DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.    This action is responsive to the application filed on 10/07/2019.
2.    Claims 1 – 20 are pending.
3.    Claims 3-8, 12, and 16-19 are objected to.
4.    Claims 1, 2, 9-11, 13-15, and 20 are rejected.


Allowable Subject Matter
Claims 3-8, 12, and 16-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.





Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 9-11, 14, and 20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable by Yin Chen et al (US 20160379136 A1), hereinafter “Chen”.

Regarding Claim 1, Chen discloses a computing system comprising:
persistent storage disposed within a remote network management platform and configured to store (Chen, Paragraph 0015, storage that stores the software instructions to perform a behavior-based operation):
a shared classification model comprising a plurality of classifiers configured to classify software applications among a plurality of predetermined categories (Chen, Paragraphs 0017, 0029, machine-learning classifier models that generate analysis results based on software applications associated with the monitored activities),
wherein the plurality of classifiers are based on training data acquired from a plurality of managed networks associated with the remote network management platform (Chen, Paragraph 0029, machine learning techniques used for classification based on software applications associated with the monitored activities. Paragraph 0035, updating behavior features used to perform behavior-based operations, wherein the update operation included updating a condition evaluated by a decision made in a machine-learning classifier model. The update operation may include adding a new decision node to the machine-learning classifier model based on the result of the program analysis operation);
and a representation of a plurality of software applications executable on one or more computing devices within a particular managed network (Chen, Paragraph 0029, performing real-time behavior monitoring and analysis operations, which may include monitoring activities of one or more software applications operating on the computing device. Paragraph 0140, software applications are stored in the internal memory);
and a discovery application configured to perform operations comprising (Chen, Paragraph 0029, performing real-time behavior monitoring and analysis operation, which include monitoring activities of one or more software operations operating on a computing device):
obtaining one or more attributes of a software process corresponding to a software application of the plurality of software applications (Chen, Paragraph 0029, monitoring activities of one or more software applications operating on the computing device in order to generate behavior vector information structures (herein “behavior vectors”) that characterize all or a subset of the monitored activities of one or more software applications);
determining, by way of the shared classification model and based on the one or more attributes, a suggested classifier of the plurality of classifiers (Chen, Paragraph 0029, generating behavior vector information structures (herein “behavior vectors”) that characterize all or a subset of the monitored activities of one or more software applications, applying the generated behavior vectors to machine-learning classifier models (herein “classifier models”) to generate analysis results, and using the analysis results to classify the behavior vector (and thus the activities characterized by that vector and/or a software application associated with the monitored activities) as benign or non-benign. Paragraph 0039, the behavior extractor module may communicate (e.g., via a memory write operation, function call, etc.) the behavior vectors to the analyzer module, which may apply the behavior vectors to classifier models to generate analysis results that may be used to determine whether a software application or device behavior is benign or non-benign);
Chen, Paragraph 0029, classifying as benign or non-benign. Paragraph 0039, determining status of application based on analysis results);
receiving an indication that the suggested classification has been accepted (Chen, Paragraphs 0124-0125, the processing core may determine whether these results may be used to classify a behavior as either malicious or benign with a high degree of confidence, and if not treat the behavior as suspicious);
based on receiving the indication, updating the representation to indicate the suggested classification for the software application (Chen, Fig 4, Paragraphs 0124-0125, determining status of application based on classifier models using a high degree of confidence);
and storing, in the persistent storage, the representation as updated (Chen, Paragraph 0125, the processing core may use the result of the comparison generated in block 412 to classify a behavior of the mobile device as benign or potentially malicious).


Regarding Claim 9, Chen discloses the computing system of claim 1 above, wherein the shared classification model comprises a machine learning (ML) model trained to determine a respective suggested classifier of the plurality of classifiers for a respective software process based on one or more corresponding attributes of the respective software process (Chen, Paragraph 0044, the classifier models may be preinstalled on the mobile computing device, downloaded or received from a server, received from one or more peripheral devices, generated in the mobile computing device, or any combination thereof. The classifier models may be generated by using crowd sourcing solutions, behavior modeling techniques, machine learning algorithms, etc.),

providing the one or more attributes as input to the ML model (Chen, Paragraph 0046, obtain a classifier model that tests/evaluates features specific to an application operating on the mobile computing device based on the determined category of that application);
and receiving as output from the ML model the suggested classifier (Chen, Paragraph 0046, In response to determining that the application's category matches a category that is associated with an existing classifier model, the mobile computing device may retrieve that classifier model and may begin using the retrieved classifier model to monitor for non-benign behaviors on the device associated with the application).

Regarding Claim 10, Chen discloses the computing system of claim 1 above, wherein the one or more attributes comprise one or more of:
(i) a name of the software process, (ii) a command used to invoke execution of the software process, (iii) parameters provided to the software process as input, or (iv) content of a directory associated with the software process (Chen, Paragraph 0045, features of the application (e.g., the application's ability to utilize SMS messaging and how many SMS messages are expected within a certain amount of time). Designating the application as belonging to a particular category of applications, such as a “game” application, a “news” application, a “messaging” application, or various other types of applications.).

Regarding Claim 11, Chen discloses the computing system of claim 1 above, wherein obtaining the one or more attributes of the software process comprises:
identifying a plurality of unclassified software processes detected within the particular managed network (Chen, Paragraph 0029, perform real-time behavior monitoring and analysis operations, which may include monitoring activities of one or more software applications operating on the computing device (e.g., by monitoring API calls at the hardware, driver, kernel, NDK, SDK, and/or Webkit levels, etc.)),
wherein each respective unclassified software process of the plurality of unclassified software processes is associated with one or more corresponding attributes determined by a discovery process (Chen, Paragraph 0029, generating behavior vector information structures (herein “behavior vectors”) that characterize all or a subset of the monitored activities of one or more software applications),
and wherein the respective unclassified software process and the one or more corresponding attributes are stored in the persistent storage as part of the representation (Chen, Paragraph 0015, storage that stores the software instructions to perform a behavior-based operation. Paragraph 0125, the processing core may use the result of the comparison generated in block 412 to classify a behavior of the mobile device as benign or potentially malicious);
and selecting a particular unclassified software process of the plurality of unclassified software processes for classification by way of the shared classification model (Chen, Paragraphs 0017, 0029, machine-learning classifier models that generate analysis results based on software applications associated with the monitored activities);
and retrieving, from the persistent storage, the one or more corresponding attributes associated with the particular unclassified software process (Chen, Paragraph 0029, monitoring activities of one or more software applications operating on the computing device in order to generate behavior vector information structures (herein “behavior vectors”) that characterize all or a subset of the monitored activities of one or more software applications).


Claim 14 carries similar limitations as discussed with regards to Claim 1 above and therefore is rejected for the same reason.

Claim 20 carries similar limitations as discussed with regards to Claims 1 and 14 above and therefore is rejected for the same reason.





Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 2 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Rajarshi Gupta et al (US 20150356451 A1), hereinafter “Gupta”.
Regarding Claim 2, Chen discloses the computing system of claim 1 above. 

However, Chen fails to explicitly disclose wherein the plurality of classifiers comprises: a rule-based classifier based on first training data obtained from a first managed network of the plurality of managed networks, wherein the first training data comprises a rule-based discovery pattern; and a machine learning classifier based on second training data obtained from a second managed network of the plurality of managed networks, wherein the second training data comprises one or more pairs of (i) data indicating a respective software process and one or more attributes corresponding to the respective software process and (ii) a classification for the respective software process.

 
Gupta, from the same or similar field of endeavor, discloses wherein the plurality of classifiers comprises:
a rule-based classifier based on first training data obtained from a first managed network of the plurality of managed networks (Gupta, Paragraph 0082, model generator uses the information received in the cloud unit and training data to generate a full or robust classifier model),
wherein the first training data comprises a rule-based discovery pattern (Gupta, Paragraph 0072, the behavior observer unit may receive the initial set of behaviors and/or factors from other mobile computing devices, a network server (e.g., the server) and/or a component in a cloud service or network (e.g., the cloud service provider network). Paragraph 0082, identifying all or most of the features, data points, and/or factors that contribute to non-benign behavior);
and a machine learning classifier based on second training data obtained from a second managed network of the plurality of managed networks (Gupta, Paragraph 0083, the server may be configured to generate the full classifier model by performing, executing, and/or applying machine learning and/or context modeling techniques to behavior information and/or the results of behavior analyses provided by many mobile computing devices or other information received from the cloud service provider network),
wherein the second training data comprises one or more pairs of (i) data indicating a respective software process and one or more attributes corresponding to the respective software process and (ii) a classification for the respective software process (Gupta, Paragraph 0073, classifier unit receives observations from behavior observer unit, compares the received information with contextual information and identifies subsystems, processes, and/or applications that are contributing to problems on the device. Paragraph 0133, the device processor executing the behavior analyzer unit may generate the new classifier model from scratch by training a corpus of data with the application's specific features to develop a classifier model that tests, evaluates, and/or classifies behaviors related to those application-specific features. Paragraph 0150, the server processor executing the model generator unit may also train the obtained cloud data set with the application-specific features identified in block 714 to generate a classifier model).


Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chen in view of Gupta in order to further modify the method of analyzing behaviors of a computing device from the teachings of Chen with the method of categorizing the application based on the set of application-specific features and obtaining a classifier model based on the category of the application from the teachings of Gupta.



Regarding Claim 15, this claimed limitation is the same as the limitation addressed to Claim 2 above. Therefore it is rejected under the same rationale.




Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Vinay Sridhara et al (US 20160337390 A1), hereinafter “Sridhara”.

Regarding Claim 13, Chen discloses the computing system of claim 1 above, wherein determining the suggested classifier comprises:
determining, by way of the shared classification model, a plurality of suggested classifiers of the plurality of classifiers (Chen, Paragraph 0029, generating behavior vector information structures (herein “behavior vectors”) that characterize all or a subset of the monitored activities of one or more software applications, applying the generated behavior vectors to machine-learning classifier models (herein “classifier models”) to generate analysis results, and using the analysis results to classify the behavior vector (and thus the activities characterized by that vector and/or a software application associated with the monitored activities) as benign or non-benign. Paragraph 0039, the behavior extractor module may communicate (e.g., via a memory write operation, function call, etc.) the behavior vectors to the analyzer module, which may apply the behavior vectors to classifier models to generate analysis results that may be used to determine whether a software application or device behavior is benign or non-benign).

However, Chen fails to explicitly disclose providing for display of the plurality of suggested classifiers by way of a user interface associated with the discovery application; and receiving, by way of the user interface, a selection of the suggested classifier from the plurality of suggested classifiers.

Sridhara, from the same or similar field of endeavor, discloses providing for display of the plurality of suggested classifiers by way of a user interface associated with the discovery application (Sridhara, Paragraph 0027, computing device may display/render a prompt that displays the classification and sub-classifications of the behavior (and thus the reasons that the behavior was determined to be suspicious or non-benign), and request the user to select whether to whitelist the behavior or the software application (i.e., whether the benefits of using that application outweigh its negative characteristics));
and receiving, by way of the user interface, a selection of the suggested classifier from the plurality of suggested classifiers (Sridhara, Paragraph 0027, in response to receiving a user input indicating that the behavior is to be whitelisted, the computing device may add the behavior to the white list (e.g., by storing the behavior vector information structure and the analysis/classification results in a whitelist database in association with the software application)).



One of ordinary skill in the art would have been motivated because, by selecting the classifier, the behavior system will no longer need to monitor or analyze the same behavior or activity for the software application, which will lower the processing overhead of the system (Sridhara – Paragraph 0027).




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. All the references listed on 892 are related to the subject matter of classifying applications using machine learning techniques.
Some of the prior art include:
	US 20120227105 A1, US 20150121524 A1, and US 20160285897 A1.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAVIER O GUZMAN whose telephone number is (571)270-0588. The examiner can normally be reached Monday - Friday 8 am to 4 pm EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached on 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAVIER O GUZMAN/Primary Examiner, Art Unit 2446