DETAILED ACTION


1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-20 are pending.  Claims 1, 8 and 15 are independent.  

3.	The IDS submitted on 10/15/2019 has been considered.

Claim Objections
4.	Claims 11 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 101
5.	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

6.	Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claim 1 is rejected under 35 U.S.C. 101 as not falling within one of the four statutory categories of invention.  While the claim recites a series of steps or acts to be performed, a statutory “process” under 35 U.S.C. 101 must (1) be tied to particular machine, or (2) transform underlying subject matter performing program verification …, analyzing unverified program data …, generating detection results … and performing at least one corrective action … is broad enough that the claim could be completely performed mentally, verbally or written down with pencil and paper for execution by a human being without a machine nor is any transformation apparent.  Thus the recited method is not tied to a particular machine or apparatus.  Additionally, none of the recited steps transform a particular article into a different state or thing.  Accordingly, the recited method is directed to nonstatutory subject matter.  To overcome rejection under 35 U.S.C. 101, it is suggested that at least one of the previously identified steps is to be performed “by a computer” to positively tie the method to a computer.
Dependent claims 2-7 are also rejected based on their dependency of the rejected claim 1.










Claim Rejections - 35 USC § 102
7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

8.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


9.	Claims 1, 3, 5, 7, 8, 10, 12, 14, 15, 17, 19 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Patterson (US PG Pub. 2018/0069885).
	As regarding claim 1, Patterson discloses A computer-implemented method for detecting unknown malicious program behavior, comprising: 
performing program verification based on system activity data [para. 57; performing collecting log data]; 
analyzing unverified program data identified from the program verification to detect abnormal events, including analyzing host-level events to detect abnormal host-level events by learning a program representation as a graph embedding through an attentional architecture based on an invariant graph between different system entities [para. 58-60; analyzing collected log data to generate a graphical model for detecting anomalous events]; 
generating detection results based on the analysis [para. 61; determining malicious events]; and 
performing at least one corrective action based on the detection results [para. 4; performing mitigation of security threats].  

As regarding claims 3, 10 and 17, Patterson further discloses The method of claim 1, wherein analyzing the host-level events further includes: modeling the system event data as the invariant graph to capture a program behavior profile [para. 54 and 60]; and  
learning the program representation as a graph embedding through an attentional architecture including an attentional heterogeneous graph neural network (AHGNN) [para. 4, 21, 54 and 60].  

As regarding claims 5, 12 and 19, Patterson discloses The method of claim 3, further comprising training the attentional architecture to distinguish between an unknown program and a known benign program, including learning a similarity metric and the program graph representation jointly for improved graph matching between the unknown program and the known benign program [para. 54 and 60].  

As regarding claims 7, 14 and 20, Patterson discloses The method of claim 1, wherein performing the corrective action further includes performing at least one corrective action selected from the group consisting of: transmitting the detection results to at least one computing device associated with at least one end-user [para. 65 and 78], changing a security setting for an application or hardware component, changing an operational parameter of an application or hardware component, halting or restarting an application or hardware component, changing an environmental condition, and changing status of a network interface.  

As regarding claim 8, Patterson discloses A computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for detecting unknown malicious program behavior, the method performed by the computer comprising: 
performing program verification based on system activity data [para. 57; performing collecting log data]; 
analyzing unverified program data identified from the program verification to detect abnormal events, including analyzing host-level events to detect abnormal host-level events by learning a program representation as a graph embedding through an attentional architecture based on an invariant graph between different system entities [para. 58-60; analyzing collected log data to generate a graphical model for detecting anomalous events]; 
generating detection results based on the analysis [para. 61; determining malicious events]; and 
performing a corrective action based on the detection results [para. 4; performing mitigation of security threats].  


As regarding claim 15, Patterson discloses A system for detecting unknown malicious program behavior, comprising: 
a memory device for storing program code [para. 93 and 95]; and 
at least one processor device operatively coupled to a memory device and configured to execute program code stored on the memory device [para. 32, 93 and 95] to: 
perform program verification based on system activity data [para. 57; performing collecting log data];  
analyze unverified program data identified from the program verification to detect abnormal events by analyzing host-level events to detect abnormal host-level events by learning a program representation as a graph embedding through an attentional architecture based on an invariant graph between different system entities [para. 58-60; analyzing collected log data to generate a graphical model for detecting anomalous events]; 
generate detection results based on the analysis [para. 61; determining malicious events]; and 
perform at least one corrective action based on the detection results [para. 4; performing mitigation of security threats].  







Claim Rejections - 35 USC § 103
10.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

11.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


11.	Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Patterson (US PG Pub. 2018/0069885) in view of Pikhur (US PG Pub. 2016/0378975).
As regarding claims 2, 9 and 16, Patterson discloses The method of claim 1, wherein: 
analyzing the unverified program data further includes analyzing network communications to detect abnormal network communication events [para. 34].
Patterson does not explicitly disclose the network communications being associated with Transmission Control Protocol (TCP) or User Datagram Protocol (UDP); however, Pikhur discloses it [para. 26]. 
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Patterson’s communication protocol to further comprise TCP or UDP, as disclosed by Pikhur, as one of a plurality of alternative protocols that may be used for network communications.
Patterson further discloses the host-level events are selected from the group consisting of: process-to-process, process-to-file, process-to-Internet socket, and combinations thereof [para. 38].  

12.	Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Patterson (US PG Pub. 2018/0069885) in view of Murphey (US PG Pub. 2019/0098032).
As regarding claims 6 and 13, Patterson does not explicitly disclose generating the detection results further includes integrating the abnormal events to obtain integrated data, and refining the integrated data for trustworthy events; however, Murphey discloses it [para. 175]. 
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Patterson’s system to further comprise the missing limitation, as disclosed by Murphey, in order to provide up-to-date data.







Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433