DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is a response to an application filed 05/04/2020, wherein claims 1-20 are pending and ready for examination.
  
Response to Arguments
Applicant's arguments filed 12/28/2021 have been fully considered but they are not persuasive.

Specification
Applicant Asserts: It appears that the Office unintentionally included the objections to the specification. The analysis does not pertain to the specification of this application.

Examiner Response: The Examiner withdraws the objection to the specification and thanks applicant's representative for working to advance the prosecution of this application.

101 Rejection
Applicant Asserts:  The 101 rejections also appear misplaced. Claims 1-13 are unquestionably directed to a process, which is a statutory category. These claims do not recite software per se, but a process that may be performed by software. There is no requirement to recite hardware in a process claim.
Examiner Response: The Examiner thanks applicant's representative for identifying the admittedly misplaced rejection and withdraws the 35 U.S.C. 101 rejection of claims 1-13, as they are directed to a process/method, which is one of the four statutory categories for patentability.

Prior Art Rejections
Applicant Asserts: Applicant also disagrees with the prior art rejections. The independent claims each recite the creation/use of a feature vector for a system call function. There is nothing in Li that is similar to a feature vector for a system call function. The Office has taken the position that Li’s converting of a path to a vector is equivalent to creating a feature vector for a system call function. There is no basis for this position. However, Li does not teach or suggest anything similar to the creation of a feature vector for the system call function that is invoked when a system call is made. Stated another way, the claims require a feature vector that is specific to a system call function. A PHOSITA would not find anything like this in Li’s teachings.

Examiner Response: Respectfully, the Examiner does not agree with the characterization of the prior art of record as not teaching creation of a feature vector for a system call function and maintains the rejections as reading on the claimed feature. As to the feature vectors, the Examiner interprets Li, at least at [0050], as plainly teaching that system and function calls are vectorized from “call paths” that were hooked. There is nothing special or unique about a call path. The source, which could be an operating system or application (hence a system or function call), is taught by Li to include the event for the call path [0051]. These events identify the actions surrounding the call, such as ‘writes’ and a ‘file opening’ feature. These paths are converted into a numerical vector, thereby vectorized, using a provenance graph. It is for this reason the

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 6-12, 14, 16, and 18-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Li; Ding et al., US 20210064751 A1, March 4, 2021, hereafter referred to as Li.

As to claim 1, Li teaches a method for detecting malware (Li [0014]: FIG. 2 is a block/flow diagram illustrating a high-level system/method of an algorithm for provenance detection of stealthy malware threats) comprising:
    detecting that a system call has been made (Li [0094]: In block 340, anomalies are analyzed and detected. Here, the claimed ‘system call’ is taught by Li as ‘anomalies’ because they are detected by monitoring the application hooks taught by Li at [0049] and [0050]);
    in response to detecting that the system call has been made, monitoring execution of a system call function that the system call invokes (Li [0050]: …Hooking involves intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is referred to as a hook. Hook functions can intercept operating system calls or function calls in order to monitor behavior or modify the function of an application or other component);
    in conjunction with monitoring the execution of the system call function, creating a feature vector for the system call function (Li [0070]: In path embedding, a neural network model can be used to convert a path to a vector, particularly, for an object in the path, the path embedding and the embeddings of surrounding object can be used. Here, the claimed ‘creating’ is taught by Li as ‘convert’ whereas the claimed features of the vector would include the embeddings of the surrounding object);
    comparing the feature vector for the system call function to feature vectors for known-safe system call functions (Li [0095]: Benign paths are well clustered, while many malicious paths are identified as outliers of the benign cluster. Here, the claimed ‘comparing’ is taught by Li as ‘identified’ because the benign paths are the known-safe system call functions whereas visually comparing the outliers identifies possible malicious activities); and
    when the comparison indicates that the feature vector for the system call function is anomalous (Li [0144]: In various embodiments, the memory components 1170 can include a process terminator 1150 configured to send one or more commands to terminate a process identified as malicious and/or stealth malware), blocking the system call (Li [0144]: …The process terminator 1150 may also be configured to send an alert signal or communication to a system administrator identifying the malicious behavior and/or stealth malware).

As to claim 6, Li teaches the method of claim 1, wherein the feature vector includes a via library feature that identifies whether the system call function uses a library to invoke a known-safe system call function (Li [0034]: The true version of the software application may be known to load a certain set of .DLL libraries and .DAT files. In contrast, the malware version of the application would not have the same pattern as the true version of the software application. Here, the claimed ‘indication’ is taught by Li as ‘certain set’ which would include .DLL or .DAT file extensions).

As to claim 7, Li teaches the method of claim 1, wherein the feature vector includes a by user feature that identifies whether the system call is made by a user component (Li [0129]: when a user clicks a URL actively functioning as a link in a .doc file. Each of these events and entities can have a time stamp showing the order of execution. The order of execution of the process instance can generate provenance data and a provenance graph G(p)).

As to claim 8, Li teaches the method of claim 1, wherein the feature vector includes a new system feature that identifies whether a system on which the system call is made is new (Li [0129]: …A benign process of word processing program 810 can read multiple types of files (for example, .dat 820, .css 830, .doc 840, etc.) created by other programs or itself, and writes new files (for example, .doc 840, png 850, .txt 860, etc.)).

As to claim 9, Li teaches the method of claim 1, wherein comparing the feature vector to feature vectors for known-safe system call functions comprises evaluating the feature vector using a multidimensional anomaly detection algorithm (Li [0119]: The PV-DM model can be trained using a Gensim library, which can embed each path into a 100 dimensional embedding vector. The embedding vector(s) can be used to train a outlier detection model using the Local Outlier Factor (LOF) algorithm).

As to claim 10, Li teaches the method of claim 9, wherein the multidimensional anomaly detection algorithm is trained using the feature vectors for the known-safe system call functions (Li [0074]: To hunt for stealthy malware, the provenance-based threat detection method or system (i.e., tool) can employ a neural embedding model that can project the different components (e.g., causal paths) from the provenance graph of a process into a n-dimensional numerical vectors space, where similar components (e.g., causal paths) are geographically closer).

As to claim 11, Li teaches the method of claim 9, wherein the multidimensional anomaly detection algorithm is the Local Outlier Factor (LOF) algorithm (Li [0119]: …The PV-DM model can be trained using a Gensim library, which can embed each path into a 100 dimensional embedding vector. The embedding vector(s) can be used to train a outlier detection model using the Local Outlier Factor (LOF) algorithm).

As to claim 12, Li teaches the method of claim 1, wherein blocking the system call comprises preventing the system call function from returning successfully (Li [0144]: … the memory components 1170 can include a process terminator 1150 configured to send one or more commands to terminate a process identified as malicious and/or stealth malware).

As to claim 14, Li teaches one or more computer storage media storing computer executable instructions (Li [0147]: Each computer program may be tangibly stored in a machine-readable storage media) which when executed on a computing system implement a malware detection engine (Li [0022]: FIG. 10 is an exemplary processing system configured to implement a provenance-based threat detection tool), comprising:
    a handler that is configured to monitor execution of a system call function that is invoked when a system call is made (Li [0050]: Code that handles such intercepted function calls, events or messages is referred to as a hook. Hook functions can intercept operating system calls or function calls in order to monitor behavior or modify the function of an application or other component), the handler being further configured to create a feature vector for the system call function based on the monitoring (Li [0056]: … because hook functions can continually monitor a process, the collected provenance data and related provenance graph can grow dynamically in real time as one or more processes run. Here, the claimed ‘feature vector’ is taught by Li as ‘grow dynamically’ because what is grown are the feature vectors depicting the application provenance); and
    an anomaly detector that is configured to receive the feature vector for the system call function from the handler and to return a score indicative of whether the feature vector for the system call function is anomalous (Li [0066] and [0143]: since at ‘66 Rare paths are more likely to be malicious. A regularity score, R, can be used to define the rareness of a path; since at ‘143 …the memory components 1170 can include an anomaly detector 1140 configured to determine which embedded paths exhibit malicious behavior).
           
As to claim 16, Li teaches the computer storage media of claim 14, wherein the anomaly detector calculates the score by evaluating the feature vector using a multidimensional anomaly detection algorithm (Li [0089] and [0099]: since at ’89 … FIG. 3 is a block/flow diagram illustrating a system/method of an algorithm for building a graph of processes for provenance detection; since at ’99 In block 420, a regularity score is calculated for each of the selected or sample paths).

            As to claim 17, claim 17 is a computer storage media that is directed to the method of claim 9.  Therefore claim 17 is rejected for the reasons as set forth in claim 9.

As to claim 18, Li teaches the computer storage media of claim 14, wherein the handler is configured to block the system call when the score indicates that the feature vector is anomalous (Li [0144]: the memory components 1170 can include a process terminator 1150 configured to send one or more commands to terminate a process identified as malicious and/or stealth malware. The process terminator 1150 may also be configured to send an alert signal or communication to a system administrator identifying the malicious behavior and/or stealth malware).

As to claim 19, Li teaches the computer storage media of claim 14, wherein the handler is configured to register one or more probes that cause the handler to be notified when system calls are made (Li [0050]: The Linux.RTM. Security Module (LSM) framework includes security fields in kernel data structures and calls to hook functions at critical points in the kernel code to manage the security fields and to perform access control. It also adds functions for registering security modules. Hooking involves intercepting function calls or messages or events passed between software components).

As to claim 20, Li teaches a method for detecting malware comprising:
    in response to a system call being made, creating a feature vector for a system call function that is invoked when the system call is made, the feature vector defining a plurality of features including at least two of:
        a number of steps feature (Li [0108]: The straight paths are selected from the "snapshot" of the provenance graph, where the actions at a single point in time extend backwards and forwards. The length of the sample paths 522 is determined by the value of N used to select the number of forward and backward steps from an initial node);
        a delete count feature;
        an open count feature (Li [0109]: In various embodiments, a regularity score, R, can be calculated for each of the sample paths to determine the frequency or rareness of each sample path selected from the snapshot of the provenance graph. Here, the claimed ‘open count’ is taught by Li as ‘path selected’ because the selection opens the activity whereas the claimed ‘feature’ is taught by Li as ‘regularity score’);
        a by user feature;
        a new system feature; or
        a via library feature (Li [0034]: …The true version of the software application may be known to load a certain set of .DLL libraries and .DAT files. In contrast, the malware version of the application would not have the same pattern as the true version of the software application);
    evaluating the feature vector for the system call function using a multidimensional anomaly detection algorithm (Li [0014]: FIG. 2 is a block/flow diagram illustrating a high-level system/method of an algorithm for provenance detection of stealthy malware threats) to thereby generate a score indicating whether the feature vector for the system call function is anomalous (Li [0110]: …A sample path 522 that has less frequent entities and events would generate a lower regularity score. In various embodiments, finding paths with the lowest regularity scores can identify a malicious action); and
    when the score indicates that the feature vector for the system call function is anomalous, blocking the system call, whereas when the score indicates that the feature vector for the system call function is not anomalous, allowing the system call (Li [0113]: The regularity score for causal paths 536, 537 having multiple rare actions (i.e., entities, events) or highly rare actions would be notably different (e.g., higher or lower) than causal paths 538 made up entirely of routine actions. The causal paths 536, 537 having identifiably different (e.g., lower) regularity scores can be selected for subsequent embedding and malware detection, while the causal path 538 can be eliminated from anomaly detection).
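As an illustration of the process recited in claims 1, 9-11 and 20 (build a feature vector for the invoked system call function, score it with a multidimensional anomaly detector trained only on known-safe vectors, and block the call when the score is anomalous), the following Python is added here; it is not code from the application, from Li, or from San Miguel. The feature encodings, the known-safe corpus, the neighbourhood size k=3 and the block threshold of 2.0 are constructed assumptions, and the Local Outlier Factor is implemented by hand so the snippet runs without scikit-learn.

```python
"""Feature vectors for a system call function scored against known-safe
vectors with a Local Outlier Factor (LOF); anomalous calls are blocked.

Added example, not code from the application or the cited references.
Feature set, known-safe corpus, k and threshold are constructed assumptions.
"""
from dataclasses import dataclass, astuple
from math import sqrt
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]


@dataclass(frozen=True)
class SyscallFeatures:
    """One feature vector for a single invocation of a system call function.
    The fields mirror the features named in claim 20 (assumed encodings)."""
    num_steps: int      # system call functions invoked during execution
    delete_count: int   # delete operations performed
    open_count: int     # open operations performed
    create_count: int   # create operations performed
    by_user: int        # 1 if the call was made by a user component
    new_system: int     # 1 if the system the call is made on is new
    via_library: int    # 1 if a library is used to invoke a known-safe function

    def as_vector(self) -> Vector:
        return tuple(float(x) for x in astuple(self))


def euclid(a: Vector, b: Vector) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LOFDetector:
    """Minimal Local Outlier Factor in novelty mode: fitted on known-safe
    vectors only, then scores unseen vectors against that corpus."""

    def __init__(self, k: int = 3, threshold: float = 2.0):
        self.k = k
        self.threshold = threshold
        self.train: List[Vector] = []
        self.k_dist: List[float] = []   # distance to each point's k-th neighbour
        self.lrd: List[float] = []      # local reachability density per point

    def _neighbors(self, v: Vector, exclude: int = -1) -> List[Tuple[float, int]]:
        """k nearest training points as (distance, index); ties broken by index."""
        dists = [(euclid(v, t), i) for i, t in enumerate(self.train) if i != exclude]
        dists.sort()
        return dists[: self.k]

    def _lrd(self, neighbors: List[Tuple[float, int]]) -> float:
        # reachability distance = max(k-distance of the neighbour, true distance)
        reach = sum(max(self.k_dist[i], d) for d, i in neighbors)
        return len(neighbors) / max(reach, 1e-12)

    def fit(self, safe: Sequence[Vector]) -> "LOFDetector":
        self.train = list(safe)
        nbrs = [self._neighbors(t, exclude=i) for i, t in enumerate(self.train)]
        self.k_dist = [n[-1][0] for n in nbrs]
        self.lrd = [self._lrd(n) for n in nbrs]
        return self

    def score(self, v: Vector) -> float:
        """LOF of v: about 1 inside the known-safe cluster, much larger for outliers."""
        nbrs = self._neighbors(v)
        lrd_v = self._lrd(nbrs)
        return sum(self.lrd[i] for _, i in nbrs) / len(nbrs) / lrd_v

    def decide(self, f: SyscallFeatures) -> Tuple[str, float]:
        """Return ('block' | 'allow', score) for one monitored system call."""
        s = self.score(f.as_vector())
        return ("block" if s > self.threshold else "allow"), s


# Constructed known-safe corpus: ten benign invocations of the same function.
KNOWN_SAFE = [SyscallFeatures(*row).as_vector() for row in [
    (3, 0, 2, 1, 1, 0, 1), (4, 0, 2, 1, 1, 0, 1), (3, 0, 3, 1, 1, 0, 1),
    (3, 1, 2, 1, 1, 0, 1), (4, 0, 3, 1, 1, 0, 1), (2, 0, 2, 1, 1, 0, 1),
    (3, 0, 2, 2, 1, 0, 1), (4, 1, 2, 1, 1, 0, 1), (3, 0, 2, 1, 1, 0, 0),
    (2, 0, 3, 1, 1, 0, 1),
]]


def build_detector() -> LOFDetector:
    return LOFDetector(k=3, threshold=2.0).fit(KNOWN_SAFE)


if __name__ == "__main__":
    det = build_detector()
    benign = SyscallFeatures(3, 0, 2, 1, 1, 0, 1)
    # Constructed anomalous call: many steps, mass deletes, not by a user,
    # on a new system, not via a known-safe library.
    suspect = SyscallFeatures(40, 25, 1, 0, 0, 1, 0)
    for f in (benign, suspect):
        print(f, det.decide(f))
```

The detector is fitted only on the known-safe vectors, as claim 10 recites, and the score returned to the handler is the raw LOF value so the block threshold stays a separate policy decision.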

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 2-5, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Li in view of San Miguel; John Michael et al, US 20210105613 A1, April 8, 2021, hereafter referred to as San Miguel.

As to claim 2, Li teaches the method of claim 1. LI DOES NOT TEACH wherein the feature vector includes a number of steps feature, HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR SAN MIGUEL TEACHES wherein the feature vector includes a number of steps feature (San Miguel [0040]: …Because power drain and storage space from extensive data collection is a concern, the collected data is run through feature selection methods that reduce the number of individual features and retain the most relevant features. Here, the claimed ‘number of steps’ is taught by San Miguel as ‘feature selection’ which is an option to identify the claimed ‘power and storage’ features of the application). To provide the provenance-based threat detection tool of Li with a vector organizing tool directed at the number of steps in a particular feature would have been obvious to one of ordinary skill in the art in view of the teachings of San Miguel, since all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods of providing a number of steps as a feature with no change in their respective functions, and the combination would have yielded nothing more than predictable results to one of ordinary skill in the art before the effective filing date of the claimed invention, i.e., one skilled in the art would have recognized that incorporating filtering features to create certain feature vectors as provided by San Miguel would allow the provenance detector of Li the ability to create and/or identify vectors of varying complexities.

As to claim 3, the combination of Li and San Miguel teaches the method of claim 2, wherein the number of steps feature identifies a number of system call functions that are invoked during execution of the system call function (San Miguel [0029]: … The logs 130 include at least two of the following: a log of the system calls invoked by each of the applications 122, a log of the indicated power consumed by the mobile device 102 during executing each of the applications 122, and a log of network activity through the network interface 114 for each of the applications 122). The rationale to consider San Miguel with Li in claim 2 applies equally here in claim 3 for the incorporation of filtering features.

As to claim 4, Li teaches the method of claim 1. LI DOES NOT TEACH wherein the feature vector includes one or more count features (San Miguel [0029]: … The logs 130 include at least two of the following: a log of the system calls invoked by each of the applications 122. Here, the claimed ‘count feature’ is taught by San Miguel as simply a ‘log of system call’ because the log accumulates the number of calls per application). The rationale for considering the features of San Miguel in claim 3 applies equally here in claim 4 since the logs provide a feature rich application source.
  
As to claim 5, the combination of Li and San Miguel teaches the method of claim 4, wherein the one or more count features include one or more of:
    a delete count feature that identifies a number of delete operations the system call function performs;
    an open count feature that identifies a number of open operations the system call function performs (San Miguel [0030]: the logs 130 include a log of a system call invoked by each of the applications 122 to request permission to use restricted services of the operating system 120. In one embodiment, the logs 130 include the indicated power consumed by each of the processor 110); or
    a create count feature that identifies a number of create operations the system call function performs. The rationale for considering the features of San Miguel in claim 2 applies equally here in claim 5.

As to claim 15, Li teaches the computer storage media of claim 14. LI DOES NOT TEACH wherein monitoring the execution of the system call function comprises determining a number of steps for the system call function, and wherein the feature vector includes the number of steps, HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR SAN MIGUEL TEACHES wherein monitoring the execution of the system call function comprises determining a number of steps for the system call function, and wherein the feature vector includes the number of steps (San Miguel [0040]: …Because power drain and storage space from extensive data collection is a concern, the collected data is run through feature selection methods that reduce the number of individual features and retain the most relevant features. Here, the claimed ‘number of steps’ is taught by San Miguel as ‘feature selection’ which is an option to identify the claimed ‘power and storage’ features of the application). The rationale for considering the features of San Miguel in claim 2 applies equally here in claim 15.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Pradadarao; Akulavenkatavara et al, US 20080052696 A1, February 28, 2008, hereafter referred to as Pradadarao.

As to claim 13, Li teaches the method of claim 1. LI DOES NOT TEACH wherein detecting that the system call has been made comprises:
    registering one or more probes; and associating a handler with the one or more probes,
HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR PRADADARAO TEACHES wherein detecting that the system call has been made comprises:
    registering one or more probes; and associating a handler with the one or more probes (Pradadarao [0027]: …The communication daemon 16 may implement a "push" mechanism that passes the contents of the DBMS 14 to the probe handler generator 18 whenever there is a change in the DBMS (e.g. when an instrumentation function registers with the registration API 12)). Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Pradadarao to the provenance-based threat detection tool of Li would have yielded predictable results and resulted in an improved device, namely, a detection tool that would register the probes and handlers for vector mapping by the handler generator of Pradadarao to the provenance-based threat detection tool of Li.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM B JONES/
Examiner, Art Unit 2491
03/24/2022


/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491