DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: The claims require a recurrent neural network for comparing predicted call sequence with actual call sequence and determining abnormality. The claims further require converting the system call into a vector representation of the system call by performing a first embedding operation on a system call feature of the system call and a separate second embedding operation on one or more argument features of the system call to generate a system call feature embedding comprising machine learned embedding values and one or more argument feature embeddings comprising machine learned embedding values.
The combination of available prior art Subbarayan and Sofka teaches requiring a recurrent neural network for comparing predicted call sequence with actual call sequence and determining abnormality but does not teach converting the system call into a vector representation of the system call by performing a first embedding operation on a system call feature of the system call and a separate second embedding operation on one or more argument features of the system call to generate a system call feature embedding.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Claims 1, 3-11 and 13-20 are allowed.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Stephen Walder on 2/7/2022.
The application has been amended as follows: 

1.	(Currently amended)  A method for detecting abnormal system call sequences in a monitored computing environment, the method comprising:
	receiving, from a computing system resource of the monitored computing environment, a system call of an observed system call sequence for evaluation;
	processing, by a trained recurrent neural network (RNN) trained to predict system call sequences, the system call to generate a prediction of a subsequent system call in a predicted system call sequence;

	identifying, by the abnormal call sequence logic, a difference between the predicted system call sequence and the observed system call sequence based on results of the comparing; and
	generating, by the abnormal call sequence logic, an alert notification in response to identifying the difference, wherein processing the system call comprises converting the system call into a vector representation of the system call by performing a first embedding operation on a system call feature of the system call and a separate second embedding operation on one or more argument features of the system call to generate a system call feature embedding comprising machine learned embedding values and one or more argument feature embeddings comprising machine learned embedding values.

2.	(Canceled)  

3.	(Currently amended)  The method of claim [[2]] 1, wherein processing the system call further comprises inputting the vector representation of the system call into a long short term memory (LSTM) cell such that the RNN generates, for each system call feature of a plurality of system call features, and each argument feature of a plurality of argument features, probabilities that the corresponding system call feature or the 
 
5.	(Currently amended)  The method of claim [[2]] 1, wherein converting the system call into the vector representation of the system call comprises: 
converting the system call into a tokenized representation of the system call by mapping a system call feature of the system call to a first token and one or more argument features of the system call to one or more second tokens based on a system call feature mapping data structure and an argument feature mapping data structure.

11.	(Currently amended)  A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to specifically configure the data processing system to:
	receive, from a computing system resource of the monitored computing environment, a system call of an observed system call sequence for evaluation;
	process, by a trained recurrent neural network (RNN) of the data processing system, trained to predict system call sequences, the system call to generate a prediction of a subsequent system call in a predicted system call sequence;
	compare, by abnormal call sequence logic of the data processing system, the subsequent system calls in the predicted system call sequence to an observed system call in the observed system call sequence; 

	generate, by the abnormal call sequence logic, an alert notification in response to identifying the difference, wherein the computer readable program further configures the data processing system to process the system call at least by converting the system call into a vector representation of the system call by performing a first embedding operation on a system call feature of the system call and a separate second embedding operation on one or more argument features of the system call to generate a system call feature embedding comprising machine learned embedding values and one or more argument feature embeddings comprising machine learned embedding values.

12.	(Canceled)    

13.	(Currently amended)  The computer program product of claim [[12]] 11, wherein the computer readable program further configures the data processing system to process the system call further at least by inputting the vector representation of the system call into a long short term memory (LSTM) cell such that the RNN generates, for each system call feature of a plurality of system call features, and each argument feature of a plurality of argument features, probabilities that the corresponding system call feature or the corresponding argument feature is part of a subsequent system call in the predicted system call sequence.   
 

15.	(Currently amended)  The computer program product of claim [[12]] 11, wherein the computer readable program further configures the data processing system to convert the system call into the vector representation of the system call at least by: 
converting the system call into a tokenized representation of the system call by mapping a system call feature of the system call to a first token and one or more argument features of the system call to one or more second tokens based on a system call feature mapping data structure and an argument feature mapping data structure.

20.	(Currently amended)  A data processing system comprising:
a recurrent neural network (RNN); and
a processor configured to execute abnormal call sequence logic, wherein:
the RNN is trained to predict system call sequences,
the RNN receives, from a computing system resource of the monitored computing environment, at least one system call of an observed system call sequence for evaluation;
	the RNN processes the at least one system call to generate a prediction of a subsequent system call in a predicted system call sequence;
	the abnormal call sequence logic compares the subsequent system call in the predicted system call sequence to an observed system call in the observed system call sequence; 

	the abnormal call sequence logic generates an alert notification in response to identifying the difference, wherein processing the system call comprises converting the system call into a vector representation of the system call by performing a first embedding operation on a system call feature of the system call and a separate second embedding operation on one or more argument features of the system call to generate a system call feature embedding comprising machine learned embedding values and one or more argument feature embeddings comprising machine learned embedding values.
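
The following is an added illustration, not part of the Office action or the application. It sketches the tokenization of claims 5 and 15 and the separate call and argument embeddings of claims 1, 11 and 20, then a per-feature comparison of predicted probabilities against an observed call. The mapping tables, embedding sizes, 0.05 threshold, two fixed argument slots and the PRED_* values (standing in for the trained RNN's output) are all constructed assumptions.

```python
import random

# Constructed mapping data structures (assumptions, not taken from the application).
CALL_TOKENS = {"<unk>": 0, "open": 1, "read": 2, "write": 3, "execve": 4}
ARG_TOKENS = {"<unk>": 0, "/etc/passwd": 1, "/var/log/app.log": 2,
              "O_RDONLY": 3, "O_WRONLY": 4}

def tokenize(call, args):
    """System call feature -> first token; each argument feature -> a second token."""
    return CALL_TOKENS.get(call, 0), [ARG_TOKENS.get(a, 0) for a in args]

def make_table(vocab_size, dim, rng):
    return [[rng.uniform(-1, 1) for _ in range(dim)] for _ in range(vocab_size)]

_rng = random.Random(0)
# Random values stand in for machine learned embedding values (training omitted).
CALL_EMB = make_table(len(CALL_TOKENS), 4, _rng)
ARG_EMB = make_table(len(ARG_TOKENS), 3, _rng)

def embed(call_tok, arg_toks):
    """First embedding on the call token, separate second embedding per argument
    token; the concatenation is the vector an RNN/LSTM cell would receive."""
    vec = list(CALL_EMB[call_tok])
    for tok in arg_toks:
        vec += ARG_EMB[tok]
    return vec

# Constructed model output: per-feature probabilities for the next system call,
# here a model that expects open("/var/log/app.log", O_WRONLY).
PRED_CALL = [0.01, 0.90, 0.05, 0.03, 0.01]
PRED_ARGS = [[0.02, 0.08, 0.85, 0.03, 0.02],   # argument slot 0
             [0.01, 0.00, 0.00, 0.19, 0.80]]   # argument slot 1

def differences(pred_call, pred_args, observed, threshold=0.05):
    """Return the features of the observed call that the prediction gave
    less than `threshold` probability; a non-empty list would raise an alert."""
    call, args = observed
    call_tok, arg_toks = tokenize(call, args)
    diffs = []
    if pred_call[call_tok] < threshold:
        diffs.append(("call", call))
    for i, tok in enumerate(arg_toks):
        if pred_args[i][tok] < threshold:
            diffs.append((f"arg{i}", args[i]))
    return diffs

if __name__ == "__main__":
    print(differences(PRED_CALL, PRED_ARGS, ("open", ["/etc/shadow", "O_RDONLY"])))
```

Because the argument features are tokenized and embedded separately, an expected call name with an unexpected argument is reported as a difference on that argument alone.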


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494