Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
   
DETAILED ACTION

1.	This action is responsive to: an original application filed on 17 May 2019.
2.	Claims 1-20 are currently pending and claims 1, 11 and 20 are independent claims. 

Information Disclosure Statement

3.	The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Pre-Amendment

4.	The preliminary amendment has been noted by the examiner.

Priority

5.	Priority claimed from foreign application no. RU2018147233, filed on 28 December 2018.

Drawings

6.	The drawings filed on 17 May 2019 are accepted by the examiner. 

Claim Rejections - 35 USC § 102

7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	
Claims 1-20 are rejected under 35 U.S.C. § 102(a)(1) as being anticipated by Lem et al. (US Publication No. 20190132344), hereinafter Lem.

In regard to claim 1: 
monitoring a file during execution of the file within a computer system (Lem, ¶41). 
forming a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data (Lem, ¶116).
and wherein the feature vector represents a convolution of the behavioral data in the form of a set of numbers (Lem, ¶132, 172).
calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious (Lem, ¶183, 180, 189).

and deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety (Lem, ¶122-124, 71).

In regard to claim 2:
wherein the model for calculation of parameters is trained by a method of machine learning performed on at least one safe file and one malicious file (Lem, ¶6).
In regard to claim 3: 
wherein the method of machine learning is one of: gradient boosting on decision-making trees; decision-making trees; the method of k-nearest neighbors; or the method of support vectors (Lem, ¶79). 
In regard to claim 4: 
wherein the behavioral data comprises at least: the commands being executed by the file, the attributes being transmitted to those commands and the values being returned; data on the RAM areas being modified by the file being executed; or static parameters of the file (Lem, ¶115-116). 
In regard to claim 5: 

In regard to claim 6: 
wherein the trained model for calculation of parameters is a set of rules for computing the degree of maliciousness of the file and the limit degree of safety of the file, which depend on the behavioral data (Lem, ¶178).
In regard to claim 7: 
wherein the time laws are monotonic in nature (Lem, ¶183).
In regard to claim 8: 
wherein the correlation between the degree of maliciousness and the limit degree of safety is at least: the difference from a predetermined threshold value of the distance between the degree of maliciousness and the boundary conditions of maliciousness; the difference from a predetermined threshold value of the area bounded in a given time interval between the degree of maliciousness and the boundary conditions; or the difference from a predetermined value of the rate of mutual increase of the curve describing the degree of maliciousness and the boundary conditions of maliciousness as a function of time (Lem, ¶65-66, 116).
In regard to claim 9: 

In regard to claim 10: 
wherein the model for calculation of parameters is retrained so that, when that model is used, the criterion formed afterwards will ensure at least: the accuracy of determining the degree of maliciousness and the limit degree of safety is greater than when using an untrained model for calculation of parameters; the utilization of the computing resources is lower than when using an untrained model for calculation of parameters (Lem, ¶122). 
In regard to claim 11: 
a hardware processor configured to: monitor a file during execution of the file within a computer system (Lem, ¶41).
form a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data (Lem, ¶16).
and wherein the feature vector represents a convolution of the behavioral data in the form of a set of numbers (Lem, ¶172, 132).

and ii) a limit degree of safety that is a probability that the file will definitely prove to be safe, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law (Lem, ¶109-110).
and decide that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety (Lem, ¶71, 122-124).
In regard to claim 12: 
wherein the model for calculation of parameters is trained by a method of machine learning performed on at least one safe file and one malicious file (Lem, ¶6).
In regard to claim 13: 
wherein the method of machine learning is one of: gradient boosting on decision-making trees; decision-making trees; the method of k-nearest neighbors; or the method of support vectors (Lem, ¶79).
In regard to claim 14: 
wherein the behavioral data comprises at least: the commands being executed by the file, the attributes being transmitted to those commands and the values being 
In regard to claim 15: 
wherein calculating the limit degree of safety based on the degree of maliciousness, and wherein the limit degree of safety is calculated when the file is launched, on the basis of an analysis of static parameters of the file (Lem, ¶13).
In regard to claim 16: 
wherein the trained model for calculation of parameters is a set of rules for computing the degree of maliciousness of the file and the limit degree of safety of the file, which depend on the behavioral data (Lem, ¶178). 
In regard to claim 17: 
wherein the correlation between the degree of maliciousness and the limit degree of safety is at least: the difference from a predetermined threshold value of the distance between the degree of maliciousness and the boundary conditions of maliciousness; the difference from a predetermined threshold value of the area bounded in a given time interval between the degree of maliciousness and the boundary conditions; or the difference from a predetermined value of the rate of mutual increase of the curve describing the degree of maliciousness and the boundary conditions of maliciousness as a function of time (Lem, ¶65-66, 116).
In regard to claim 18: 

In regard to claim 19: 
wherein the model for calculation of parameters is retrained so that, when that model is used, the criterion formed afterwards will ensure at least: the accuracy of determining the degree of maliciousness and the limit degree of safety is greater than when using an untrained model for calculation of parameters; the utilization of the computing resources is lower than when using an untrained model for calculation of parameters (Lem, ¶122).
In regard to claim 20: 
monitoring a file during execution of the file within a computer system (Lem, ¶41). 
forming a feature vector based on behavioral data during the execution of the file, wherein features of the feature vector characterize the behavioral data (Lem, ¶116).
and wherein the feature vector represents a convolution of the behavioral data in the form of a set of numbers (Lem, ¶132, 172).

and ii) a limit degree of safety that is a probability that the file will definitely prove to be safe, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law (Lem, ¶109-110).
and deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety (Lem, ¶122-124, 71).
Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim, whose telephone number is (571)270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890