DETAILED ACTION
This Notice of Allowability is in response to RCE filed on 09 December 2021. Claims 4, 6-8, 10, 13, 15-20 have been canceled. Claims 1-3, 5, 9, 11-12, 14 and 21-26 are pending of which claim 1 is independent claim.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
This application is the National Stage of International Application No. PCT/CA2017/051020, filed August 30, 2017, which claims priority from U.S. Provisional Application Serial No. 62/381,930, filed August 31, 2016.

Response to Arguments
Claim objections and rejections have been withdrawn in view of amended claim.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Victor P. Lin (Reg. No. 66996) on 10 January 2022.
The application has been amended as follows:
1.	(Currently Amended) An apparatus for network-based, malware analysis comprising:
	a processor; and
	a memory configured to store computer program code;
	wherein the processor, memory, and computer program code are configured for in-line inspection of network-based content and to provide:
	a signature scanner configured to scan at network line-rates incoming network-based content with signature-based scanning which comprises comparing a signature of the incoming network-based content with previously identified signatures to identify if the incoming network-based content is a known threat content;
	an Artificial Intelligent (AI) scanner configured to scan at network-line rates and previously trained and configured to:
	read the code of the network-based content which has not been identified as a known threat in the signature-based scanning step without executing the code;
	use machine learned characteristics of malicious code to assign a risk value to the network-based content based on the read code of the network-based content;
	identify network-based content having been assigned a risk score below a safe threshold value as safe content;
 value as threat content; and
	identify network-based content having been assigned a risk score above the safe threshold value and below the threat threshold value as suspicious content; and
	a controller configured, based on the scans:
		to allow safe content; and
		to block threat content; and
	a behavioural scanner configured to run suspicious content in an isolated virtual environment to determine whether the suspicious content contains threat content or safe content;
	wherein the controller is configured to notify a user of identified suspicious content and prompt the user for input regarding how to process the identified suspicious content.

2.	(Previously Presented) The apparatus according to claim 1, the network-based content includes Multipurpose Internet Mail Extension (MIME) objects.

3.	(Previously Presented) The apparatus according to claim 1, the network-based content includes one or more attachments.

4.	(Cancelled)



6-8.	(Cancelled)

9.	(Currently Amended) The apparatus according to claim [[8]]1, wherein the controller is configured to:
	receive information from other users of the  apparatus regarding how to process suspicious content; and
	provide this information to the user to allow the user to base their input on information received from other users.

10.	(Cancelled) 

11.	(Previously Presented) The apparatus according to claim 1, wherein the content is processed through the signature and AI scanners at a rate of at least 1 Gbps.

12.	(Previously Presented) The apparatus according to claim 1, wherein the apparatus is configured to identify different types of malware identified as threat content.

13.	(Cancelled) 



15-20.	(Cancelled) 

21.	(Previously Presented) The apparatus according to claim 1, wherein suspicious content from the behavioural scanner is passed to a machine learning algorithm as identified content and is identified to the AI scanner as either comprising malware or as not comprising malware; 
	wherein the AI scanner is configured to scan the identified content to refine the characteristics which it uses to identify content as a threat based on the identified content received.

22.	(Previously Presented) The apparatus according to claim 1, wherein the AI scanner is configured to prioritize scanning unidentified content which has not been identified as being blocked or allowed over identified content which has already been identified as being blocked or allowed.

23.	(Previously Presented) The apparatus according to claim 1, wherein the apparatus is configured to assign priority and allocate apparatus resources based on both the size of each inspection task and the time taken to complete each content inspection task.



25.	(Previously Presented) The apparatus according to claim 1 wherein the network-line rates are between 1 Gbits/s and 10Gbits/s.

26.	(Previously Presented) The apparatus according to claim 1 wherein the network-line rates are over 100Gbits/s.

Allowable Subject Matter
Claims 1-3, 5, 9, 11-12, 14 and 21-26 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The closest references of record are Morishita et al. (US 2007/0160062), Caspi et al. (US 10,193,902) and Paithane et al. (US 2015/0220735).
Morishita et al. teaches a network based content inspection (NBCI) system. The invention improves the efficiency of the NBCI of an individual communication session by learning from the processing results of other communication sessions which may be carried via different network protocols. In addition, the invention provides methods that do not weaken the overall security for the network and that improve the stability of NBCI systems by minimizing the risk of system resource exhaustion if subjected to a burst of large payloads. The invention also improves perceived network stability by preventing the system resources from being "live-locked" by a few large content inspection tasks. 
Caspi et al. teaches a method for training a malware detector comprising a deep learning algorithm is described, which comprises converting a set of malware files and non-malware files into vectors by using a feature based dictionary, and/or by using a conversion into an image, and providing prospects that the files constitute malware.
Paithane et al. teaches a system and method for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.
Morishita et al. (US 2007/0160062), Caspi et al. (US 10,193,902) and Paithane et al. (US 2015/0220735), either taken by itself or in any combination, fail to disclose or suggest limitation “an Artificial Intelligent (AI) scanner configured to scan at network-line rates and previously trained and configured to:	read the code of the network-based content which has not been identified as a known threat in the signature-based scanning step without executing the code; use machine learned characteristics of malicious code to assign a risk value to the network-based content based on the read code of the network-based content; identify network-based content having been assigned a risk score below a safe threshold value as safe content; 	identify network-
Dependent claims are allowed by virtue of their dependencies.
None of the prior art of record either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KHANG DO/Primary Examiner, Art Unit 2492