DETAILED ACTION
This office action is in response to communication filed on 8/16/2021.
Claims 1-3 and 5-21 are being considered on the merits.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
The amendment filed 8/16/2021 has been entered. Claims 1-3 and 5-21 remain pending in the application. Applicant’s amendments to the claims and arguments only partially overcome the 112(a) and 112(b) rejections previously set forth in the Non-Final Office Action of 2/19/2021. The drawing objections are not addressed and are maintained.
Response to Arguments
Regarding the rejection of claims 1-20 under 35 USC 112(a):
The Applicant submits on pages 10-11 that the specification does provide for enablement for relating the application to the program as well as where the atmosphere and attack pattern data comes from.
The Examiner respectfully disagrees.
The amendment to the claims does overcome the 112(a) rejection with regard to where the atmosphere and attack pattern data come from. As pointed out by the applicant on page 10, Figure 4 does provide for this. However, regarding the enablement of how the application relates to the program, the examiner maintains that the claims and the specification do not make the connection. Pointing out how they are related and where this is stated in the specification would help overcome this rejection.
Regarding the rejection of claims 1 and 11 under 35 USC 112(b):

The Examiner respectfully disagrees.
The amendment to the claims does clear up where the atmosphere data, attack pattern data, and application behavior come from, namely expert analysis data, report data, and crowdsourced information. However, the two portions of this claim are still not connected. The first portion relates to a program and log data and manual submission data, while the application is related to expert analysis data, report data, and crowdsourced information. The examiner maintains these claims do not connect these five types of data or the application to the program.
Regarding the rejection of claims 1 and 11 under 35 USC 103:
The Applicant submits on page 12 “the source of collecting manual submission data in Albertson is not a variety of users who have different levels of expertise” and thus fails to teach manual submission data.
The Examiner respectfully disagrees.
The examiner does not necessarily disagree with the differences presented between the instant application and Albertson (US 9009827 B1); however, claims are given their broadest reasonable interpretation. In this case, nowhere in the claims does it specify who is inputting the manual data. Further expanding on the arguments presented in the Non-Final Office Action of 2/19/2021, Albertson teaches manual data submission in Col. 5 L. 44-52, where a human technician confirms a software-detected attack; the human operator being an administrator or engineer does not preclude it from being manual submission data. The Examiner respectfully submits that the reference does provide for inputting manual data, thus the arguments are not found to be persuasive.
Regarding the rejection of claims 1 and 11 under 35 USC 103:

The Examiner respectfully disagrees.
Without commenting on what Alperovitch does or does not teach, the claim limitations are not directed towards using a signature-based detection system and do not specify a semi-real-time reacting mechanism, and thus Alperovitch does not need to teach that. Alperovitch is used for very specific limitations as outlined in the Non-Final rejection of 2/19/21, and no arguments are directed against those limitations (except as addressed next); thus the arguments are not found to be persuasive. The Examiner maintains that Alperovitch can be combined with the other references to teach claims 1 and 11.
Regarding the rejection of claims 1 and 11 under 35 USC 103:
The Applicant submits on pages 13-14 that Alperovitch only teaches passive countermeasures, while the instant application teaches both passive and offensive countermeasures, and thus fails to meet the limitation “implementing at least one countermeasure”.
The Examiner respectfully disagrees.
Further expanding on the arguments presented in the Non-Final Office Action of 2/19/2021, Alperovitch teaches the limitation “implementing at least one countermeasure” in Para. [0056], implementing an action (i.e. countermeasure). Using the broadest reasonable interpretation, a passive countermeasure, as the applicant puts it, is still a countermeasure and can read on this limitation. The specific counterattack (i.e. active countermeasure) is taught by David (US 20180247045 A1), against which no argument is made.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
In this case, Albertson teaches improving security by sharing security information (i.e. manual input data) (Albertson, Col. 3 L. 29-40) and Alperovitch teaches providing more robust crowdsourcing solutions (Alperovitch, Para. [0032]). The examiner maintains that these reasons are enough to support the motivation to combine, and thus the arguments are not found to be persuasive.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 
Fig. 1 Ref. 122
Fig. 3 Ref. 302 
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be 
Specification
Note: The dependencies of claim 16 and claim 6 which have similar limitations are different. Claim 16 is a dependent of claim 12 instead of 11, where being a dependent of claim 11 would mirror claim 6 being a dependent of claim 1. No correction required, just pointing it out in case it was unintentional.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, as based on a disclosure which is not enabling. The disclosure does not enable one of ordinary skill in the art to practice the invention without specifying how the application relates to the program, which is/are critical or essential to the practice of the invention but not included in the claim(s) or specification. See In re Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976).
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements. See MPEP § 2172.01. The omitted elements are: a connection between the program (along with the log data and manual submission data) and the application behavior (along with expert analysis data, report data, and crowdsourced information); these appear to be completely separate functions, and it is unclear how the application behavior is related to receiving log and manual submission data or classifying and identifying the program. Do the expert analysis data, report data, and crowdsourced information come from the log data and manual submission data? Is the application behavior part of the program? Looking at Fig. 1 there appears to be a connection, but that connection is not apparent in the claim.
Claims 2-10 and 12-20 are rejected as dependent claims using the same rationale.
Where applicant acts as his or her own lexicographer to specifically define a term of a claim contrary to its ordinary meaning, the written description must clearly redefine the claim term and set forth the uncommon definition so as to put one reasonably skilled in the art on notice that the applicant intended to so redefine that claim term. Process Control Corp. v. HydReclaim Corp., 190 F.3d 1350, 1357, 52 USPQ2d 1029, 1033 (Fed. Cir. 1999). The term “atmosphere data” in claim 1 is used by the claim to mean some kind of data relating to malware prediction in relation to application behavior, while the accepted meaning is data related to nature and the real world atmosphere such as stated in the 
Claims 2-10 and 12-20 are rejected as dependent claims using the same rationale.
Claims 2 and 12 disclose identifying the source of the application based on the log data and manual submission data; however, the log data and manual submission data in claim 1 are specifically related to the program. It is unclear how this is related to the source of the application, which is related to expert analysis data, report data, and crowdsourced information. The metes and bounds are not clearly defined.
Claims 3-4, 13-14 and 16-18 are rejected as dependent claims using the same rationale.
Note: As mentioned above, claims 2 and 12, which contain similar limitations, have different dependent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1, 5-6, 9-11, 14-16 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Raff (US 20150381637 A1, provided in IDS) in view of Albertson (US 9009827 B1) and Alperovitch (US 20130254880 A1, provided in IDS), in further view of David (US 20180247045 A1). 
Regarding claim 1, Raff teaches a system for malware prediction and suppression, comprising: a plurality of host computers, each of the plurality of host computers comprising a host antimalware service configured to collect log data, (Raff, in Para. [0025], discloses a plurality of client networks (i.e. host computers) which provide log files (i.e. collects log data))
a server, the server comprising a report database and a knowledge base; (Raff, in Fig. 5C and in Para. [0027, 0077 and 0123], discloses a categorization repository (i.e. knowledge base) and a data repository for the entity record (i.e. report database) and a breach detection platform (i.e. server))
wherein the server is configured to perform the steps of: receiving, from the plurality of host computers, log data relating to [a program]; (Raff, in Fig. 5C and in Para. [0123], discloses retrieving logs from various log sources)
classifying, based on the log data, [the program]; (Raff, in Fig. 5C and in Para. [0124-0125], discloses scoring and classifying the entity based on the log data)
identifying whether [the program] is new, and, when [the program] is new, format [the program] for inclusion into the knowledge base; (Raff, in Fig. 5C and in Para. [0123], discloses determining whether the entity is new and, if so, adding it to the categorization repository (i.e. knowledge base) after it has been normalized (i.e. formatted)).
While Raff teaches collecting log data related to an entity, Raff fails to explicitly teach collecting manual submission data related to a program.
However, Albertson from the analogous technical field teaches each of the plurality of host computers further comprising a manual reporting interface provided by the antimalware service; and (Albertson, Col. 31 L. 31-38, discloses a user interface for use by a human technician for analyzing threats (i.e. manual reporting)).
(Albertson, Col. 5 L. 24-46, discloses a human technician confirming an attack, where the attack can be an application (i.e. program), before sharing the attack data (i.e. manual submission data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff to incorporate the teachings of Albertson, with a motivation to improve cyber security by sharing security information (Albertson, Col. 3 L. 29-40).  
While Raff as modified by Albertson teaches classifying a program, Raff as modified by Albertson fails to explicitly teach reacting to application behavior.
However, Alperovitch from the analogous technical field teaches identifying an application behavior, and performing a numerical malware prediction based on the application behavior, (Alperovitch, in Fig. 5 and in Para. [0054-0055], discloses monitoring application behavior (i.e. identifying) and calculating a reputation score (i.e. numerical malware prediction))
wherein the numerical malware prediction retrieves one or more of expert analysis data, report data, and crowdsourced information to generate malware atmosphere data, attack pattern data, and application behavior data; retrieving the malware atmosphere data and the attack pattern data, and generating the numerical malware prediction based on the application behavior, the malware atmosphere data, and the attack pattern data; (Alperovitch, in Fig. 5 and in Para. [0021 and 0055], discloses calculating a reputation score (i.e. numerical malware prediction) based on the behavior and other stored data, where the other stored data can include previously stored crowdsourced data, such as similarity and differences to other application (i.e. pattern data) and origination (i.e. atmosphere data))
identifying at least one countermeasure from a list of acceptable countermeasures based on the numerical malware prediction; and (Alperovitch, in Fig. 5 and in Para. [0056], discloses determining an action (i.e. countermeasure) based on the calculated reputation score (i.e. numerical malware prediction))
implementing the at least one countermeasure (Alperovitch, in Fig. 5 and in Para. [0056], discloses determining an action (i.e. countermeasure) such as deleting the application (i.e. implement countermeasure)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson to incorporate the teachings of Alperovitch, with a motivation to provide a more robust and capable crowdsourcing solution (Alperovitch, Para. [0032]).  
While Raff as modified by Albertson and Alperovitch teaches sending a message to the source, Raff as modified by Albertson and Alperovitch fails to explicitly teach counterattacking.
However, David from the analogous technical field teaches identifying, with a whitelist, an absence of the source of the application on a whitelist; and (David, in Para. [0029], discloses checking a whitelist)
with the plurality of host computers, executing a Direct Denial of Service (DDoS) attack on the source of the application (David, in Para. [0029], discloses counter attacking any malicious attempt).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson and Alperovitch to incorporate the teachings of David, with a motivation to provide total security (David, Para. [0029]).
Regarding claim 5, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 1.
Albertson further teaches wherein the step of receiving, from the plurality of host computers, log data and manual submission data relating to a program comprises: accessing, with the host antimalware service, the host computer, and determining one or more instances of probable suspicious behavior; (Albertson, Col. 5 L. 31-46, discloses software initially determining an attack (i.e. probable suspicious behavior))
generating a confirmation message indicating the suspicious behavior, displaying the confirmation message via the manual reporting interface, and receiving a confirmation from a user via the manual reporting interface; and (Albertson, Col. 5 L. 31-46, discloses human technician (i.e. user) confirming an attack (i.e. probable suspicious behavior))
generating and sending a report to the server comprising log data of the suspicious behavior (Albertson, Col. 5 L. 31-46, discloses attack data (i.e. manual submission data and log data)).
Regarding claim 6, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 1.
Alperovitch further teaches wherein the step of classifying the program comprises: identifying a plurality of reports received from the host computers, each of the reports comprising at least one of log data and manual submission data; (Alperovitch, in Para. [0022], discloses comparing to crowdsource data)
identifying a conflict in the plurality of reports; and (Alperovitch, in Para. [0022], discloses discovering differences in the data)
 flagging the program for expert evaluation based on the conflict (Alperovitch, in Para. [0022], discloses flagging differences in the data).
Regarding claim 10, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 1.
Raff further teaches wherein the server further comprises a server antimalware service configured to scan the log data and manual submission data (Raff, in Para. [0077], discloses a breach detection platform (i.e. server) which performs log analysis (i.e. scan the log)).
Albertson further teaches wherein the log data and manual submission data further comprises the program, and (Albertson, Col. 5 L. 31-46, discloses attack data (i.e. manual submission data and log data) including an application identifier).
Regarding claim 9, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 1.
Raff further teaches wherein the server further comprises a deep learning element, and (Raff, in Para. [0066], discloses using machine learning).
Albertson further teaches wherein the server is configured to perform the steps of: automatically generating at least one rule based on the list of known virus samples and known benign files; and (Albertson, Col. 8 L. 23-25, discloses automatically generating a rule set based on recognized pattern (i.e. known virus and benign files))
automatically updating the at least one rule based on the log data and manual submission data. (Albertson, Col. 8 L. 23-25, discloses generating (i.e. updating) a rule set based on security attack data (i.e. log data and manual submission data)).
Alperovitch further teaches wherein the knowledge base further comprises a list of known virus samples and known benign files, (Alperovitch, in Para. [0018], discloses a database with application reputation (i.e. known virus and benign files)).
Regarding claim 21, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 9.
Albertson further teaches flagging suspicious behavior (Albertson, in Col. 14 L. 1-4, discloses alerting (i.e. flagging) suspicious behavior).
David further teaches wherein the deep learning element and knowledge base are further configured to work with a software behavior computation (SBC)-based detection process to perform analysis comprising: examining source code by analyzing and computing suspicious object behavior and benign object behavior; (David, in Para. [0031], discloses creating one or more signatures such as processes/functions (i.e. behavior) to verify (i.e. examining) the code)
eliminating obfuscation in malware and deriving net behavior of underlying code, based on a foundation of the Structure Theorem and Correctness Theorem; and (David, in Para. [0031], discloses validity being based on the behavior of the code (i.e. circumventing obfuscation))
As per claims 11, 14-16, and 19-20, these claims recite a token method to perform the steps as recited by the system of claims 1, 5-6, and 9-10, and have limitations that are similar to those of claims 1, 5-6, and 9-10; thus they are rejected with the same rationale applied against claims 1, 5-6, and 9-10.
Claims 2-3 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Raff in view of Albertson, Alperovitch and David, in further view of Evans (US 10516695 B1).
Regarding claim 2, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 1.
Albertson further teaches performing an attack attribution on the source of the application; and (Albertson, Col. 11 L. 5-9, discloses determining the source of the attack).
wherein implementing the countermeasure comprises: identifying, from the log data and manual submission data, a source of the application; (Alperovitch, in Para. [0021], discloses determining origination of application in crowdsource data).
While Raff as modified by Albertson, Alperovitch, and David teaches determining the source, Raff as modified by Albertson, Alperovitch, and David fails to explicitly teach sending a message to the source.
However, Evans from the analogous technical field teaches automatically generating and sending one or more communications to the source of the application (Evans, in Col. 9 L. 47-65, discloses notifying the owner of the source of the malicious behavior).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson, Alperovitch, and David to incorporate the teachings of Evans, with a motivation to maximize response while minimizing impact on the users (Evans, Col. 2 L. 61-66).  
Regarding claim 3, Raff as modified by Albertson, Alperovitch, David and Evans teaches the system of claim 2.
Evans further teaches wherein the step of automatically generating and sending one or more communications to the source of the application comprises: identifying a registered owner of the source of the application; and generating and sending a message to the registered owner of the source of the application (Evans, in Col. 9 L. 47-65, discloses notifying the owner of the source of the malicious behavior).
As per claims 12-13, these claims recite a token method to perform the steps as recited by the system of claims 2-3, and have limitations that are similar to those of claims 2-3; thus they are rejected with the same rationale applied against claims 2-3.
Claims 7-8 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Raff in view of Albertson, Alperovitch, and David, in further view of Myslinski (US 8990234 B1).
Regarding claim 7, Raff as modified by Albertson, Alperovitch, and David teaches the system of claim 6.
Raff further teaches wherein the system is further configured to perform the steps of: receiving an expert evaluation indicating the program as malicious or non-malicious, and uploading the expert evaluation to the knowledge base; (Raff, in Para. [0107], discloses manual review by an expert).
While Raff as modified by Albertson, Alperovitch, and David teaches an expert evaluating the program, Raff as modified by Albertson, Alperovitch, and David fails to explicitly teach flagging a source of the report.
However, Myslinski from the analogous technical field teaches identifying one or more reports in the plurality of reports contradicting the expert evaluation, and identifying a source of the one or more reports; and flagging the source of the one or more reports (Myslinski, in Col. 21 L. 62- Col. 22 L. 2, discloses a source that provides false or inaccurate information (i.e. contradicts expert)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Raff as modified by Albertson, Alperovitch, and David to incorporate the teachings of Myslinski, with a motivation to verify accuracy of information (Myslinski, Col. 1 L. 15-18).  
Regarding claim 8, Raff as modified by Albertson, Alperovitch, David and Myslinski teaches the system of claim 7.
Myslinski further teaches wherein the system is further configured to perform the steps of: identifying a source that has been flagged a plurality of times; and (Myslinski, in Col. 21 L. 62- Col. 22 L. 2, discloses a source that often provides false or inaccurate information)
classifying further reports from the source as untrusted (Myslinski, in Col. 21 L. 62 - Col. 22 L. 2, discloses determining that a source that provides false or inaccurate information is unreliable (i.e. untrusted)).
As per claims 17-18, these claims recite a token method to perform the steps as recited by the system of claims 7-8, and have limitations that are similar to those of claims 7-8; thus they are rejected with the same rationale applied against claims 7-8.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208. The examiner can normally be reached M-Th 9:00-18:00 (Flex).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TRANG T DOAN/Primary Examiner, Art Unit 2431