DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/12/2021 has been entered.
 
Response to Arguments
1) Applicant argues that “Avasarala is silent regarding ‘predicting ... a security threat based on the security risk score and the security threat zone,’” (see Remarks page 4, ¶ 1).
Applicant’s arguments, see Remarks page 4, ¶ 1, filed 8/12/2021, with respect to the rejection(s) of claim(s) 1, 10 and 17 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Martin (US 2018/0004942).

2) Applicant submits that in Avasarala, “there is no disclosure of employing a deep learning algorithm to predict a security threat based on reputation score (alleged security risk score) and security event threat level (alleged security threat zone)” (see Remarks page 4, ¶ 1).
Applicant’s arguments, see Remarks page 4, ¶ 1, filed 8/12/2021, with respect to the rejection(s) of claim(s) 1, 10 and 17 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Martin (US 2018/0004942).

3) Applicant submits that “Avasarala is silent regarding ‘wherein each pattern match with the topographical threat map is utilized to predict the security threat,’” (see Remarks page 4, ¶ 2).
The above Applicant’s argument, directed at the amended claims submitted on 8/12/2021, has been considered, but is moot in view of the new rejections made below in response to the latest amendments by applicant.

4) Applicant argues that “Sridhara fails to disclose or suggest that the predicted security threat is ‘based on the security risk score and the security threat zone, wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat,’ as recited in claim 1” (see Remarks page 5, ¶ 4 and page 6, ¶ 1).

a). Applicant's argument that Sridhara fails to disclose or suggest that the predicted security threat is “based on the security risk score and the security threat zone” has been fully considered but it is not persuasive. First of all, the previous OA relied on Avasarala instead of Sridhara to teach “predicting ... a security threat based on the security risk score and the security threat zone”. Additionally, this argument is moot in view of a new ground(s) of rejection made in view of Martin (US 2018/0004942).

b). Applicant's argument that Sridhara fails to disclose or suggest “wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat” is directed at the amended claims submitted on 

5) Applicant submits that, because Sridhara fails to disclose or suggest the predicted security threat, Sridhara cannot possibly disclose or suggest "the remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware and the predicted security threat," as recited in claim 1. Furthermore, Applicant submits that Sridhara is silent regarding "effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware," as recited in claim 1. (see Remarks page 6, ¶ 2).

a) Applicant's argument that “because Sridhara fails to disclose or suggest the predicted security threat, Sridhara cannot possibly disclose or suggest "the remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware and the predicted security threat” is directed at the amended claims submitted on 8/12/2021. The above Applicant’s argument has been considered, but is moot in view of new rejections made below in response to the latest amendments by applicant.

b) Applicant’s argument that Sridhara is silent regarding "effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware", directed at the amended claims submitted on 8/12/2021, has been considered, but is moot in view of the new rejections made below in response to the latest amendments by applicant.

6) Applicant submits that, the cited references Sridhara, Lee, Luo, Gao, Avasarala, and Dontov, taken alone or in combination, fail to disclose or suggest at least "predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone, wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat; and upon detecting the pattern match corresponding to the malware, effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware and the predicted security threat, wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure," as recited in claim 1, and therefore cannot render claim 1 obvious. (see Remarks page 6, ¶ 3).

a) Applicant's argument that the cited references Sridhara, Lee, Luo, Gao, Avasarala, and Dontov, taken alone or in combination, fail to disclose or suggest at least "predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone” has been fully considered and is persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Martin (US 2018/0004942).

b) Applicant’s argument that the cited references Sridhara, Lee, Luo, Gao, Avasarala, and Dontov, taken alone or in combination, fail to disclose or suggest at least "wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat" is directed at the amended claims submitted on 8/12/2021. The above Applicant’s argument has been considered, but is moot in view of new rejections made below in response to the latest amendments by applicant.



d) Applicant’s argument that the cited references Sridhara, Lee, Luo, Gao, Avasarala, and Dontov, taken alone or in combination, fail to disclose or suggest at least "wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure" has been considered, but is moot in view of new rejections made below in response to the latest amendments to other limitations of claim 1 by applicant.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 8, 10, 12, 13, 16, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), and further in view of Martin (US 2018/0004942).

Regarding claims 1, 10 and 17, Sridhara teaches A method of generating cognitive security intelligence for detecting and preventing a malware in a computing system (see [0005]: “the method further includes monitoring an instruction queue to identify an instruction sequence associated with the key asset, determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities, and removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity”), the method comprising: 
monitoring, by a cognitive security device implemented in the computing system, instructions being executed by a processor of the computing system (see [0099] and Fig. 2: “The debug and trace module 212 may be configured to monitor various device features at a low level (e.g., at the firmware, hardware, or machine levels), and to monitor an instruction queue to identify instruction sequences or instruction execution patterns that are associated with the monitored features”); 
determining, by the cognitive security device, a plurality of events triggered by the execution of the instructions and a plurality of activities performed by the execution of the instructions (see [0054]: “The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events. The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal activities, events, behaviors, software applications, or processes”. And see [0028]); 
correlating, by the cognitive security device, the plurality of events and the plurality of activities to determine a sequence of events (see [0091]: “the mobile device 102 may be configured to generate concise and light-weight behavior signatures for each critical resource based on the result of the comparison and/or analysis operations, and send these light-weight behavior signatures to the behavior analyzer module 204 for analysis. The behavior analyzer module 204 may receive and use the light-weight behavior signatures to quickly and efficiently determine the sequences of operations that should be analyzed together as a single mobile device behavior and/or the mobile device behaviors that require additional, different, or deeper analysis. For example, the behavior analyzer module 204 may determine that all API calls relating a critical resource and its associated ghost resources logged in the past week should be analyzed together as a single mobile device behavior”. Because [0054] states that events may be observed by collecting information pertaining to library API calls, the Examiner interprets determining “that all API calls relating a critical resource and its associated ghost resources logged in the past week should be analyzed together as a single mobile device behavior” taught in [0091] as correlating, by the cognitive security device, the plurality of events … to determine a sequence of events) and activities (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. 
The Examiner interprets the “identified sequences/patterns” that are compared to known patterns of malicious activities in [0099] as a sequence of activities) (And see [0037]: “The hardware debug module may be configured to prevent access to information or key assets based on the privileges of a requesting software application. …Privileges may be set based on execution patterns or sequences of operations, such as whether the software application is authorized to access and use the communication circuitry of the mobile device after reading a portion of the memory that stores credit card information, security keys, device IDs, etc.” Also see [0005], [0035] and [0090]); 
mapping, by the cognitive security device, the sequence of events and activities with a topographical threat map to detect a pattern match corresponding to the malware (see [0090]: “the mobile device 102 may be configured to compare and/or analyze information retrieved from the API call behavioral log database with behavioral specification models to identify suspicious sequences or patterns of API calls that are indicative of a malicious activity or behavior, to identify the operations that should be evaluated together as part of a single mobile device behavior”. And [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. The Examiner interprets “known patterns of malicious activities” in [0099] and “behavioral specification models” in [0090] as a topographical threat map. The Examiner further interprets “to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison” in [0099] as mapping, by the cognitive security device, the sequence of events and activities with a topographical threat map to detect a pattern match corresponding to the malware. And see [0119]: “the mobile device may also monitor an instruction queue to identify an instruction sequence associated with the key asset, determine whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities”.  Also see [0005], [0070], [0091] and [0121]), 
wherein the topographical threat map is event and activity behavior map of …malwares (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. The Examiner interprets “known patterns of malicious activities” in [0099] as a topographical threat map, wherein the topographical threat map is event and activity behavior map of …malwares), and is built based on a cognitive analysis of at least one of external knowledge, or historic knowledge (see [0081]: “the analyzer module 204 may be configured to perform real-time behavior analysis operations, which may include performing, executing, and/or applying data, algorithms, classifiers or behavior models (collectively "classifier models") to the collected behavior information. Each classifier model may be a behavior model that includes information that may be used by a mobile device processor to evaluate a specific aspect of a mobile device behavior. The classifier models may be preinstalled on the mobile device, downloaded, received from a network server, generated in the mobile device, or any combination thereof. A classifier model may be generated by using machine learning and other similar techniques”. And see [0087]: “The network server may continuously reevaluate existing classifier models as new behavior/analysis reports are received from mobile devices, and/or generate new or updated models based on historical information (e.g., collected from prior executions, previous applications of behavior models, etc.), new information, machine learning”. 
And see [0110]: “the mobile device 102 may further include a communication link suitable for communicating with a network server and/or a component in a cloud service or network. The communication link may be configured to support sending and receiving behavior models to and from an external server”. The Examiner interprets the “behavior models” disclosed in [0090] and [0081] as the topographical threat map; because the behavior model is received by the mobile device 102 from a network server (see [0081] and [0110]) that uses “historical information” to generate it (see [0087]), Sridhara teaches “wherein the topographical threat map … is built based on a cognitive analysis of … historic knowledge”, as recited in claim 1). 

Sridhara fails to teach wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares (emphasis added).
In the same field of endeavor, Lee teaches wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares (see ABSTRACT: “The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. …The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base”. And see [0025]: “assume that the server 110 is communicatively coupled to the knowledge base 122 includes a set of application groups, each of which corresponds to a particular malware family or malware group”. The Examiner interprets “a set of application groups, each of which corresponds to a particular malware family or malware group” in [0025] as a plurality of categories of malwares recited in claim 1. And see [0030]: “the classifier component 226 may evaluate the event sequence of the new application based on the knowledge base”. And see [0031]: “The event sequence of the application may be compared with the event information of each application group in the knowledge base in order to calculate similarity distances”. And see [0021] and [0026]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the topographical threat map comprising an event and activity behavior map of malwares taught by Sridhara be an event and activity behavior map of a plurality of categories of malwares (emphasis added), as taught by Lee. It would have been obvious because Lee teaches that doing so enables the following desirable actions: “the information about the determined application group may be provided. For example, if the new application is classified to determine whether the application is one of the known malware family variants, the information of the malware family where new application belongs may be provided. In one embodiment, such information may be fed into an anti-malware application or anti-malware module residing on the client device. In another embodiment, the information may be presented on the screen of the client device allowing users to perform appropriate actions” (see Lee [0043]).

Sridhara modified in view of Lee fails to teach “wherein mapping further comprises dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities; predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone, wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat; and upon detecting the pattern match corresponding to the malware, effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware and the predicted security threat, wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure”, as recited in claim 1.

In the same field of endeavor, Martin teaches wherein mapping further comprises dynamically determining a security risk score (see [0052] and Fig. 1: “the system scans the network accounting log for matches to various network traffic, HTTP header, and DNS data defined in threat elements (e.g., IOCs) representative of the newly-identified security threat in Block S140. …the system can calculate a similarity score between a network event represented in the network accounting log and a threat element defined by the new threat intelligence based on a number of discrete datums contained in the threat element (e.g., network level port connection, an IP address, a MAC address, a website URL, a hostname, a browser identifier, and other packet data) that are identical and/or similar to datums contained in the network event”. The Examiner interprets “a similarity score” as a security risk score) and a security threat zone (see [0058]: “The system can also estimate a stage of this cyber attack on the network--such as initial infiltration, command and control, reconnaissance, or lateral movement stages--based on which threat elements of the cyber attack pattern defined in the new threat intelligence have been matched (e.g., to a sufficient degree of similarity) to network events in the network accounting log”. The Examiner interprets “a stage of this cyber attack on the network--such as initial infiltration, command and control, reconnaissance, or lateral movement stages” as a security threat zone) for a set of events from the plurality of events (see [0007] and Fig. 1: “a method S100 for detecting a cyber attack includes: recording representations of network events occurring on a network over a period of time to a network accounting log in Block S110; compressing the network accounting log into a compressed log file representing the network events occurring within the period of time in Block S120; in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a value representative of a…”) and a set of activities from the plurality of activities (see [0018]: “The system can apply new threat intelligence to a network accounting log of the network to detect cyber attacks already present on a machine within the network. Threat intelligence for a particular security threat can define: … indicators of compromise (IOCs) for such an attack. … IOCs for a particular cyber attack can also specify: unusual (outbound) network traffic; unusual privileged user account activity; log-in anomalies; increases in database read volume; suspicious registry or system file changes; unusual DNS requests; Web traffic showing non-human behavior; geographical irregularities; and other attack patterns that indicate possible compromise of a system or network in an instance of the particular cyber attack”); 
predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone (see [0054]: “threat intelligence for a newly-identified security threat defines an attack pattern, including a relative timeline of one or more initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack. In this example, once network elements in the network accounting log are matched to threat elements defined in the new threat intelligence, the system can calculate a degree of temporal alignment between timestamps of these network events and an order of threat elements defined in the new threat intelligence. The system can then merge this degree of temporal alignment and similarity scores between these network events and threat elements into a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack pattern characteristic of the newly-identified security threat”. The Examiner interprets “a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack” as a predicted security threat. The Examiner interprets “a similarity score” as a security risk score. The Examiner interprets “a stage of this cyber attack on the network--such as initial infiltration, command and control, reconnaissance, or lateral movement stages” taught in [0058] and [0054] as a security threat zone. The Examiner further interprets merging “this degree of temporal alignment and similarity scores between these network events and threat elements into a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack” as predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone. 
Also see [0055]: “By not only matching network events in the network accounting log to threat elements in the new threat intelligence but also matching order and/or timing of these data, the system can calculate a high-resolution confidence score for exposure of the network to the newly-identified security threat”. And see [0057]: “in Block S140 the system can: calculate a confidence score for presence of the newly-identified security threat on the network based on: a number of threat elements defined in the new threat intelligence to matched network events stored in the network accounting log; a strength of alignment of these threat elements in the new threat intelligence to matched network events (e.g., proportional to matched metadata and content values); and temporal alignment between a relative timeline of threat elements defined in the new threat intelligence and timestamps of matched network events stored in the network accounting log”. And see [0056], [0058]), 
wherein a deep learning algorithm is employed to predict security threat (see [0055]: “the new threat intelligence includes a cyber attack model of the newly-identified security threat; and the system can pass the cyber attack model and timestamped network events--matched to threat elements in the new threat intelligence--into an artificial neural network to calculate a strength of temporal alignment between the cyber attack model and these network events (e.g., a “confidence score”)”. The Examiner interprets an artificial neural network as a deep learning algorithm. The Examiner further interprets to calculate a confidence score as to predict security threat), 
wherein each pattern match with the topographical threat map is utilized to predict the security threat (see [0053]: “The system can then aggregate matches between network events and threat elements to predict exposure of the network to the newly-identified security threat in Block S140. For example, the system can calculate a linear combination of similarity scores between these network events and threat elements; this linear combination can represent a confidence score for exposure of the network to the newly-identified security threat”); and 
upon detecting the pattern match corresponding to the malware, effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor (see [0066] and Fig. 1: “in response to an alignment between threat elements defined in the new threat intelligence and network elements stored in the network accounting log, automatically executing a process to contain the security threat. Generally, in Block S152, the system can automatically execute a script or other process to automatically respond to a possible security threat identified in Block S130 and confirmed in Block S140. For example, the system can automatically terminate a process, quarantine files, delete registry keys, take a compromised computer off the network, shift a compromised computer to a quarantine network, initiate a third-party investigation, and/or execute any other script or function in Block S152 to automatically respond to possible exposure of the network to the newly-identified security threat”. And see [0024] and [0051]) based on a profile of the malware (see [0068]: “the system can execute attack-type specific processes based on threat intelligence for a confirmed cyber attack type. For example, the system can automatically execute a quarantine script to remove all compromised assets from the network for a malicious data mining attack detected and/or confirmed in Block S140. In another example, the system can automatically execute an observation script to track and record both intra-network and inter-network events occurring at compromised computers for an advanced persistent threat detected and/or confirmed in Block S140. In another example, following detecting and/or confirming a cyber attack on…”) and the predicted security threat (see [0067]: “if the confidence score for risk of the newly-identified security threat to the network exceeds a preset quarantine score (e.g., if the confidence score exceeds a range of values for triggering a manual investigation, such as 80%), the system can automatically execute a process to quarantine the asset--originating or involving threat elements defined by the new threat intelligence--from the network in order to contain the newly-identified security threat”. The Examiner interprets the confidence score as the predicted security threat. And see [0061] and [0069]), 
wherein the security risk score is employed based on a deep learning algorithm (see [0052] and Fig. 1: “the system scans the network accounting log for matches to various network traffic, HTTP header, and DNS data defined in threat elements (e.g., IOCs) representative of the newly-identified security threat in Block S140. …the system can calculate a similarity score between a network event represented in the network accounting log and a threat element defined by the new threat intelligence based on a number of discrete datums contained in the threat element (e.g., network level port connection, an IP address, a MAC address, a website URL, a hostname, a browser identifier, and other packet data) that are identical and/or similar to datums contained in the network event”. The Examiner interprets “a similarity score” as a security risk score. And see [0055]: “the new threat intelligence includes a cyber attack model of the newly-identified security threat; and the system can pass the cyber attack model and timestamped network events--matched to threat elements in the new threat intelligence--into an artificial neural network to calculate a strength of temporal alignment between the cyber attack model and these network events (e.g., a " confidence score"). By not only matching network events in the network accounting log to threat elements in the new threat intelligence but the system can calculate a high-resolution confidence score for exposure of the network to the newly-identified security threat in Block S140 and selectively output alerts in Block S150 accordingly”. 
Because “matching network events in the network accounting log to threat elements in the new threat intelligence” taught in [0055] calculates “a similarity score” (a security risk score) (see [0052]) and uses an artificial neural network (a deep learning algorithm), Martin teaches wherein the security risk score is employed based on a deep learning algorithm) to take the remedial measure (see [0067]: “if the confidence score for risk of the newly-identified security threat to the network exceeds a preset quarantine score (e.g., if the confidence score exceeds a range of values for triggering a manual investigation, such as 80%), the system can automatically execute a process to quarantine the asset--originating or involving threat elements defined by the new threat intelligence--from the network in order to contain the newly-identified security threat”. Martin teaches that “matching network events in the network accounting log to threat elements in the new threat intelligence” taught in [0055] calculates “a similarity score” (a security risk score), which is combined with “matching order and/or timing of these data” to calculate a confidence score (see [0055] and [0054]). Martin further teaches taking the remedial measure based on the confidence score in [0067]. Therefore, Martin teaches wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure).
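As an added illustration (not code from the Office action or from Martin), the similarity-score and quarantine-threshold mechanism quoted from [0052] and [0067] above, with the artificial-neural-network temporal-alignment step of [0055] replaced by an assumed in-order stage check; all sample events and the attack model are constructed.

```python
# Added illustration of the similarity-score and quarantine logic quoted from
# Martin [0052], [0055] and [0067]; not the reference's own code. The neural
# network temporal step is replaced by a constructed in-order stage check.

def similarity_score(event: dict, threat_element: dict) -> float:
    """[0052]: fraction of the threat element's discrete datums (IP, port,
    MAC, URL, hostname, browser id, ...) that are identical in the event."""
    if not threat_element:
        return 0.0
    matched = sum(1 for key, val in threat_element.items() if event.get(key) == val)
    return matched / len(threat_element)

def confidence_score(events: list, attack_model: list, min_sim: float = 0.5) -> float:
    """Stand-in for the temporal-alignment step of [0054]-[0055]: walk the
    timestamp-ordered log and require each attack-model stage to be matched
    by a later event than the previous stage. Returns the mean similarity
    of the stages matched in order (unmatched stages count as 0)."""
    if not attack_model:
        return 0.0
    total, pos = 0.0, 0
    for stage in attack_model:
        for i in range(pos, len(events)):
            sim = similarity_score(events[i], stage)
            if sim >= min_sim:
                total += sim
                pos = i + 1       # later stages must follow this event
                break
    return total / len(attack_model)

def respond(confidence: float, investigate_score: float = 0.5,
            quarantine_score: float = 0.80) -> str:
    """[0067]: above the preset quarantine score (e.g. 80%) the asset is
    quarantined automatically; a lower band triggers manual investigation."""
    if confidence > quarantine_score:
        return "quarantine"
    if confidence >= investigate_score:
        return "manual investigation"
    return "none"

# Constructed sample network accounting log (ascending timestamps) and a
# constructed two-stage attack model; neither comes from the references.
SAMPLE_LOG = [
    {"ts": 1, "ip": "203.0.113.7", "port": 443, "hostname": "cdn.example"},
    {"ts": 2, "ip": "203.0.113.7", "port": 443, "hostname": "c2.example", "url": "/beacon"},
    {"ts": 3, "ip": "198.51.100.9", "port": 4444, "mac": "00:11:22:33:44:55"},
]
SAMPLE_MODEL = [
    {"hostname": "c2.example", "url": "/beacon", "port": 443},  # stage 1: beacon
    {"ip": "198.51.100.9", "port": 4444},                        # stage 2: callback
]
```

Run `respond(confidence_score(SAMPLE_LOG, SAMPLE_MODEL))` to see the full log reach the quarantine band, while the first two events alone only reach manual investigation.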

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of detecting and preventing a malware taught by Sridhara modified in view of Lee by letting the mapping further comprise dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities, as taught by Martin; and by adding the step of predicting, by the cognitive security device, a security threat based on the security risk score and the security threat zone, 
Additionally, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of detecting and preventing a malware taught by Sridhara modified in view of Lee by adding the step of upon detecting the pattern match corresponding to the malware, effecting, by the cognitive security device, a remedial measure to prevent the malware by constructing remedial instructions to be executed by the processor based on a profile of the malware and the predicted security threat, wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure, as taught by Martin. It would have been obvious because doing so achieves the commonly understood benefit of containing the detected malware.

Regarding claims 10 and 17, they claim a system and a non-transitory computer-readable medium corresponding to the method of claim 1. Therefore, claims 10 and 17 are rejected for the same reason as that of claim 1.

Regarding claim 3, Sridhara further teaches wherein the plurality of events comprises at least one of device processes, device services, or registry (see [0054]: “The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events”. The Examiner interprets “device (including sensor devices) state changes” as device processes).

Regarding claim 4, Sridhara further teaches wherein the plurality of activities comprises activities performed on at least one of memory, data, files, folders, or system configuration (see [0054]: “The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.), file read/write/seek operations, changing file permissions, etc.”. The Examiner interprets “file system activity” as activities performed on files).

Regarding claims 5, 13 and 19, Sridhara further teaches wherein detecting the pattern match comprises determining whether the sequence of events and activities is analogous to a sequence of event and activities demonstrated by the malware using the topographical threat map (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison”. And see [0119]: “the mobile device may also monitor an instruction queue to identify an instruction sequence associated with the key asset, determine whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities”).

Regarding claims 8 and 16, Sridhara further teaches wherein the remedial measure comprises at least one of suspending the instructions being executed by the processor, suspending the plurality of events, blocking the plurality of activities, or undoing the changes made by the malware (see [0099]: “The debug and trace module 212 may then work in conjunction with other components or modules, such as the illustrated detection and analysis modules 214, in the mobile device 102 to compare identified sequences/patterns to known patterns of malicious activities, and determine whether an identified sequence/pattern is associated with a malicious activity based on the results of the comparison. The mobile device may then delete, terminate, purge, stop, or freeze sequences or patterns that are associated with a malicious activity. For example, the detection and analysis modules 214 may stop or prevent a software application from accessing or using a key asset of the mobile device until the behavior analyzer module 204 determines that the software application is benign”. The Examiner interprets freezing “sequences or patterns that are associated with a malicious activity” as suspending the instructions being executed by the processor).

Regarding claim 12, Sridhara further teaches wherein the plurality of events comprises at least one of device processes, device services, or registry (see [0054]: “The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library API calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor devices) state changes, and other similar events”. The Examiner interprets “device (including sensor devices) state changes” as device processes), and wherein the plurality of activities comprises activities performed on at least one of memory, data, files, folders, or system configuration (see [0054]: “The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.), file read/write/seek operations, changing file permissions, etc.”. The Examiner interprets “file system activity” as activities performed on files).

Claims 2, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), further in view of Martin (US 2018/0004942), and further in view of Gao (US 10,491,502).

Regarding claims 2, 11 and 18, Sridhara modified in view of Lee and Martin fails to teach wherein monitoring the instructions being executed by the processor further comprises replicating machine code instructions being executed by the processor.
However, Gao teaches wherein monitoring information comprises replicating information (emphasis added to show the difference between the reference and the claim) (see claim 8: “A non-transitory machine readable medium storing a program that when executed by at least one processing unit of a host computer replicates traffic for monitoring, the program comprising sets of instructions”).
Both the machine code instructions being executed by the processor taught by Sridhara modified in view of Lee and Martin and the traffic taught by Gao are information. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let monitoring information taught by Sridhara modified in view of Lee and Martin further comprise replicating information, as taught by Gao. Because the information monitored in Sridhara modified in view of Lee and Martin are machine code instructions being executed by the processor, when the above modification is made, Sridhara modified in view of Lee, Martin and Gao would teach wherein monitoring the instructions being executed by the processor further comprises replicating machine code instructions being executed by the processor, as recited in claim 2.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Sridhara (US 2015/0230108), further in view of Lee (US 2007/0136455), further in view of Martin (US 2018/0004942), and further in view of Dontov (US 2019/0138727).

Regarding claim 9, Sridhara modified in view of Lee and Martin fails to teach wherein the malware is a ransomware having no pre-configured signature in the cognitive security device.
In the same field of endeavor, Dontov teaches wherein the malware is a ransomware having no pre-configured signature in the cognitive security device (see [0094]: “the system may focus on file rename events, as most known ransomware attacks rename files and such events may be detected quickly. However, it will be appreciated that the security system may analyze any type of file modification event and/or combinations of such events to detect activities of known or unknown types of ransomware”. The Examiner interprets “unknown types of ransomware” as a ransomware having no pre-configured signature in the cognitive security device).
Both Dontov and Sridhara modified in view of Lee and Martin teach detecting a malware using monitored events in a computing system. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the detected malware taught by Sridhara modified in view of Lee and Martin be a ransomware having no pre-configured signature in the cognitive security device, as taught by Dontov. It would have been obvious because Dontov teaches that “Ransomware is considered a dominating threat in the security world” (see [0003]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZHIMEI ZHU/Examiner, Art Unit 2495

/HENRY TSANG/Primary Examiner, Art Unit 2495