actual network flow dataset.
10. (Original) The malicious software recognition apparatus of claim 1, wherein the software categories further comprise a normal software category.
11. (Currently Amended) A malicious software recognition method for use in an electronic computing apparatus, the electronic computing apparatus storing a training dataset and a test dataset, each of the training dataset and the test dataset comprising a plurality of network flow datasets, each of the network flow datasets corresponding to one of a plurality of software categories, the software categories comprising a plurality of malicious software categories, and the malicious software recognition method comprising
finding out that a plurality of first recognition accuracies of recognizing a subset of the malicious software categories by a malicious software recognition model are lower than a first threshold by testing the malicious software recognition model by the test dataset;
 determining that an overlap degree of the network flow datasets corresponding to the subset is larger than a second threshold; 
 updating the software categories by combining the malicious software categories corresponding to the subset in response to the determination result that the overlap degree is larger than the second threshold; 
updating the training dataset by integrating the network flow datasets corresponding to the subset in response to the determination result that the overlap degree is larger than the second threshold; 
training the malicious software recognition model by a machine learning algorithm and the updated training dataset; and 
obtain an actual recognition result by recognizing an actual network flow dataset by the trained malicious software recognition model.
12. (Original) The malicious software recognition method of claim 11, wherein the subset comprises a first malicious software category and a second malicious software category, the determining step determines that the overlap degree between the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category is larger than the second threshold, and the step of updating the training dataset by integrating the network flow datasets corresponding to the subset comprises: retaining the network flow datasets corresponding to the first malicious software category; and discarding the network flow datasets corresponding to the second malicious software category.
13. (Original) The malicious software recognition method of claim 11, wherein the subset comprises a first malicious software category and a second malicious software category, the determining step determines that the overlap degree between the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category is larger than the second threshold, and the step of updating the training dataset by integrating the network flow datasets corresponding to the subset comprises: taking a union of the network flow datasets corresponding to the first malicious software category and the network flow datasets corresponding to the second malicious software category.
14. (Original) The malicious software recognition method of claim 11, wherein the actual recognition result comprises a specific malicious software category and a second recognition accuracy, the specific malicious software category is one of the malicious software categories, the second recognition accuracy is between a third threshold and a fourth threshold, and the malicious software recognition method further comprises: updating the training dataset by integrating the network flow datasets corresponding to the specific malicious software category and the actual network flow dataset; and re-training the malicious software recognition model by the updated training dataset.
15. (Original) The malicious software recognition method of claim 11, wherein the actual recognition result comprises a specific malicious software category and a second recognition accuracy, the specific malicious software category is one of the malicious software categories, the second recognition accuracy is lower than a third threshold, and the malicious software recognition method further comprises: updating the software categories by adding a new malicious software category; and training a sub-recognition model in the malicious software recognition model that corresponds to the new malicious software category by the actual network flow dataset.
16. (Original) The malicious software recognition method of claim 11, wherein the electronic computing apparatus further stores a flow behavior related report corresponding to each of the malicious software categories, the actual recognition result comprises a specific malicious software category, the specific malicious software category is one of the malicious software categories, and the malicious software recognition method further comprises: retrieving an actual flow behavior related report from the flow behavior related reports according to the specific malicious software category.
17. (Original) The malicious software recognition method of claim 11, wherein the electronic computing apparatus further stores a flow behavior related report corresponding to each of the malicious software categories, and the malicious software recognition method further comprises: combining the flow behavior related reports corresponding to the malicious software categories that correspond to the subset.
18. (Original) The malicious software recognition method of claim 11, wherein the actual recognition result comprises a specific malicious software category, and the malicious software recognition method further comprises: blocking an application program corresponding to the actual network flow dataset.
19. (Original) The malicious software recognition method of claim 11, wherein the software categories further comprise a normal software category.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
 	US Patent 10325224 (hereinafter Erenrich) discloses a system to provide methods that accelerate machine learning processes.  A machine learning model may be trained and updated as the examples are labeled.  A subset or batch of 
 	US PG Pub 20190188212 (hereinafter Miller) discloses an invention to provide a system and a means of prioritized detection of clusters of anomalous samples in an unlabeled data batch. The present invention is applicable to various types of data that require high-dimensional feature representation, including network traffic flow datasets. Each subset of samples is evaluated by using a model order selection criterion called the Bayesian information criterion (BIC) for identifying an anomalous cluster (Summary section and Fig. 7 and related paragraphs).
However, neither of the above art, singly or in combination, teaches all claimed features recited in claims 1 and 11, particularly determining that the accuracies of recognizing a subset of the malicious software categories by a malicious software recognition model are lower than a first threshold by testing the malicious software recognition model by the test dataset; and determining that an overlap degree of the network flow datasets corresponding to the subset is larger than a second threshold. Therefore, the claims are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably 

Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 




/TRI M TRAN/Primary Examiner, Art Unit 2494