DETAILED ACTION

Information Disclosure Statement
The IDSes filed 1/13/2021, 11/14/2019, and 10/14/2019  have been considered and entered.

Drawings
The drawings filed 7/19/2019 are accepted.
Specification
The specification filed 7/19/2019 is accepted.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the medium of claim 20 is not limited to non-transitory embodiments and therefore encompasses transient signals which are not statutory.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).


Claims 1-4, 6-8, 11, 14, 16, 17, 19, and 20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Li et al (US 2018/0300482 hereinafter Li) in view of Schmidtler et al (US 2018/0013772 hereinafter Schmidtler).



As to claim 1,   
Li discloses a system Fig 1, comprising: 
a processor Fig 8 808 in view of  Fig 1 130 including 234  or in view of  Fig 2 210 including 234  
configured to: 
receive [0029] file received from node 110  or node 210
a set of features, 
[0020] number of features 
also referred as  [0024] tokens i.e. units of code
in view of  [0054] features for 4-grams of code in the files
in other words, Li uses token and feature interchangeably 
including a plurality of n-grams,  [0019] n-grams
extracted [0029] extracted
from a set of files; [0019] the files in view of [0029] the file received

determine a reduced set of features 
[0054] an appropriate number of features can be selected so as to 
reduce computing effort
that includes at least some of the plurality of n-grams; 
[0054] features for 4-grams of code in the files

and use the reduced 
[0054] an appropriate number of features can be selected so as to 
reduce computing effort
set of features 
[0020] number of features 
also referred as  [0024] tokens i.e. units of code
in view of  [0054] features for 4-grams of code in the files
in view of [0041] vector of weights of n-grams
in view of  [0024] vector of weights based on frequencies of n-grams
to generate 
[0042] inputting the vector of weights to a machine learning model
in view of [0041] vector of weights of n-grams
in view of  [0054] features for 4-grams of code in the files

a model [0042]-[0043] machine learning model
usable by a data appliance Fig 1 110 NODE
to perform [[inline]] malware analysis; 
[0046] each node 110 can include ML pack 234 to locally protect that 
node

and a memory Fig 8 856, 812, and 816
coupled to Fig 8 804
the processor Fig 8 808

and configured to provide [0061] computer-readable medium can store such machine instructions
the processor with instructions.  [0061] instructions for a programmable processor

	Li does not disclose
the term  'inline malware analysis'

	Schmidtler teaches
inline malware analysis [0014] inline detection of malicious content

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li discloses a 1st embodiment in Fig 1 wherein portions of the malware content detection is done remotely from the Nodes 110 by Monitoring Node 130.  Li also discloses a 2nd embodiment in Fig 2 wherein the features of Fig 1 Monitoring Node 130 are incorporated into Nodes 210 to enable [0046] local protection corresponding to 'inline malware analysis'.  However, Li does not use the term 'inline malware analysis'.  Schmidtler cures Li's deficiency in [0014] by teaching 'inline detection of malicious content' in view of [0012] wherein an inline detection uses an inline parser which may be installed on the sending, receiving, or intermediate device.


As to claim 2,   
Li discloses
	the set of features extracted from a set of known malicious files
		[0045] files known to be malicious 
also [0048] extracting from the file, data comprising tokens and determining the file is 
    likely malicious
also  [0042] a determination is made that the file is malicious which thereby corresponds to 'features extracted from a set of known malicious files'

also  [0039] relatively enhance the weights of the n-grams more likely to be 
included in malicious files.
			In other words, the weights of the weighted vectors that are assigned to each of the n-
grams are determined by an association of the n-gram to a known malicious file

As to claim 3,   
Li discloses
	the set of features extracted from a set of known benign files
		[0045] files known to be benign
also [0042] the file is likely benign

also [0039] relatively reduce the weights of the n-grams more likely to be 
     included in malicious files.
In other words, the weights of the weighted vectors that are assigned to each of the n-
grams are determined by an association or lack thereof of the n-gram to a known malicious file

As to claim 4,   
Li discloses wherein
	the reduced set of features [0054] the accuracies …were similar to one another.
	is determined using mutual information
[0054] an appropriate number of features can be selected so as to reduce computing effort


As to claim 6,   
Li discloses wherein
the generated model[0042]-[0043] machine learning model
		includes n-gram features
[0042] inputting the vector of weights to a machine learning model
in view of [0041] vector of weights of n-grams
in view of  [0054] features for 4-grams of code in the files


As to claim 7,   
Li discloses wherein
the generated model[0042]-[0043] machine learning model

Li does not disclose wherein
	the generated model includes non n-gram features

Schmidtler teaches 
the generated model [0035] predictive models
includes non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.

As to claim 8,   
Li does not disclose wherein
	at least one non n-gram feature is associated with a file size

Schmidtler teaches 
at least one non n-gram feature is associated with a file size  see  [0030]

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.

As to claim 11,   
Li does not disclose wherein
	at least one non n-gram feature is associated with a number of sections in a file

Schmidtler teaches 
at least one non n-gram feature is associated with a number of sections in a file
 [0013] file sections may be used to generate feature vectors…a score may be generated
see also  [0018] state information relating to file section  may be used to generate feature vectors 
as input to a machine learning mechanism that provides security status scores for the file as output


Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.


As to claim 14, 
Li discloses wherein the model is a linear model [0008] generalized linear model


As to claim 16,   
Li discloses
	wherein the plurality of n-grams [0019] n-grams
is extracted [0012] extracting tokens and generating n-grams of the tokens
during [[static]] analysis [0028] parser configured to parse a file
of the set of files. [0021] exemplary files

Li does not disclose wherein
	wherein the plurality of n-grams is extracted during static analysis of the set of files.

Schmidtler teaches 
static analysis of the set of files.
	[0018] static data may be extracted from the file as a result of parsing

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.

As to claim 17,   
Li discloses a first data appliance Fig 2 210 Node

Li does not disclose wherein
	the model is transmitted to a first data appliance

Schmidtler teaches 
		[0024] models may be updated  by connecting to a security status modeling service 

	therefore
Li as modified by Schmidtler teaches 
the model is transmitted to a first data appliance

	because 

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]) , but also teaches the use of additional i.e. non n-gram analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler  may be incorporated into Li to allow for model updates via network transmitting from a central source according to practices well known by those of ordinary skill in the art .


Claim 19 is rejected on the basis presented in the rejection of claim 1.
Claim 20 is rejected on the basis presented in the rejection of claim 1.


Claim 5 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Li in view of Schmidtler in further view of Pourmohammad (US 2019/0095820 hereinafter Pourmohammad).

 As to claim 5, Li in view of  Schmidtler teaches all the subject matter pointed out in the above 103  rejection of parent claim 1.


As to claim 5,
	Li discloses
the reduced set of features [0054] the accuracies …were similar to one another.

	Neither Li nor Schmidtler teaches 
		the reduced set of features is determined using a Chi-squared score

	Pourmohammad teaches
the reduced set of features is determined using a Chi-squared score 
	[0273] using Chi-Squared, the top 10% of the most important features i.e. n-grams that 
are important

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler with those of Pourmohammad as elements known in the prior art combined to yield predictable results.  In [0054] Li expresses a motivation for reducing the computing effort while maintaining accuracy by selecting the appropriate number of features.  Pourmohammad teaches that Chi-Squared testing may be used to determine the top 10% of the most important n-gram features to, in combination with Li and Schmidtler, thereby arrive at the claimed invention because Li may incorporate Pourmohammad's teaching of Chi-Squared testing to achieve the goal of selecting the appropriate number of features.

Claims 9, 10, and 12 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Li in view of Schmidtler in further view of Ivanov (US 9396334 hereinafter Ivanov).

 As to claims 9, 10 and 12, Li in view of  Schmidtler teaches all the subject matter pointed out in the above 103  rejection of parent claim 7.


As to claim 9,
	
Schmidtler teaches
non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

wherein at least one non n-gram feature is associated with a header [[size]]  see  [0031]
wherein at least one non n-gram feature is associated with a [[header]] file [[size]]  see  [0030]

	Neither Li nor Schmidtler teaches 
wherein at least one non n-gram feature is associated with a header size

	Ivanov teaches
wherein at least one non n-gram feature is associated with a header size  see  C3  39-40
	   

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of  Ivanov as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]) , but also teaches the use of additional i.e. non n-gram analysis (see [0029] – [0035]) for detecting malicious content including file size [0030] and header anomalies [0031].  Ivanov extends the teachings of Schmidtler  in the field of malicious content and/or data anomaly detection in C2 65 – C4 45 including using 'header types and sizes' see  C3 39-40  in the calculation of a checksum for matching to known  'harmful files' C2 65- C3 43  .

As such, Ivanov may be incorporated into Li and Schmidtler to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li and Schmidtler alone.

Claim 10 is rejected on the basis presented in the rejection of claim 9 wherein Ivanov C3 15 – 21 teaches comparing a computed checksum to a database of checksums of known harmful files.

As to claim 12,
		
Schmidtler teaches
non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

	Neither Li nor Schmidtler teaches 
wherein at least one non n-gram feature is associated with a length of a file

	Ivanov teaches
wherein at least one non n-gram feature is associated with 
a length C3 28 length of a function code
of a file C3 26-28 function of the file includes at least  length of a function code
	   

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of  Ivanov as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]) , but also teaches the use of additional i.e. non n-gram analysis (see [0029] – [0035]) for detecting malicious content including file size [0030] and header anomalies [0031].  Ivanov extends the teachings of Schmidtler  in the field of malicious content and/or data anomaly detection in C2 65 – C4 45 including using 'length of a function code of a file' see  C3 26-28. 


Claim 13 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Finkelshtein et al ( US 2019/0354682 hereinafter Finkelshtein).

 As to claim 13, Li in view of  Schmidtler teaches all the subject matter pointed out in the above 103  rejection of parent claim 7.


As to claim 13,
Schmidtler teaches
non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

	Neither Li nor Schmidtler teaches 
wherein at least one non n-gram feature is associated with whether a file includes an overlay

	Finkelshtein teaches
wherein at least one non n-gram feature is associated with whether a file includes an overlay
		[0004]-[0006] a need arises for techniques for detecting malicious software that is present in a file's overlay

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler with those of Finkelshtein as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content including file size [0030] and header anomalies [0031].  Finkelshtein extends the teachings of Schmidtler in the field of malicious content and/or data anomaly detection in [0004]-[0006] including techniques for detecting malicious software that is present in a file's overlay.
 



Claim 15  is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Pevny et al ( US 2020/0364334 hereinafter Pevny).

 As to claim 15, Li in view of  Schmidtler teaches all the subject matter pointed out in the above 103  rejection of parent claim 1.


As to claim 15,

	Neither Li nor Schmidtler teaches 
wherein the model is a non-linear model

	Pevny teaches
wherein the model is a non-linear model 
[0033] non-linear models

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler with those of Pevny as elements known in the prior art combined to yield predictable results.  For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]).  In [0008] Li lists many different model types appropriate for statistical analysis relating to malicious file detection.  Pevny extends the teachings of Li in the field of malicious content and/or data anomaly detection in [0033] by including additional models including non-linear models which may be used for malware detection thereby providing Li with a more exhaustive list of solutions to incorporate with which to detect malware more thoroughly.

Claim 18 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Maisel et al ( US 2018/0203998 hereinafter Maisel).

 As to claim 18, Li in view of  Schmidtler teaches all the subject matter pointed out in the above 103  rejection of parent claim 17.


As to claim 18,   
Li discloses 
a first data appliance Fig 2 210 Node
a processor Fig 8 808 in view of  Fig 1 130 including 234  or in view of  Fig 2 210 including 234  


Li does not disclose wherein
wherein, in response to a false positive result reported by a second data appliance, the processor is configured to generate an updated model and transmit the updated model to the first data appliance.

Schmidtler teaches 
		[0024] models may be updated  by connecting to a security status modeling service 

therefore
Li as modified by Schmidtler teaches 
the model is transmitted to a first data appliance
			the processor is configured to generate an updated model

	Neither Li nor Schmidtler teaches
wherein, in response to a false positive result reported by a second data appliance, the processor is configured to generate an updated model and transmit the updated model to the first data appliance.


	 Maisel teaches wherein
in response to a false positive [0037] false positive
result reported by a second data appliance, [0037] endpoint agent 135 did not correctly classify
the processor [0037] manager 120
is configured to generate an updated model 
[0037] generated updates that enable the model to successfully classify
and transmit the updated model to the first data appliance.
	[0037] generate, based on updates, corresponding updates for one or more endpoint 
agents  
in view of Fig 1
and in view of [0029] wherein endpoints are connected to the system 100 via network

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of Maisel as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]) , but also teaches the use of additional i.e. non n-gram analysis (see [0029] – [0035]) for detecting malicious content.  As such, Schmidtler  may be incorporated into Li to allow for model updates via network transmitting from a central source according to practices well known by those of ordinary skill in the art .
[0024] whereas Maisel teaches in [0037] that when an agent 135 creates a false positive, manager 120 may generate model updates and update one or more endpoint agents.  As such, Maisel may be incorporated into Li and Schmidtler for a more robust model update regime responsive to false positives created by imperfect models.

Conclusion

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571 272 2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/RICHARD A MCCOY/Examiner, Art Unit 2431