DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1-2, 4, 6-20 are provisionally rejected on the ground of nonstatutory double patenting over claims 1-20 of copending application No. 16/832778. This is a provisional double patenting rejection since the conflicting claims have not in fact been patented. As to Claims 1, 9, 17, copending application '778 discloses a computer-implemented method comprising: receiving an artifact (see claims 1, 16, 19 of current application: receiving an artifact); extracting features from the artifact and populating a vector (see claims 1, 16, 19 of current application: extracting features from the artifact and populating a vector); reducing features in the vector using a feature reduction operation to result in a modified vector having a plurality of buckets (see claims 1, 16, 19 of current application: reducing features in the vector using a feature reduction operation to result in a modified vector having a plurality of buckets); identifying a presence of predetermined types of features within buckets of the modified vector influencing a score above a pre-determined threshold (see claims 1, 16, 19 of current application: identifying features within buckets of the modified vector above a pre-determined projected bucket clipping threshold); attenuating a contribution of the identified features within the high influence buckets of the modified vector; inputting the modified vector into a classification model to generate a score; and providing the score to a consuming application or process (see claims 1, 16, 19 of current application: generating an overflow vector based on the identified features; inputting the modified vector into a classification model to generate a score; adjusting the score based on the overflow vector; and providing the adjusted score to a consuming application or process).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ducau et al (WO 2020/030913) in view of Bartos (Pub. No. US 2019/0260775).

As per claims 1, 16, 19, Ducau discloses a computer-implemented method comprising: receiving an artifact (…receive an artifact…par. 1038); extracting features from the artifact and populating a vector (extract features from the file to generate a feature vector…see par. 1038, 1062); identifying features within buckets of the modified vector above a pre-determined projected bucket clipping threshold (…an evaluator can define one or more confidence classes or confidence buckets with defined ranges of confidence values…1073…the evaluator can be configured to use one or more confidence metrics to assess the performance of machine learning model…confidence metric can be a percentage or a fraction of the number of artifacts with confidence values higher than a high confidence threshold criterion of the total number artifacts…see par. 1073-1074); generating an overflow vector based on the identified features (see par. 1098); inputting the modified vector into a classification model to generate a score (…the set of artifacts can be received during different time periods such that each machine learning model (interpreted as classification model) is trained on a set of artifacts and tested or scored on a different set of artifacts received during time periods…see par. 1049); adjusting the score based on the overflow vector (see par. 1032, 1051); and providing the adjusted score to a consuming application or process (see par. 1098). Ducau does not explicitly disclose reducing features in the vector using a feature reduction operation to result in a modified vector having a plurality of buckets. However, Bartos discloses reducing features in the vector using a feature reduction operation to result in a modified vector having a plurality of buckets (…all buckets of the same type across all malware families may be merged into a “super-bucket”…see par. 57, 132).
Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Bartos in Ducau to include the above limitations, because one of ordinary skill in the art would recognize that doing so would improve the efficacy of the overall system by detecting malware, including finding previously undetected variants of existing malware (see Bartos, par. 143-144).





As per claims 2, 17, the combination of Ducau and Bartos discloses wherein the classification model characterizes the artifact as being malicious or benign to access, execute, or continue to execute (Ducau: see par. 1043).


As per claims 3, 18, 20, the combination of Ducau and Bartos discloses preventing access or execution of the artifact when the classification model characterizes the artifact as being malicious (Bartos: see par. 23-25). The motivation for claims 3, 18, 20 is the same motivation as in claims 1, 16, 19.


As per claim 4, the combination of Ducau and Bartos discloses wherein the classification model is a machine learning model trained using a training data set and providing a continuous scale output (Ducau: 1044-1045).


As per claim 5, the combination of Ducau and Bartos discloses wherein the machine learning model comprises one or more of: a logistic regression model, a neural network, a convolutional neural network, a recurrent neural network, a generative adversarial network, a support vector machine, a random forest (Ducau: 1045), or a Bayesian model.


As per claim 6, the combination of Ducau and Bartos discloses wherein the features comprise alphanumeric strings (Ducau: see par. 1041).


As per claim 7, the combination of Ducau and Bartos discloses inputting a plurality of vectorized malware samples into the classification model; obtaining a plurality of scores based on the inputted vectorized malware samples; and identifying, based on the classifications, buckets of the vectorized malware samples that influence the scores above the pre-determined threshold (Bartos: see par. 56-58, 132-134). The motivation for claim 7 is the same motivation as in claim 1.


As per claim 8, the combination of Ducau and Bartos discloses wherein the classification model is a machine learning-based penalty model trained using training data that is synthesized by stuffing strings into benign and malware samples and providing a continuous scale output (Ducau: 1044-1045).


As per claim 9, the combination of Ducau and Bartos discloses calculating, using the overflow vector, a broad overflow summation totaling a number of buckets having features exceeding the pre-determined projected bucket clipping threshold (Ducau: see par. 1073-1074).


As per claim 10, the combination of Ducau and Bartos discloses calculating, using the overflow vector, a weighted overflow summation in which certain buckets are weighted based on an empirical determination of how such buckets influence the score (Ducau: see par. 1073-1074).

As per claim 11, the combination of Ducau and Bartos discloses wherein the score is adjusted based on a heuristic applying the broad overflow summation and the weighted overflow summation (Ducau: see par. 1098).


As per claim 12, the combination of Ducau and Bartos discloses wherein the score is adjusted by inputting both of the broad overflow summation and the weighted overflow summation into a machine learning model (Ducau: see par. 1098).


As per claim 13, the combination of Ducau and Bartos discloses clipping features within the modified vector prior to generating the overflow vector (Ducau: see par. 1094-1095).


As per claim 14, the combination of Ducau and Bartos discloses wherein the feature reduction operation comprises random projection matrices (Ducau: see par. 1086).


As per claim 15, the combination of Ducau and Bartos discloses wherein the feature reduction operation comprises principal component analysis (Bartos: see par. 56-58, 132-134). The motivation for claim 15 is the same motivation as in claim 1.





Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to mitigating the effects of adversarial techniques such as score fuzzing and string stuffing, which can act to cause a machine learning model to misclassify a particular artifact.

Kenyon et al (Pub. No. US 2020/0302058); “Deferred Malware Scanning”;
- Teaches a threat management facility updating and enforcing policies at various levels of control…see par. 25-28.




Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea, can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/
Primary Examiner, Art Unit 2499