DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
2. An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview with Sanders N Hillis on 03/11/2022. The application has been amended as follows:

1. (Currently Amended) A system for detecting and preventing execution of malware on a target system, the system comprising:
an interface for receiving training data that includes known legitimate domain names and known malware-associated domain names;
a processor in communication with the interface; and
non-transitory computer readable media in communication with the processor that stores instruction code, which when executed by the processor, causes the processor to:
train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology;
train a second model to predict a correct domain name associated with domain names in the training data using an unsupervised learning methodology, wherein the domain names utilized to train the first model include both legitimate domain names and malware-associated domain names, and the domain names utilized to train the second model include legitimate domain names and not malware-associated domain names;
train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model;
subsequent to training of the first, second, and third models, receive a new domain name;
process the new domain name through the trained models to determine that the domain name is a legitimate domain name or a malware-associated domain name; and
communicate with the target system based on the processing to thereby facilitate removal of the malware in response to the new domain name being determined as the malware-associated domain name.
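The three-stage arrangement recited in claim 1, as an added Python sketch that is not part of the application or the Office action. The claim does not name model types, so the logistic regressions, the bigram-coverage stand-in for the second model, the function names and the sample domains are all assumptions constructed for illustration.

```python
import math

# Constructed sample data (not from the application); label 1 = malware-associated.
LEGIT = ["google.com", "github.com", "amazon.com", "wikipedia.org",
         "mozilla.org", "python.org", "microsoft.com", "cloudflare.com"]
MALWARE = ["xq7zk2vbwj.com", "kz9qx1vplw.net", "qj3xw8zkv0.org",
           "zv1kq7xj9w.com", "wx4zq0kjv8.net", "jq8vz2xkw5.org"]

def predict(w, x):
    """Logistic output for feature list x; the bias is the last weight."""
    z = sum(wi * v for wi, v in zip(w, x + [1.0]))
    return 1.0 / (1.0 + math.exp(-z))

def train_logreg(X, y, epochs=3000, lr=1.0):
    """Batch gradient-descent logistic regression (assumed learner)."""
    w = [0.0] * (len(X[0]) + 1)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, t in zip(X, y):
            err = predict(w, x) - t
            for i, v in enumerate(x + [1.0]):
                grad[i] += err * v
        w = [wi - lr * g / len(X) for wi, g in zip(w, grad)]
    return w

def lexical(name):
    """Assumed features for the first model: digit and vowel fractions."""
    return [sum(c.isdigit() for c in name) / len(name),
            sum(c in "aeiou" for c in name) / len(name)]

def bigrams(name):
    s = "^" + name + "$"
    return [s[i:i + 2] for i in range(len(s) - 1)]

names = LEGIT + MALWARE
labels = [0] * len(LEGIT) + [1] * len(MALWARE)

# First model: supervised, fitted on legitimate and malware-associated names.
w1 = train_logreg([lexical(n) for n in names], labels)
# Second model: fitted on legitimate names only, with no labels.
seen = {b for n in LEGIT for b in bigrams(n)}

def stage_outputs(name):
    """[first-model probability, share of bigrams the second model has seen]."""
    bg = bigrams(name)
    return [predict(w1, lexical(name)), sum(b in seen for b in bg) / len(bg)]

# Third model: fitted on the outputs of the first two models.
w3 = train_logreg([stage_outputs(n) for n in names], labels)

def classify(name):
    score = predict(w3, stage_outputs(name.lower()))
    return "malware" if score >= 0.5 else "legitimate"
```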

2. (Cancelled).

3. (Currently Amended) The system according to claim 1 

10. (Currently Amended) A method for detecting and preventing execution of malware on a target system, the method comprising:
receiving training data that includes known legitimate domain names and known malware-associated domain names;
training a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology, wherein training the first model to classify the domain names in the training data comprises providing as inputs to the first model both legitimate domain names and malware-associated domain names as the training data;
training a second model to predict a correct domain name associated with legitimate domain names in the training data using an unsupervised learning methodology, wherein training the second model to predict the correct domain name comprises providing as inputs to the second model as the training data legitimate domain names and omitting provision of the malware-associated domain names;
training a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model;
subsequent to training of the first, second, and third models, receiving a new domain name;
processing the new domain name through the trained models to determine that the domain name is a legitimate domain name or a malware-associated domain name; and
communicating with the target system based on the processing to thereby facilitate removal of the malware from the target system.

11. (Cancelled).

12. (Currently Amended) The method according to claim 10 

16. (Currently Amended) A non-transitory computer readable media that stores instruction code for detecting and preventing execution of malware on a target system, the instruction code being executable by a machine for causing the machine to:

train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology, wherein the domain names utilized to train the first model include both legitimate domain names and malware-associated domain names;
train a second model to predict a predicted domain name associated with domain names in the training data using an unsupervised learning methodology, the domain names utilized to train the second model include legitimate domain names and not malware-associated domain names;
train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model;
subsequent to training of the first, second, and third models, receive a new domain name;
process the new domain name through the trained models to determine that the domain name is a legitimate domain name or a malware-associated domain name; and
communicate with the target system based on the processing to thereby facilitate removal of the malware from the target system.

17. (Cancelled).

18. (Currently Amended) The non-transitory computer readable media according to claim 16 


Allowance Subject Matter
3. Claims 1, 3-10, 12-16 and 18-20 are allowed.

4. The following is an examiner's statement of reasons for allowance:

The closest prior art of record is below:

Hunt et al. (US 2017/0099319) discloses a method that involves obtaining first and second phishing models of a policy for assessing whether phishing is performed on websites. First and second results are determined for assessing whether phishing is performed on the website by applying the phishing models to first and second sets of features of the website, respectively. A third result is determined for assessing whether phishing is performed on the website based on a combination of the first and second results. A classification is identified about whether phishing is performed on the website based on the third result.

Nguyen et al. (US 2016/0065597) discloses a method that involves receiving a request to provide a reputation score of a domain name. Input data associated with the domain name are received. A set of features is extracted from the input data and the domain name. A feature vector is generated based on the features. The reputation score of the domain name is calculated. A graph database is generated based on trusted features and reference domain names. A machine-learning classifier is trained based on the database, where the score represents a probability that the name is associated with malicious activity.

Zawoad et al. (WIPO 2018/164701) discloses a method that involves extracting a first set of features from received malicious activity information. A second set of features is calculated based on the received malicious activity information, where the second set of the features includes a 

Sofka et al. (US 10/154,051) discloses a computer-implemented data processing method comprising: executing a recurrent neural network (RNN) comprising nodes each implemented as a Long Short-Term Memory (LSTM) cell and comprising links between nodes that represent outputs of LSTM cells and inputs to LSTM cells, wherein each LSTM cell implements an input layer, hidden layer and output layer of the RNN; receiving network traffic data associated with networked computers; extracting feature data representing features of the network traffic data and providing the feature data to the RNN; classifying individual Uniform Resource Locators (URLs) as malicious or legitimate using LSTM cells of the input layer, wherein inputs to the LSTM cells are individual characters of the URLs, and wherein the LSTM cells generate feature representation; based on the feature representation, generating signals to a firewall device specifying either admitting or denying the URLs.

Luo et al. (US 2018/0219887) discloses a method that involves gathering a set of security signals from the online service. The set of security signals is gathered in a rolling window of time. A determination is made whether each security signal of the set of security signals is malicious or benign. The malicious signals of the set of security signals are balanced with benign signals of the set of security signals to produce a balanced training dataset. A predictive model is produced based 

Meshi et al. (US 10,574,681) discloses a method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.

However, none of the prior art of record alone or in combination teaches or suggests: “train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology, wherein the domain names utilized to train the first model include both legitimate domain names and malware-associated domain names; train a second model to predict a predicted domain name associated with domain names in the training data using an unsupervised learning methodology, the domain names utilized to train the second model include legitimate domain names and not malware-associated domain names; train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model; subsequent to training of the first, second, and third models, receive a new domain name; process the new domain name through the trained models to determine that the domain 

Although the references cited above are relevant to certain claim limitations, all the claim limitations of the present claims would not have been obvious over such references and thus are patentable. 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431