Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of claims
This office action is in response to claims filed on 01/14/2019.
Claims 1-19 are pending and rejected; Claims 1, 9 and 13 are independent claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Griffin et al. US Pub. NO.: 2020/0167464 A1 (hereinafter Griffin) in view of Shrestha US Pub.: 2020/0202184 A1 (hereinafter Shrestha).
Griffin teaches:
As to claim 1, a method for producing a set of indicators of unwanted activity in a computer system (see Griffin ¶3, each label represents/indicates an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity) comprising: 
producing a plurality of training sets each comprising: 1) a plurality of activity values, each indicative of execution of an instruction by a computerized device of the computer system, extracted from one of the plurality of input data sets, and 2) a respective infection label (see Griffin Fig. 2, steps 204-206, ¶¶4-5, 19-20 “method further includes vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels. Each label represents an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity”); 
producing for each training set of the plurality of training sets (see Griffin Fig. 2, steps 206-208) one of a plurality of sets of relevant activity values by: 
training a classification model to output, in response to the respective training set, an infection classification equal to respective infection label (see Griffin Fig. 2, steps 206-208, ¶¶20-21, “malicious activity detection system 104 (see FIG. 1) associates the vectorized first process trees with respective labels [i.e. classification]. Each label represents an amount by which a respective vectorized first process tree reflects (i.e., indicates) the malicious activity 114”); and 
analyzing the classification model to identify a set of relevant activity values, of the plurality of activity values, effecting the infection classification in response to the training data set (see Griffin Fig. 2, step 208, ¶¶20-21, “malicious activity detection system 104 (see FIG. 1) trains artificial neural network 110 (see FIG. 1) by using the vectorized first process trees generated in step 204 and the labels associated with the vectorized first process trees in step 206 [i.e. analyzing]”; ¶12 “analyzes each process sub-tree and associated sub-trees”); 
analyzing the plurality of sets of relevant activity values to produce the plurality of indicators of unwanted activity (see Griffin ¶12, “analyzes each process sub-tree and associated sub-trees to proactively determine whether the sub-trees represent a contextual sub-task that has the capability for malicious behavior (i.e., to recognize a threat vector)”); and 
providing the plurality of indicators of unwanted activity to at least one security engine for the purpose of detecting unwanted activity in at least one other system (see Griffin ¶16, “subsequently generates an output indicating that one or more of the additional vectorized process trees indicates a malicious activity 114”). 

Even though Griffin teaches:
receiving a plurality of input data sets, each describing system activity over an identified period of time and comprising an infection label and system activity information collected from a computer system (see Griffin ¶14, “Malicious activity detection system 104 receives process trees 106 that specify computer processes that were previously executed on one or more computers”; ¶¶3-5, “Each label represents an amount by which a respective vectorized process tree reflects the malicious activity. An artificial neural network is trained by using the vectorized first process trees and the associated labels as training input” [i.e. infection label and system activity information collected from a computer system]);
Griffin doesn’t explicitly teach but the related art Shrestha teaches:
each describing system activity over an identified period of time (see Shrestha ¶3, “Over the course of some time period, such as a day, a week, or a month, such security and surveillance systems may capture significant amounts of video data”)
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention to modify the system of detecting malicious activity on a computer system disclosed by Griffin to include the systems and methods for machine learning-based site-specific threat modeling and threat detection, as taught by Shrestha, in order to receive/monitor the activity of the recited computer system over an identified period of time. It would have been obvious to one of ordinary skill in the art to include a time period in order to identify the time of occurrence and enhance security.
As to claim 2, the combination of Griffin and Shrestha teaches the method of claim 1, wherein each of the plurality of indicators of unwanted activity comprises at least one activity value of the plurality of activity values (see Griffin ¶23, “malicious activity detection system 104 (see FIG. 1) receives data specifying first process trees 106 (see FIG. 1) and second process trees 112 (see FIG. 1) from data flows from OS query”).

As to claim 3, the combination of Griffin and Shrestha teaches the method of claim 1, wherein analyzing the classification model to identify a set of relevant activity values further comprises computing an importance value for each of the set of relevant activity values, indicative of a contribution of the relevant activity value to the infection classification (see Griffin ¶38, “malicious activity detection system 104 (see FIG. 1) analyzes data in a process tree included in first process trees 106 (see FIG. 1) or second process trees 112 (see FIG. 1) and determines whether a threat vector is present”). 

As to claim 4, the combination of Griffin and Shrestha teaches the method of claim 1, wherein the infection label is selected from a group of labels consisting of "infected" and "not infected" (see Griffin ¶21, malicious activity detection system 104 (see FIG. 1) trains artificial neural network 110 (see FIG. 1) by using the vectorized first process trees generated in step 204 and the labels associated with the vectorized first process trees in step 206). 

As to claim 5, the combination of Griffin and Shrestha teaches the method of claim 1, wherein the system activity information is collected from at least one information source selected from a group of information sources consisting of: an operating system log repository, a capture of network traffic, a security monitoring tool log repository, a network device log repository, a capture of memory access operations, a capture of processor utilization values, a capture of file accesses, and an application log repository (see Griffin ¶2, security techniques detect known cyber-attacks by using preconfigured tooling and can include collecting and analyzing data in log files from network devices, host assets, and operating systems). 

As to claim 6, the combination of Griffin and Shrestha teaches the method of claim 1, wherein at least one activity value of the plurality of activity values is selected from a group of possible activity values consisting of: a time value, a network address value, a file name value, a file path value, a digital memory address value, an amount of digital memory, a registry key path value, a registry key value, a network protocol identifier value, a network port value, an amount of bytes, a user name value, a user account type value and a domain name value (see Shrestha ¶89, a feature extractor may include a trained machine learning classifier that operates to extract features from video data relating to a detected activity within a site under surveillance including, a time of day (or period) of the detected activity, one or more entities involved in the detected activity (e.g., objects, people, etc.), a macro region (e.g., activity location within the site), and the activity type).  

As to claim 7, the combination of Griffin and Shrestha teaches the method of claim 1, wherein analyzing the plurality of sets of relevant activity values to produce the plurality of indicators of unwanted activity comprises at least one operation selected from a group of operations consisting of: an intersection between at least some of the plurality of sets of relevant activity values, sorting the plurality of relevant activity values of the plurality of sets of relevant activity values according to an identified sorting criterion, and applying a k-means classification method to at least some of the plurality of sets of relevant activity values (see Shrestha ¶41, a clustering method (e.g., k-means clustering)).

As to claim 8, the method of claim 1, further comprising: training at least one other classification model to output, in response to the respective training set, at least one other infection classification equal to respective infection label; and analyzing the at least one other classification model to identify at least one other set of relevant activity values, of the plurality of activity values, effecting the at least one other infection classification in response to the respective training data set (see Griffin ¶29, vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels, each label representing an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity). 
As to independent claim 9, this claim is directed to a system executing the method of claim 1; therefore, it is rejected under a similar rationale.
As to claim 10, the combination of Griffin and Shrestha teaches the system of claim 9, wherein the at least one hardware processor is further adapted to sending the plurality of indicators of unwanted activity to at least one other hardware processor via at least one digital communication network interface connected to the at least one hardware processor (see Griffin ¶3, in response to the artificial neural network providing an output indicating that a combination of the input vectors indicates the malicious activity, performing, by the one or more processors, a remedial action for the malicious activity).
As to claim 11, the combination of Griffin and Shrestha teaches the system of claim 10, wherein the at least one hardware processor is adapted to receiving the plurality of input data sets via the at least one digital communication network interface (see Griffin Fig. 3 and ¶74, an external computer or external storage device (e.g., computer data storage unit 312) via a network (not shown), for example, the Internet, a local area network, a wide area network and/or a wireless network).
As to claim 12, the combination of Griffin and Shrestha teaches the system of claim 9, wherein the at least one hardware processor is further adapted to storing the plurality of indicators of unwanted activity on at least one non-volatile digital storage connected to the at least one hardware processor (see Griffin ¶3, in response to the artificial neural network providing an output indicating that a combination of the input vectors indicates the malicious activity, performing, by the one or more processors, a remedial action for the malicious activity).
Griffin teaches:
As to claim 13, a system for identifying unwanted activity in a computer system (see Griffin ¶3, each label represents/indicates an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity) comprising: 
extracting a plurality of system activity values from the input data, each indicative of execution of an instruction by a computerized device of the computer system (see Griffin Fig. 2, steps 204-206, ¶¶4-5, 19-20 “method further includes vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels. Each label represents an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity”); 
identifying in the plurality of system activity values at least one indicator of unwanted activity of a plurality of indicators of unwanted activity, generated by at least one other hardware processor by analyzing a classification model trained to output an infection classification in response to a plurality of input system activity values; and outputting a determination of unwanted activity according to identifying the at least one indicator of unwanted activity (see Griffin Fig. 2, step 208, ¶¶20-21, “malicious activity detection system 104 (see FIG. 1) trains artificial neural network 110 (see FIG. 1) by using the vectorized first process trees generated in step 204 and the labels associated with the vectorized first process trees in step 206 [i.e. analyzing]”; ¶12 “analyzes each process sub-tree and associated sub-trees”).
Even though Griffin teaches:
receiving input data comprising system activity information collected from the computer system over an identified period of time (see Griffin ¶14, “Malicious activity detection system 104 receives process trees 106 that specify computer processes that were previously executed on one or more computers”; ¶¶3-5, “Each label represents an amount by which a respective vectorized process tree reflects the malicious activity. An artificial neural network is trained by using the vectorized first process trees and the associated labels as training input” [i.e. infection label and system activity information collected from a computer system]);
Griffin doesn’t explicitly teach but the related art Shrestha teaches:
over an identified period of time (see Shrestha ¶3, “Over the course of some time period, such as a day, a week, or a month, such security and surveillance systems may capture significant amounts of video data”); 
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention to modify the system of detecting malicious activity on a computer system disclosed by Griffin to include the systems and methods for machine learning-based site-specific threat modeling and threat detection, as taught by Shrestha, in order to receive/monitor the activity of the recited computer system over an identified period of time. It would have been obvious to one of ordinary skill in the art to include a time period in order to identify the time of occurrence and enhance security.

As to claim 14, the system of claim 13, wherein generating the plurality of indicators of unwanted activity by analyzing a classification model trained to output an infection classification in response to a plurality of input system activity values comprises: receiving a plurality of input data sets, each describing system activity over an identified period of time and comprising an infection label and system activity information collected from a training computer system (see Griffin ¶14, “Malicious activity detection system 104 receives process trees 106 that specify computer processes that were previously executed on one or more computers”; ¶¶3-5, Each label represents an amount by which a respective vectorized process tree reflects the malicious activity); 
producing a plurality of training sets each comprising: 1) a plurality of activity values, each indicative of execution of an instruction by a training computerized device of the training computer system, extracted from one of the plurality of input data sets, and 2) a respective infection label (see Griffin Fig. 2, steps 204-206, ¶¶4-5, 19-20 “method further includes vectorizing, by the first computer system, each of the first process trees and associating, by the first computer system, the vectorized first process trees with respective labels. Each label represents an amount by which a respective vectorized process tree included in the vectorized first process trees reflects the malicious activity”); 
producing for each training set of the plurality of training sets (see Griffin Fig. 2, steps 206-208) one of a plurality of sets of relevant activity values by: 
training a classification model to output, in response to the respective training set, an infection classification equal to respective infection label (see Griffin Fig. 2, steps 206-208, ¶¶20-21, “malicious activity detection system 104 (see FIG. 1) associates the vectorized first process trees  with respective labels [i.e. classification]. Each label represents an amount by which a respective vectorized first process tree reflects (i.e., indicates) the malicious activity 114”); and 
analyzing the classification model to identify a set of relevant activity values, of the plurality of activity values, effecting the infection classification in response to the training data set (see Griffin Fig. 2, step 208, ¶¶20-21, “malicious activity detection system 104 (see FIG. 1) trains artificial neural network 110 (see FIG. 1) by using the vectorized first process trees generated in step 204 and the labels associated with the vectorized first process trees in step 206 [i.e. analyzing]”; ¶12 “analyzes each process sub-tree and associated sub-trees”); 
analyzing the plurality of sets of relevant activity values to produce the plurality of indicators of unwanted activity (see Griffin ¶12, “analyzes each process sub-tree and associated sub-trees to proactively determine whether the sub-trees represent a contextual sub-task that has the capability for malicious behavior (i.e., to recognize a threat vector)”); and 
providing the plurality of indicators of unwanted activity to at least one security engine for the purpose of detecting unwanted activity in at least one other system (see Griffin ¶16, “subsequently generates an output indicating that one or more of the additional vectorized process trees indicates a malicious activity 114”).

As to claim 15, the system of claim 13, wherein the at least one hardware processor is adapted to receiving the input data via at least one digital communication network interface connected to the at least one hardware processor (see Griffin ¶2, security techniques detect known cyber-attacks by using preconfigured tooling and can include collecting and analyzing data in log files from network devices, host assets, and operating systems).

As to claim 16, the system of claim 13, wherein the at least one hardware processor is adapted to outputting the determination of unwanted activity via at least one display device connected to the at least one hardware processor (see Griffin Fig. 3 (310) and ¶64, I/O devices 310 include any known type of external device, including a display).

As to claim 17, the system of claim 13, wherein the at least one hardware processor is adapted to outputting the determination of unwanted activity via at least one other digital communication network interface connected to the at least one hardware processor (see Griffin Fig. 3 and ¶74, an external computer or external storage device (e.g., computer data storage unit 312) via a network (not shown), for example, the Internet, a local area network, a wide area network and/or a wireless network).

As to claim 18, the system of claim 13, wherein identifying in the plurality of system activity values at least one indicator of unwanted activity of the plurality of indicators of unwanted activity comprises identifying a match between the at least one indicator of unwanted activity and the plurality of system activity values according to at least one activity matching test (see Griffin ¶47, malicious activity detection system 104 (see FIG. 1) analyzes the processes as the processes are initiated and in the context of their associated process trees to determine whether there is a match to one of thirteen known methods of stealing user credentials from a Microsoft® Windows® system).

As to claim 19, the system of claim 18, wherein the at least one indicator of unwanted activity comprises at least one activity value; and wherein the at least one activity matching test comprises comparing the at least one activity value to at least one of the plurality of system activity values (see 
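The following is an added worked example of the claimed pipeline as mapped above (claims 1, 3 and 7: train a classification model on labeled activity values, analyze it to obtain per-training-set sets of relevant activity values with importance values, intersect and sort those sets into indicators; claims 18 and 19: a security engine matching an indicator's activity value against observed system activity values). It is not code from the application, from Griffin or from Shrestha. The choice of a Bernoulli naive Bayes model as the classification model, the use of the per-value log-likelihood ratio as the importance value, the support/threshold parameters, and all activity values and labels are assumptions constructed for illustration.

```python
"""Added example: indicators of unwanted activity from an analyzed classification
model, then matched by a security engine. Not code from the application, Griffin
or Shrestha; the classifier, the importance measure and the activity values below
are assumptions/constructed data for illustration only."""
from __future__ import annotations

import math
from collections import Counter

INFECTED = "infected"
CLEAN = "not infected"

# Constructed input data sets: one host's activity over one collection window,
# each activity value tagged with its information source, plus an infection label.
RUN_KEY = "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
TRAINING_SETS = [
    ({"file:C:\\Windows\\Temp\\svchost.exe", RUN_KEY, "port:4444", "user:SYSTEM", "proc:powershell.exe"}, INFECTED),
    ({"file:C:\\Users\\alice\\Downloads\\invoice.exe", RUN_KEY, "port:4444", "user:alice", "proc:powershell.exe"}, INFECTED),
    ({"file:C:\\Windows\\Temp\\update.exe", RUN_KEY, "port:8443", "user:bob", "proc:cmd.exe"}, INFECTED),
    ({"file:C:\\Program Files\\Office\\winword.exe", "port:443", "user:alice", "proc:winword.exe"}, CLEAN),
    ({"file:C:\\Program Files\\Chrome\\chrome.exe", "port:443", "user:bob", "proc:chrome.exe"}, CLEAN),
    ({"file:C:\\Windows\\System32\\svchost.exe", "port:53", "user:SYSTEM", "proc:svchost.exe", "proc:powershell.exe"}, CLEAN),
]


class BernoulliNB:
    """Classification model (assumed): P(label | present activity values), Laplace-smoothed."""

    def __init__(self, alpha: float = 1.0):
        self.alpha, self.vocab, self.prior, self.cond = alpha, set(), {}, {}

    def fit(self, training_sets):
        self.vocab = set().union(*(values for values, _ in training_sets))
        for label in {lab for _, lab in training_sets}:
            docs = [values for values, lab in training_sets if lab == label]
            self.prior[label] = len(docs) / len(training_sets)
            counts = Counter(v for values in docs for v in values)
            # P(value present | label) with add-alpha smoothing over present/absent
            self.cond[label] = {v: (counts[v] + self.alpha) / (len(docs) + 2 * self.alpha) for v in self.vocab}
        return self

    def predict(self, values) -> str:
        scores = {}
        for label, prior in self.prior.items():
            s = math.log(prior)
            for v, p in self.cond[label].items():
                s += math.log(p) if v in values else math.log(1.0 - p)
            scores[label] = s
        return max(scores, key=scores.get)

    def contributions(self, values) -> dict:
        """Analyze the model: how much each present value pushes the output towards INFECTED."""
        return {v: math.log(self.cond[INFECTED][v]) - math.log(self.cond[CLEAN][v])
                for v in values if v in self.vocab}


def train_model(training_sets) -> BernoulliNB:
    return BernoulliNB().fit(training_sets)


def relevant_activity_values(model, values) -> dict:
    """Set of relevant activity values with importance values: positive contributions only."""
    return {v: c for v, c in model.contributions(values).items() if c > 0}


def intersect_relevant(relevant_sets) -> set:
    """Intersection operation: values relevant in every infected training set."""
    return set.intersection(*(set(r) for r in relevant_sets)) if relevant_sets else set()


def produce_indicators(relevant_sets, min_support: int = 2) -> list:
    """Sorting operation: aggregate per-set relevant values into indicators ranked by
    support (number of infected sets in which the value was relevant), then mean importance."""
    support, total = Counter(), Counter()
    for rel in relevant_sets:
        for v, imp in rel.items():
            support[v] += 1
            total[v] += imp
    return sorted(((v, support[v], total[v] / support[v]) for v in support if support[v] >= min_support),
                  key=lambda t: (-t[1], -t[2], t[0]))


def build_indicators(training_sets, min_support: int = 2) -> list:
    model = train_model(training_sets)
    relevant_sets = [relevant_activity_values(model, values)
                     for values, label in training_sets if label == INFECTED]
    return produce_indicators(relevant_sets, min_support)


def detect(indicators, system_activity_values, threshold: float = 1.0):
    """Security engine: an indicator matches when its activity value is among the observed
    system activity values; the determination weighs the matched importance (assumed threshold)."""
    matched = [(v, imp) for v, _, imp in indicators if v in system_activity_values]
    return sum(imp for _, imp in matched) >= threshold, matched


if __name__ == "__main__":
    indicators = build_indicators(TRAINING_SETS)
    for value, support, importance in indicators:
        print(f"{support}/3 infected sets  importance={importance:.3f}  {value}")
    print(detect(indicators, {RUN_KEY, "port:4444", "user:carol"}))
```

On this constructed data the Run key is relevant in all three infected sets and survives the intersection; port 4444 and powershell.exe appear in two each and survive the support cut. The importance threshold in the engine is what keeps a weak indicator such as powershell.exe, which also occurs in clean activity, from triggering a determination on its own.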
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478.  The examiner can normally be reached on Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFREY C PWU/             Supervisory Patent Examiner, Art Unit 2433