Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
Claims 1-5, 8, 10-13, and 16-19 are allowed.
The following is an examiner’s statement of reasons for allowance: 

Regarding independent claims 1, 10 and 17, the closest prior art is the following:
1. The previously cited reference Sridhara (US 2015/0230108) teaches (see the Office Action (“OA”) dated 9/17/2021, pages 7-11) A method of generating cognitive security intelligence for detecting and preventing a non-signature based malware in a computing system (see [0005]: “the method further includes monitoring an instruction queue to identify an instruction sequence associated with the key asset, determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities, and removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity”. Sridhara teaches detecting and preventing a non-signature based malware because it detects a malware without comparing the code of the malware with signatures of known malware codes), the method comprising: 
monitoring, by a cognitive security device implemented in the computing system, instructions being executed by a processor of the computing system; 
determining, by the cognitive security device, a plurality of events triggered by the execution of the instructions and a plurality of activities performed by the execution of the instructions; 
correlating, by the cognitive security device, the plurality of events and the plurality of activities to determine a sequence of events and activities of the non-signature based malware,
wherein the plurality of events comprises: file dropping and execution, device fingerprinting, system vulnerability exploitation, system cryptic processes, bulk file search, and voluminous network events in the computing system (see [0054]: “The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal info or normal data files), creating or deleting files (e.g., type exe, zip, etc.)”.  The Examiner interprets creating files as file dropping. And see [0055]: “The behavior observer module 202 may also monitor/observe data network activity, which may include types of connections, protocols, port numbers, server/client that the device is connected to, the number of connections, volume or frequency of communications, etc. The behavior observer module 202 may monitor phone network activity, which may include monitoring the type and number of calls or messages (e.g., SMS, etc.) sent out, received, or intercepted (e.g., the number of premium calls placed)”), and 
mapping, by the cognitive security device, the sequence of events and activities with a topographical threat map to detect a pattern match corresponding to the non-signature based malware, 
wherein the non-signature based malware is having no pre-configured signature in the cognitive security device (see [0005]: “the method further includes monitoring an instruction queue to identify an instruction sequence associated with the key asset, determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities, and removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity”. Sridhara teaches wherein the non-signature based malware is having no pre-configured signature in the cognitive security device because it detects a malware without comparing the code of the malware with signatures of known malware codes), 
wherein the topographical threat map is event and activity behavior map of (see [0081]: “the analyzer module 204 may be configured to perform real-time behavior analysis operations, which may include performing, executing, and/or applying data, algorithms, classifiers or behavior models (collectively "classifier models") to the collected behavior information. Each classifier model may be a behavior model that includes information that may be used by a mobile device processor to evaluate a specific aspect of a mobile device behavior. The classifier models may be preinstalled on the mobile device, downloaded, received from a network server, generated in the mobile device, or any combination thereof. A classifier model may be generated by using machine learning and other similar techniques”. And see [0087]: “The network server may continuously reevaluate existing classifier models as new behavior/analysis reports are received from mobile devices, and/or generate new or updated models based on historical information (e.g., collected from prior executions, previous applications of behavior models, etc.), new information, machine learning”. The Examiner interprets “behavior models” disclosed in [0090] and [0081], which is interpreted as the topographical threat map, wherein the behavior model uses “historical information”, as “wherein the topographical threat map … is built based on a cognitive analysis of … historic knowledge”) and external data source that is connected to Internet for continuous learning of new threats and patterns of (see [0110]: “the mobile device 102 may further include a communication link suitable for communicating with a network server and/or a component in a cloud service or network. The communication link may be configured to support sending and receiving behavior models to and from an external server”. 
And see [0087]: “the mobile device 102 may be configured to communicate with a network server that includes an offline classifier and/or a real-time online classifier. The network server may be configured to generate or update the classifier models by performing, executing, and/or applying machine learning and/or context modeling techniques to behavior information and/or results of behavior analyses provided by many mobile devices. The network server may receive a large number of reports from many mobile devices and analyze, consolidate or otherwise turn such crowd-sourced information into useable information, particularly a lean data set or focused behavior models that can be used or accessed by all mobile devices. The network server may continuously reevaluate existing classifier models as new behavior/analysis reports are received from mobile devices, and/or generate new or updated models based on historical information (e.g., collected from prior executions, previous applications of behavior models, etc.), new information”).

2. The previously cited reference Martin (US 2018/0004942) teaches (see the OA dated 9/17/2021, pages 13-18) wherein the topographical threat map defines a plurality of security-threat-zones that vary for each event and an associated activity of (see [0054]: “threat intelligence for a newly-identified security threat defines an attack pattern, including a relative timeline of one or more initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack”. The Examiner interprets “initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack” as a plurality of security-threat-zones that vary for each event and an associated activity of . The Examiner further interprets “threat intelligence for a newly-identified security threat defines an attack pattern, including a relative timeline of one or more initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack” as wherein the topographical threat map defines a plurality of security-threat-zones that vary for each event and an associated activity of ), 
wherein mapping further comprises dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities; 
predicting, by the cognitive security device, a security threat indicating that a correlated flow of an event and an activity is associated with a security-threat-level that is closer to the successful malware-infection or not, based on the security risk score and the security threat zone, before any successful infection takes place on the computing system (see [0054]: “threat intelligence for a newly-identified security threat defines an attack pattern, including a relative timeline of one or more initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack. In this example, once network elements in the network accounting log are matched to threat elements defined in the new threat intelligence, the system can calculate a degree of temporal alignment between timestamps of these network events and an order of threat elements defined in the new threat intelligence. The system can then merge this degree of temporal alignment and similarity scores between these network events and threat elements into a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack pattern characteristic of the newly-identified security threat”. The Examiner interprets “a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack” as a security threat indicating that a correlated flow of an event and an activity is associated with a security-threat-level that is closer to the successful malware-infection or not. The Examiner interprets “a similarity score” as the security risk score. The Examiner interprets “a stage of this cyber attack on the network--such as initial infiltration, command and control, reconnaissance, or lateral movement stages” taught in [0058] and [0054] as the security threat zone. 
The Examiner further interprets merging “this degree of temporal alignment and similarity scores between these network events and threat elements into a confidence score that represents a degree to which network events stored in the network accounting log match a cyber attack” as predicting, by the cognitive security device, a security threat indicating that a correlated flow of an event and an activity is associated with a security-threat-level that is closer to the successful malware-infection or not, based on the security risk score and the security threat zone. Also see [0055]: “By not only matching network events in the network accounting log to threat elements in the new threat intelligence but also matching order and/or timing of these data, the system can calculate a high-resolution confidence score for exposure of the network to the newly-identified security threat”. And see [0057]: “in Block S140 the system can: calculate a confidence score for presence of the newly-identified security threat on the network based on: a number of threat elements defined in the new threat intelligence to matched network events stored in the network accounting log; a strength of alignment of these threat elements in the new threat intelligence to matched network events (e.g., proportional to matched metadata and content values); and temporal alignment between a relative timeline of threat elements defined in the new threat intelligence and timestamps of matched network events stored in the network accounting log”. And see [0056], [0058]), 
wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat; and 
upon detecting the pattern match corresponding to the non-signature based malware, effecting, by the cognitive security device, a remedial measure to prevent the non-signature based malware by constructing remedial instructions to be executed by the processor based on a profile of the non-signature based malware and the security-threat-level of the predicted security threat (see [0067]: “if the confidence score for risk of the newly-identified security threat to the network exceeds a preset quarantine score (e.g., if the confidence score exceeds a range of values for triggering a manual investigation, such as 80%), the system can automatically execute a process to quarantine the asset--originating or involving threat elements defined by the new threat intelligence--from the network in order to contain the newly-identified security threat”. The Examiner interprets the confidence score as the security-threat-level of the predicted security threat. And see [0061] and [0069]), wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure.

3. The previously cited reference Lee (US 2007/0136455) teaches (see the OA dated 9/17/2021, pages 11 and 12) wherein the topographical threat map is event and activity behavior map of a plurality of categories of malwares.

4. A new reference Turbin (US 2011/0191850) teaches A method of generating cognitive security intelligence for detecting and preventing a non-signature based malware in a computing system (see abstract: “there is provided a method of operating a computer to detect malware, which malware writes a copy of an executable file to a non-volatile memory of the computer and creates a launch point that causes that executable file to be run at start-up of the computer”), the method comprising: 
determining, by the cognitive security device, … a plurality of activities performed by the execution of the instructions (see [0021]: “The step of monitoring the creation and/or modification of any launch points may comprises one or more of:”)
wherein the plurality of activities comprise: re-writing boot sectors of Master Boot Record (MBR) (see [0023]: “monitoring modifications to a boot sector of a non-volatile memory of the computer”. And see [0053]: “the shutdown scanner unit 6 would need to monitor the computer system for changes to the registry, modifications to the boot sector of the hard disk or any writing to files that occurs, in order to detect the creation or modification of any launch points”. The Examiner interprets “modifications to the boot sector of the hard disk” as re-writing boot sectors of Master Boot Record (MBR) because Master Boot Record (MBR) is stored on the hard disk), bulk file extension change, bulk file name change, folder name change, system file zoning flag modification, system boot run registry (see [0062] and [0063]: “the application launch points that the shutdown scanner unit 6 will detect can include: A program/executable file specified under a Run/RunOnce key in the Windows® registry. The Run/RunOnce keys in the HKEY_LOCAL_MACHINE hive of the Windows® registry specify programs/executable files that are to be run automatically. For example, programs/executable files specified under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key are run each time Windows® boots up. In contrast, programs/executable files specified under a RunOnce registry key are run the first time Windows® is started and then automatically deleted”), deletion of volume shadow copies, modification to security center notifications, disabling of windows error recovery on startup, and scheduling of system reboot in the computing system. 

5. A new reference Stevenson (US 2017/0013002) teaches wherein the topographical threat map defines a plurality of security-threat-zones that vary for each event and an associated activity of the (see [0118]: “As shown in FIG. 9, security assessment device 165 may classify a security situation based on a set of classifications, such as a first level 905, a second level 910, a third level 915, a fourth level 920, and a fifth level 925”. The Examiner interprets “a first level 905, a second level 910, a third level 915, a fourth level 920, and a fifth level 925” as a plurality of security-threat-zones that vary for each event and an associated activity of the …malwares), and 
wherein each security-threat-zone is indicative of whether a threat level of each event and an associated activity has an increased likelihood of being closer to the successful infection on the computing system or not (see [0121]: “Second level 910 may be associated with a security situation indicating an increased risk of attack relative to first level 905. For example, second level 910 may be associated with a general threat to the web platform (e.g., a relatively higher level of threat than the threat failing to satisfy a significance threshold). In some implementations, second level 910 may be associated with one or more events associated with an increased likelihood of an attack directed at the web platform, a threshold quantity of detected surveillance, or the like”. And see [0122]: “Third level 915 may be associated with a security situation indicating a specific risk of an attack. For example, third level 915 may be associated with a determined or predicted targeting of a particular system, location, unit, or operation associated with the web platform. In some implementations, third level 915 may be associated with an occurrence of a major event associated with the web platform and corresponding to an increased likelihood of attack”.  And see [0123]: “Fourth level 920 may be associated with a security situation indicating a limited attack. For example, fourth level 920 may be associated with a detected ongoing attack, a predicted imminent attack, or the like. In some implementations, fourth level 920 may be associated with an attack that causes limited interference with web platform operations, such as based on detecting a threshold attack successfulness”. And see [0124]: “Fifth level 925 may be associated with a security situation indicating a general attack. 
For example, fifth level 925 may be associated with a detected attack with a threshold impact to one or more operations relating to the web platform”), based on a predefined threshold (see [0119]: “each level may correspond to a set of threshold criteria. For example, a particular level may be assigned to a security situation when a threshold quantity of information is exfiltrated from a data structure”).

Independent claims 1, 10 and 17 are allowable for the following reason: before the effective filing date of the claimed invention, it would not have been obvious to a person of ordinary skill in the art 
first to improve the method of detecting and preventing a malware disclosed by Sridhara by 
1) letting the topographical threat map define a plurality of security-threat-zones that vary for each event and an associated activity of malwares, and wherein each security-threat-zone is indicative of whether a threat level of each event and an associated activity has an increased likelihood of being closer to the successful infection on the computing system or not, as taught by Martin; 
2) letting mapping further comprise dynamically determining a security risk score and a security threat zone for a set of events from the plurality of events and a set of activities from the plurality of activities, as taught by Martin; 
3) adding the step of predicting, by the cognitive security device, a security threat indicating that a correlated flow of an event and an activity is associated with a security-threat-level that is closer to the successful malware-infection or not, based on the security risk score and the security threat zone, before any successful infection takes place on the computing system, wherein a deep learning algorithm is employed to predict security threat, wherein each pattern match with the topographical threat map is utilized to predict the security threat, as taught by Martin; and 
4) adding the step of upon detecting the pattern match corresponding to the non-signature based malware, effecting, by the cognitive security device, a remedial measure to prevent the non-signature based malware by constructing remedial instructions to be executed by the processor based on a profile of the non-signature based malware and the security-threat-level of the predicted security threat, wherein the security risk score is employed based on a deep learning algorithm to take the remedial measure, as taught by Martin; 
second to improve the method of detecting and preventing a malware disclosed by Sridhara modified in view of Martin by letting the topographical threat map be event and activity behavior map of a plurality of categories of malwares (emphasis added), as taught by Lee,
third to improve the method of detecting and preventing a malware disclosed by Sridhara modified in view of Martin and Lee by letting the plurality of activities comprise: re-writing boot sectors of Master Boot Record (MBR), bulk file extension change, bulk file name change, folder name change, system file zoning flag modification, system boot run registry, deletion of volume shadow copies, modification to security center notifications, disabling of windows error recovery on startup, and scheduling of system reboot in the computing system, as taught by Turbin; and
finally to improve the method of detecting and preventing a malware disclosed by Sridhara modified in view of Martin, Lee and Turbin by letting the topographical threat map define a plurality of security-threat-zones that vary for each event and an associated activity of the plurality of categories of malwares, and wherein each security-threat-zone is indicative of whether a threat level of each event and an associated activity has an increased likelihood of being closer to the successful infection on the computing system or not, based on a predefined threshold (emphasis added), as taught by Stevenson.
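The claim elements summarized above (events and activities correlated into a sequence, matched against a topographical threat map, scored, placed in a threshold-defined security-threat-zone, and met with a remedial measure once the predicted threat level crosses a zone boundary) are sketched below as an added Python example. It is not code from the application, the office action or any cited reference; the pattern steps, weights, zone thresholds and the event stream are constructed for illustration.

```python
"""Added example: a toy 'topographical threat map' matcher in the shape the
claim language describes. All patterns, weights and inputs are constructed."""

# Ordered behaviour pattern for one malware category (constructed). Each step
# is (kind, name, weight); kind is "event" or "activity" as the claim uses them.
RANSOMWARE_PATTERN = [
    ("event", "file_dropping_and_execution", 0.15),
    ("event", "device_fingerprinting", 0.10),
    ("event", "bulk_file_search", 0.15),
    ("activity", "deletion_of_volume_shadow_copies", 0.25),
    ("activity", "bulk_file_extension_change", 0.25),
    ("activity", "system_boot_run_registry", 0.10),
]

# Security-threat-zones as (minimum risk score, zone): five zones with
# predefined thresholds, in the spirit of Stevenson's first..fifth levels.
ZONES = [(0.0, 1), (0.20, 2), (0.40, 3), (0.60, 4), (0.80, 5)]
QUARANTINE_ZONE = 4  # zone 4 = imminent attack predicted; act before infection


def risk_score(observed, pattern=RANSOMWARE_PATTERN):
    """Weighted share of pattern steps seen, discounted for out-of-order steps.

    `observed` is a list of (timestamp, behaviour_name) in arrival order. The
    alignment factor follows Martin's temporal-alignment idea: a fully ordered
    match keeps its full weight, an unordered one is discounted.
    """
    names = [n for _, n, _ in pattern]
    weights = {n: w for _, n, w in pattern}
    seen = []
    for _, name in observed:  # de-duplicate, keep first-seen order
        if name in weights and name not in seen:
            seen.append(name)
    if not seen:
        return 0.0
    matched = sum(weights[n] for n in seen)
    idx = [names.index(n) for n in seen]
    ordered = sum(1 for a, b in zip(idx, idx[1:]) if b > a)
    alignment = (1 + ordered) / len(idx)  # 1.0 when every step is in order
    return round(min(1.0, matched * alignment), 2)


def threat_zone(score, zones=ZONES):
    """Map a risk score onto the highest zone whose threshold it meets."""
    zone = zones[0][1]
    for threshold, level in zones:
        if score >= threshold:
            zone = level
    return zone


def assess(observed):
    """Correlate, score and zone a stream, then pick the remedial measure."""
    score = risk_score(observed)
    zone = threat_zone(score)
    action = "quarantine_process" if zone >= QUARANTINE_ZONE else "monitor"
    return {"score": score, "zone": zone, "action": action}


# Constructed event/activity stream attributed to one process, arrival order.
SAMPLE_STREAM = [
    (1000, "file_dropping_and_execution"),
    (1001, "bulk_file_search"),
    (1002, "deletion_of_volume_shadow_copies"),
    (1003, "bulk_file_extension_change"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_STREAM))  # -> score 0.8, zone 5, quarantine_process
```

A stream whose steps arrive out of the pattern's order, or that hits only an early step such as file dropping, stays in a low zone and is only monitored, which is the "before any successful infection" prediction the claim describes.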

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZHIMEI ZHU/Examiner, Art Unit 2495
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495