DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Claim Rejections - 35 USC § 103
1. Applicant argues that Parikh is silent regarding "dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities," as recited in claim 1 (see Remarks, page 3, ¶ 2).
Applicant’s arguments with respect to claim(s) 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Specifically, the new ground of rejection relies on Luo (US 2019/0102554).

2. Applicant argues that Sridhara is silent regarding "wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure," as recited in amended claim 1 (see Remarks, page 3, ¶ 3-page, ¶ 1).
Applicant’s arguments with respect to claim(s) 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Specifically, the new ground of rejection relies on Luo (US 2019/0102554) to teach "wherein the security risk score is employed based on a deep learning algorithm”.  Additionally, Sridhara teaches “to take the remedial measure" (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. And see [0005]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 8, 10, 12, 13, 16, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), and further in view of Luo (US 2019/0102554).

Regarding claims 1, 10 and 17, Sridhara teaches A method of generating cognitive security intelligence for detecting and preventing a malware in a computing system (see [0005]: “the method further includes monitoring an instruction queue to identify an instruction sequence associated with the , the method comprising: 
monitoring, by a cognitive security device implemented in the computing system, instructions being executed by a processor of the computing system (see [0099] and Fig. 2: “The debug and trace module 212 may be configured to monitor various device features at a low level (e.g., at the firmware, hardware, or machine levels), and to monitor an instruction queue to identify instruction sequences or instruction execution patterns that are associated with the monitored features”); 
determining, by the cognitive security device, a plurality of events triggered by the execution of the instructions and a plurality of activities performed by the execution of the instructions (see [0054]: “The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events. The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.), file read/write/seek operations, changing file permissions, etc.”. And see [0046]: “the configurable hardware debug and trace module 122 may be configured to monitor key assets (e.g., portions of the system memory 112, etc.) at a low level (e.g., at the kernel, firmware, hardware, or machine levels) to identify a suspicious or malicious activities, events, behaviors, software applications, or processes”. And see [0028]); 
correlating, by the cognitive security device, the plurality of events and the plurality of activities to determine a sequence of events (see [0091]: “the mobile device 102 may be configured to determine the sequences of operations that should be analyzed together as a single mobile device behavior and/or the mobile device behaviors that require additional, different, or deeper analysis. For example, the behavior analyzer module 204 may determine that all API calls relating a critical resource and its associated ghost resources logged in the past week should be analyzed together as a single mobile device behavior”. Because [0054] states that events may be observed by collecting information pertaining to library API calls, the Examiner interprets determining “that all API calls relating a critical resource and its associated ghost resources logged in the past week should be analyzed together as a single mobile device behavior” taught in [0091] as correlating, by the cognitive security device, the plurality of events … to determine a sequence of events) and activities (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. The Examiner interprets “identified sequences/patterns” compared “to known patterns of malicious activities” taught in [0099] as a sequence of activities) (And see [0037]: “The hardware debug module may be configured to prevent access to information or key assets based on the privileges of a requesting software application. …Privileges may be set based on execution patterns or sequences of operations, such as whether the software application is authorized to access and use the communication circuitry of the mobile device after reading a portion of the memory that stores credit card information, security keys, device IDs, etc.” Also see [0005], [0035] and [0090]); 
mapping, by the cognitive security device, the sequence of events and activities with a topographical threat map to detect a pattern match corresponding to the malware (see [0090]: “the mobile device 102 may be configured to compare and/or analyze information retrieved from the API call behavioral log database with behavioral specification models to identify suspicious sequences or patterns of API calls that are indicative of a malicious activity or behavior, to identify the operations that should be evaluated together as part of a single mobile device behavior”. And [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. The Examiner interprets “known patterns of malicious activities” in [0099] and “behavioral specification models” in [0090] as a topographical threat map. The Examiner further interprets “to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison” in [0099] as mapping, by the cognitive security device, the sequence of events and activities with a topographical threat map to detect a pattern match corresponding to the malware. And see [0119]: “the mobile device may also monitor an instruction queue to identify an instruction sequence associated with the key asset, determine whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities”.  Also see [0005], [0070], [0091] and [0121]), 
wherein the topographical threat map is event and activity behavior map of malwares (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. The Examiner interprets “known patterns of malicious activities” in [0099] as a topographical threat map, wherein the topographical threat map is event and activity behavior map of malwares), and is built based on a cognitive analysis of at least one of external knowledge, or historic knowledge (see [0081]: “the analyzer module 204 may be configured to perform real-time behavior analysis operations, which may include performing, executing, and/or applying data, algorithms, classifiers or behavior models (collectively "classifier models") to the collected behavior information. Each classifier model may be a behavior model that includes information that may be used by a mobile device processor to evaluate a specific aspect of a mobile device behavior. The classifier models may be preinstalled on the mobile device, downloaded, received from a network server, generated in the mobile device, or any combination thereof. A classifier model may be generated by using machine learning and other similar techniques”. And see [0087]: “The network server may continuously reevaluate existing classifier models as new behavior/analysis reports are received from mobile devices, and/or generate new or updated models based on historical information (e.g., collected from prior executions, previous applications of behavior models, etc.), new information, machine learning”. And see [0110]: “the mobile device 102 may further include a communication link suitable for communicating with a network server and/or a component in a cloud service or network. The communication link may be configured to support sending and receiving behavior models to and from an external server”. The Examiner interprets “behavior models” disclosed in [0090] and [0081], which is interpreted as the topographical threat map, wherein the behavior model is received by the mobile device 102 from a network server (see [0081] and [0110]) that uses “historical information” to generate the behavior model (see [0087]), as “wherein the topographical threat map … is built based on a cognitive analysis of … historic knowledge”, as recited in claim 1); and 
upon detecting the pattern match corresponding to the malware, effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. And see [0005]).

Sridhara fails to teach wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares (emphasis added).
In the same field of endeavor, Lee teaches wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares (see ABSTRACT: “The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. …The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base”. And see [0025]: “assume that the server 110 is communicatively coupled to the knowledge base 122 includes a set of application groups, each of which corresponds to a particular malware family or malware group”. The Examiner interprets “a set of application groups, each of which corresponds to a particular malware family or malware group” in [0025] as a plurality of categories of malwares recited in claim 1. And see [0030]: “the classifier component 226 may evaluate the event sequence of the new application based on the knowledge base”. And see [0031]: “The event sequence of the application may be compared with the event information of each application group in the knowledge base in order to calculate similarity distances”. The Examiner further interprets the knowledge base 122 including event information of “a set of application groups, each of which corresponds to a particular malware family or malware group” as wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares. And see [0021] and [0026]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the topographical threat map comprising an event and activity behavior map of malwares taught by Sridhara be an event and activity behavior map of a plurality of categories of malwares (emphasis added), as taught by Lee. It would have been obvious because Lee teaches that doing so enables the following desirable actions: “the information about the determined application group may be provided. For example, if the new application is classified to determine whether the application is one of the known malware family variants, the information of the malware family where new application belongs may be provided. In one embodiment, such information may be fed into an anti-malware application or anti-malware module residing on the client device. In another embodiment, the information may be presented on the screen of the client device allowing users to perform appropriate actions” (see Lee [0043]).


In the same field of endeavor, Luo teaches wherein mapping further comprises dynamically (see [0041] and Fig. 1: “dynamic alert threshold setting logic 158 uses an approximation algorithm to dynamically set a threshold for multi-urgency alert levels”. And see [0036] and Fig. 2A: “if, at block 184, machine learning candidate model training logic 152 determines that it is time to train candidate models, then it automatically trains one or more additional candidate models based upon the available training data”. And see [0040]: “If, at block 198, it is determined that one of the candidate models actually performed better than the production model 138 currently being used by alert generation computing system 104, then, if it has not already done so, the system automatically sets the alert and reset thresholds”. The Examiner interprets determining using a model regularly updated through machine learning as dynamically determining…) determining a security risk score and a security threat zone for a set of events from the plurality of events or (emphasis added to show the difference between the reference and the claim) a set of activities from the plurality of activities (see [0033] and Fig. 2A: “It is first assumed that a malicious activity identification model (such as model 138 in FIG. 1) is deployed in an alert generation computing system to identify malicious activity and output a confidence level associated with each set of malicious activity identified. This is indicated by block 166 in the flow diagram of FIG. 2. In performing its operation, it illustratively receives activity or event indicators 134 from a monitored computing system 102. This is indicated by block 168. It also outputs a malicious activity indicator, along with a corresponding confidence score, when malicious activity is detected. This is indicated by blocks 170 and 172 in the flow diagram of FIG. 2. It can apply alert thresholds to the confidence score, to identify the particular urgency level that the malicious activity should be associated with”. 
The Examiner interprets a confidence score corresponding to a malicious activity indicator as a security risk score. The Examiner further interprets “the particular urgency level that the malicious activity should be associated with” as “a security threat zone” for an event or an activity for the following reason: Merriam-Webster dictionary defines “zone” as “a region or area set off as distinct from surrounding or adjoining parts”.  The “particular urgency level that the malicious activity should be associated with” is “a region or area set off as distinct from surrounding or adjoining parts” and therefore a security threat zone. Because Luo teaches receiving activity or event indicators 134, which indicates a set of events or a set of activities, Luo teaches wherein mapping further comprises dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events or a set of activities from the plurality of activities).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Sridhara modified in view of Lee so that the mapping of Sridhara modified in view of Lee further comprises dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities, as taught by Luo regarding a set of events from the plurality of events or a set of activities from the plurality of activities. It would have been obvious because doing so achieves the commonly understood benefit of more accurately determining the risk of a malware using a quantitative security risk score and a discrete security threat zone. 

Additionally, Luo further teaches wherein the security risk score is employed based on a deep learning algorithm (see [0003] In order to detect malicious activity, machine learning models, that model normal and malicious activity, are often trained. Activity on a monitored computing system is then detected and the model is used to identify whether the activity is normal or possibly malicious. The output of the model may indicate whether activity is normal or malicious, and it may include a confidence score that indicates the system's confidence in the identification of the activity as being normal or malicious”).

Luo fails to teach “to take the remedial measure”. However, Sridhara teaches “to take the remedial measure" (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. And see [0005]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Sridhara modified in view of Lee and Luo as described above by letting the purpose of employing the security risk score based on a deep learning algorithm taught by Luo be to take the remedial measure taught by Sridhara. It would have been obvious because doing so achieves the commonly understood benefit of determining more precisely a remedial measure to take by employing the quantitative security risk score to find the corresponding remedial measure.  When such a modification is made, Sridhara modified in view of Lee and Luo would teach wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure.

Regarding claim 3, Sridhara further teaches wherein the plurality of events comprises at least one of device processes, device services, or registry  (see [0054]: “The behavior observer module 202 events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events”. The Examiner interprets “device (including sensor devices) state changes” as device processes).

Regarding claim 4, Sridhara further teaches wherein the plurality of activities comprises activities performed on at least one of memory, data, files, folders, or system configuration (see [0054]: “The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.), file read/write/seek operations, changing file permissions, etc.”. The Examiner interprets “file system activity” as activities performed on files).

Regarding claims 5, 13 and 19, Sridhara further teaches wherein detecting the pattern match comprises determining whether the sequence of events and activities is analogous to a sequence of event and activities demonstrated by the malware using the topographical threat map (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. And see [0119]: “the mobile device may also monitor an instruction queue to identify an instruction sequence associated with the key asset, determine whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities”).

Regarding claims 8 and 16, Sridhara further teaches wherein the remedial measure comprises at least one of suspending the instructions being executed by the processor, suspending the plurality of events, blocking the plurality of activities, or undoing the changes made by the malware (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. The Examiner interprets freezing “sequences or patterns that are associated with a malicious activity” as suspending the instructions being executed by the processor).

Regarding claim 12, Sridhara further teaches wherein the plurality of events comprises at least one of device processes, device services, or registry  (see [0054]: “The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events”. The Examiner interprets “device (including sensor devices) state changes” as device processes), and wherein the plurality of activities comprises activities performed on at least one of memory, data, files, folders, or system configuration (see [0054]: “The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.), file activities performed on files).


Claims 2, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), further in view of Luo (US 2019/0102554), and further in view of Gao (US 10,491,502).

Regarding claims 2, 11 and 18, Sridhara modified in view of Lee and Luo fails to teach wherein monitoring the instructions being executed by the processor further comprises replicating machine code instructions being executed by the processor.
However, Gao teaches wherein monitoring information comprises replicating information (see claim 8: “A non-transitory machine readable medium storing a program that when executed by at least one processing unit of a host computer replicates traffic for monitoring, the program comprising sets of instructions”).
Both the machine code instructions being executed by the processor taught by Sridhara modified in view of Lee and Luo and the traffic taught by Gao are information. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let monitoring information taught by Sridhara modified in view of Lee and Luo further comprise replicating information, as taught by Gao. Because the information monitored in Sridhara modified in view of Lee and Luo are machine code instructions being executed by the processor, when the above modification is made, Sridhara modified in view of Lee, Luo and Gao would teach wherein monitoring the instructions being executed by the processor further comprises replicating machine code instructions being executed by the processor, as recited in claim 2.

Claims 6, 7, 14, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), further in view of Luo (US 2019/0102554), and further in view of Avasarala (US 2014/0090061).

Regarding claims 6, 14 and 20, Sridhara modified in view of Lee and Luo fails to teach predicting a security threat based on the security risk score and the security threat zone.
In the same field of endeavor, Avasarala teaches predicting a security threat based on the security risk score and the security threat zone (see [0112] and Fig. 8: “CEP 806 outputs security event threat information and mitigation instructions to mitigation component 810. …CEP 806 may configure mitigation efforts and instructions for mitigation component 810 based on reputation scores and threat levels that it determines”. And see [0110]: “CEP 806 may calculate a reputation score of the source and use that to make a determination whether the suspected malware file is actually malware and, therefore, is actually a security event. For example, if the source is a trusted partner of the entity implementing system 800 known to have good security measures, CEP 806 may give the source a high reputation score. This score may be used to determine that file does not represent a security event unless the likelihood that it is malware is sufficiently high. Additionally, if CEP 806 determines that the file represents a security event (it is malware), CEP 806 may calculate a probable next event based on past security events from source. This allows CEP 806 to instruct appropriate mitigation. CEP 806 may also calculate a security event threat level based on these calculations”. 
The Examiner interprets “a reputation score of the source” used to “make a determination whether the suspected malware file is actually malware” taught in [0110] as “the security risk score”. The Examiner further interprets “a security event threat level” taught in [0110] as “the security threat zone” for the following reason: Merriam-Webster dictionary defines “zone” as “a region or area set off as distinct from surrounding or adjoining parts”.  The “security event threat level” is “a region or area set predicting a security threat because configuring mitigation efforts and instructions taught by Avasarala in [0112] cannot occur without predicting a security threat first: mitigation efforts and instructions will only be configured if a security threat is predicted to exist. Because Avasarala teaches in [0112] configuring mitigation efforts and instructions based on reputation scores (the security risk score) and threat levels that it determines (the security threat zone) and configuring mitigation efforts and instructions necessarily requires first predicting a security threat, Avasarala teaches predicting a security threat based on the security risk score and the security threat zone).
The mapping taught by Sridhara modified in view of Lee and Luo comprises determining a security score and a security threat zone.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by Sridhara modified in view of Lee and Luo by letting the mapping taught by Sridhara modified in view of Lee and Luo using a security score and a security threat zone comprise predicting a security threat based on the security risk score and the security threat zone taught by Avasarala. It would have been obvious because doing so achieves the commonly understood benefit of predicting a security threat.

Regarding claims 7 and 15, Sridhara further teaches wherein effecting the remedial measure comprises effecting the remedial measure based on the predicted security threat (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. The Examiner interprets “whether an identified sequence/pattern is associated with a malicious activity” taught in [0099] as the predicted security threat. And see [0005]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), further in view of Luo (US 2019/0102554), and further in view of Dontov (US 2019/0138727).

Regarding claim 9, Sridhara modified in view of Lee and Luo fails to teach wherein the malware is a ransomware having no pre- configured signature in the cognitive security device.
In the same field of endeavor, Dontov teaches wherein the malware is a ransomware having no pre- configured signature in the cognitive security device (see [0094]: “the system may focus on file rename events, as most known ransomware attacks rename files and such events may be detected quickly. However, it will be appreciated that the security system may analyze any type of file modification event and/or combinations of such events to detect activities of known or unknown types of ransomware”. The Examiner interprets “unknown types of ransomware” as a ransomware having no pre- configured signature in the cognitive security device).
Both Dontov and Sridhara modified in view of Lee and Luo teach detecting a malware using monitored events in a computing system. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the detected malware taught by Sridhara modified in view of Lee and Luo be a ransomware having no pre- configured signature in the cognitive security device, as taught by Dontov . It would have been obvious because Dontov teaches that “Ransomware is considered a dominating threat in the security world” (see [0003]).

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 






/ZHIMEI ZHU/Examiner, Art Unit 2495  

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495