DETAILED ACTION

Information Disclosure Statement
The IDSes filed 1/13/2021, 11/14/2019, and 10/14/2019 have been considered and entered.

Drawings
The drawings filed 7/19/2019 are accepted.
Specification
The specification filed 7/19/2019 is accepted.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter because the medium of claim 20 is not limited to non-transitory embodiments and therefore encompasses transient signals, which are not statutory.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).


Claims 1-4, 12, and 15-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Li et al (US 2018/0300482 hereinafter Li) in view of Schmidtler et al (US 2018/0013772 hereinafter Schmidtler).



As to claim 1,   
Li discloses a system Fig 1, comprising: 
a processor Fig 8 808 in view of  Fig 1 130 
configured to: 
	store a set  
[0043] ML pack 134 can include a plurality of machine learning 
models
					in view of  Fig 1 130 comprising ML pack134

	comprising one or more sample classification models
[0043] ML pack 134 can include a plurality of machine learning 
models
	on a networked device  Fig 1 130

	perform n-gram analysis  
Fig 3 steps 320-340
in view of  [0024] n-gram processing
	on a sequence [0028] sequential data
of received [0028] extract from the file, which can be received from node 110
     in view of  [0025] network 120 e.g. the internet  (i.e. packets)
[[packets]] associated with a received file  
[0026] transmit a file to monitoring node 130 via network 120
in view of Fig 3 310 extract from file

	wherein performing the n-gram analysis 
Fig 3 steps 320-340
in view of  [0024] n-gram processing
includes using at least one stored sample classification model
	[0043] pack 134 can include any suitable machine learning model so as 
to analyze different aspects of the file received from node 110

and determine that the received file is malicious based at least in part on 
the n-gram analysis of the sequence of received packets
	[0024] malicious files based on n-gram processing of sequential data

and in response to determining that the file is malicious prevent propagation of the received file
	[0044]  responsive to determining the file is likely malicious, 
quarantine the file


and a memory Fig 8 856, 812, and 816
coupled to Fig 8 804
the processor Fig 8 808

and configured to provide [0061] computer-readable medium can store such machine instructions
the processor with instructions.  [0061] instructions for a programmable processor

	Li does not disclose
the term  packets associated with a received file  


	Schmidtler teaches
packets associated with a received file  
 	[0012] the file may correspond to one or more data packets

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]).
Li discloses performing n-gram analysis on sequential data on a file received over the internet, but does not literally disclose that the analysis is based on 'a sequence of received packets'. Schmidtler cures Li's deficiency by teaching in [0012] that 'a file may correspond to one or more data packets'. Moreover, one of ordinary skill in the art would understand that the internet is a packet-based network and that receiving a file over the internet includes receiving a sequence of packets. As such, the combination of Li and Schmidtler arrives at the claimed invention.
As to claim 2,   
Li discloses wherein
the processor Fig 8 808 in view of  Fig 1 130
is configured to perform the n-gram analysis 
Fig 3 steps 320-340
in view of  [0024] n-gram processing
at least in part by [[comparing ]]
[0024] statistical analysis
in view of  [0003] compare that file to each of a variety of known malicious files
n-grams in the received packets 
	[0024] n-grams of discrete tokens 
in view of  [0024] sequential data can include discrete tokens
in view of [0026] transmit a file to node 130
against a predetermined list of n-grams. 
[0024] files that are malicious may be likely to include certain tokens.  The vector of 
weights can reflect the frequency of tokens thereby reflecting the likelihood that a file including those tokens is malicious
			in view of  [0042] pack 134 generates a likelihood that the file is malicious based on a 
vector of weights compared to a threshold
	Li does not literally state
		comparing n-grams in the received packets against a predetermined list of n-grams
	
Schmidtler teaches
		[0023] comparing a received feature vector to a verified data set
		wherein in [0021] constructing a feature vector may comprise building n-grams

In other words, 'constructing a feature vector' includes 'building n-grams' suggesting that one embodiment of a feature vector is a vector of n-grams.
therefore
Li as modified by Schmidtler teaches
comparing n-grams in the received packets against a predetermined list of n-grams

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]). Both references teach classification of unclassified incoming data using known, predetermined data. N-grams are a unit of data used in the analysis, thereby yielding a combination which renders obvious the claimed invention.
As to claim 3,   
Li discloses 
  the predetermined list of n-grams 
[0024] files that are malicious may be likely to include certain tokens.  The vector of 
weights can reflect the frequency of tokens thereby reflecting the likelihood that a file including those tokens is malicious
	in view of [0024] n-grams of discrete tokens 

Li does not literally state
the predetermined list of n-grams was generated using a plurality of previously collected malware samples.

Schmidtler teaches
	[0035] similarity between the feature vector and known malicious content
wherein in  [0021] constructing a feature vector may comprise building n-grams

In other words, 'constructing a feature vector' includes 'building n-grams' suggesting that one embodiment of a feature vector is a vector of n-grams.

therefore
Li as modified by Schmidtler teaches
the predetermined list of n-grams was generated using a plurality of previously collected malware samples.

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]). Both references teach classification of unclassified incoming data using known, predetermined data. N-grams are a unit of data used in the analysis, thereby yielding a combination which renders obvious the claimed invention, especially in view of Schmidtler's teaching in [0035] explicitly referencing known malicious content, which corresponds to the claimed plurality of previously collected malware samples. Moreover, in order to facilitate comparison to feature vectors (i.e. vectors of n-grams), one of ordinary skill in the art would understand that the malware samples would be formed in similar units for comparison (i.e. n-grams). N-grams are nothing more than a data byte, wherein those of ordinary skill in the art understand the byte to be a fundamental unit of data in the computing arts.

As to claim 4,   
Li does not disclose 
	wherein the processor is further configured to determine a file type associated with the file

	Schmidtler teaches
wherein the processor is further configured to determine a file type associated with the file
	[0026] determine the schema and/or file type of a downloading file

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).
As to claim 12,   
Li discloses 
a value for a feature in a feature vector
Fig 3 330 generating a vector of weights based on respective frequencies of n-grams
	
	Li does not specifically state
wherein performing the n-gram analysis includes updating a value for a feature in a feature vector whenever the feature is matched. 
 
Schmidtler teaches 
wherein performing the n-gram analysis includes updating a value for a feature in a feature vector whenever the feature is matched. 
	[0023] a score may be calculated by comparing a received feature vector to a verified 
data set
			and  [0023] the score may be incrementally updated as a file continues to download 
     and/or a feature vector continues to be updated

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).  
Li suggests updating a value whenever the feature is matched because Li maintains a frequency of n-grams. A frequency of n-grams is a collection of counts, each count of the collection representing the number of occurrences of a particular n-gram value. It stands to reason, therefore, that to maintain a frequency of n-grams during the analysis of a file, a respective count value for a respective n-gram is updated whenever a next n-gram matching the respective n-gram is determined.
Although one of ordinary skill in the art should understand Li's teaching, Schmidtler is provided for clarity, wherein Schmidtler teaches in [0023] that, as the file is processed, a score and feature vector are updated based on comparison with the received feature.
As such, the combination of Li and Schmidtler teaches the claim limitation of wherein performing the n-gram analysis includes updating a value for a feature in a feature vector whenever the feature is matched.
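The count-on-match reasoning above can be shown in code. The following is an added illustration, not part of the Office action and not code from Li, Schmidtler or the application; the 4-byte n-gram length, the weight table, the threshold and the sample packets are all constructed assumptions. It goes slightly beyond the paragraph by carrying the last n-1 bytes between packets, so that an n-gram split across a packet boundary is still matched in a single pass.

```python
"""Single-pass n-gram scoring over a packet sequence (illustrative sketch)."""

N = 4  # assumed n-gram length in bytes

# Constructed "predetermined list": n-gram -> weight. Positive weights stand
# for n-grams assumed frequent in malicious samples, negative for benign ones.
WEIGHTS = {
    b"EVIL": 1.5,
    b"\x90\x90\x90\x90": 0.75,
    b"SAFE": -1.0,
}
THRESHOLD = 2.0  # assumed decision threshold


class StreamingNgramScorer:
    def __init__(self, weights=WEIGHTS, n=N, threshold=THRESHOLD, carry=True):
        self.weights = weights
        self.n = n
        self.threshold = threshold
        self.carry = carry                      # keep bytes across packets?
        self.tail = b""                         # last n-1 bytes already seen
        self.counts = {g: 0 for g in weights}   # feature vector of match counts
        self.score = 0.0                        # weights accumulated in one float

    def feed(self, payload: bytes) -> bool:
        """Consume one packet payload; return True once the score crosses the threshold."""
        data = (self.tail if self.carry else b"") + payload
        for i in range(len(data) - self.n + 1):
            gram = data[i:i + self.n]
            weight = self.weights.get(gram)
            if weight is not None:
                # Feature matched: update its value and the running score.
                self.counts[gram] += 1
                self.score += weight
        # The tail is shorter than n, so no n-gram is ever counted twice.
        self.tail = data[-(self.n - 1):] if self.n > 1 else b""
        return self.score >= self.threshold


def scan(packets, carry=True):
    """Score packets in arrival order and stop at the first malicious verdict."""
    scorer = StreamingNgramScorer(carry=carry)
    seen = 0
    for payload in packets:
        seen += 1
        if scorer.feed(payload):
            return {"malicious": True, "packets_seen": seen,
                    "score": scorer.score, "counts": scorer.counts}
    return {"malicious": False, "packets_seen": seen,
            "score": scorer.score, "counts": scorer.counts}


# Constructed sample: both occurrences of b"EVIL" straddle a packet boundary.
PACKETS = [b"hdr-EV", b"IL-data-E", b"VIL-tail", b"-rest-of-file"]
# Constructed sample: one suspicious n-gram outweighed by benign ones.
BENIGN = [b"SAFE-EVIL", b"-SAFE"]

if __name__ == "__main__":
    print("with carry   :", scan(PACKETS))
    print("without carry:", scan(PACKETS, carry=False))
    print("benign       :", scan(BENIGN))
```

Without the carried tail, every packet is scored in isolation and the same byte stream produces no matches, which is the failure mode a per-packet implementation has to avoid.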
As to claim 15,   
 Li does not disclose wherein
	the processor is configured to receive at least one updated classification model

Schmidtler teaches 
		[0024] models may be updated  by connecting to a security status modeling service 

	therefore
Li as modified by Schmidtler teaches 
the processor is configured to receive at least one updated classification model

	 

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content. As such, Schmidtler may be incorporated into Li to allow for model updates via network transmitting from a central source according to practices well known by those of ordinary skill in the art.

As to claim 16,   
Li discloses 
	n-gram analysis 
Fig 3 steps 320-340
in view of  [0024] n-gram processing

	Li does not disclose
the n-gram analysis is performed inline with other packet analyses as a single pass analysis of a 
traffic stream.

Schmidtler teaches 
n-gram analysis [0021] building n-grams
is performed inline [0025] automatic inline detection
with other packet analyses 
[0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]  these examples being different from n-gram based 
        analysis
as a single pass analysis Fig 3 process 300 from start to end without any loops
of a traffic stream. [0026] data stream

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]) , but also teaches the use of additional i.e. non n-gram analysis (see [0029] – [0035]) for detecting malicious content.
As to claim 17,   
Li discloses wherein the processor is further configured to
use a set of whitelisted n-grams 
[0037] certain tokens may be used frequently in a benign manner, a vector of weights 
of such tokens thus can be inversely related to the frequency with potentially relevant tokens within the extracted sequential data.
when performing the n-gram analysis
Fig 3 steps 320-340
in view of  [0024] n-gram processing


As to claim 18,   
Li discloses wherein the processor is further configured to 
[[transmit]] a copy of the received file 
	[0026] node 110 transmits a file to monitoring node 130
to [0028] ML Pack 134 can include a parser configured to parse the file received from node 110
a security platform ML Pack 134
and perform the n-gram analysis 
Fig 3 steps 320-340
in view of  [0024] n-gram processing
while awaiting a verdict [0028] ML pack 134 can initiate corrective action
from the security platform. ML Pack 134

	Li teaches and renders obvious
		transmit a copy of the file to a security platform

	because
		Firstly, Li teaches in [0026] that nodes 110 transmit the file to node 130.
		Secondly, Li teaches that ML Pack 134 parses the received file and initiates corrective actions 
thereby  indicating that node 130 transmits the received file to ML Pack 134 to thereby arrive at the claimed invention.
Thirdly,  Li teaches in [0046] that Figures 1 and Figures 2 are only exemplary embodiments and 
'In still another configuration, any suitable number of data processors are distributed across a computing environment, each of which can be configured so as to perform any suitable operations…'
			thereby  rendering obvious an embodiment wherein at least a portion of ML Pack is 
implemented on another node remote from 130 to also thereby arrive at the claimed invention.


Claims 19 and 20 are rejected on the basis previously presented in the rejection of claim 1. 

Claims 5 - 7 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Vu et al ( US 2015/0244730 hereinafter Vu).
As to claim 5, Li in view of Schmidtler teaches all the subject matter pointed out in the above 103 rejection of parent claim 4.

As to claim 5,   
Li discloses
wherein the processor is configured to select, [0043] the machine learning model can be selected
from the set of one or more sample classification models, 
[0043] a plurality of machine learning models
in view of  [0043] the group consisting of
a linear classification model, [0043] linear models
[[based on the determined filetype associated with the file.]]

Neither Li nor Schmidtler discloses
wherein the processor is configured to select, from the set of one or more sample classification models, a linear classification model, based on the determined filetype associated with the file.

	Vu teaches 
wherein the processor is configured to select, from the set of one or more sample classification models, a linear classification model, based on the determined filetype associated with the file.
	[0067] the feature value set is sent to the appropriate machine-learning model 
determined by the file type

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of Vu as elements known in the prior art combined to yield predictable results.  For example, Li  discloses using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).  Vu is  also directed to detection of malware using machine learning (see Abstract). 
Although Li discloses selecting a model from a group of models, he is silent with respect to the criteria used for selecting the model.  Vu cures Li's deficiency by teaching a file type may be used to determine a selected model to thereby arrive at the claimed invention.

As to claim 6,   
Li discloses
wherein performing the n-gram analysis includes accumulating a set of weights corresponding to observed n-grams.
	Fig 3 step 330  generate a vector of weights based on respective frequencies of n-grams

As to claim 7,   
Li discloses
wherein the weights Fig 3 step 330  generate a vector of weights
are accumulated in a single [[float]] value.
	[0034] a normalized TF = .2425
	in view of [0032]-[0033] respective n-gram frequencies can be referred to as a TF….a 
vector of weights can be based on a normalized TF

Li does not necessarily disclose a float value.  However, those of ordinary skill in the art know that a decimal value can be represented in float notation, thereby rendering the claim limitation obvious based on known mathematical fact. 
Claims 8-10 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Vu in further view of Pevny et al ( US 2020/0364334 hereinafter Pevny).
 
As to claim 8, Li in view of Schmidtler teaches all the subject matter pointed out in the above 103 rejection of parent claim 4.


As to claim 8,   
Li discloses
wherein the processor is configured to select, [0043] the machine learning model can be selected
from the set of one or more sample classification models, 
[0043] a plurality of machine learning models
in view of  [0043] the group consisting of
a [[non-linear ]]classification model, [0043] the machine learning model
[[based on the determined filetype associated with the file.]]

Neither Li nor Schmidtler discloses
wherein the processor is configured to select, from the set of one or more sample classification models, a linear classification model, based on the determined filetype associated with the file.

	Vu teaches 
wherein the processor is configured to select, from the set of one or more sample classification models, a linear classification model, based on the determined filetype associated with the file.
	[0067] the feature value set is sent to the appropriate machine-learning model 
determined by the file type

	Neither Li, Schmidtler, nor Vu teaches 
wherein the model is a non-linear model

	Pevny teaches
wherein the model is a non-linear model 
[0033] non-linear models

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of Vu as elements known in the prior art combined to yield predictable results.  For example, Li  discloses using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).  Vu is  also directed to detection of malware using machine learning (see Abstract). 
Although Li discloses selecting a model from a group of models, he is silent with respect to the criteria used for selecting the model.  Vu cures Li's deficiency by teaching a file type may be used to determine a selected model to thereby arrive at the claimed invention.

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li, Schmidtler and Vu with those of Pevny as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). In [0008] Li lists many different model types appropriate for statistical analysis relating to malicious file detection. Pevny extends the teachings of Li in the field of malicious content and/or data anomaly detection in [0033] by including additional models, including non-linear models, which may be used for malware detection, thereby providing Li with a more exhaustive list of solutions to incorporate with which to detect malware more thoroughly.
  

 


As to claim 9,   
Li discloses
wherein the non-linear classification model  [0008] linear models
includes n-gram 
	[0024] vector of weights generated based on frequencies of n-grams
	and  [0008] inputting the vector of weights to a machine learning model
features [[and non n-gram features.]]
 [0020] features for 4-grams of code in the files
 

Li does not disclose wherein
the non-linear classification model  includes non n-gram features

Schmidtler teaches 
the classification model  [0035] predictive models
includes non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

As such Li modified by Schmidtler teaches 
the non-linear classification model  includes n-gram and non n-gram features


Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content. As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.
 
As to claim 10,   
Li does not disclose wherein
	at least one non n-gram feature is associated with a file size

Schmidtler teaches 
at least one non n-gram feature is associated with a file size  see  [0030]

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li and Schmidtler as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content. As such, Schmidtler may be incorporated into Li to form a more comprehensive solution for protecting against malware because the combination would be configured to analyze additional data characteristics indicative of malicious content than would Li alone.
Claim 11 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Li in view of  Schmidtler in further view of  Vu in further view of Pevny in further view of  Finkelshtein et al ( US 2019/0354682 hereinafter Finkelshtein).

 As to claim 11, Li in view of  Schmidtler in further view of  Vu in further view of Pevny teaches all the subject matter pointed out in the above 103  rejection of parent claim 9.


As to claim 11,
Li does not teach non n-gram features

Schmidtler teaches
non n-gram features
[0035] feature vectors to build predictive models
in view of [0029] feature vectors may comprise data points from one or more categories
see examples in [0029]-[0034]

	Neither Li, Schmidtler, Vu nor Pevny teaches 
wherein at least one non n-gram feature is associated with a presence of an overlay

	Finkelshtein teaches
wherein at least one non n-gram feature is associated with a presence of an overlay
		[0004]-[0006] a need arises for techniques for detecting malicious software that is present in a 
file's overlay

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram and non-n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li, Schmidtler, Vu and Pevny with those of Finkelshtein as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Likewise, Schmidtler teaches the use of n-gram analysis using machine learning mechanisms to detect malicious content (see [0029] – [0035]), but also teaches the use of additional, i.e. non n-gram, analysis (see [0029] – [0035]) for detecting malicious content, including file size [0030] and header anomalies [0031]. Finkelshtein extends the teachings of Schmidtler in the field of malicious content and/or data anomaly detection in [0004]-[0006], including techniques for detecting malicious software that is present in a file's overlay.

Claims 13 and 14 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Li in view of Schmidtler in further view of Pevny in further view of Miserendino (US 2017/0262633 hereinafter Miserendino).

As to claim 13, Li in view of Schmidtler teaches all the subject matter pointed out in the above 103 rejection of parent claim 1.

As to claim 13,   
Li discloses wherein 
using the at least one stored 
[0043] ML pack 134 can include a plurality of machine learning models
			in view of  Fig 1 130 comprising ML pack134
sample classification model
[0043] pack 134 can include any suitable machine learning model so as to analyze 
different aspects of the file received from node 110
includes running a [[non-linear]] classifier
[0042] a suitable machine learning model that generates an output
[[against a packet stream until a purported file length is reached.]]

	Li does not disclose
		running a classifier against a packet stream

	Schmidtler teaches
running a classifier against a packet 
[0026] the data stream of the executable file accessible to a parsing component
stream [0012] the file may correspond to one or more data packets

	
	Neither Li nor Schmidtler teaches
running a  non-linear  classifier against a packet stream  

	Pevny teaches 
running a  non-linear  classifier[0033] non-linear models

therefore
	Li as modified by Schmidtler and Pevny teaches
running a  non-linear  classifier against a packet stream

Neither Li, Schmidtler, nor Pevny teaches 
running a  non-linear  classifier against a packet stream  until a purported file length is reached

Miserendino teaches
running a  non-linear  classifier against a packet stream  until a purported file length is reached
	[0136] parses file headers to determine expected section lengths
		In other words, the file header is parsed until the section length is identified


Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ). Likewise,  Schmidtler  teaches the use of  n-gram and non-n-gram analysis using machine learning mechanisms  to detect malicious content (see [0029] – [0035]).
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li  and Schmidtler with those of  Pevny as elements known in the prior art combined to yield predictable results.  For example, Li  discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008] ).   In [0008] Li lists many different model type appropriate for statistical analysis relating to malicious file detection.  Pevny extends the teachings of Li  in the field of malicious content and/or data anomaly detection in [0033] by including  additional models including non-linear models which may be used for malware detection thereby providing Li with a more exhaustive list of solutions to incorporate with which to detect malware more thoroughly . 

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li, Schmidtler, and Pevny with those of Miserendino as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Miserendino is directed to a particular case wherein a file has been truncated. Truncation is detected when the summation of file section lengths is greater than the total file buffer size. A file may be truncated, for example, when a download is interrupted. Miserendino further teaches in [0137] that a fall-through classifier may be able to better handle truncated files.

Therefore, Li may be improved by using Miserendino's truncation detection in order to, as Miserendino teaches, send a truncated file to a classifier that may be able to better handle truncated files.



As to claim 14,   
Neither Li, Schmidtler, nor Pevny teaches
wherein the purported file length is not an actual file length and a verdict is determined prior to reaching an actual end of the file

Miserendino teaches
wherein the purported file length [0136] expected section lengths
is not an actual file length [0136] file buffer size
and a verdict is determined [0136] Truncation detection to detect truncation events
prior to reaching an actual end of the file 
[0137]  further processing may remove the file from analysis completely

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Li, Schmidtler, and Pevny with those of Miserendino as elements known in the prior art combined to yield predictable results. For example, Li discloses the use of n-gram analysis using machine learning models to detect malware (see [0004] and [0008]). Miserendino is directed to a particular case wherein a file has been truncated. Truncation is detected when the summation of file section lengths is greater than the total file buffer size. A file may be truncated, for example, when a download is interrupted. Miserendino further teaches in [0137] that a fall-through classifier may be able to better handle truncated files.

Therefore, Li may be improved by using Miserendino's truncation detection in order to, as Miserendino teaches, send a truncated file to a classifier that may be able to better handle truncated files.





Conclusion

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571 272 2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/RICHARD A MCCOY/Examiner, Art Unit 2431