DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Analysis - 35 USC § 101
With respect to claim 23, the Examiner finds that the claim term “computer storage media” is directed towards statutory subject matter. In particular, the Specification, at paragraph [0052], explicitly defines computer storage media to exclude communication media such as data signals or carrier waves. Thus, the claimed “computer storage media” is limited to statutory forms of non-transitory hardware media, as it does not include transitory media.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an email exchange with Logan Brown (Reg. No. 58,290) on 03/29/2021.
The application has been amended as follows (on top of the latest amendments submitted by the Applicant on 02/04/2021):

Listing of Claims:
1.	(Currently Amended) A method of determining that a sequence of events at a monitored computing device is associated with malware, the method comprising:

locating a loop within the sequence of events based at least in part on relative frequencies of the event types, wherein the loop is defined at least partly by a boundary;
determining a distribution of event types of the events within the loop; 
determining that the sequence of events is associated with malware based at least in part on the distribution of event types within the loop;
selecting a first portion of the sequence of events;
selecting a second portion of the sequence of events, wherein the first portion and the second portion comprise respective back-to-back fixed-size sliding windows;
determining a first distribution of event types of the events within the first portion;
determining a second distribution of event types of the events within the second portion;
determining that a difference between the first distribution of the first portion and the second distribution of the second portion satisfies a predetermined boundary criterion representing a condition for locating a boundary between distributions of back-to-back fixed-size sliding windows, wherein a previous first portion of the back-to-back fixed-size sliding windows corresponding to a previous difference of distributions at least partially overlaps with the first portion;
in response to determining that the difference satisfies the predetermined boundary criterion, locating the boundary at least partly defining the loop in the sequence of events between the first portion and the second portion; and
in response to determining that the sequence of events is associated with malware, performing a remediation operation or a mitigation operation on at least one software module associated with the sequence of events.
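The steps of claim 1 describe a concrete procedure: two back-to-back fixed-size sliding windows, a distribution of event types per window, a difference test between the two distributions, and a boundary placed between the windows when the test is satisfied, followed by classification of the enclosed loop and a remediation step. The following Python is an added illustration of that procedure and is not the applicant's code, the examiner's, or part of the record. It assumes, beyond what the claim states, that the "difference" is the Jensen-Shannon divergence, that the "predetermined boundary criterion" is a fixed divergence threshold, that a run of events enclosed by two located boundaries is the loop, and that the catalog of malware distributions (claim 8) is a hypothetical dictionary; the event sequence and catalog entry are constructed sample data.

```python
# Added example (not the applicant's or the examiner's code) modelling the
# sliding-window loop-location steps recited in claim 1. Assumptions: JSD as
# the difference measure, a fixed threshold as the boundary criterion, and a
# hypothetical malware catalog; all sample data is constructed.
from collections import Counter
from math import log2

EVENT_TYPES = ("api", "ipc", "syscall", "irp")   # the categories named in claim 6


def distribution(events):
    """Normalised histogram of event types over one portion of the sequence."""
    counts = Counter(events)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("empty portion has no distribution")
    return {t: counts.get(t, 0) / total for t in EVENT_TYPES}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0.0 for identical distributions,
    1.0 for distributions with disjoint support."""
    m = {t: 0.5 * (p[t] + q[t]) for t in EVENT_TYPES}

    def kl(a, b):
        return sum(a[t] * log2(a[t] / b[t]) for t in EVENT_TYPES if a[t] > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def merge_hits(hits, window):
    """Consecutive first portions overlap (stride < window), so one real change
    point fires the criterion at several nearby offsets. Collapse each cluster
    of hits closer than `window` to the offset with the largest difference."""
    merged, cluster = [], []
    for pos, diff in hits:
        if cluster and pos - cluster[-1][0] >= window:
            merged.append(max(cluster, key=lambda h: h[1])[0])
            cluster = []
        cluster.append((pos, diff))
    if cluster:
        merged.append(max(cluster, key=lambda h: h[1])[0])
    return merged


def locate_boundaries(events, window, stride, threshold):
    """Slide two back-to-back fixed-size windows (first and second portion)
    along the sequence; report the offset between them wherever the
    distribution difference satisfies the criterion (JSD >= threshold)."""
    if not 0 < stride < window:
        raise ValueError("stride must be smaller than window so first portions overlap")
    hits = []
    for start in range(0, len(events) - 2 * window + 1, stride):
        first = events[start:start + window]
        second = events[start + window:start + 2 * window]
        diff = js_divergence(distribution(first), distribution(second))
        if diff >= threshold:
            hits.append((start + window, diff))   # boundary lies between the portions
    return merge_hits(hits, window)


def locate_loops(events, window, stride, threshold):
    """Assumption: a loop candidate is the run enclosed by two located boundaries."""
    b = locate_boundaries(events, window, stride, threshold)
    return list(zip(b, b[1:]))


def classify_loop(events, loop, catalog, tolerance=0.05):
    """Claim 8 style check: the loop's distribution is 'found' in the malware
    catalog when it lies within `tolerance` (JSD) of an entry. Returns the
    matching catalog name, or None."""
    dist = distribution(events[loop[0]:loop[1]])
    for name, known in catalog.items():
        if js_divergence(dist, known) <= tolerance:
            return name
    return None


def analyze_sequence(events, catalog, window=6, stride=2, threshold=0.5):
    """End to end: locate loops, classify each, and record the mitigation a host
    agent would apply to the module that produced the sequence (claim 10)."""
    findings = []
    for loop in locate_loops(events, window, stride, threshold):
        match = classify_loop(events, loop, catalog)
        if match is not None:
            findings.append({"loop": loop, "matches": match, "action": "terminate-module"})
    return findings


# Constructed sample: a benign prologue, a 36-event loop dominated by
# syscall/IRP activity, then a benign epilogue. Event types only, no telemetry.
SAMPLE_EVENTS = (["api", "ipc"] * 6
                 + ["syscall", "irp", "irp"] * 12
                 + ["ipc", "api", "ipc", "api"] * 3)

# Hypothetical catalog of known-malicious loop distributions (claim 8).
CATALOG = {
    "constructed-io-loop": {"api": 0.0, "ipc": 0.0, "syscall": 1 / 3, "irp": 2 / 3},
}

if __name__ == "__main__":
    print(locate_boundaries(SAMPLE_EVENTS, 6, 2, 0.5))   # [12, 48]
    print(analyze_sequence(SAMPLE_EVENTS, CATALOG))
```

With a stride of 2 and a window of 6, the criterion fires at offsets 12, 46 and 48 on the constructed sequence; the overlap of successive first portions is why the merge step exists, and it reports the single boundaries 12 and 48 that enclose the loop.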

2.	(Original) The method according to claim 1, wherein events of the sequence of events are produced by at least one process or at least one thread.

3.	(Canceled).

4.	(Canceled).



6.	(Original) The method according to claim 1, wherein the respective event types are selected from the group consisting of: a system-call type, an Application Programming Interface (API)-call type, an input-output (I/O) request packet (IRP) type, or an inter-process communication (IPC)-message type.

7.	(Original) The method according to claim 1, further comprising:
determining that the distribution of event types within the loop is not found in a catalog of distributions associated with the sequence of events; and
in response, determining that the sequence of events is associated with malware.

8.	(Original) The method according to claim 1, further comprising:
determining that the distribution of event types within the loop is found in a catalog of distributions associated with malware; and
in response, determining that the sequence of events is associated with malware.

9.	(Original) The method according to claim 1, further comprising detecting, at the monitored computing device, a plurality of stack traces associated with respective events of the events within the loop.

10.	(Previously Presented) The method according to claim 1, further comprising, in response to determining that the sequence of events is associated with malware, terminating the at least one software module associated with the sequence of events.

11-19.	(Canceled)

20.	(Currently Amended) A method of determining that a sequence of events is associated with malware, the method comprising:
receiving event records of respective events in the sequence of events, each event record associated with a monitored computing device and having an event type;

determining a distribution of event types of the events within the loop; 
determining that the sequence of events is associated with malware based at least in part on the distribution of event types within the loop;
selecting a first portion of the sequence of events;
selecting a second portion of the sequence of events;
determining a first distribution of event types of the events within the first portion;
determining a second distribution of event types of the events within the second portion;
determining that a difference between the first distribution of the first portion and the second distribution of the second portion satisfies a predetermined boundary criterion representing a condition for locating a boundary between the distributions of portions of the sequence of events, wherein the first portion at least partially overlaps with a previous first portion corresponding to a previous difference between a previous first distribution of the previous first portion and a previous second distribution of a previous second portion;
in response to determining that the difference satisfies the predetermined boundary criterion, locating the boundary at least partly defining the loop in the sequence of events between the first portion and the second portion, the distribution of event types comprising information representing the occurrences of events outside both the first portion and the second portion; and
in response to determining that the sequence of events is associated with malware, performing a remediation operation or a mitigation operation associated with the sequence of events. 

21.	(Previously Presented) The method according to claim 20, further comprising:
detecting, at the monitored computing device, a plurality of stack traces associated with respective events of the events within the loop; and
locating a point of commonality among the plurality of stack traces.

22.	(Previously Presented) The method according to claim 9, further comprising locating a point of commonality among the plurality of stack traces associated with respective events of the events within the loop.


detecting, at the monitored computing device, the sequence of the events, individual events having respective event types and taking place at the monitored computing device;
locating a loop within the sequence of events based at least in part on relative frequencies of the event types, wherein the loop is defined at least partly by a boundary;
determining a distribution of event types of the events within the loop; 
determining that the sequence of events is associated with malware based at least in part on the distribution of event types within the loop;
selecting a first portion of the sequence of events;
selecting a second portion of the sequence of events, wherein the first portion and the second portion comprise respective back-to-back fixed-size sliding windows;
determining a first distribution of event types of the events within the first portion;
determining a second distribution of event types of the events within the second portion;
determining that a difference between the first distribution of the first portion and the second distribution of the second portion satisfies a predetermined boundary criterion representing a condition for locating a boundary between distributions of back-to-back fixed-size sliding windows, wherein a previous first portion of the back-to-back fixed-size sliding windows corresponding to a previous difference of distributions at least partially overlaps with the first portion;
in response to determining that the difference satisfies the predetermined boundary criterion, locating the boundary at least partly defining the loop in the sequence of events between the first portion and the second portion; and
in response to determining that the sequence of events is associated with malware, performing a remediation operation or a mitigation operation on at least one software module associated with the sequence of events.

24.	(New) The one or more computer storage media according to claim 23, wherein events of the sequence of events are produced by at least one process or at least one thread.



26.	(New) The one or more computer storage media according to claim 23, wherein the respective event types are selected from the group consisting of: a system-call type, an Application Programming Interface (API)-call type, an input-output (I/O) request packet (IRP) type, or an inter-process communication (IPC)-message type.

27.	(New) The one or more computer storage media according to claim 23, the operations further comprising:
determining that the distribution of event types within the loop is not found in a catalog of distributions associated with the sequence of events; and
in response, determining that the sequence of events is associated with malware.

28.	(New) The one or more computer storage media according to claim 23, the operations further comprising:
determining that the distribution of event types within the loop is found in a catalog of distributions associated with malware; and
in response, determining that the sequence of events is associated with malware.

29.	(New) The one or more computer storage media according to claim 23, the operations further comprising detecting, at the monitored computing device, a plurality of stack traces associated with respective events of the events within the loop.

30.	(New) The one or more computer storage media according to claim 29, the operations further comprising locating a point of commonality among the plurality of stack traces associated with respective events of the events within the loop.

31.	(New) The one or more computer storage media according to claim 23, the operations further comprising, in response to determining that the sequence of events is associated with malware, terminating the at least one software module associated with the sequence of events.

Allowable Subject Matter
Claims 1-2, 5-10 and 20-31 are allowed.
	Regarding claim 1, the prior art of record (Kouznetsov, US-6973577-B1 (hereinafter “Kouznetsov ’577”) in view of Brown et al., US-20170163669-A1 (hereinafter “Brown ’669”) and Badishi, US-20160232347-A1 (hereinafter “Badishi ’347”)) does not disclose “wherein a previous first portion of the back-to-back fixed-size sliding windows corresponding to a previous difference of distributions at least partially overlaps with the first portion” in the recited context. Rather, Kouznetsov ’577 teaches that occurrences of suspected patterns are identified to generate histograms which include behavioral repetitions, but fails to teach extracting a portion of distributions for determining a difference among the histograms. To this, Brown ’669 adds that a JDS value is calculated to measure the difference between the previous and recent event-type probability distributions, but is silent as to how the two distributions should overlap in terms of identifying the difference. Also, Badishi ’347 teaches that the sequence of function calls (events) is determined to be associated with malware in the database and, if an anomaly is detected, a process is blocked or killed, but contains no disclosure of a comparison of two distributions.
For the reasons described above, the prior art of record does not disclose, with respect to claims 20 and 23, features corresponding to those of claim 1 in the respective contexts.
Dependent claims 2, 5-10, 21-22 and 24-31 are allowed in view of their respective dependence from allowed claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332. The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SANGSEOK PARK/Examiner, Art Unit 2494
/Kevin Bechtel/Primary Examiner, Art Unit 2491