Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This office action is in response to 05/16/2019. Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/15/2019 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.


Drawings
The drawings filed on 05/16/2019 are accepted by the examiner.

Allowable Subject Matter
Claims 1-20 are allowed in light of the Applicant’s argument and in light of the prior art made of record.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:


Cavazos et al. (prior art on the record) teaches a system for detecting malware. Malware may be detected by obtaining a plurality of malware binary executables and a plurality of goodware binary executables, decompiling the plurality of malware binary executables and the plurality of goodware binary executables to extract corresponding assembly code for each of the plurality of malware binary executables and the plurality of goodware binary executables, constructing call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables from their corresponding assembly code, determining similarities between the call graphs using graph kernels applied to the call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables, building a malware detection model from the determined similarities between call graphs by applying a machine learning algorithm such as a deep neural network (DNN) algorithm to the determined similarities, and identifying whether a subject executable is malware by applying the built malware detection model to the subject executable.
Anderson et al. (prior art on the record) teaches a system for classifying programs as malware or non-malware. Included herein are techniques and tools for classifying programs and for detecting malware based on the analysis of graphs constructed using dynamically collected instruction traces of executable programs. With the increasing proliferation of malware threats, new techniques to detect and contain malware can be desirable. Further, the dynamic program traces include data that is derived at least from the dynamic execution of a program. A Markov chain representation of individual instructions derived from the execution of programs can be used to grant a finer level of resolution, and taking the Markov chain as a graph allows for the use of the machinery of graph kernels to construct a similarity matrix between instances in a training set. In some implementations, 2-grams can be used to condition transition probabilities for the Markov chain. In some implementations, a graph multiple kernel learning framework can be used in classification. In one implementation, two distinct measures of similarity can be used to construct a kernel matrix: a Gaussian kernel, which can measure local similarity between the graphs' edges, and a spectral kernel, which can measure global similarity between the graphs. Given a constructed kernel matrix, a kernel-based classification algorithm or process (e.g., a support vector machine, a Gaussian process, or the like) can be trained to perform classification on new testing points such as unclassified programs.
Anderson et al. (prior art on the record) teaches a system for protecting computers against remote malware downloads that includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. The download event information identifies a file, a network address (e.g., uniform resource locator) from which the file was downloaded, and an identifier of the client computer that downloaded the file. The malware download detection system uses the download event information to build and update a tripartite download graph, and uses the download graph to train one or more classifiers. The malware download detection system consults the one or more classifiers to classify a download event. The download event is classified as malicious if either the file or the network address is classified as malicious.
Kreal et al. (prior art on the record) teaches a system for classifying executable files using convolutional networks. Further, the system enables (i) receiving an executable file, wherein the executable file is comprised of one or more bytes, (ii) embedding the executable file by converting each of the bytes in the executable file to vectors, (iii) determining whether the executable file includes malware by passing the vectors through a convolutional neural network (CNN), wherein the CNN includes a plurality of convolutional layers and a global average pooling layer, and (iv) providing an output indicating the determination of whether the received executable file includes the malware.

None of the prior art of record teaches the non-obvious feature of the present invention, “map each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary; form vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors; generate, based on the formed vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file; form, a vector representation of the executable file based in part on the call graph model of the executable file; and determine, based on the vector representation of the executable file, whether the executable file is malware”, in combination with other limitations as detailed in independent claims.
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Therefore, claims 1-20 are hereby allowed in view of applicant’s persuasive arguments and in the light of amendments to the claims.
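The data flow of the quoted limitation (instruction, block, function, call graph, executable vector) can be sketched as follows. This is an added illustration, not code from the application or from any reference of record. The vocabulary, the fixed random embedding matrix, the sum and mean aggregation, the single call-graph aggregation round and the sample program are all assumptions made for the example; the final malware determination would be a trained classifier applied to the resulting vector and is not shown.

```python
import random

# Constructed instruction vocabulary (assumption); "<unk>" absorbs unseen
# mnemonics so every instruction maps to a vector of the same fixed length.
VOCAB = ["mov", "push", "pop", "call", "jmp", "cmp", "xor", "ret", "<unk>"]
INDEX = {m: i for i, m in enumerate(VOCAB)}
DIM = 4
_rng = random.Random(0)
# Fixed random matrix standing in for a learned embedding (assumption).
EMBED = [[_rng.uniform(-1, 1) for _ in range(DIM)] for _ in VOCAB]

def one_hot(mnemonic):
    vec = [0.0] * len(VOCAB)
    vec[INDEX.get(mnemonic, INDEX["<unk>"])] = 1.0
    return vec

def embed(onehot):
    return [sum(o * EMBED[i][d] for i, o in enumerate(onehot)) for d in range(DIM)]

def vsum(vectors):
    out = [0.0] * DIM
    for v in vectors:
        out = [a + b for a, b in zip(out, v)]
    return out

def block_vector(block):
    """Embed each one-hot instruction vector and sum the bag (order-insensitive)."""
    return vsum(embed(one_hot(m)) for m in block)

def function_vector(cfg_blocks):
    """Aggregate the block vectors of one function's control flow graph."""
    return vsum(block_vector(b) for b in cfg_blocks)

def executable_vector(functions, call_edges):
    """One aggregation round over the call graph, then mean-pool the functions."""
    h = {name: function_vector(blocks) for name, blocks in functions.items()}
    mixed = {}
    for name in h:
        callees = [h[dst] for src, dst in call_edges if src == name and dst in h]
        mixed[name] = vsum([h[name]] + callees)
    return [x / max(len(mixed), 1) for x in vsum(mixed.values())]

# Constructed sample: two functions, each a list of basic blocks; main calls decrypt.
SAMPLE = {
    "main": [["push", "mov", "call"], ["cmp", "jmp"], ["pop", "ret"]],
    "decrypt": [["xor", "xor", "vpshufb"], ["ret"]],
}
SAMPLE_EDGES = [("main", "decrypt")]
```
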

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see form “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey L. Nickerson, can be reached on (469) 295-9235. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from their Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (In USA or Canada) or 571-272-1000.