Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	
Claims
Claims 1, 9, 10, 12, 17, and 20 have been amended. Claim 18 is new. Claims 1-20 are rejected and pending in the application. This action is Final. 

Response to Arguments
Applicant Argues 
The claims have been amended to address the objections.

Examiner Responds:
Applicant’s amendments filed on December 7, 2020 have addressed the Examiner’s claim objections. Therefore, the objections for claims 18 and 20 have been withdrawn. 

Applicant Argues 
Claims 1 and 12 were amended to recite: “classifying the artefact based on a combination of an output of the machine learning model and an output of xenospace centroid when the output of the xenospace centroid is a first value; and modifying a classification workflow based on the output of the xenospace centroid when the output of the xenospace centroid is a second value different from the first value such that the classifying is not based on a combination the output of the machine learning model and the output of xenospace centroid.”

Examiner Responds:
Applicant's 35 USC § 103 arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection. 


Claim Rejections – 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kenyon et al. U.S. Patent Publication (2020/0302058; hereinafter: Kenyon) in view of Panging et al. U.S. Patent Publication (2020/0175321; hereinafter: Panging) and further in view of Luan et al. U.S. Patent Publication (2018/0096230; hereinafter: Luan) 



Claims 1 and 12
As to claims 1 and 12, Kenyon disclose a system comprising: at least one data processor (paragraph[0094], “be processes executed by one or more processors or other processing circuitry…etc.”); and 
memory storing instructions which, when executed by the at least one data processor, result in operations comprising (paragraph[0123], “a system for computer assisted identification of intermediate threats. The system may include a memory storing an integrative model configured to evaluate a potential threat by a threat…etc.”): 
receiving an artefact (paragraph[0036], " The security management facility 122 may include functionality to scan applications, files, and data for malicious code, remove or quarantine applications and files… In embodiments, the scanning may include 
parsing the artefact into a plurality of observations (paragraph[0051], “Identity definitions may include instructions and data that can be parsed and acted upon for recognizing features of known or potentially malicious code…etc.”, the reference describes parsing data to recognize definitions (i.e., a plurality of observations).); 
inputting a first subset of the observations into a machine learning model trained using historical data to classify the artefact (paragraph[0051], “Definitions also may include, for example, code or data to be used in a classifier, such as a neural network or other classifier that may be trained using machine learning….etc.”, the reference describes using data or code (i.e., first subset) from definitions to train the machine learning system. The reference describes using historical data (e.g., paragraph[0072]) to classify data as threats.); 

Kenyon does not appear to explicitly disclose 
inputting a second subset of the observations into a xenospace centroid configured to classify the artefact; and 
classifying the artefact based on a combination of an output of the machine learning model and an output of xenospace centroid when the output of the xenospace centroid is a first value;
modifying a classification workflow based on the output of the xenospace centroid when the output of the xenospace centroid is a second value different from the first value such that the classifying is not based on a combination the output of the machine leaning model and the output of xenospace centroid. 

However, Panging discloses inputting a second subset of the observations into a xenospace centroid configured to classify the artefact (paragraph[0161], “A centroid 2016 may be used as a reference or an exemplary data value 2104 for the data values within a cluster 2014… This process allows the machine learning model 2004 to quickly classify new inputs based on the centroids 2016 of clusters 2014…etc.”, the reference describes using centroid (i.e., xenospace centroid) to classify data.); and 
classifying the artefact based on a combination of an output of the machine learning model and an output of xenospace centroid when the output of the xenospace centroid is a first value (paragraph[0162], “the model training engine 2002 may train the machine learning model 2004 to use the previously identified boundaries 2012, clusters 2014, and/or centroid 2016 to identify and classify various types of network attacks…etc.”, the reference describes using machine learning and centroids output objects to classify network attacks. The reference describes network attacks as data intrusions (i.e., artefact) (e.g., paragraph[0157]).). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging to provide the classification of network attacks which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging to provide a solution that allows computing systems to efficiently determine how similar different data samples are to each other and to perform operations based on their similarity (Panging: paragraph[0004]). 

The combination of Panging and Kenyon does not appear to explicitly disclose modifying a classification workflow based on the output of the xenospace centroid when the output of the xenospace centroid is a second value different from the first value such that the classifying is not based on a combination the output of the machine leaning model and the output of xenospace centroid. 

However, Luan discloses modifying a classification workflow based on the output of the xenospace centroid when the output of the xenospace centroid is a second value different from the first value such that the classifying is not based on a combination the output of the machine leaning model and the output of xenospace centroid (paragraph[0062]-paragraph[0063], “Once the centroids 645, 655, 665 are generated, files within the centroids 645, 655 (and/or the centroids 645, 655 themselves) can be (re) classified. For example, files X.sub.1-3 (and/or the centroid 645) can be (re) classified as malware type A and/or files X.sub.4-5 (and/or the centroid 655) can be (re) classified as malware type B…etc.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging and Luan to provide reclassify a classification of malicious data which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging and Luan to provide a system with a greater ability to detect and classify malicious and/or clean files (Luan: paragraph[0003]).  

Claims 2 and 13
As to claims 2 and 13, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 12, as noted above, and Panging further disclose wherein the classifying based on the combination of the output of the machine learning model and the output of the xenospace centroid classifies the artefact as being malicious or benign (Paragraph[0162], “a technical improvement to the device 100 by training machine learning models 2004 to determine whether any new inputs correspond with a network attack based on its classification…etc.”).

Claims 3 and 14
As to claims 3 and 14, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 13, as noted above, and Kenyon further disclose wherein the operations further comprise: preventing the artefact from being executed, continuing to execute, or accessed when the classifying indicates that the artefact is malicious (paragraph[0036], “The security management facility 122 may include functionality to scan applications, files, and data for malicious code, remove or quarantine applications and files, prevent certain actions, perform remedial actions, as well as other security measures…etc.”).

Claims 4 and 15
As to claims 4 and 15, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 12, as noted above, and Kenyon further disclose wherein the artefact comprises at least one of: a file, a portion of a file, metadata characterizing a file, or source code (paragraph[0036], " The security management facility 122 may include functionality to scan applications, files, and data for malicious code, remove or quarantine applications and files…etc.”).

Claim 5
As to claim 5, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 1, as noted above, and Kenyon further disclose wherein all of the observations in the first subset of the observations differ from all of the observations in the second subset of the observations (paragraph[0051], “Identity definitions may include instructions and data that can be parsed and acted upon for recognizing features of known or potentially malicious code…etc.”, the reference describes scanning data definitions subset (i.e., first subset) data in Kenyon. The reference of Panging describes scanning data from network attacks (i.e., second subset) (e.g., Panging: paragraph[0157]).).

Claim 6
As to claim 6, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 1, as noted above, and Kenyon further disclose wherein a portion of the observations in the first subset of the observations are common to a portion of the observations in the second subset of the observations (paragraph[0051], “Identity definitions may include instructions and data that can be parsed and acted upon for recognizing features of known or potentially malicious code…etc.”, the reference describes scanning data definitions subset (i.e., first subset) data in Kenyon. The reference of Panging describes scanning data from network attacks (i.e., second subset) (e.g., Panging: paragraph[0157]). The Examiner interprets the common portion as data being common between the two sets.).

Claim 7
As to claim 7, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 1, as noted above, and Kenyon further disclose wherein the first subset of the observations is common to all of the observations in the second subset of the observations (paragraph[0051], “Identity definitions may include instructions and data that can be parsed and acted upon for recognizing features of known or potentially malicious code…etc.”, the reference describes scanning data definitions subset (i.e., first subset) data in Kenyon. The reference of Panging describes scanning data from network attacks (i.e., second subset) (e.g., Panging: paragraph[0157]). The Examiner interprets the common portion as data being the all commonality between the two sets.).

Claims 8 and 16
As to claims 8 and 16, the combination of Kenyon, Panging, and Luan discloses all the elem11ents in claim 12, as noted above, and Kenyon further disclose wherein the machine learning model comprises at least one of: a logistic regression model, a neural network, a concurrent neural network, a recurrent neural network, a generative adversarial network, a support vector machine, or a random forest (paragraph[0114], “The resulting tags may be used when training models, and may advantageously permit a neural network or other machine learning model to simultaneously draw multiple inferences about a new threat sample…etc.”).

Claim 11
As to claim 11, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 1, as noted above, and Panging further disclose logging the output of the xenospace centroid for informational purposes along with an identification of the artefact (paragraph[0162], “For example, the model training engine 2002 may be configured to use training data 2010 that comprise instances of different types of network attacks to train the machine learning model 2004 to identify the various types of attacks…etc.”). 

Claim 18
As to claim 18, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 1, as noted above, and Luan further disclose herein the modified classification workflow comprises: classifying the artefact using only the output of the xenospace centroid (paragraph[0061, “used to generate centroids, once the centroids are defined, a new file (e.g., a file within an unknown classification) can be compared against a decision boundary and/or the centroids to determine a classification for the file…etc.”).

Claim 20
As to claim 20, Kenyon disclose a computer-implemented method comprising:
receiving an artefact(paragraph[0036], " The security management facility 122 may include functionality to scan applications, files, and data for malicious code, remove or quarantine applications and files… In embodiments, the scanning may include scanning some or all files on a periodic basis, scanning an application when the application is executed, scanning data transmitted to or from a device…etc.”, the reference describes scanning data (i.e., artefact) that was transmitted (i.e., receiving) to a device.); 
parsing the artefact into a plurality of observations (paragraph[0051], “Identity definitions may include instructions and data that can be parsed and acted upon for recognizing features of known or potentially malicious code…etc.”, the reference describes parsing data to recognize definitions (i.e., a plurality of observations).); 
inputting a first subset of the observations into a machine learning model trained using historical data to classify the artefact as being malicious or benign(paragraph[0051], “Definitions also may include, for example, code or data to be used in a classifier, such as a neural network or other classifier that may be trained using machine learning….etc.”, the reference describes using data or code (i.e., first subset) from definitions to train the machine learning system. The reference describes using historical data (e.g., paragraph[0072]) to classify data as threats.); 

preventing the artefact from being executed, from continuing to execute, or from being accessed when the artefact is classified as malicious(paragraph[0036], “The security management facility 122 may include functionality to scan applications, files, and data for malicious code, remove or quarantine applications and files, prevent certain actions, perform remedial actions, as well as other security measures…etc.”).

Kenyon does not appear to explicitly disclose 
inputting a second subset of the observations into a xenospace centroid configured to classify the artefact as being malicious, benign, or requires cloud processing; 
providing the second subset of observations to a remote computing system for analysis when an output of the xenospace centroid indicates that the artefact is requires cloud processing and receiving a classification from the remote computing system; 
classifying the artefact as malicious or benign based on a combination of (i) an output of the machine learning model and (ii) an output of xenospace centroid and/or the received classification from the remote computing system; 

However, Panging discloses inputting a second subset of the observations into a xenospace centroid configured to classify the artefact as being malicious, benign, or requires cloud processing (paragraph[0161]-paragraph[0162], “A centroid 2016 may be used as a reference or an exemplary data value 2104 for the data values within a cluster 2014… This process allows the machine learning model 2004 to quickly classify new inputs based on the centroids 2016 of clusters 2014…whether any new inputs correspond with a network attack based on its classification…etc.”, the reference describes using centroid (i.e., xenospace centroid) to classify data.); 
classifying the artefact as malicious or benign based on a combination of (i) an output of the machine learning model and (ii) an output of xenospace centroid and/or the received classification from the remote computing system(paragraph[0162], “the model training engine 2002 may train the machine learning model 2004 to use the previously identified boundaries 2012, clusters 2014, and/or centroid 2016 to identify and classify various types of network attacks…etc.”, the reference describes using machine learning and centroids output objects to classify network attacks. The reference describes network attacks as data intrusions (i.e., artefact) (e.g., paragraph[0157]).). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging to provide the classification of network attacks which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging to provide a solution that allows computing systems to efficiently determine how similar different data samples are to each other and to perform operations based on their similarity (Panging: paragraph[0004]). 

The combination of Panging and Kenyon does not appear to explicitly disclose providing the second subset of observations to a remote computing system for analysis when an output of the xenospace centroid indicates that the artefact is requires cloud processing and receiving a classification from the remote computing system.

However, Luan discloses providing the second subset of observations to a remote computing system for analysis when an output of the xenospace centroid indicates that the artefact is requires cloud processing and receiving a classification from the remote computing system (Figure 1, elements 116 and 118, paragraph[0036], “Additional details on the contents and use of centroids are provided below. The centroid generation system 116 may be used to create centroids for use by either or both of the file classification systems 114, 124, as described herein. In order to provide updates to the file classification system 124 at the endpoint 120, the computing system 110 may utilize an update system 118…etc.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging and Luan to provide reclassify a classification of malicious data which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging and Luan to provide a system with a greater ability to detect and classify malicious and/or clean files (Luan: paragraph[0003]).  


Claims 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kenyon et al. U.S. Patent Publication (2020/0302058; hereinafter: Kenyon) in view of Panging et al. U.S. Patent Publication (2020/0175321; hereinafter: Panging) and further in view of Luan et al. U.S. Patent Publication (2018/0096230; hereinafter: Luan) and further in view of Baggerman U.S. Patent Publication (2020/0026566; hereinafter: Baggerman)

Claims 9 and 17
As to claim 9 and 17, the combination of Kenyon, Panging, and Luan discloses all the elements in claim 12, as noted above, but do not appear to explicitly disclose wherein the modified classification workflow comprises: classifying the artefact using only the machine learning model. 

However, Baggerman discloses wherein the modified classification workflow comprises: classifying the artefact using only the machine learning model (paragraph[0036]-paragraph[0037], “Once the model 125 has been trained, the workload classification module 122 may use it to predict a classification of a new instance of a workload based on attributes characterizing the new instance of the workload…etc.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging, Luan, and Baggerman to provide new classifications of new instances which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging, Luan, and Baggerman to improve the approach for presenting metrics that are relevant to a workload being processed by a computer (Baggerman: paragraph[0008]).

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kenyon et al. U.S. Patent Publication (2020/0302058; hereinafter: Kenyon) in view of Panging et al. U.S. Patent Publication (2020/0175321; hereinafter: Panging) and further in view of Luan et al. U.S. Patent Publication (2018/0096230; hereinafter: Luan) and further in view of Baggerman U.S. Patent Publication (2020/0026566; hereinafter: Baggerman) and further in view of Yadav et al. U.S. Patent Publication (2020/0120144; hereinafter: Yadav) 

Claims 10 and 19
As to claim 10 and 19, the combination of Kenyon, Panging, Luan, and Baggerman discloses all the elements in claim 17, as noted above, but do not appear to explicitly disclose wherein the modified classification workflow comprises: providing the second subset of observations to a remote computing system for analysis; and receiving a classification from the remote computing system, wherein the output of the xenospace centroid used to classify the artefact as malicious is or is based on the classification received from the remote computing system.

However, Yadav discloses wherein the modified classification workflow comprises: providing the second subset of observations to a remote computing system for analysis (paragraph[0087], “In some embodiments, in addition to dynamically re -classifying risk sources, the risk assessment module 132 may identify drifting trends within the clustering space….etc.”); and receiving a classification from the remote computing system (paragraph[0050], “when the risk assessment module 132 receives initial security data associated with a risk source, for example, based on a request submitted to the web server 134…etc.”), wherein the output of the xenospace centroid used to classify the artefact as malicious is or is based on the classification received from the remote computing system (paragraph[0088], “the configuration engine 206 may configure the network security component 150 to block any requests corresponding to the CIDR range and/or the ASN. The configuration engine 206 may also configure the web server 134 and/or the service application 138 to deny any requests corresponding to the CIDR range and/or the ASN…etc.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kenyon with the teachings of Panging, Luan, Baggerman, and Yadav to dynamically reclassify risk which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kenyon with the teachings of Panging, Luan, Baggerman, and Yadav to provide dynamic classification of risk sources to improve the security of online computer systems that may be subject to malicious attacks (Yadav: paragraph[0008]).

Final Rejection
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.










Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAWAUNE A CONYERS whose telephone number is (571)270-3552.  The examiner can normally be reached on M-F 8:00am-4:30pm EST. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/DAWAUNE A CONYERS/Primary Examiner, Art Unit 2152                                                                                                                                                                                                        

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000