Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the application 16/184,423 filed on 11/08/2018.
Claims 1-23 have been examined and are pending in this application.
Information Disclosure Statement
The information disclosure statements (IDS), submitted on 04/11/2019 and 02/08/2019, are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 22-23 are objected to because of the following informalities:
Regarding claims 22-23: claims 22-23 recite the limitation “the method of claim 21”. It would read as “The method of claim 21,”.
Appropriate correction(s) is required.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3, 8, 10, 15-16 and 21-23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhao (US 2018/0060580).
Regarding claim 1, Zhao discloses a method comprising: 
receiving an executable file, wherein the executable file (container file) is comprised of one or more bytes (file stored as a continuous set of bytes) (Zhao par. 0019 and 0022. Zhao teaches that the convolutional neural network may apply, to input data (e.g., a container file) as receiving the container file, i.e. executable file, a plurality of kernels adapted to process and extract information from portions of the input data and each file stored as a continuous set of bytes at an offset from a beginning of the container file); 
embedding the executable file (include one or more files) by converting each of the bytes in the executable file to vectors (one or more features) (Zhao par. 0017-0018, 0023-0024 and 0027. Zhao teaches that at the outset, representing the container file as a whole may require an extended feature space that concatenates, i.e., embedding, all features (e.g., file name, file path or location, size, creator, owner, embedded Universal Resource Locator (URL)) from every constituent file. The container file may be classified further based on one or more features, i.e. vectors, associated with the file including, i.e. embedding. The container file 100 may include one or more files for each architecture including, for example, a first file 122, a second file 124, a third file 126, and a fourth file 128, i.e. one or more vectors and a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files. See also par. 0006); 
determining (analyzing) whether the executable file includes malware by passing (utilized) the vectors through a convolutional neural network (CNN) (Zhao par. 0004, 0017, 0024 and 0026. Zhao teaches that training, based at least on training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; analyzing, i.e. determining, a container file as a whole may be inefficient thus, the container file is converted into a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files by the convolutional neural network may be trained to classify container files and convolutional neural network 200 may be utilized, i.e. passing, to process the container file 100. The container file 100 may include an n number of files including, for example, the first file 122, the second file 124, the third file 126, and the fourth file 128. See also par. 0018), wherein the CNN includes a plurality of convolutional layers and a global average pooling layer (Zhao par. 0018, 0020, 0025 and Fig. 2A (210, 220). Zhao teaches that classifying a container file may include utilizing a machine learning model configured to analyze the files individually. For example, the machine learning model may be a neural network including, for example, a convolutional neural network (CNN) and Pooling Layer. See also par. 0006); and 
providing an output indicating the determination of whether the received executable file includes the malware (Zhao par. 0039, 0045 and Fig.5. Zhao teaches that a training file may be a container file that is known to include at least one file rendering, i.e. providing, the container file malicious as a whole. The output of the neural network system a classification of a container file (e.g., the container file 100) as malicious or benign).  
Regarding claim 3, Zhao discloses the method of claim 1, 
Zhao further discloses wherein the CNN further includes a max pooling layer and a plurality of fully connected layers (Zhao par. 0025 and Fig. 2A. Zhao teaches that the convolutional neural network 200 may include a convolution layer 210, a pooling layer 220, a dense layer 230, a dropout layer 240, and an activation layer 250), and wherein the plurality of convolutional layers includes a first set of convolutional layers and a second set of convolutional layers (Zhao par. 0020 and 0035 and Fig. 2A. Zhao teaches that the convolutional neural network may include at least one convolutional layer having one or more learnable kernels configured to detect certain combinations of features in overlapping groups of two or more files. The convolutional neural network 200 is shown to include single convolution layer (e.g., the convolution layer 210). However, the convolutional neural network 200 may include additional convolution layers without departing from the scope of the present disclosure. For instance, each additional convolution layer may apply different kernels, which may include larger and/or more complex combination of features. See also par. 0036).
Regarding claim 8, Zhao discloses a system comprising: 
at least one processor (Zhao abstract and par. 0057. Zhao teaches that the system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including); and
a non-transitory computer readable storage medium having a program stored thereon, the program causing the at least one processor (Zhao abstract and par. 0057. Zhao teaches that the system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including); to execute the steps of:
receiving an executable file, wherein the executable file (container file) is comprised of one or more bytes (file stored as a continuous set of bytes) (Zhao par. 0019 and 0022. Zhao teaches that the convolutional neural network may apply, to input data (e.g., a container file) as receiving the container file, i.e. executable file, a plurality of kernels adapted to process and extract information from portions of the input data and each file stored as a continuous set of bytes at an offset from a beginning of the container file); 
embedding the executable file (include one or more files) by converting each of the bytes in the executable file to vectors (one or more features) (Zhao par. 0017-0018, 0023-0024 and 0027. Zhao teaches that at the outset, representing the container file as a whole may require an extended feature space that concatenates, i.e., embedding, all features (e.g., file name, file path or location, size, creator, owner, embedded Universal Resource Locator (URL)) from every constituent file. The container file may be classified further based on one or more features, i.e. vectors, associated with the file including, i.e. embedding. The container file 100 may include one or more files for each architecture including, for example, a first file 122, a second file 124, a third file 126, and a fourth file 128, i.e. one or more vectors and a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files. See also par. 0006); 
determining (analyzing) whether the executable file includes malware by passing (utilized) the vectors through a convolutional neural network (CNN) (Zhao par. 0004, 0017, 0024 and 0026. Zhao teaches that training, based at least on training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; analyzing, i.e. determining, a container file as a whole may be inefficient thus, the container file is converted into a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files by the convolutional neural network may be trained to classify container files and convolutional neural network 200 may be utilized, i.e. passing, to process the container file 100. The container file 100 may include an n number of files including, for example, the first file 122, the second file 124, the third file 126, and the fourth file 128. See also par. 0018), wherein the CNN includes a plurality of convolutional layers and a global average pooling layer (Zhao par. 0018, 0020, 0025 and Fig. 2A (210, 220). Zhao teaches that classifying a container file may include utilizing a machine learning model configured to analyze the files individually. For example, the machine learning model may be a neural network including, for example, a convolutional neural network (CNN) and Pooling Layer. See also par. 0006); and 
providing an output indicating the determination of whether the received executable file includes the malware (Zhao par. 0039, 0045 and Fig.5. Zhao teaches that a training file may be a container file that is known to include at least one file rendering, i.e. providing, the container file malicious as a whole. The output of the neural network system a classification of a container file (e.g., the container file 100) as malicious or benign).  
Regarding claim 10; claim 10 is directed to a system associated with the method claimed in claim 3. Claim 10 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 15, Zhao discloses a non-transitory computer readable storage medium comprising a set of instructions executable by a computer, the non-transitory computer readable storage medium (Zhao par. 0008 and 0057. Zhao teaches that Implementations of the current subject matter can include, but are not limited to, methods consistent with the descriptions provided herein as well as articles that comprise a tangibly embodied machine-readable medium operable to cause one or more machines (e.g., computers, etc.)) comprising: 
instructions for receiving an executable file, wherein the executable file (container file) is comprised of one or more bytes (file stored as a continuous set of bytes) (Zhao par. 0019 and 0022. Zhao teaches that the convolutional neural network may apply, to input data (e.g., a container file) as receiving the container file, i.e. executable file, a plurality of kernels adapted to process and extract information from portions of the input data and each file stored as a continuous set of bytes at an offset from a beginning of the container file); 
instructions for embedding the executable file (include one or more files) by converting each of the bytes in the executable file to vectors (one or more features) (Zhao par. 0017-0018, 0023-0024 and 0027. Zhao teaches that at the outset, representing the container file as a whole may require an extended feature space that concatenates, i.e., embedding, all features (e.g., file name, file path or location, size, creator, owner, embedded Universal Resource Locator (URL)) from every constituent file. The container file may be classified further based on one or more features, i.e. vectors, associated with the file including, i.e. embedding. The container file 100 may include one or more files for each architecture including, for example, a first file 122, a second file 124, a third file 126, and a fourth file 128, i.e. one or more vectors and a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files. See also par. 0006); 
instructions for determining (analyzing) whether the executable file includes malware by passing (utilized) the vectors through a convolutional neural network (CNN) (Zhao par. 0004, 0017, 0024 and 0026. Zhao teaches that training, based at least on training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; analyzing, i.e. determining, a container file as a whole may be inefficient thus, the container file is converted into a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files by the convolutional neural network may be trained to classify container files and convolutional neural network 200 may be utilized, i.e. passing, to process the container file 100. The container file 100 may include an n number of files including, for example, the first file 122, the second file 124, the third file 126, and the fourth file 128. See also par. 0018), wherein the CNN includes a plurality of convolutional layers and a global average pooling layer (Zhao par. 0018, 0020, 0025 and Fig. 2A (210, 220). Zhao teaches that classifying a container file may include utilizing a machine learning model configured to analyze the files individually. For example, the machine learning model may be a neural network including, for example, a convolutional neural network (CNN) and Pooling Layer. See also par. 0006); and 
instructions for providing an output indicating the determination of whether the received executable file includes the malware (Zhao par. 0039, 0045 and Fig.5. Zhao teaches that a training file may be a container file that is known to include at least one file rendering, i.e. providing, the container file malicious as a whole. The output of the neural network system a classification of a container file (e.g., the container file 100) as malicious or benign).  
Regarding claim 16; claim 16 is directed to a non-transitory computer readable storage medium associated with the method claimed in claim 3. Claim 16 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 21, Zhao discloses a method comprising: 
receiving, at one or more computing devices, an executable file (container file) (Zhao par. 0019 and 0022. Zhao teaches that the convolutional neural network may apply, to input data (e.g., a container file) as receiving the container file, i.e. executable file, a plurality of kernels adapted to process and extract information from portions of the input data); 
determining (analyzing) whether the received executable file includes malware (Zhao par. 0004, 0017, 0024 and 0026. Zhao teaches that training, based at least on training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; analyzing, i.e. determining, a container file as a whole may be inefficient thus, the container file is converted into a vector space having 100,000 features may be required to represent the container file 100 if the container file 100 includes 1,000 files by the convolutional neural network may be trained to classify container files and convolutional neural network 200 may be utilized, i.e. passing, to process the container file 100. The container file 100 may include an n number of files including, for example, the first file 122, the second file 124, the third file 126, and the fourth file 128. See also par. 0018); and 
providing an output indicating whether the received executable file includes the malware (Zhao par. 0039, 0045 and Fig.5. Zhao teaches that a training file may be a container file that is known to include at least one file rendering, i.e. providing, the container file malicious as a whole. The output of the neural network system a classification of a container file (e.g., the container file 100) as malicious or benign).  
Regarding claim 22, Zhao discloses the method of claim 21, 
Zhao further discloses wherein the determining comprises determining, using an executable file classification engine stored in one or more memory devices of the one or more computing devices, whether the received executable file includes the malware, the executable file classification engine being trained, using supervised learning, to classify the executable file into at least one of a plurality of classes (Zhao par. 0039. Zhao teaches that According to some example embodiments, the convolutional neural network 200 may be trained to classify container files (e.g., as malicious or benign) by at least utilizing the convolutional neural network 200 to process a plurality of training files. A training file may be a container file that is known to include at least one file rendering the container file malicious as a whole. Alternately or additionally, the training file may be a container file that is known to include two or more files that are individually benign but render the container file malicious as a combination. One or more supervised learning (e.g., backward propagation of errors) and optimization techniques (e.g., gradient descent) may be used to minimize an error in the output 204 relative to a correct classification of the training files. See also par. 0020-0021 and 0047-0048).
Regarding claim 23, Zhao discloses the method of claim 21, 
Zhao further discloses wherein the determining comprises determining, based on a feature vector comprising a plurality of features extracted from at least a portion of the received executable file (Zhao par. 0026 and 0049. Zhao teaches that the convolutional neural network 200 may be utilized to process the container file 100. The container file 100 may include an n number of files including, for example, the first file 122, the second file 124, the third file 126, and the fourth file 128. As such, the convolutional neural network 200 may receive, at an input 202, a plurality of feature vectors representing files included the container file 100. The convolutional neural network 200 may be adapted to process feature vectors corresponding to the files in each training file. For instance, the convolutional neural network 200 may process the first feature vector 212, the second feature vector 214, the third feature vector 216, and the fourth feature vector 218. These feature vectors may respectively correspond to the first file 122, the second file 124, the third file 126, and the fourth file 128 of the container file 100. See also par. 0020-0021 and 0047-0048).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person 
Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Zhao (US 2018/0060580) and in view of Girod (US 6,112,219).
Regarding claim 2, Zhao discloses the method of claim 1, 
Zhao further discloses converting each of the bytes in the executable file to vectors (Zhao par. 0017-0018, 0022 and 0026. Zhao teaches that a plurality of feature vectors representing files included the container file and the convolutional neural network 200 may receive an n number of feature vectors); Zhao does not explicitly disclose wherein each of the bytes is an eight-dimensional vector.
However, in an analogous art, Girod discloses wherein each of the bytes is an eight-dimensional vector (Girod Col. 6; lines 50-51 and Col.7; lines 47-48. Girod teaches that the input samples and output coefficients, are represented by eight-dimensional column vectors and input samples having a precision of eight bits have been assumed, as above).  
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the representing of input data of Zhao using the representation of input data taught in Girod in order to represent the input data by eight-dimensional vectors to reduce storage space, faster the amount of computing cycle and to improve the speed of software process (Girod Col. 2; lines 61-63; Col. 6; lines 50-51 and Col.7; lines 57-59).
Regarding claim 9; claim 9 is directed to a system associated with the method claimed in claim 2. Claim 9 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Zhao (US 2018/0060580) and in view of Feeney (US 2010/0162400).
Regarding claim 7, Zhao discloses the method of claim 1, 
Zhao further discloses determining the executable file includes the malware (Zhao par. 0004, 0017, 0024 and 0026); Zhao does not explicitly disclose further comprising: denying execution of the executable file in response to determining the executable file includes the malware; and executing the executable file in response to determining the executable file does not include the malware.
However, in an analogous art, Feeney discloses wherein further comprising: denying execution of the executable file in response to determining the executable file includes the malware (Feeney par. 0064. Feeney teaches that such decisions then be used in conjunction with an overall intrusion-detection, virus-filtering or virus scanning apparatus to control access to the file (e.g. the information may be used to determine if a file should be deleted, quarantined, passed to the client with a warning, or passed to the client without a warning). See also par. 0075); and executing the executable file in response to determining the executable file does not include the malware (Feeney par. 0064. Feeney teaches that such decisions then be used in conjunction with an overall intrusion-detection, virus-filtering or virus scanning apparatus to control access to the file (e.g. the information may be used to determine if a file should be passed to the client without a warning). See also par. 0075).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of file analysis of Zhao using the method of examining file taught in Feeney in order to detect vulnerabilities (Files containing such malicious software/code) in specific applications, so as to execute machine-code instructions and to take a decision to control access to the file (output from a model, whether the file is normal, is possibly infected, or is definitely infected) (Feeney par. 0002 and 0064).
Regarding claim 14; claim 14 is directed to a system associated with the method claimed in claim 7. Claim 14 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Allowable Subject Matter
Claims 4-6, 11-13 and 17-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907.  The examiner can normally be reached on M-F 8:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, FARID HOMAYOUNMEHR can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SANCHIT K SARKER/ Examiner, Art Unit 2495