Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 2, 4 – 10, 12 – 16, 21, 22, and 24 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.
This action is in response to the communication filed on 4/26/2021.
All objections and rejections not set forth below have been withdrawn.

Election/Restrictions

Applicant’s election without traverse of claims 1-16 in the reply filed on 11/23/20 is acknowledged.


Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it 

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 6 and 14 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding claims 6 and 14, the applicant’s specification fails to reasonably describe the scope or meaning of “close in time or were created at approximately the same time”. The examiner notes that these recitations are relative; however, the applicant’s specification fails to provide any context or reference point for understanding what falls within or outside the scope of “close in time” or “approximately the same time”.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding claims 6 and 14, the recitations of “close in time or were created at approximately the same time” are relative; however, the applicant’s specification and claims fail to provide any context or reference point for ascertaining the requisite degree of subject matter falling within or outside the scope of “close in time” or “approximately the same time”. Thus, the claims are indefinite in scope.

Regarding claim 7, the recitation “…a device where the two or more suspicious fragments were identified…” lacks antecedent basis within the claims. Specifically, while the applicant’s claim recitations do introduce “a device”, the applicant’s claims do not have antecedent basis for identifying the specific two or more suspicious fragments upon any device. Thus, the scope of the claims is indefinite. For the purpose of expedited examination, the examiner presumes the applicant’s a device where are identified…”.


Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4 – 9, 12 – 16, 21, and 24 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Agranonik et al. (Agranonik), US 10,581,888 B1.

Regarding claim 1, Agranonik discloses:
A computing apparatus, comprising: a hardware platform; and a storage medium having stored thereon executable instructions to provide a threat detection engine (e.g. Agranonik, fig. 1; 2:46-52; claim 18) configured to: 
identify two or more suspicious fragment objects (e.g. Agranonik, 1:29-39; 4:17-23).  Herein, a plurality of scripts (i.e. “suspicious fragment objects”) are identified for analysis.
store the two or more identified suspicious fragments objects (e.g. Agranonik, Abstract, fig. 1:108; 2:46-53; 3:9-24); 
add the two or more identified suspicious fragment objects to a rolling map to provide a temporal snapshot of suspicious fragment objects over a time span (e.g. Agranonik, 5:10-13; 10:29-37, 11:64-67).  Herein, the new fragments are added to data collected over a period of epochs within a continuous vector space (i.e. a “rolling map”); 
determine a connection between the two or more new identified suspicious fragment objects within the rolling map by analyzing data in each of the two or more stored suspicious fragment objects and metadata associated with each of the two or more stored suspicious fragment objects to determine previous and possible future connections (e.g. Agranonik, 7:4-11; 10:6-10, 38-43).  Herein, similarities (i.e. “connections”) are determined between the plurality of stored fragments, for the purpose of identifying existing classifications (i.e. “previous connections”) and continuously learned classifications (i.e. “possible future connections”).
apply the connection to a connection map (e.g. Agranonik, fig. 3:313; 11:16-22).  Herein, the newly connected data is passed to a fully connected layer (i.e. “connection map”) of a neural network.
and determine that the two or more stored suspicious fragment objects represent a probable computer security threat (e.g. Agranonik, fig. 3:315; 11:22-29).  Herein, the . 

Regarding claim 4, Agranonik discloses:
wherein determining that the two or more stored suspicious fragment objects represent a probable computer security threat comprises linking the fragments based on the data in each of the two or more stored suspicious fragment objects and the metadata associated with each of the two or more stored suspicious fragment objects (e.g. Agranonik, 9:19-28, 46-50; 9:66-10:10).  Herein, the command (i.e. “content”) as well as the location or positions of the commands (i.e. “metadata”) of the stored scripts are compared via deep learning to form malicious or benign associations.

Regarding claim 5, Agranonik discloses:
wherein determining the connection comprises identifying a verified connection between the two or more stored suspicious fragment objects (e.g. Agranonik, 3:9-24).  Herein, connections between fragments are made (i.e. “verified connections”). 

Regarding claim 6, Agranonik discloses:
wherein the determined connection is classified as a weak connection between the two or more stored suspicious fragment objects if the two or more stored suspicious fragment objects execute close in time or were created at approximately the same time (e.g. Agranonik, 3:9-24; 5:10-13; 10:29-37, 11:64-67). Herein, connections of 

Regarding claim 7, Agranonik discloses:
wherein the threat detection engine further comprises a fragment predictor to predict a fragment to occur on a device where the two or more suspicious fragments were identified (e.g. Agranonik, 3:46-4:6).  Herein, the inference engine comprises means to identity a potentially malicious script (i.e. a “fragment predictor”) and alerts a client device to review or identify such scripts for remediation. 

Regarding claim 8, Agranonik discloses:
wherein at least one of the two or more suspicious fragment objects are from the group consisting of a windows management instrumentation (WMI) entry, a registry entry, an environment variable, a cookie, a macro, a shortcut, a link, and a scheduled task (e.g. Agranonik, 7:61-8:20).  Herein, suspicious fragments may comprise scripts, such as powershell scripts (i.e. “macros” or “scheduled tasks”), link libraries, OS primitives (i.e. “environmental variables”), or registry entries.

Claims 9, 12 – 16, 21, and 24 are method and medium claims essentially corresponding to the above apparatus claims and they are rejected, at least, for the same reasons.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 10, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Agranonik et al. (Agranonik), US 10,581,888 B1 in view of Oliner et al. (Oliner), US 2019/0306184 A1.

Regarding claim 2, Agranonik discloses a machine learning system for detecting malware; however, Agranonik does not explicitly disclose that the machine learning occurs over a time span of one hour.
However, Oliner also discloses a machine learning system for detecting malware, and furthermore discloses that the machine learning should occur over a time span of at least one hour (e.g. Oliner, par. 235, 259, 269).

Thus, the combination enables:
wherein the time span is one hour (e.g. Agranonik, 11:64-12:3; Oliner, par. 269-271). 

Claims 10 and 22 are method and medium claims essentially corresponding to the above apparatus claims and they are rejected, at least, for the same reasons.

Response to Arguments

Applicant's arguments filed 4/26/21 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
No reference includes a feature offering a storage medium having stored thereon executable instructions to provide a threat detection engine configured to identify two or more suspicious fragment objects, store the two or more identified suspicious fragments objects, add the two or more identified suspicious fragments objects to a rolling map to provide a temporal snapshot of suspicious fragment 
…
(Remarks, pg. 12)

Examiner respectfully responds:
The examiner notes that the applicant’s argument essentially comprises only an allegation that the majority of the amended claim recitations are patentable over the prior art.  However, the applicant’s remarks are respectfully noted to be unpersuasive, at least, for the reason that they fail to comprise any specific evidence or rationale for supporting such alleged distinction.
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Conclusion


THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JEFFERY L WILLIAMS/           Primary Examiner, Art Unit 2495