DETAILED ACTION
1.	This action is responsive to communications regarding the applicant’s amendments and arguments, filed on 01/12/2021.
2. 	Claims 1-16 are pending.
Notice of Pre-AIA  or AIA  Status
3. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Arguments and Amendments
4.	Applicant’s arguments, see page 2-6 on the remark, filed 01/12/2021, with respect to the rejection(s) of claim(s) 1-16 under 103 rejection have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Blake Anderson (US 9021589), and Shadi Rostami-Hesarorkh (US 10230749).

Claim Rejections - 35 USC § 112
5.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


6.	Claims 1-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Regarding claim 1:
	In the instant case, the term “whereby generating a reduced feature vector representing the program” is either an incomplete sentence fragment or is grammatically improper.  In either situation, its meaning is neither definitive nor discernable. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1, 2, 6, 7, 9, 10, 11, 13, 16 are rejected under 35 U.S.C 103 as being unpatentable over Erez Amir (US 7032212), in view of Blake Anderson (US 9021589); and further in view of Shadi Rostami-Hesarorkh (US 10230749), hereinafter Shadi.

	Regarding claim 1:
Amir discloses obtaining a set of Application Programming Interface (API) functions of a system, wherein a program can invoke the API functions of the system testing a program module (e.g., API) by rendering a set of calls to the program module based upon a test model and a given list of values to be used with the test model (Amir, column 2, [lines 20-25]); obtaining a set of artifacts, wherein each artifact is associated with at least one API function testing a program module according to the test model summarized herein above, including a set of cluster elements defining sets of group elements. Each group element, in turn defines/references a set of parameter elements. The method includes creating a set of calls to the program module by performing, for each call, an initial step of assigning a value to each parameter within a cluster under test (Amir, column 3, [lines 51-58]), and a place holder for a value passed by a caller to a program module having a defined interface (e.g., an API). The value is passed to the program module through a stack or by reference to a memory location. In the context of the MICROSOFT WINDOWS operating system, in the Win32 API CloseHandle. hCbject is a parameter (e.g., CloseHandle(HANDLE hObject)) (Amir, column 7, [lines 20-27]).
 wherein the each artifact is indicative of a functionality of the at least one API function; clustering the API functions based on an analysis of the artifacts a particular EC holding values that are considered a valid (invalid) usage of the program module in a particular context. For example, in the above square root API referenced above, the negative numbers class {xx <0} is considered “invalid’ (because the particular square root function (API) is only defined for non-negative numbers). The other two classes {0} and {xxx0} are valid equivalence classes (Amir, column 8, [lines 5-11]).
whereby creating a set of clusters smaller than the set of API functions, whereby each cluster comprises API functions having a similar functionality the number of calls generated through the above described “grouping to render a covering set is smaller than a test generation method that generates all combinations of equivalence classes of the cluster parameters—a number equal to multiplying the number of equivalence classes defined for each parameter within a cluster (Amir, column 10, [lines 23-28]). However, Amir fails to disclose wherein the set of API functions comprises at least two different API functions having at least two different functionalities; performing a dimensionality reduction to a feature vector  representing the program using the set of clusters, whereby generating a reduced feature vector representing the program
Shadi teaches wherein the set of API functions comprises at least two different API functions having at least two different functionalities; whereby generating a reduced feature vector representing the program include various security functions (e.g., firewall, anti-malware, intrusion prevention/detection, Data Loss Prevention (DLP), and/or other security functions), networking functions (e.g., routing, Quality of Service (QoS), workload balancing of network related resources, and/or other networking functions), and/or other functions. For example, routing functions can be based on source information (e.g., IP address and port), destination information (e.g., IP address and port), and protocol information (Shadi, column 3, 57-64]), and further in this problem context of malware sample results data, the data set to be processed and clustered is a relatively large data set for clustering, such as forty million to hundreds of millions of results of analyzed malware samples to cluster. Moreover, some of these malware sample results (e.g., log files) can have, for example, an average of 40 features, and some can have one hundred thousand or more features (e.g., for malware that is performing the so-called kitchen sink approach to malware that includes attempting many different attack vectors, such as for each version of an operating system, browser, etc.) (Shadi, column 61, [lines 4-13]). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching of Amir with that of Shadi in order to protect networks from unauthorized access while permitting authorized communications to pass through the firewall, filter outbound traffic by applying a set of rules or policies. Firewalls can also be capable of performing basic routing functions.
 Blake  teaches performing a dimensionality reduction to a feature vector representing the program using the set of clusters a clustering of programs within a malware classification can be done based on a probabilistic change similarity measure (Blake, column 5, [lines 20-22]), and  malware classification, instruction and/or system call categorizations can be used to reduce the size of the vertex set of the resulting Markov chains to avoid the curse of dimensionality (Blake, column 36, [lines 18-21). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching of Amir with that of Blake in order to classifying programs as malware or non-malware.

Regarding claim 2:
Amir, Blake and Shadi disclose wherein each API function is selected from the group 15consisting of: a system call, a function to a system library, and a hardware instruction features can be selected based on the following criteria: (1) disregard features if found in >10% of samples (e.g., a common Windows API); and (2) disregard features if found in <n (=10) number of samples. Example feature categories include Mutex, file names, library (lib) names, registry names, DNS, IP, user agent, and/or other feature categories (Shadi, column 58, [lines 30-40]).

Regarding claim 6:
Claim 6 is rejected under the same reason set forth in rejection of claim 1, but fail to disclose wherein the reduced feature vector comprises the reduced plurality of features; and utilizing the reduced feature vector in a machine learning processing for identifying malware programs. Shadi teaches grouping malware based on artifacts includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract features associated with malware; clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output (Shadi, Abstract, [lines 3-8]).

Regarding claim 7:
Claim 7 is rejected under the same reason set forth in rejection of claim 2.

Regarding claim 9:
Amir, Blake and Shadi disclose generating the clusters of the API functions based on similarity measurements between the artifacts associated with the API functions, whereby 20each cluster comprises API functions having a similar functionality the well-known MICROSOFT API “MQSendMessage” has 192 parameters. Classes of particular input parameter values (“equivalence classes') having similar effect upon the program module are defined, and a single value from each equivalence class is used to define/generate a test matrix providing minimal coverage for the potential input parameter value combinations (Amir, column 1, [lines 55-62]).

Regarding claim 10:
Claim 10 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 11:
Claim 11 is rejected under the same reason set forth in rejection of claim 7.

Regarding claim 13:
Claim 13 is rejected under the same reason set forth in rejection of claim 9.

Regarding claim 16:
Amir, Blake and Shadi disclose processor and a memory, wherein said memory retaining the computer program product of Claim 10 multiprocessor systems, microprocessor-based systems (Amir, column 4, [lines 29]), and program modules are generally located in both local and remote computer storage media including memory storage devices (Amir, column 4, [lines 42-45]).


8.	Claims 3, 8, 12 are rejected under 35 U.S.C 103 as being unpatentable over Erez Amir (US 7032212), in view of Blake Anderson (US 9021589); Shadi Rostami-Hesarorkh (US 10230749), and further in view of Gregory Miskelly (US 9772925), hereinafter Gregory.

	Regarding claim 3:
	Amir, Blake and Shadi disclose wherein each artifact is selected from the group consisting of: a documentation file of the at least one API function and a disassembly of the at least one API function these data sources can include information based on the static analysis of the binary and the API sequence calls made by the program (Blake, column 21, [lines 10-12]),static data sources of a program can include one or more of binary files of the program, a disassembled binary of the program, and/or a control flow graph generated from the disassembled binary of the program(Blake, column 21, [lines 50-55]), but fail to disclose wherein the documentation file of the at least one API function comprises a natural language description of aspects of the API function and; wherein the disassembly of the at least one API function comprises a translation of the at least one API function into assembly language.
 wherein the documentation file of the at least one API function comprises a natural language description of aspects of the API function and; wherein the disassembly of the at least one API function comprises a translation of the at least one API function into assembly language source code resembles a natural language (e. g., English) (Gregory, column 1, [lines 30-31]) and further forming 840 a continuation 236 by translating assembly instructions into the continuation, and also includes expanding 842 the continuation until the instruction X is located 808 (Gregory, column 22, [lines 25-28]). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching of Amir with that of Gregory in order to provide debugging support by obtaining a disassembly of a portion of the executable code (Gregory, column 2, [lines 1-2]).

Regarding claim 8:
Claim 8 is rejected under the same reason set forth in rejection of claim 3.

Regarding claim 12:
Claim 12 is rejected under the same reason set forth in rejection of claim 8.

9.	Claims 4, 5, 14, 15 are rejected under 35 U.S.C 103 as being unpatentable over Erez Amir (US 7032212), in view of Blake Anderson (US 9021589); Shadi Rostami-Hesarorkh (US 10230749), and further in view of Xin Hu (US 8826439), hereinafter Hu.

Regarding claim 4:
Amir, Blake and Shadi disclose API function in the Win32 API CloseHandle. hCbject is a parameter (e.g., CloseHandle(HANDLE hObject)) (Amir, column 7, [lines 20-27]), but fail to disclose  wherein said obtaining the set of artifacts comprises disassembling of an API function to produce an artifact of the API function. However, Hu teaches the instruction extraction module 310 applies a disassembler for the supported instruction set to parse the computer file, and retrieves the machine language instruction sequence of the computer file from the disassembler (Hu, column 5, [lines 57-62]). It would have been obvious to someone skilled in the art before the effective filling date of 

Regarding claim 5:
Amir, Blake, Shadi and Hu disclose wherein said clustering the API functions is performed based on a natural language analysis of the set of artifacts extracting a machine language instruction sequence from a computer file, wherein the machine language instruction sequence comprises at least two machine language instructions of different length; encoding the machine language instruction sequence into a standardized opcode sequence (Hu, column 2, [lines 10-15]). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching of Amir with that of Hu in order to detecting malware, comprising: extracting a machine language instruction sequence from a computer file (Hu, column 1, [lines 45-50]).

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 4.

Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 5.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication from the examiner should be directed to Thanh Le whose telephone number is 571-272-8556. The examiner can normally be reached on Monday-Friday 8:00a.m to 5p.m. EST
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Nickerson Jeffrey L can be reached on (469) 295-9235.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either obtained from either Private PAIR or Public PAIR. Status information for unpublished application is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov . Should you have question on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automatic information system, call 800-786-9199 (In USA or CANADA) or 571-272-1000.

/THANH H LE/Examiner, Art Unit 2432                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491