DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This office action is in response to the amendment filed on 08/05/2021. After the examiner’s amendment shown below, claims 1, 10 and 20 are independent. Claims 6, 8, 16 and 18 are cancelled. Claims 1, 2, 10, 12, 14 and 20 are amended. Thus, claims 1-5, 7, 9-15, 17 and 19-20 are pending and being considered.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative- Megha Eswaran (Reg. No. 76,406) on 09/09/2021. The summary of the interview is attached.

Amendments to the Claims
The application has been amended as followed:
1. 	(Currently Amended) A method comprising: 

processing the software application by computing a set of byte values based on the plurality of bytes; 
based on the set of byte values, directly converting the software application to an audio file;
extracting, from at least a portion of the audio file, a set of audio features; 
generating a classification for the software application by using a machine learning model, trained to analyze the extracted set of audio features, to classify the software application based on the set of audio features, the classification based on comparing the extracted set of audio features with a set of precomputed audio descriptors in a database; [[and]]
based on the classification, determining whether the software application is malware; and
causing presentation of a notification within a graphical user interface of the client device indicating the classification of the software application. 

2. (Currently Amended) The method of claim 1, wherein converting the software application further comprises: converting the software application to an image file that comprises an image signal.  

3. (Previously Presented) The method of claim 2, wherein the audio file comprises a one-dimensional audio signal and the image signal is a two-dimensional image signal.  



5. (Previously Presented) The method of claim 2, further comprising: fusing the extracted set of audio features with extracted image features from the image signal.  

6. (Cancelled) 

7. (Previously Presented) The method of claim 1, wherein the machine learning model is trained with prediction probabilities of the set of audio features of the software application.  

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, further comprising: modifying the software application to prevent a user from opening the software application.  

10. (Currently Amended) A system comprising: 
one or more processors; and 
a memory storing instructions, that when executed by the one or more processors, configure the one or more processors to perform operations comprising: 

processing the software application by computing a set of byte values based on the plurality of bytes; 
based on the set of byte values, directly converting the software application to an audio file;
extracting, from at least a portion of the audio file, a set of audio features; 
generating a classification for the software application by using a machine learning model, trained to analyze the extracted set of audio features, to classify the software application based on the set of audio features, the classification based on comparing the extracted set of audio features with a set of precomputed audio descriptors in a database; [[and]]
based on the classification, determining whether the software application is malware; and
causing presentation of a notification within a graphical user interface of the client device indicating the classification of the software application. 

11. (Previously Presented) The system of claim 10, the operations further comprising: causing display on a graphical user interface of the client device of the audio file as an audio spectrogram.  

12. (Currently Amended) The system of claim 10, the operations further comprising: converting the software application to an image file that comprises an image signal. 



14. (Currently Amended) The system of claim 10, the operations further comprising: 

15. (Previously Presented) The system of claim 12, the operations further comprising: fusing the extracted set of audio features with extracted image features from the image signal.  

16. (Cancelled) 

17. (Previously Presented) The system of claim 10, wherein the machine learning model is trained with prediction probabilities of the set of audio features of the software application.  

18. (Cancelled) 

19. (Previously Presented) The system of claim 10, the operations further comprising: modifying the software application to prevent a user from opening the software application.  

20. (Currently Amended) A non-transitory computer-readable storage medium including instructions that when executed by a computer, cause the computer to perform operations comprising: 
accessing, using a hardware processor, a software application from a client device, the software application comprising a plurality of bytes; 
processing the software application by computing a set of byte values based on the plurality of bytes; 
based on the set of byte values, directly converting the software application to an audio file;
extracting, from at least a portion of the audio file, a set of audio features; 
generating a classification for the software application by using a machine learning model, trained to analyze the extracted set of audio features, to classify the software application based on the set of audio features, the classification based on comparing the extracted set of audio features with a set of precomputed audio descriptors in a database; [[and]]
based on the classification, determining whether the software application is malware; and
causing presentation of a notification within a graphical user interface of the client device indicating the classification of the software application. 

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
After further search and consideration, the claims 1-5, 7, 9-15, 17 and 19-20 are allowed over the cited prior art(s) of record. 
The following references/prior arts disclose the general subject matter recited in the independent claims 1, 10 and 20 before/after the current amendment is made and/or submitted.

A.	Mehrdad Farrokhmanesh (NPL: A Novel Method for Malware Detection Using Audio Signal Processing Techniques; IEEE 2016), this paper propose a novel method based on audio signal processing techniques. Where the program binary bytes represents as audio signals, as shown in Figure 1 on PDF Page 3, depicts to create MIDI files (hereinafter a set of byte values) from program binaries/bytes. The created MIDI files are used to create real audio signals, as shown in Figure 1 on PDF Page 3, depicted to extract features from audio signal, typically audio signal is divided into frames based on their times and then a frequency domain process such as MFCC or chromagram is done on entire frame for extracting features from each frame. Once the features are extracted from each divided frame, then the bag of feature set can be used to training a classifier like SVM, and/or as disclosed in PDF Page 4 and PDF Page 5, to train a machine learning classifier (for example KNN or Random Forest) with these features to create classifier model, and use this model to predict class of unknown files and/or unknown samples (as disclosed on PDF Page 2 and 7), in order to detect a malware or malicious software/program.



C.	Lakshmanan Nataraj (NPL: A Signal Processing Approach to Malware Analysis; December 2015; Provided with IDS), this paper presents a common method of viewing and editing malware binaries is by using Hex Editors, which display the bytes of the binaries in hexadecimal representation. An equivalent representation is viewing a binary as a grayscale image or an audio signal as shown in Fig. 1.1. In the first part of the dissertation the paper represent malware binaries as digital grayscale images with the observation that malware variants that are similar in structure and from the same family also appear similar visually (Fig. 1.2). The paper then apply image descriptors to model the similarity between malware variants, identify malware families, separate malware from benign software and retreive similar malware from a large database. The paper also presents to treat the malware binaries as audio-like one dimensional signals and leverage automated audio descriptors, and also treat the malware binaries as digital images 2D signals.

D.	Johns; Jeffrey Thomas et al. (US 2019/0132334 A1), discloses a message generation logic 150 that is configured to produce alert messages to warn of potential cyber-attacks. The alert may be transmitted to a system administrator or cyber-security administrator to report on results of the analysis, that is, a classification of an executable file as malicious and thus associated with a cyber-attack. Additionally, or in the alternative, a remediation logic 760 is configured to mitigate the effects of the cyber-attack or halt the cyber-attack by preventing further operations by the network device caused by the executable file 410. Such as the cyber-security system, additionally or alternatively, may perform remediation operations on the malicious executable file to prevent execution of the executable file, such as quarantining the executable file, deleting the executable file, storing the executable file as part of a log and setting permissions to read only (for subsequent analysis), or the like (operation 365).

E.	Enfinger; Kerry Wayne (US 2018/0183815 A1; Filed on 10/16/2017), discloses a system and method for detecting malware. The system and method is designed to detect malware without the requirement of malware signatures. The process relies upon converting a binary code file to an image. One or more machine learning techniques are used to classify the code as benign or malicious software. FIG. 1 is an illustrative embodiment of a method for detecting malware, referred to generally as malware detection method 100 without requiring malware signatures. The malware detection system 100 is designed to analyze code in a computer system to determine if such code is benign or malicious. Upon a 

F.	FRIEDRICHS; OLIVER et al. (US 2013/0139261 A1), discloses a machine learning techniques would be used to identify whether a given software application is likely to be malicious or benign, and potentially produce a score that reflects the confidence in that classification. To avoid obscuring the details of the invention, in the following, the nomenclature associated with machine learning techniques will be described in reference to their application towards the classification of software application as being either malicious or benign. Machine learning approaches first tend to involve what is known in the art as a "training phase". In the context of classifying software applications as benign or malicious, a training "corpus" is first constructed. This corpus typically comprises a set of software applications. Each application in this set is optionally accompanied with a "label" of its disposition, for example "benign", "malign", or "unknown". The labels can be determined either through manual analysis or through some other independent and possibly more expensive means. It is desirable to have fewer unknown samples, though at the same time is understood in the art that labeled data may be more expensive to obtain. 



H.	See the other cited prior arts.

However, the above prior arts of record including the rest of the cited prior arts either taken alone or in combination neither anticipates nor renders obvious the claimed subject matter of the instant application that is taken as a whole recited in the independent claims 1, 10 and 20. 
For this reason, the specific claim limitation(s) such as, but not limited to, “directly converting the software application to an audio file, based on the computed set of byte values” recited in the independent claims 1, 10 and 20 are taken as whole are allowed. 
The dependent claims 2-5, 7, 9, 11-15, 17 and 19 which are dependent on the above independent claim(s) being further limiting to the independent claims, definite and enabled by the specification are also allowed.
Furthermore, the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule 37 CFR 1.104(e). The grounds of 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission should be clearly labeled “Comments on Statement of Reasons for Allowance.” In event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control Branch in Publications or faxed to post-allowance papers correspondence branch at (703) 308-5864 to expedite issuing process or call PUB’s Customer service if any questions at (703) 305-8497.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Mon-Fri: 8AM – 4PM. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For 

/ALI CHEEMA/
Examiner, Art Unit 2433	

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498