DETAILED ACTION
This Office Action is in response to the application 16/679,765 filed on November 11th, 2019.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending and herein considered.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 11/20/2019, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Wesson, U.S. Patent Number 10,546,143, in view of Liu et al. (Liu), U.S. Pub. Number 2016/0021141.
Regarding claim 13; Wesson discloses a non-transitory computer readable medium comprising computer instructions capable of being executed in a processor of a clustering server of an automated malware analysis system (col. 4, line 48; fig. 2; a clustered file system (CFS).), the computer instructions configured to:
receive from a sandbox server sandbox analysis reports of similar malware samples at an application programming interface (API) of the clustering server for automatically clustering the sandbox analysis reports of the similar malware samples (col. 3, line 64 – col. 4, line 12; data analysis platform 102 is configured to perform analysis on the files it receives, provide files to sandbox service 106 and scan service 108 for additional processing and to receive reports back from those services; sandbox service 106 is configured to execute the samples it receives in a sandbox, and observe or record any potentially malicious actions the samples take.);
cluster the sandbox analysis reports of events based on the URL clustering, static properties of the malware samples and dynamic properties of the malware samples (col. 13, lines 18-65; region of the report indicates that a total of 788 of the samples analyzed by platform share a cluster identifier; portions of two different reports, appearing in region is an example of a report obtainable by clicking on region in report; as indicated in region of the engines that evaluated the sample, 56 of the engines considered it to be malicious.); and
send a plurality of sandbox reports clusters from the clustering server to the sandbox server so that an analyst can focus only on one event per cluster and quickly verify correctness of a same decision for all similar events in a same cluster (col. 18, lines 16-46; processing can be triggered by causing the sample to be transmitted to services for further evaluation, generating an alert; providing a result after thorough analysis (e.g., subjecting the sample to analysis by services and waiting results); providing a verdict back to agent (e.g., malicious or not) by leveraging information previously ascertained from previously seen samples.).
Wesson fails to explicitly disclose cluster similar Uniform Resource Locators (URLs) together.
However, in the same field of endeavor, Liu discloses rating network security posture and comparing network maliciousness comprising cluster similar Uniform Resource Locators (URLs) together (Liu: par. 0034; IP address may be grouped by AS type, country of origin to determine an overall network maliciousness for a respective network level entity.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Liu into the system and method of Wesson comprising cluster similar Uniform Resource Locators (URLs) together to determine susceptibility to malicious attacks and determine a similarity in malicious activity between different networks (Liu: par. 0003).
Regarding claim 14; Wesson and Liu disclose the non-transitory computer readable medium according to claim 13, wherein Liu further discloses the clustering similar Uniform Resource Locators (URLs) together comprises: performing text encoding to soft cluster the similar URLs; performing feature extraction after the text encoding; and performing a Gaussian mixture model (GMM) based soft clustering of the similar URLs after the feature extraction (Liu: pars. 0202-0204; the analysis more tractable by assuming that A’s and S’s follow an isometric Gaussian distribution; by plugging in the multivariate Gaussian distribution in Eqn. A4, each term i appears in an argument of an exponential function; to solve the MAP problem, these terms need to be minimized.).
Regarding claim 15; Wesson and Liu disclose the non-transitory computer readable medium according to claim 14, wherein Liu further discloses the clustering the sandbox analysis reports of events comprises: determining an event feature matrix from the clustered URLs; determining a Gower's distance matrix from the event feature matrix; and performing a density-based spatial clustering after determining the Gower’s distance matrix (Liu: pars. 0063, 0147; collectively, [X, d, f] from the feature vector set, or a feature matrix, to capture the dynamic behavior in the respective aggregate signal; A3 denotes an exemplary AS-distance similarity matrix; such a matrix entry A3(i, j)=K/h(i, j).).
Regarding claim 16; Wesson and Liu disclose the non-transitory computer readable medium according to claim 14, wherein Wesson further discloses the performing text encoding comprises: given a URL, tokenizing the URL using a character dictionary such that this tokenization is used as input to an auto encoder network (Wesson: col. 16, lines 1-19; a hashing operation is performed; hashing engine performs an LSH hashing operation on the locus; additional processing can be performed in conjunction with process or portions such as sending the sample to services and associating the sample with the result of the LSH hash in a repository.).
Regarding claim 17; Wesson and Liu disclose the non-transitory computer readable medium according to claim 14, wherein Liu further discloses the performing feature extraction comprises: extracting a features matrix (Liu: par. 0067; the feature vector representation has linear complexity O(N) since the vector is extracted for each aggregate signal independently.).
Regarding claim 18; Wesson and Liu disclose the non-transitory computer readable medium according to claim 13, wherein Wesson further discloses the clustering the sandbox analysis reports of events comprises: using the clustering of URLs as features for clustering the sandbox analysis reports (Wesson: col. 6, lines 21-25; previously unseen samples (i.e., based on the MD5 value not being present in repository) are dispatched, in parallel with the processing performed by platform, to scan service, and sandbox service.).
Regarding claim 19; Wesson and Liu disclose the non-transitory computer readable medium according to claim 15, wherein Liu further discloses the determining a Gower’s distance matrix comprises: using a Gower’s distance for calculating the Gower’s distance matrix (Liu: par. 0122; using the same adjacency information, calculating the shortest path between any pair of prefixes, its length is then taken to be their AS distance.).
Regarding claim 20; Wesson and Liu disclose the non-transitory computer readable medium according to claim 15, wherein Liu further discloses the performing a density-based spatial clustering comprises: determining final clustering of events using the density-based spatial clustering (Liu: par. 0152 & 0159; the set of spatial features may be correlated with the observed matrices through this hidden similarity matrix H; result in an inference of various spatial features as the aggregated signal is sampled at each month throughout the sampling period.).
Regarding claim 1; Claim 1 is directed to an automated malware analysis system which has similar scope as claim 13. Therefore, claim 1 remains un-patentable for the same reasons.
Regarding claims 2-12; Claims 2-12 are directed to the system of claim 1 which have similar scope as claims 14-20. Therefore, claims 2-12 remain un-patentable for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087.  The examiner can normally be reached on 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KHOI V LE/
Primary Examiner, Art Unit 2436