DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-20 are pending.  Claims 1 and 11 are independent.  

3.	The IDS’es submitted on 5/20/2019 and 9/18/2020 have been considered.

Claim Objections
4.	Claims 6, 7, 16, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 101
5.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matters.  It appears that the claimed system only comprises software since the series of actions can be performed by software.  Therefore, when interpreted broadly as code, the claimed elements of the system are not limited to a machine or a physical part of a device within the meaning of 35 U.S.C. 101.
Claim Rejections - 35 USC § 102
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

8.	Claims 1-4, 8, 10, 11-14, 18 and 20 are rejected under 35 U.S.C. 102 as being anticipated by Tolpin (US PG Pub. 2017/0032120).
As regarding claims 1 and 11, Tolpin discloses A computer-implemented method, comprising: 
generating, by a server, kernel level feature vectors of system call hierarchy during testing phase of a computing system [para. 53-54 and 62-63; logging systems calls in an order]; 
training, by the server, a machine-learning model based upon the kernel level feature vectors for the machine-learning model to learn a normal behavior of the computing system [para. 53-54; logging system calls of an uninfected malware application]; 
retrieving, by the server, a first set of system calls of a first sub-system of the computing system during runtime of the computing system [para. 52; logging system calls of infected application after the first run]; 
retrieving, by the server, a second set of system calls of a second sub-system of the computing system during runtime of the computing system [para. 52; logging system calls of infected application after the second run]; 
executing, by the server, the machine-learning model on the first and the second sets of system calls to compare the runtime behavior of the computing system with the normal behavior [para. 56-59; comparing the system calls by merging differences between runs of the application]; and 
normal behavior over a predetermined threshold, instructing, by the server, the computing system to execute one or more mitigation instructions [para. 47; logging system calls associated with the malware for later use in detecting new or similar variants of malware (as described in para. 49].  

As regarding claims 2 and 12, Tolpin further discloses The computer-implemented method of claim 1, wherein the kernel level feature vectors comprises normal behavior features of both software and hardware components of the computing system [para. 52-55].  

As regarding claims 3 and 13, Tolpin further discloses The computer-implemented method of claim 1, further comprising: retrieving, by the server, the first and the second sets of system calls based on system call interception using dynamic kernel trace points [para. 41 and 51].  

As regarding claims 4 and 14, Tolpin further discloses The computer-implemented method of claim 1, further comprising: combining, by the server, the first and the second sets of system calls across sub-systems to generate an entire system call hierarchy [para. 56-59].  

As regarding claims 8 and 18, Tolpin further discloses The computer-implemented method of claim 1, further comprising: determining, by the server, the one or more mitigation instructions for anomalous system behavior based on a weight value of the system call associated with the anomalous system behavior.  


As regarding claims 10 and 20, Tolpin further discloses The computer-implemented method of claim 1, further comprising: determining, by the server, that the runtime behavior deviates from the normal behavior based on a hierarchical risk model comprising an attack tree [para. 60].  







Claim Rejections - 35 USC § 103
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	Claims 5, 15, 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tolpin (US PG Pub. 2017/0032120) in view of Chen (US PG Pub. 2018/0018456).
As regarding claims 5 and 15, Tolpin does not explicitly disclose Page 19 of 2315744439\000022\110763783ATC0021-USPATENTtraining, by the server, the machine-learning model based on a convolutional neural network.  However, Chen discloses it [para. 105].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Tolpin’s system to further comprise training, by the server, the machine-learning model based on a convolutional neural network, as disclosed by Chen, as one of a plurality alternative machine-learning model techniques for learning system call behaviors.

9 and 19, Tolpin and Chen further discloses The computer-implemented method of claim 1, further comprising: applying, by the server, a hybrid approach of rules combined with machine-learning model on the first and the second sets of system calls [Tolpin para. 52 combined Chen para. 105].  



















CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433   

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433