DETAILED ACTION
Office Action Summary
Claims 1-20 are pending in the instant application.
Claims 1-20 are rejected under 35 USC § 102.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Li et al. (US Patent No: 8,806,641) hereinafter referred to as Li.


a constant pool address generator to generate a constant pool address table, from the class features, including a plurality of constant pool blocks, based on constant pool type, through an iterative process; (Li, column 6, lines 43-63 teaches “unpacking module 106 may identify a number of constants in a constant pool of the class file. As used herein, the phrase "constant pool" may refer to any collection, list, array, table, and/or sequence of constants used in and/or defined for a class”)
a class feature identifier to determine values for each constant pool block based on a constant pool type and store the determined values as a class file feature set; (Li, column 6, lines 43-63 teaches “For example, unpacking module 106 may identify, based on a format of the application package file, a predetermined offset of a constant pool count.”)
a feature value identifier to obtain raw feature values from a class file feature set and non-class file features; and (Li, column 7, lines 8-40 teaches “In some examples, unpacking module 106 may identify a number of fields in the class file. For example, unpacking module 106 may identify a number of class variables and/or data members of the class.”)
a feature matrix generator to generate a matrix based on the raw features that correspond to the instruction set. (Li, column 10, lines 41-60, teaches organizing features into families)

As per claims 2, 9 and 16, Li teaches … wherein the instruction set represents a Java ARchive (JAR) file and further including a file extractor to extract the class and non-class files from the JAR file. (Li, column 6, lines 1-8, teaches that files may be of various types, including Java class; the examiner gives official notice that a JAR file is a Java file type)



As per claims 4, 11 and 18, Li teaches … further including a class file storage device to store class files extracted from the instruction set by the file extractor. (Li, fig 4, item 423, 425 and 427)

As per claims 5, 12 and 19, Li teaches … further including a machine learning model trainer to train a machine learning model based on generated matrices and a threshold value. (Li, column 2, line 32)

As per claims 6, 13 and 20, Li teaches … further including a machine learning model processor to apply the machine learning model to the matrix to determine whether a second instruction set is malicious. (Li, fig 3, item 308)

As per claims 7 and 14, Li teaches … further including a class feature storage device to store class file feature values as class file feature sets. (Li, fig 6, item 695)

Other Related Art
Kumar (2012/0317644) teaches “The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, 
Han (11023580) teaches “The disclosed subject matter may be used to predict previously unlabeled features of possible malware files and to label previously unlabeled possible malware files. Using embodiments of the disclosed subject matter, a computing system may build a malware labeling model using incomplete features and partially observed file class labels. Additionally, embodiments of the disclosed subject matter, may predict the labeling output of a given anti-malware product without accessing all features of the given file. The decision rules, as characterized by the mapping function, may be transferred across different anti-malware products for increased accuracy in identifying potential malware.”
Singh (20170091654) teaches “as part of an antivirus or antimalware scheme. In the latter case, the objects may be any network object as described herein, including static objects, active objects, and network-attached devices. These embodiments are provided as nonlimiting examples only, and should be understood to be non-exclusive. Many other uses for object classification are possible, and are within the intended scope of this specification”
El-Moussa (20180053002) teaches “a matrix 142 mapping VM configuration features 152 against attack features 150 in an exemplary embodiment of the present disclosure. As can be seen from the exemplary data structure of FIG. 6, the attack feature "Changes in System files" occurred on VMs that, for example, have "Admin Allowed to read files", "Registry change allowed" and "SSH Allowed". Thus the set of reduced features [Y] permits the identification of associations between configuration features 152 and attack features 150. Notably the attack features are not specific attacks but rather classes or types of attack (e.g. an attack that involves executing malware is a class of attack, not a specific malware attack).”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906. The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/SIMON P KANAAN/Primary Examiner, Art Unit 2492