Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
Foreign priority claimed to KR10-2019-0137229, filed 10/31/2019. However, to be entitled to the benefit of earlier filing date of 10/31/2019 under the first inventor to file provisions of the AIA, an English translation of the priority application needs to be filed. Since an English translation of the priority application is missing, the effective filing date of this application for prior-art will be considered as the filing date of this application, which is 10/28/2020 (See MPEP § 216.01).

Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 10/28/2020 and 05/24/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 8, 10-12, 19-20 are rejected under 35 U.S.C. 102(a)(1), 102(a)(2) as being anticipated by Subbarayan et al. (US 2019/0114417 A1, hereinafter Subbarayan).
For claim 1, Subbarayan teaches a method of training a malicious code detection model performed by a computing device, the method comprising: acquiring application programming interface (API) call information of called functions from a result log of performing dynamic analysis of a malicious code (para 0044-0046 - dynamic analysis of API call information from logs; para 0064 - report or result log comprising malicious activity, and analysis of the same);
calculating time intervals between timestamps using the timestamps which indicate API call times extracted from the API call information (para 0007, 0047, 0052, 0061, 0067 - API calls with time attributes corresponding to API function call occurrences and the time/period between API calls); 
determining a feature value of the malicious code on the basis of the time intervals (para 0048-0053, 0085 - features extracted based on time intervals); and 
training the malicious code detection model using an API call sequence included in the API call information and the feature value (para 0007, 0047-0053, 0055, 0058, 0060, 0085, Fig. 4 - various attributes and allocated values (features) based on API calls sequences and occurrences, and ML training based on the same).

For claim 8, Subbarayan teaches the claimed subject matter as discussed above. Subbarayan further teaches wherein the determining of the feature value indicating a feature of the malicious code comprises additionally using additional information of a file, for which malicious code detection is requested, in the result log of performing the dynamic analysis to determine the feature value (para 0025, 0028, 0036, 0039, 0043-0045, 0083, 0085 - API traffic associated with application layer data including files, pertinent data collected or logged in any file format, and utilized for feature value determination).

For claim 10, Subbarayan teaches the claimed subject matter as discussed above. Subbarayan further teaches performing a preprocess of unifying names of functions which are determined to be similar functions among functions included in the API call information (para 0055, 0069, 0073 - aggregation of API calls or functions which have similarity of co-occurrence).

For claim 11, Subbarayan teaches a method of detecting a malicious code performed by a computing device, the method comprising: acquiring application programming interface (API) call information of called functions from a result log of performing dynamic analysis of a malicious code (para 0044-0046 - dynamic analysis of API call information from logs; para 0064 - report or result log comprising malicious activity, and analysis of the same);
calculating time intervals between timestamps using the timestamps which indicate API call times extracted from the API call information (para 0007, 0047, 0052, 0061, 0067 - API calls with time attributes corresponding to API function call occurrences and the time/period between API calls);
determining a feature value indicating a feature of the malicious code on the basis of the time intervals (para 0048-0053, 0085 - features extracted based on time intervals); and 
detecting the malicious code in a file, for which malicious code detection is requested, through a malicious code detection model (Fig. 4; para 0060-0063, 0065), wherein the malicious code detection model learns the feature value of the malicious code using an API call sequence included in the API call information and the feature value (para 0007, 0048-0053, 0055, 0058, 0060, 0085 - various attributes and allocated values (features) based on API calls sequences and occurrences, and ML training based on the same).

For claim 12, Subbarayan teaches a device for training a malicious code detection model, the device comprising: a processor; a network interface; a memory; and a computer program configured to be loaded to the memory and executed by the processor (Fig. 1A-1B; para 0005-0007), wherein the computer program comprises: an instruction to acquire application programming interface (API) call information of called functions from a result log of performing dynamic analysis of a malicious code (para 0044-0046 - dynamic analysis of API call information from logs; para 0064 - report or result log comprising malicious activity, and analysis of the same);
an instruction to calculate time intervals between timestamps using the timestamps which indicate API call times extracted from the API call information (para 0007, 0047, 0052, 0061, 0067 - API calls with time attributes corresponding to API function call occurrences and the time/period between API calls);
an instruction to determine a feature value of the malicious code on the basis of the time intervals (para 0048-0053, 0085 - features extracted based on time intervals); and 
an instruction to train a malicious code detection model using an API call sequence included in the API call information and the feature value (para 0007, 0047-0053, 0055, 0058, 0060, 0085, Fig. 4 - various attributes and allocated values (features) based on API calls sequences and occurrences, and ML training based on the same).

For claim 19, Subbarayan teaches the claimed subject matter as discussed above. Subbarayan further teaches wherein the instruction to determine the feature value of the malicious code comprises an instruction to determine the feature value additionally using additional information of a file, for which malicious code detection is requested, in the result log of performing the dynamic analysis (para 0025, 0028, 0036, 0039, 0043-0045, 0083, 0085 - API traffic associated with application layer data including files, pertinent data collected or logged in any file format, and utilized for feature value determination).

For claim 20, Subbarayan teaches the claimed subject matter as discussed above. Subbarayan further teaches further comprising an instruction to perform a preprocess of unifying names of functions which are determined to be similar functions among functions included in the API call information (para 0055, 0069, 0073 - aggregation of API calls or functions which have similarity of co-occurrence).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 6-7, 9, 13-15, 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (US 2019/0114417 A1, hereinafter Subbarayan), in view of Shibahara et al. (US 2019/0065743 A1, Shibahara hereinafter).
For claim 2, Subbarayan teaches wherein the calculating of the time intervals comprises: generating a list storing the API call sequence of a file for which malicious code detection is requested and the timestamps (para 0007, 0025-0026, 0039, 0044, 0052-0053, 0061-0062, 0067 - stored API calls or listing, and API categorization based on various factors including time and/or intervals, wherein timestamps and computing period between two API calls pertaining to a file request, in a sequence is listed or stored, and wherein the metrics comprise various factors such as timestamps (time of receiving the API calls)).
Subbarayan does not appear to explicitly teach, however Shibahara teaches dividing the list into sections on the basis of the time intervals, wherein the determining of the feature value of the malicious code comprises analyzing the time intervals in each of the divided sections (para 0004, 0013, 0042-0046, 0049-0050, 0055, 0065 - classification or division of events based on features or attributes such as time of occurrences, in structures such as tree, and wherein the time of occurrences and the interval/period between those is considered for maliciousness determination).
Therefore, based on Subbarayan in view of Shibahara, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Shibahara in the system of Subbarayan, in order to arrange data in logical data structures for the sake of improving operational efficiency and security in Subbarayan’s system for data analysis and machine learning. One would be motivated Shibahara (para 0003-0005).

For claim 3, Subbarayan in view of Shibahara teaches the claimed subject matter as discussed above. Although Shibahara teaches techniques of sample data organization and analysis for classification to be utilized in machine learning wherein there would be a logical extension of the technique to arrange and analyze datasets efficiently in different ways to derive or train models, Subbarayan does not appear to explicitly disclose, however Shibahara teaches wherein the dividing of the list into the sections comprises evenly dividing the list on the basis of the number of the time intervals (para 0003, 0004 - software functions or API calling associated with malware execution; para 0021-0023 - node structure divided by occurrence times information associated with nodes attributes; Fig. 2-3; para 0034-0035, 0037-0040 - distribution of attributes associated with calls or APIs in even sections according to time intervals).

For claim 4, Subbarayan in view of Shibahara teaches the claimed subject matter of the method of claim 3 as discussed above. Although Shibahara teaches techniques of sample data organization and analysis for classification to be utilized in machine learning wherein there would be a logical extension of the technique to arrange and analyze datasets efficiently in different ways to derive or train models, Subbarayan does not appear to explicitly disclose, however Shibahara teaches wherein the dividing of the list into the sections comprises evenly dividing the list into three sections on the basis of the number of the time intervals (para 0003, 0004 - software functions or API 

For claim 6, Subbarayan in view of Shibahara teaches the claimed subject matter as discussed above. Although Shibahara teaches techniques of sample data organization and analysis for classification to be utilized in machine learning wherein there would be a logical extension of the technique to arrange and analyze datasets efficiently in different ways to derive or train models, Subbarayan does not appear to explicitly disclose, however Shibahara teaches wherein the dividing of the list into the sections comprises setting a reference time interval on the basis of values of the time intervals and dividing the list into the sections on the basis of the reference time interval (para 0003, 0004 - software functions or API calling associated with malware execution; para 0021-0023 - node structure divided by occurrence times information associated with nodes attributes; Fig. 2-3; para 0034-0035, 0037-0040 - distribution of attributes associated with calls or APIs in even sections according to time intervals based on a predetermined or reference time).

For claim 7, Subbarayan in view of Shibahara teaches the claimed subject matter as discussed above. Subbarayan does not appear to explicitly disclose, however Shibahara teaches wherein the feature value comprises at least one of a maximum value of the time intervals, an average value of the time intervals, and a standard deviation of the time intervals in the list including the time intervals (para 0003, 0004 - software functions or API calling associated with malware execution; para 0021-0023 - node structure divided by occurrence times information associated with nodes attributes; Fig. 2-3; para 0034-0035, 0037-0040, 0049, 0054, 0059-0060 - distribution of attributes associated with calls or APIs in even sections according to time intervals and considering maximum or average time intervals).

For claim 9, Subbarayan in view of Shibahara teaches the claimed subject matter as discussed above. Subbarayan teaches the method of claim 8, and does not appear to explicitly disclose, however Shibahara teaches wherein the additional information includes at least one of types or a number of changes of dynamic-link libraries (dlls), a number of changes in a process identifier (ID), a central processing unit (CPU) value, or telemetry data (para 0013, 0076 - features communicated from a machine as telemetry data).

As to claims 13-15, the claim limitations are similar to those of claims 2-4 respectively above. Therefore, claims 13-15 are rejected according to claims 2-4 respectively as above.

As to claims 17-18, the claim limitations are similar to those of claims 6-7 respectively above. Therefore, claims 17-18 are rejected according to claims 6-7 respectively as above.
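
The timing features recited in claims 2-4 and 7 above (intervals between API call timestamps, an even split of the interval list into three sections, and the maximum, average and standard deviation per section), sketched as an added example that is not taken from the application or from the cited references. The log format, the sample log lines and the use of the population standard deviation are assumptions made for illustration.

```python
import statistics
from datetime import datetime

# Constructed sample of a dynamic-analysis result log: "<ISO timestamp> <API name>".
SAMPLE_LOG = """\
2020-10-28T09:00:00.000 NtCreateFile
2020-10-28T09:00:00.010 NtWriteFile
2020-10-28T09:00:00.030 NtClose
2020-10-28T09:00:05.030 Sleep
2020-10-28T09:00:05.040 RegOpenKeyExW
2020-10-28T09:00:05.045 RegSetValueExW
2020-10-28T09:00:05.145 CreateProcessW
"""

def parse_log(text):
    """Return (api_sequence, timestamps), ordered by call time."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, api = line.split(maxsplit=1)
            rows.append((datetime.fromisoformat(ts), api.strip()))
    rows.sort(key=lambda r: r[0])  # sandbox logs are not always written in order
    return [api for _, api in rows], [ts for ts, _ in rows]

def intervals_ms(timestamps):
    """Time between consecutive API calls, in milliseconds."""
    return [round((b - a).total_seconds() * 1000, 3)
            for a, b in zip(timestamps, timestamps[1:])]

def split_evenly(items, n_sections=3):
    """Split by number of intervals; earlier sections absorb any remainder."""
    base, extra = divmod(len(items), n_sections)
    sections, start = [], 0
    for i in range(n_sections):
        size = base + (1 if i < extra else 0)
        sections.append(items[start:start + size])
        start += size
    return sections

def section_features(section):
    """(max, mean, population std dev); zeros for an empty section."""
    if not section:
        return (0.0, 0.0, 0.0)
    return (max(section), statistics.fmean(section), statistics.pstdev(section))

def timing_features(text, n_sections=3):
    """API call sequence plus a flat vector of per-section timing features."""
    sequence, timestamps = parse_log(text)
    features = []
    for section in split_evenly(intervals_ms(timestamps), n_sections):
        features.extend(section_features(section))
    return sequence, features
```

On the constructed log, the 5-second gap before `Sleep` dominates the middle section's maximum and standard deviation, which is the kind of stall an interval-based feature is meant to surface alongside the API call sequence.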


Allowable Subject Matter
Claims 5 and 16 are objected to as being dependent upon rejected base claims, but would be allowable if incorporated in the base claims 1, 11 and 12 including all the limitations of the base claims and any intervening claims.

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433