DETAILED ACTION
This Office Action is in response to the application 16/867,440 filed on May 05th, 2020.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-32 were canceled. Claims 33-52 have been added. Claims 33-52 are pending and herein considered.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 06/24/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent 
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 33-52 are provisionally rejected on the ground of nonstatutory double patenting over claims 1-28 of U.S. Patented Application 10,685,112 since the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 33-35, 42-44, 46-50 and 52 are rejected under 35 U.S.C 103(a) as being unpatentable over Satish et al. (Satish), U.S. Patent Number 8,401,982, in view of Rowland et al. (Rowland), U.S. Patent Number 8,973,141.
Regarding claim 33; Claim 33 is directed to a computer-implemented method which has similar scope as claim 48. Therefore, claim 33 remains un-patentable for the same reasons.
Regarding claim 34
Regarding claim 35; Claim 35 is directed to the computer-implemented method of claim 34 which has similar scope as claim 50. Therefore, claim 35 remains un-patentable for the same reasons.
Regarding claim 42; Satish and Rowland disclose the computer-implemented method according to claim 33, Satish further discloses comprising: determining whether the series of events includes at least one malicious event (Satish: col. 7, lines 52-53; a series of feature vectors for each training file, one for each detected behavior event.); and classifying the received data based at least on a presence of the at least one malicious event in the series of events (Satish: col. 9, lines 8-11; classifying a training file as legitimate or malicious on the basis of the feature vectors.).
Regarding claim 43; Satish and Rowland disclose the computer-implemented method according to claim 42, Satish further discloses comprising: determining that an event is malicious based at least on a filename and/or a filepath associated with the event (Satish: col. 9, lines 28-33; the set of training files and associated feature vectors, the constructed decision tree and associated information (e.g., splitting attributes, splitting tests) and client system to name a few.).
Regarding claim 44; Satish and Rowland disclose the computer-implemented method according to claim 43, wherein Satish further discloses the filename and/or the filepath associated with the event is analyzed based at least on a pattern associated with one or more filenames and/or filepaths that are known to be non-malicious (Satish: col. 10, lines 39-43; the security system discovers that the time gap between a file delete and a preceding registry modification is a good indicator that can help classify a training file as legitimate or malicious and include the corresponding features in the decision tree.).
Regarding claim 46; Satish and Rowland disclose the computer-implemented method according to claim 43, wherein Satish further discloses the data object comprises a file, a function, and/or a software program (Satish: col. 4, line 55; separating legitimate software from malware.).
Regarding claim 47; Satish and Rowland disclose the computer-implemented method according to claim 1, wherein Satish further discloses the two or more subsequence of events comprise consecutive and/or non-consecutive events from the series of events (col. 5, lines 13-14; event sequencing and timing information can help to accurately classify the file.).
Regarding claim 48; Satish discloses a system comprising:
at least one processor (col. 5, line 48; Fig. 2; at least one processor 202.); and
at least one memory (col. 5, line 50; Fig. 2; a memory 206.) including program code which when executed by the at least one processor causes operations comprising:
analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object (col. 6, lines 51-55; detect the occurrence of events of interest; the file monitor module 320 passes values of the attributes of interest and data related to the exhibited events of interest (e.g., event type, sequence, and timing) to the security analysis engine 330 to determine whether the file is malware.), and the series of events being analyzed to at least extract, from the series of events, two or more subsequences of events (col. 8, lines 34-38; each of the subsequent feature vectors, the values of the event sequencing features are the orders in which behavior events of the corresponding event types were first observed at that points in time.);
(col. 7; line 23; Fig. 4; a machine learning engine 420.), a classification for the received data, the machine learning model classifying the received data based at least on whether two or more subsequences of events when considered together are malicious (col. 9, lines 8-11; the machine learning engine 420 learns to find out the best means of classifying a training file as legitimate or malicious on the basis of the feature vectors.); and
providing the classification indicative of whether the received data is malicious (col. 10, lines 27-30; the security system 120 associates a label with the feature vectors indicating the classification of the associated training file before feeding the feature vectors into the decision tree induction algorithm.), the classification being used to make a determination of whether to continue to execute the data object in order to prevent damage to a computing system and/or software (col. 11, lines 18-22; the security module determines whether the target process is malicious based on the decision tree traversal, and either terminates the target process if it is determined malicious or leaves it alone if determined legitimate.).
Satish fails to explicitly disclose at least two of the subsequences of events being non-consecutive.
However, in the same field of endeavor, Rowland discloses universal actor correlator comprising at least two of the subsequences of events being non-consecutive (col. 11, lines 15-28; entities are extracted from five event types and used as anchor points for subsequent event correlation.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Rowland into the (Rowland: )
Regarding claim 49; Satish and Rowland disclose the system according to claim 48, wherein Satish further discloses the two or more subsequences of events are extracted by at least: determining a plurality of subsequences in the series of events (Satish: col. 9, lines 12-16; the machine learning engine determines whether and what event timing and/or sequencing information (e.g., a specific event pair) can be used to render improved classification.); identifying a plurality of most frequent subsequences in the plurality of subsequences (Satish: col. 10, lines 60-64; identifies a newly launched process that is associated with an unknown computer file and identifies that process as the target process for security scrutiny.); and selecting, from the plurality of the most frequent subsequences, the two or more subsequences of events (Satish: col. 11, lines 13-18; determines that the target process is not successfully classified; if the target file is not successfully classified, the security module continues to monitor the runtime behavior of the target process and repeats steps until a successful classification is reached.).
Regarding claim 50; Satish and Rowland disclose the system according to claim 49, wherein Satish further discloses the selecting of the two or more subsequence of events is based on a frequency of occurrence of the plurality of most frequent subsequences exceeding a predetermined threshold (Satish: col. 11, lines 11-13; if the confidence score is below a threshold value, the security module ignores the represented classification.).
Regarding claim 52.
Claims 36-41, 45 and 51 are rejected under 35 U.S.C 103(a) as being unpatentable over Satish et al. (Satish), U.S. Patent Number 8,401,982, in view of Rowland et al. (Rowland), U.S. Patent Number 8,973,141, and further in view of Xaypanya et al. (Xaypanya), U.S. Pub. Number 2014/0279762.
Regarding claim 36; Claim 36 is directed to the computer-implemented method of claim 34 which has similar scope as claim 51. Therefore, claim 36 remains un-patentable for the same reasons.
Regarding claim 37; Satish, Rowland and Xaypanya disclose the computer-implemented method according to claim 36, wherein Xaypanya further discloses the Apriori algorithm is configured to at least: identify a most frequent event (Xaypanya: par. 0019; identify the category membership or association mostly through multiple regressions and combinatorics.); and identify, based at least on the most frequent event, a most frequent subsequence of events, the most frequent subsequence of events including the most frequent event and at least one other event (Xaypanya: par. 0019; identify discrete data elements (e.g., parameters, parametric values, by locking certain explanatory and non-dependent variables, and iteratively regressing the data, as well as with unassociated variables, etc.) but also the combination of elements to form a higher level data set to determine the proper categorizations.).
Regarding claim 38; Satish and Rowland disclose the computer-implemented method according to claim 33.
Satish and Rowland fail to explicitly disclose analytical neural network intelligent interface machine learning method and system wherein the machine learning model comprises a recurrent neural network.
(Xaypanya: par. 0023; application to neural network learning reveals many interesting insights in locating anomalous behaviors.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Xaypanya into the method and system of Satish and the system and method of Rowland wherein analytical neural network intelligent interface machine learning method and system wherein the machine learning model comprises a recurrent neural network to solve structured and unstructured data problems through the automated creation of decision trees (Xaypanya: par. 0005).
Regarding claim 39; Satish, Rowland and Xaypanya disclose the computer-implemented method according to claim 38, wherein Xaypanya further discloses the recurrent neural network comprises a long short term memory network (Xaypanya: par. 0032; dynamic memory.).
Regarding claim 40; Satish, Rowland and Xaypanya disclose the computer-implemented method according to claim 39, wherein Xaypanya further discloses the long short term memory network comprises a memory cell, the memory cell being configured to maintain a value, the memory cell being further configured to determine, based at least on an event, whether to update, output, discard, and/or continue to maintain the value (Xaypanya: par. 0071; one or more models may be updated to include the statistically anomalous data and further updating the rule’s definition.).
Regarding claim 41; Satish and Rowland disclose the computer-implemented method according to claim 33, wherein Satish further discloses the machine learning model determines the classification for the received data by at least: generating a representation of the two or more subsequences of events (Satish: col. 6, lines 66-67; the security analysis engine makes the determination based on the classification represented by the leaf node.); determining an average representation of the two or more subsequences of events over a plurality of time steps associated with the series of events (Satish: col. 7, lines 3-6; the security analysis engine considers other factors such as the confidence score for the represented classification and the local security policy in making the determination.).
Satish and Rowland fail to explicitly disclose determining a logistic regression of an average representation of the two or more subsequences of events; and determining, based on the logistic regression, the classification for the received data.
However, in the same field of endeavor, Xaypanya discloses analytical neural network intelligent interface machine learning method and system wherein determining a logistic regression of an average representation of the two or more subsequences of events (Xaypanya: par. 0021; multiple associations can run multiple iterations of regression analysis to prove to the decision tree ANNI has derived from the data.); and determining, based on the logistic regression, the classification for the received data (Xaypanya: par. 0022; analyze data and recognize DNA type pattern analysis, used for classification and the above stated regression analysis.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Xaypanya into the method and system of Satish and the system and method of Rowland wherein determining a (Xaypanya: par. 0005).
Regarding claim 45; Satish and Rowland disclose the computer-implemented method according to claim 44.
Satish and Rowland fail to explicitly disclose the pattern associated with the one or more non-malicious filenames and/or filepaths is modeled using a Markov chain.
However, in the same field of endeavor, Xaypanya discloses analytical neural network intelligent interface machine learning method and system wherein the pattern associated with the one or more non-malicious filenames and/or filepaths is modeled using a Markov chain (Xaypanya: par. 0024; Markov network.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Xaypanya into the method and system of Satish and the system and method of Rowland wherein the pattern associated with the one or more non-malicious filenames and/or filepaths is modeled using a Markov chain to solve structured and unstructured data problems through the automated creation of decision trees (Xaypanya: par. 0005).
Regarding claim 51; Satish and Rowland disclose the system according to claim 49.
Satish and Rowland fail to explicitly disclose the plurality of the most frequent subsequences are identified by at least applying an Apriori algorithm.
(Xaypanya: par. 0006; an apriori algorithm is employed to mine association rules via trending engine topology to update definitions of behavioral and/or activity (e.g., statistically anomalous events).).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Xaypanya into the method and system of Satish and the system and method of Rowland wherein the plurality of the most frequent subsequences are identified by at least applying an Apriori algorithm to solve structured and unstructured data problems through the automated creation of decision trees (Xaypanya: par. 0005).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087.  The examiner can normally be reached on 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KHOI V LE/
Primary Examiner, Art Unit 2436