Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1, 3 – 9 and 11 – 20 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Paithane et al (US 20180048660), hereafter Pai, and Hoernecke et al (US 20170098086), hereafter Hoe; they have been fully considered and are persuasive. Claims 2 and 10 are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3 – 9 and 11 – 20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Michael Fainberg (attorney) for filed amended claims:
1.	(Currently Amended) A method for intercepting malicious messages for training a malware detection classifier, the method comprising:
accessing an application database containing information about a plurality of applications, including malicious applications and untrusted applications;
calculating a respective priority level for each application in the database based on a function of a number of computing devices on which the respective application was identified and an amount of time elapsed since the respective application was added or modified in the database;
selecting an application with the greatest respective priority level among all other calculated priority levels for each application, for execution in an execution environment; 

during the execution of the selected application in the execution environment, monitoring network activity comprising information about data being sent and received over a network connected to the execution environment; 
extracting, from the network activity, an electronic message; and
in response to determining that the electronic message corresponds to the selected application, storing the electronic message in a message database used for training the machine-learning based malware detection classifier. 
2.	(Canceled)  
3.	(Currently Amended) The method of claim [[2]] 1, wherein the respective priority level is inversely proportional to an amount of time elapsed since the respective application was added or modified in the application database.
4.	(Currently Amended) The method of claim [[2]] 1, 
number of computing devices on which the respective application was identified.
5.	(Currently Amended) The method of claim [[2]] 1, wherein the calculating comprises:
	calculating the respective priority level based on a formula:
$$p = \frac{n^{a}}{t^{b}}$$
	wherein p is the respective priority level, n is the number of computing devices on which the respective application was identified; t is [[an]] the amount of time elapsed since the respective application was added or modified in the application database, and a and b are power coefficients, where a > b > 0.
6.	(Currently Amended) The method of claim [[2]] 1, wherein the calculating comprises:
	assigning a maximum priority level to the respective application in response to determining that the respective application is capable of performing data exchanges over the network. 
7.	(Original) The method of claim 1, wherein determining that the electronic message corresponds to the selected application comprises:
	determining that the extracted electronic message is marked with an identifier of a network-level protocol port used by the selected application for performing data exchanges over the network.
8.	(Original) The method of claim 1, wherein the execution environment is one of: a computing device, a hypervisor with a virtual machine running, and an emulator.

a hardware processor configured to:
access an application database containing information about a plurality of applications, including malicious applications and untrusted applications;
calculate a respective priority level for each application in the database based on a function of a number of computing devices on which the respective application was identified and an amount of time elapsed since the respective application was added or modified in the database;
select an application with the greatest respective priority level among all other calculated priority levels for each application, for execution in an execution environment; 

during the execution of the selected application in the execution environment, monitor network activity comprising information about data being sent and received over a network connected to the execution environment; 
extract, from the network activity, an electronic message; and
in response to determining that the electronic message corresponds to the selected application, store the electronic message in a message database used for training the machine-learning based malware detection classifier. 
10.	(Canceled)
9, wherein the respective priority level is inversely proportional to an amount of time elapsed since the respective application was added or modified in the application database.
12.	(Currently Amended) The system of claim [[10]] 9, wherein 
number of computing devices on which the respective application was identified.
13.	(Currently Amended) The system of claim [[10]] 9, wherein the hardware processor is configured to perform the calculating by:
	calculating the respective priority level based on a formula:
$$p = \frac{n^{a}}{t^{b}}$$
	wherein p is the respective priority level, n is the number of computing devices on which the respective application was identified; t is [[an]] the amount of time elapsed since the respective application was added or modified in the application database, and a and b are power coefficients, where a > b > 0.
14.	(Currently Amended) The system of claim [[10]] 9, wherein the hardware processor is further configured to perform the calculating by:
	assigning a maximum priority level to the respective application in response to determining that the respective application is capable of performing data exchanges over the network. 

	determining that the extracted electronic message is marked with an identifier of a network-level protocol port used by the selected application for performing data exchanges over the network.
16.	The system of claim 9, wherein the execution environment is one of: a computing device, a hypervisor with a virtual machine running, and an emulator.
17.	A non-transitory computer readable medium storing thereon computer executable instructions for intercepting malicious messages for training a malware detection classifier, including instructions for:
accessing an application database containing information about a plurality of applications, including malicious applications and untrusted applications;
calculating a respective priority level for each application in the database based on a function of a number of computing devices on which the respective application was identified and an amount of time elapsed since the respective application was added or modified in the database;
selecting an application with the greatest respective priority level among all other calculated priority levels for each application, for execution in an execution environment; 

during the execution of the selected application in the execution environment, monitoring network activity comprising information about data being sent and received over a network connected to the execution environment; 

in response to determining that the electronic message corresponds to the selected application, storing the electronic message in a message database used for training the machine-learning based malware detection classifier. 
18.	(Currently Amended) The non-transitory computer readable medium of claim 17, wherein the respective priority level is directly proportional to the number of computing devices on which the respective application was identified 


19.	(Currently Amended) The non-transitory computer readable medium of claim [[18]] 17, wherein the respective priority level is inversely proportional to [[an]] the amount of time elapsed since the respective application was added or modified in the application database.
20.	(Currently Amended) The non-transitory computer readable medium of claim [[18]] 17, including instructions for:
	calculating the respective priority level based on a formula:
$$p = \frac{n^{a}}{t^{b}}$$
	wherein p is the respective priority level, n is the number of computing devices on which the respective application was identified; t is [[an]] the amount of a and b are power coefficients, where a > b > 0.
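
The selection and attribution steps recited in claims 1 and 5 to 7, as an added illustration that is not part of the Office action or the application. The coefficient values, the one-second age floor, the ordering inside the maximum level, the record layout and all sample data are assumptions made for this example.

```python
from dataclasses import dataclass

A, B = 2.0, 1.0        # assumed power coefficients; the claims only require a > b > 0
MIN_AGE_H = 1 / 3600   # assumed floor (1 s) so a just-added record does not divide by zero

@dataclass(frozen=True)
class App:
    name: str
    devices: int                     # n: devices on which the app was identified
    age_hours: float                 # t: time since added/modified in the database
    uses_network: bool = False       # claim 6 condition
    ports: frozenset = frozenset()   # ports the app uses for data exchange (claim 7)

def score(app, a=A, b=B):
    """Claim 5: p = n^a / t^b."""
    if not a > b > 0:
        raise ValueError("coefficients must satisfy a > b > 0")
    return app.devices ** a / max(app.age_hours, MIN_AGE_H) ** b

def rank_key(app):
    # Claim 6: a network-capable app is placed in the maximum level.
    # Ordering inside that level by the formula is a choice made here.
    return (app.uses_network, score(app))

def select(apps):
    """Claim 1: pick the application with the greatest priority level."""
    return max(apps, key=rank_key)

def attribute(flows, app):
    """Claim 7: keep messages carried on a port the selected app uses."""
    return [f["message"] for f in flows if f["port"] in app.ports]

# Constructed sample records (not taken from the application).
APPS = [
    App("dropper.apk", devices=120, age_hours=48),
    App("adware.apk", devices=400, age_hours=720),
    App("smsbot.apk", devices=15, age_hours=2, uses_network=True,
        ports=frozenset({25, 587})),
    App("spamkit.apk", devices=30, age_hours=6, uses_network=True,
        ports=frozenset({25})),
]
FLOWS = [
    {"port": 443, "message": "background update check"},
    {"port": 25, "message": "Subject: invoice attached"},
    {"port": 25, "message": "Subject: parcel waiting"},
]

if __name__ == "__main__":
    chosen = select(APPS)
    print(chosen.name, attribute(FLOWS, chosen))
```

Only the messages attributed to the selected application would go on to the message database used for training; the port 443 record is left out because it does not correspond to that application.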

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Pai teaches [0016, Fig. 2] a malware detection system for multiple application (“multi-app”), multiple plug-in (“multi-plugin”) analysis of a suspicious object within a sandbox environment, where the suspicious object may include one or more data elements (e.g., files, documents, etc.) and/or one or more uniform resource locators (URLs). The sandbox environment features one or more virtual machines, each virtual machine includes launcher logic that is responsible for setting an analysis environment variation framework for analysis of a suspicious object for malware. The analysis environment variation framework, referred to herein as a “multi-app, multi-plugin processing framework,” includes multiple application/plug-in combinations that, when launched, process the suspicious object concurrently in the virtual machine. During processing of the suspicious object, the behaviors of these application/plug-in combinations are monitored and analyzed to determine whether the suspicious object is associated with a malicious attack. [083, Figs. 6A-6B] The launcher logic receives an object path and parameters associated with the suspicious object provided to the virtual machine for analysis (block 600). Based on one or more of the supplied parameters, the launcher logic (object-application mapping logic) determines a first application type for the multi-app, multi-plugin processing framework (block 605). Thereafter, configuration data (priority list) is read to identify the best match for the first application type (block 610). For instance, where the exact application (type/version) is listed in the priority list (e.g., 

Further, a second prior art of record Hoe teaches [0052] use of an exemplary security risk score system ranging from 0 to 100, other scoring regimes may be used without departing from the scope of this disclosure. For example, security risk scores may be greater than 100 in some embodiments. In general, the security risk score provides a numeric score that may be used to compare one application's security risk against another application's security risk and/or to sort or categorize all of the applications present within the service provider system 100. This may enable administrative security personnel to prioritize their security testing time on applications that present the greatest real-time security risks. Additionally, the security risk scores may be used to determine a subset of applications that may be assigned an automated testing regime that is likely to be sufficient given the security risk presented by applications in the subset.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed.  The prior art of record fails to teach: an application selection module selects, from a plurality of applications, an application for execution in an execution environment based on a priority level of the application and calculating a respective priority level for each application in the database based on a function of a number of computing devices on which the respective application was identified and an amount of time elapsed since the respective application was added or modified in the database. During the execution of the selected application, a network interception module monitors network activity comprising information about data being sent and received over a network connected to the execution environment and 

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same amendments and reasoning are applicable to independent claims 9 and 17 mutatis mutandis.  Claims 2 and 10 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/BADRINARAYANAN /Examiner, Art Unit 2496.