Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
1.	Amended claims 1 – 4, 6 – 15 and 17 – 20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Dorian Cartwright (attorney) for filed amended claims:
1. A method comprising: maintaining, by a central training node of a cybersecurity fabric, a sample library having a plurality of samples, wherein the samples include virus samples and benign samples; generating, by the central training node, a global virus classification model by extracting features from the plurality of samples and training a machine-learning classifier or a deep-learning neural network, wherein said extracting features from the plurality of samples comprises: transforming, by the central training node, each binary file of a plurality of binary files, representing the plurality of samples, into a time series vector represented in a form of a plurality of chunks, wherein each chunk includes j bits and each chunk is interpreted as an unsigned integer value ranging from 0 to 2^j - 1 and wherein a size of the time series vector is equal to a number of the plurality of chunks; and projecting, by the central training node, the time series vector from a time domain to a first domain by applying a transformation to the time series vector; distributing, by the central training node, the global virus classification model to a plurality of detection nodes of the cybersecurity fabric for use by each of the plurality of detection nodes as a local virus detection model in connection with virus detection and sample collection, wherein each of the plurality of detection nodes is associated with a respective customer network; responsive to detection of a virus in network traffic being processed by a detection node of the plurality of detection nodes, receiving, by the central training node, a virus sample from the detection node; creating or updating, by the central training node, a feature depository by extracting features from the plurality of samples; and responsive to a retraining event: creating, by the central training node, an improved global virus classification model by retraining the machine-learning classifier or the deep-learning neural network based on features contained in the feature depository; and causing, by the central training node, the plurality of detection nodes to be upgraded by distributing the improved global virus classification model to the plurality of detection nodes to replace their respective local virus detection models.
12. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a central training node of a cybersecurity fabric, causes the one or more processors to perform a method comprising: maintaining a sample library having a plurality of samples, wherein the samples include virus samples and benign samples; generating a global virus classification model by extracting features from the plurality of samples and training a machine-learning classifier or a deep-learning neural network, wherein said extracting features from the plurality of samples comprises: reading in parallel a plurality of binary files representing the plurality of samples into corresponding buffers of a plurality of buffers; and creating an M-dimensional feature vector for each of the plurality of files by performing a feature extraction process on each buffer of the plurality of buffers, wherein each dimension of the M-dimensional feature vector corresponds to an extracted feature of the extracted features; distributing the global virus classification model to a plurality of detection nodes of the cybersecurity fabric for use by each of the plurality of detection nodes as a local virus detection model in connection with virus detection and sample collection, wherein each of the plurality of detection nodes is associated with a respective customer network; responsive to detection of a virus in network traffic being processed by a detection node of the plurality of detection nodes, receiving a virus sample from the detection node; 

Claims 5 and 16 are cancelled. Therefore, dependent claims 6 and 17 are amended to depend on claims 1 and 12, respectively.
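As an added illustration of the feature extraction recited in claims 1 and 12 (example code written for this page, not the applicant's implementation or any code from the application), the block below splits a binary into j-bit chunks read as unsigned integers, projects the resulting time series into the frequency domain, and builds an M-dimensional vector per sample with the buffers processed in parallel. Assumptions not stated in the claims: a discrete Fourier transform as "the transformation", the first M spectral magnitudes as the M dimensions, a thread pool as the parallel reader, and constructed in-memory byte strings in place of real binaries.

```python
import cmath
from concurrent.futures import ThreadPoolExecutor

def to_time_series(data: bytes, j: int) -> list:
    """Claim 1: split the file into consecutive j-bit chunks, each read as an
    unsigned integer in [0, 2**j - 1]; vector length = number of chunks.
    Chunk 0 is the most significant j bits; a trailing partial chunk is dropped."""
    total_bits = len(data) * 8
    as_int = int.from_bytes(data, "big")
    mask = (1 << j) - 1
    return [(as_int >> (total_bits - (k + 1) * j)) & mask
            for k in range(total_bits // j)]

def dft_magnitudes(x: list) -> list:
    """Project the time series from the time domain to the frequency domain.
    A direct O(n^2) DFT is used here (assumption: the claim only says 'a
    transformation'); returns |X_k| for k = 0..n-1."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(complex(0, -2 * cmath.pi * k * t / n))
                    for t in range(n))) for k in range(n)]

def feature_vector(data: bytes, j: int = 8, m: int = 8) -> list:
    """Claim 12: an M-dimensional feature vector per file. Assumption: the first
    M spectral magnitudes, scaled by 1/n so files of different sizes compare,
    zero-padded when the file yields fewer than M chunks."""
    ts = to_time_series(data, j)
    if not ts:
        return [0.0] * m
    feats = [v / len(ts) for v in dft_magnitudes(ts)[:m]]
    return feats + [0.0] * (m - len(feats))

def extract_all(samples: dict, j: int = 8, m: int = 8) -> dict:
    """Process each sample's buffer in parallel (claim 12's parallel reading of
    binaries into buffers, here with a thread pool over in-memory buffers)."""
    with ThreadPoolExecutor() as pool:
        futures = {name: pool.submit(feature_vector, buf, j, m)
                   for name, buf in samples.items()}
        return {name: f.result() for name, f in futures.items()}

# Constructed stand-in "binaries" (not real files or malware):
SAMPLES = {
    "benign_a": bytes(range(64)),            # slow ramp: energy near bin 0
    "benign_b": b"\x00\xff" * 32,            # alternating bytes: energy at bin n/2
    "sample_c": b"MZ" + b"\x90" * 30 + b"\xe8\x00\x00\x00\x00" * 6,
}

if __name__ == "__main__":
    for name, fv in extract_all(SAMPLES).items():
        print(name, [round(v, 2) for v in fv])
```

With j = 4 or j = 12 the chunking works on sub-byte and cross-byte boundaries, which is where a naive per-byte reader would silently diverge from the claim's definition.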

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Weith et al (US 20190281073) teaches Abstract: methods for testing Signature Pattern Matching (SPM) for a new signature associated with a cloud-based security system with a plurality of nodes and a testing node include operating the testing node with a same management software and SPM library as the plurality of nodes; obtaining a new signature derived to detect malicious content; compiling the new signature in the SPM library for the testing node; implementing one or more test cases related to the malicious content to analyze behavior of the testing node with the SPM library containing the new signature; and, responsive to success in the one or more test cases, providing the SPM library to the plurality of nodes for detection of the malicious content. [034] The information key is hashed to generate an index value (i.e., a bit position). A value of zero in a bit position in the guard table can indicate, for example, the absence of information, while a one in that bit position can indicate the presence of information. Alternatively, a one could be used to represent absence, and a zero to represent presence. Each content item may have an information key that is hashed. For example, the processing node manager 118 may identify the Uniform Resource Locator (URL) address of URL requests as the information key and hash the URL address; or may identify the file name and the file size of an executable file information key and hash the file name and file size of the executable file. Hashing an information key to generate an index and checking a bit value at the index in the detection processing filter 112 generally requires less processing time than actually searching threat data 114. The use of the detection processing filter 112 may improve the failure query (i.e., responding to a request for absent information) performance of database queries and/or any general information queries.

Further, a second prior art of record Gordeychik et al (US 20190104140) teaches [066] With the use of the detection module 110, a search is made for signs of suspicious activity (i.e., characteristic signs of computer attacks) in a suspicious activity database 113 on the basis of the security notification received and the added tags of the object contained in said security notification. Upon finding a sign of suspicious activity, the tag contained in the suspicious activity database 113 is added to the security notification by the detection module 110. The tag indicates the presence of the sign of suspicious activity which has been found. After this, signs of a computer attack are detected by identifying the signature of computer attacks from a database of computer attacks 114 among the objects and security notifications obtained and the tags of the mentioned objects and security notifications from the object database.

Further, a third prior art of record Avrahami et al (US 20190068620) teaches [096] A feature extractor module 808 includes code to extract behavioral features from the received events. For example, the behavioral features can include network behavioral features, database behavioral features, file behavioral features, or any combination thereof. An attack detector module 810 includes code to detect a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data. A protection improver module 812 includes code to execute an ad hoc protection improvement based on the detected malware attack. For example, the protection improver module 812 may include code to dynamically install a file access monitor agent on a machine correlated with the detected malware attack. In some examples, the protection improver module 812 can retrain the malware identification model based on collected findings associated with the malware attack. A traffic blocker module 814 includes code to block network traffic associated with the detected malware attack. A report generator module 816 includes code to generate a report and sending the report to a security information and event management (SIEM) service. In some examples, the report generator module 816 may include code to update a knowledge database based on the detected malware attack.

None of the other prior art of record, by itself or in any combination, anticipates or renders obvious the claimed invention of the present application as of the time it was filed.  The prior art of record fails to teach: extracting features from the plurality of samples comprises: reading in parallel a plurality of binary files representing the plurality of samples into corresponding buffers of a plurality of buffers and creating an M-dimensional feature vector for each of the plurality of files by performing a feature extraction process on each buffer of the plurality of buffers, wherein each dimension of the M-dimensional feature vector corresponds to an extracted feature of the extracted features.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and the prior art of record. The same amendments and reasoning apply to independent claim 12 mutatis mutandis.  Claims 5 and 16 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.