Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The instant application having Application No. 16/102,571 is presented for examination by the examiner.  Claims 1-6 and 8-21 are pending.  Claims 1, 9, and 17 are currently amended.


Response to Arguments
Applicant's arguments filed 7/22/21 have been fully considered but they are not persuasive.  Applicant argues that the prior art, Singh, places both the static analysis engine and the dynamic analysis engine at the TDP.  Applicant argues that the prior art does not determine if suspect code is malicious or not on the cloud service of Singh.  Examiner respectfully disagrees with the notion that the cloud service is “only for updating the classification engines”.  In column 16, lines 20 Singh teaches that a secondary analysis is made of the suspect object, keeping in mind that this describes what the cloud service does once the TDP has sent it the suspect object.  Singh further elaborates in column 17, lines 10-22, that this secondary analysis is used to determine if the object is malicious.  Singh explicitly teaches, “[m]aintained within the threat detection platform 150 or located in the cloud, as shown, the classification engine 140 associated with the secondary static analysis may be configured to determine if the object is malicious”.  Singh clearly shows classification engine 140 .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 5, 8, 9, 11, 13, 16, 17, 19 are rejected under 35 U.S.C. 103 as being unpatentable over USP 9,690,933 to Singh et al hereinafter Singh in view of USP Application Publication 2019/0222593 to Craig et al hereinafter Craig.

As per claims 1, 9, and 17, Singh teaches a method for creating a malware inference architecture comprising:

classifying, at the endpoint, the instruction set as potentially malicious or benign (col. 15, lines 37-38) according to a first machine learning model based on a first parameter set, wherein the shallow machine learning model has been previously trained [col. 15, lines 19-20; based on the current predictive model];
in response to determining at least one of the instruction sets as potentially malicious, sending a filtered instruction set (col. 15, lines 53) to a cloud system (Fig. 5A, 520) wherein the filtered instruction set is a subset of the instruction sets [suspect features of the object] classified as potentially malicious (col 15, lines 45-46) by one or more parameters of the first parameter set being equal to or exceeding a threshold value (col. 10, lines 40-45); and
analyzing, at the cloud system (Fig. 2, element 235 and Fig. 5C), the filtered instruction set using a second machine learning model to determine if the filtered instruction set comprises malicious code (col. 16, lines 15-20), the second machine learning model has been previously trained and is configured to verify the filtered instructions comprises malicious code (col. 17, lines 17-30) and classify a type of security risk (col. 17, lines 25-30) associated with the filtered instruction set based on a second parameter set that is different from the first parameter set [current predictive model is updated by the cloud system to be the new reference model which is then sent back to the TDP; col. 15, lines 10-20].  Singh is silent in explicitly teaching the first machine learning model is a shallow machine learning model and sending a filtered subset of the instruction sets after analysis by the shallow learning model to a deep machine learning model as now required by the amended claims.  On the other hand 

For claim limitations below the terms first and shallow and second and deep are used interchangeably with the newly amended claims and combination of references.

As per claims 3, 11, and 19, Singh teaches the instruction set is filtered based on meeting one or more parameters of the first parameter set of the first machine learning model above a threshold value (col. 15, line 40).

As per claims 5 and 13, Singh teaches the first machine learning model is decoupled from the second machine learning model (col. 15, lines 35-40), such that classifying potential threats by the first machine learning model is decoupled from a final classification of a threat within the instruction set by the second machine learning model (col. 17, lines 23-35).
As per claims 8 and 16, Singh teaches the second parameter set is comprised of a number of parameters that dynamically modifies a number of parameters associated with the second machine learning model (col. 15, lines 1-7).

Claims 2, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Singh and Craig as applied to claims 1, 9, and 17 and in further view of USP Application Publication 2014/0310808 to Yao et al hereinafter Yao.

As per claims 2, 10, and 18, Singh and Craig are silent in explicitly teaching biasing the first machine learning model in favor of false positives, wherein the first machine learning model is penalized in training if it predicts a false negative as compared to a false positive such that the first machine learning model overestimates potentially malicious instruction sets, and wherein false negatives for true malicious instruction sets is minimized.  Singh does address the notion of updating the model when there are too many errors (false negatives).  Yao on the other hand teaches this limitation, as there is a potentially high cost when there are too many false negatives and you want a machine learning model to err on the side of caution, so false negatives are punished 10-to-1 (0062).  This meshes well with the system of Singh and Craig, which wants to avoid false negatives as much as possible.  The server side can easily handle false positives, which cost less than what could happen if false negatives occur.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Biasing machine learning feedback is well within the skill set of one of ordinary skill in the art.

Claims 4, 6, 12, 14, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh and Craig as applied to claims 1, 9, and 17 and in further view of USP 8,023,974 to Diao et al hereinafter Diao.

As per claims 4, 12, and 20, Singh and Craig teach refining the first machine learning model [current predictive model] at the endpoint [TDS] by modifying, based on threshold values (col. 16, lines 34-38) for the second parameter set of the second machine learning model optimized for malicious instruction detection [new reference model], one or more corresponding parameters in the first parameter set (col. 15, lines 15-20).  Singh is silent in explicitly teaching training the first machine learning model with a set of training data at the endpoint, wherein a parameter budget of the first parameter set is fixed as constant, causing a size of the first machine learning model to remain below a threshold size.  Singh uses lower power devices as the endpoints (i.e. phone).  Diao teaches training the first machine learning model with a set of training data at the endpoint, wherein a parameter budget of the first parameter set is fixed as constant, causing a size of the first machine learning model to remain below a threshold size, by sending the phone a lightweight version of the reference model with some features removed so that it can be executed on lower power devices, unlike the server, which runs the full scale model with all its features for optimum maliciousness detection (col. 5, lines 40-45 and 60-65 and col. 3, lines 50-60).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Singh already controls which models are sent/optimized for the phones.  There would be no point in sending a model that was too complex for the 

As per claims 6 and 14, the combined system of Singh, Craig, and Diao teaches the second machine learning model is a deep network based on one or more machine learning techniques, and the second parameter set is greater than the first parameter set [Diao: col. 5, lines 40-45 and 60-65 and col. 3, lines 50-60]. 
As per claim 15, the combined system of Singh, Craig, and Diao teaches the first machine learning model has a lower accuracy [Singh: col. 16, lines 33-40], but shorter computation time, than the second machine learning model [Diao: col. 5, lines 40-45 and 60-65 and col. 3, lines 50-60]. 

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Singh and Craig as applied to claim 1 and in further view of USP Application Publication 2015/0373039 to Wang.

As per claim 21, Singh and Craig are silent in explicitly teaching the first parameter set includes at least an IP address accessed and the at least one of the instruction sets is marked as potentially malicious for attempting to access an outside IP address.  Singh teaches sending features of the object that appear suspect (col. 15, line 53).  Wang teaches machine learning threat models can be trained with IP addresses of known threats.  Thus the blacklisted IP addresses are parameters of the model (0061).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431