DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a Non-Final Office Action in response to the communication filed on April 19, 2019.
Claims 1-20 have been examined.


Drawings
The drawings filed on April 19, 2019 are acceptable for examination proceedings.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on July 16, 2019 was filed after the mailing date of the application 16/389710 on April 19, 2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112 
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Examiner has identified the following probable lack of antecedent basis in claims 1-20 and proposes correction to the issues as follows:

1. A method of identifying malicious activity in a sequence of computer instructions, comprising: 
providing the sequence of computer instructions into a recurrent neural network configured to provide an output based on both a current instruction being input and at least one prior instruction in a sequence; 
evaluating the provided sequence of computer instructions in the recurrent neural network at multiple points within the sequence; and 
providing a subsequent output indicating whether the recurrent neural network has determined the of computer instructions to that point is likely malicious.  

2. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein the output is a variable indicating a determined likelihood of the  of computer instructions to that point being malicious.

3. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein a point in the sequence of computer instructions where the output indicates the of computer instructions is malicious indicates a portion of the sequence of computer instructions likely to be malicious.

4. The method of identifying malicious activity in the sequence of computer instructions of claim 1, further comprising at least one of blocking installation of the of computer instructions once the output indicates the of computer instructions is likely malicious or blocking execution of the of computer instructions once the output indicates the of computer instructions is likely malicious.

5. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network.

6. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein the recurrent neural network evaluates the provided sequence of computer instructions for malicious activity on an end-user device.

7. The method of identifying malicious activity in the sequence of computer instructions of claim 6, wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity on a service provider device different from the end-user device.

8. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by using a loss function indicating an output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence.

9. The method of identifying malicious activity in the sequence of computer instructions of claim 1, wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by establishing an output threshold for which a false positive rate is acceptable.

10. A method of creating a recurrent neural network operable to identify malicious activity in a sequence of computer instructions, comprising: 
providing a training sequence of computer instructions and an expected output based on both a current instruction being input and at least one prior instruction in a sequence, the expected output indicating whether the training sequence of computer instructions to that point in the sequence are malicious; 
providing an error signal to the recurrent neural network based on a difference between the expected output and an actual output of the recurrent neural network to that point in the sequence; and
DocID: 4822-3857-3704.116 Inventors: Petr Gronit Docket No. 517284.10357 Title: Neural Network Detection of Malicious Activity
modifying the recurrent neural network to reduce the difference between the expected output and the actual output, thereby training the recurrent neural network to identify whether the sequence of computer instructions is likely malicious.  

11. The method of creating the recurrent neural network operable to identify malicious activity in the sequence of computer instructions of claim 10, wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises backpropagation of the difference between the expected output and the actual output.

12. The method of creating the recurrent neural network operable to identify malicious activity in the sequence of computer instructions of claim 10, wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises training the output at the point in the sequence of computer instructions that results in an output having the maximum prediction level for the sequence.

13. The method of creating the recurrent neural network operable to identify malicious activity in the sequence of computer instructions of claim 10, wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network.

14. The method of creating the recurrent neural network operable to identify malicious activity in the sequence of computer instructions of claim 10, further comprising configuring the recurrent neural network to evaluate the malicious activity on an end-user device different from the computerized device on which the recurrent neural network is trained.

15. The method of creating the recurrent neural network operable to identify malicious activity in the sequence of computer instructions of claim 10, wherein the recurrent neural network is trained to evaluate the a false positive rate is acceptable.


16. A computerized device configured to identify malicious activity in a sequence of computer instructions, comprising: 
a sequence of computer application instructions executable on the computerized device; 
a recurrent neural network malware evaluation module executing on the computerized device, and operable to evaluate the sequence of computer application instructions and to provide an output based on both a current instruction being input and at least one prior instruction in a sequence; 
wherein the of computer instructions to that point is likely malicious.  

17. The computerized device configured to identify malicious activity in the sequence of computer instructions of claim 16, wherein the output is a variable indicating a determined likelihood of the of computer instructions to that point being malicious.

18. The computerized device configured to identify malicious activity in the sequence of computer instructions of claim 16, wherein the point in the sequence of computer instructions where the output indicates the of computer instructions is malicious indicates the portion of the sequence likely to be malicious.

19. The computerized device configured to identify malicious activity in the sequence of computer instructions of claim 16, further comprising at least one of blocking installation of the of computer instructions once the output indicates the of computer instructions is likely malicious or blocking execution of the of computer instructions once the output indicates the of computer instructions is likely malicious.

20. The computerized device configured to identify malicious activity in the sequence of computer instructions of claim 16, wherein the recurrent neural network is trained to evaluate the an output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence.
Appropriate correction is requested.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 3, 4, 10, 16, 18, 19 are rejected under 35 U.S.C. 112(b)  or pre-AIA  35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The term “likely” in claims 1, 3, 4, 10, 16, 18, 19 is a relative term which renders the claim indefinite. The term “likely” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. 
Appropriate correction is requested.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed to software per se.
Note: although the preamble discloses a “computerized device configured to” in the independent claim 16, the body of the independent claim 16 discloses “instructions executable on the device”, which fails to positively recite that the device executes the instructions. The claim can be fixed by actively reciting the “computerized device” in the body of the claim.
Dependent claims 17-20 inherit the deficiencies of the base claim 16, since the body of the claims fails to positively recite instructions performed by the device; therefore, they are rejected under 35 USC § 101 by virtue of their dependency.


Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Smyth et al. (U.S. Patent Application Publication No.: US 2018/0285740 A1, or “Smyth” hereinafter).

Regarding claim 1, Smyth discloses “A method of identifying malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code): 
“providing the sequence of computer instructions into a recurrent neural network configured to provide an output based on both the current instruction being input and at least one prior instruction in the sequence” (Para 0111, determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”); 
“evaluating the provided sequence of computer instructions in the recurrent neural network at multiple points within the sequence” (Para 0111, 0120: determines if the portion of a code segment is malicious);
“and providing an output indicating whether the network has determined the code sequence to that point is likely malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious; and Para 0121: an output provided based on the one decision).

Regarding claim 2, in view of claim 1, Smyth discloses “wherein the output is a variable indicating a determined likelihood of the code sequence to that point being malicious” (Para 0092).

Regarding claim 3, in view of claim 1, Smyth discloses “wherein the point in the sequence of computer instructions where the output indicates the code sequence is malicious indicates the portion of the sequence likely to be malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious).

Regarding claim 4, in view of claim 1, Smyth discloses “further comprising at least one of blocking installation of the code sequence once the output indicates the code sequence is likely malicious or blocking execution of the code sequence once the output indicates the code sequence is likely malicious” (Para 0122, block code from executing).

Regarding claim 5, in view of claim 1, Smyth discloses “wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network” (Para 0092: discloses use of LSTM and GRU in the RNN).

Regarding claim 6, in view of claim 1, Smyth discloses “wherein the recurrent neural network evaluates the provided sequence of computer instructions for malicious activity on an end-user device” (Para 0117: the system 10 i.e., the malicious code detection system resides on the computing device itself i.e., an “end-user device”).

Regarding claim 7, in view of claim 6, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity on a service provider device different from the end-user device” (Para 0117: inspects code segments received over the internet or intranet).

Regarding claim 8, in view of claim 1, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by using a loss function indicating the output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence” (Para 0154-0158: use of loss function).

Regarding claim 9, in view of claim 1, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by establishing an output threshold for which the false positive rate is acceptable” (Para 0123, 0174: determines false positive).

Regarding claim 10, Smyth discloses “A method of creating a recurrent neural network operable to identify malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code; and Para 0083, training is performed):  
“providing a training sequence of computer instructions and an expected output based on both the current instruction being input and at least one prior instruction in the sequence, the expected output indicating whether the training sequence of computer instructions to that point in the sequence are malicious” (Para 0083, 0148: training is performed; and Para 0111: determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”);
“providing an error signal to the recurrent neural network based on the difference between the expected output and the actual output of the recurrent neural network to that point in the sequence” (Para 0090, errors are corrected using back propagation; and Para 0111, 0120: determines if the portion of a code segment is malicious); 
“and modifying the recurrent neural network to reduce the difference between the expected output and the actual output, thereby training the recurrent neural network to identify whether a code sequence is likely malicious” (Para 0079: retrains the model).

Regarding claim 11, in view of claim 10, Smyth discloses “wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises backpropagation of the difference between the expected output and the actual output” (Para 0090: discloses back propagation).

Regarding claim 12, in view of claim 10, Smyth discloses “wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises training the output at the point in the sequence of computer instructions that results in an output having the maximum prediction level for the sequence” (Para 0090: discloses back propagation; and Para 0079: retrains the model).

Regarding claim 13, in view of claim 10, Smyth discloses “wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network” (Para 0092: discloses use of LSTM and GRU in the RNN).

Regarding claim 14, in view of claim 10, Smyth discloses “further comprising configuring the recurrent neural network to evaluate the provided sequence of computer instructions for malicious activity on an end-user device different from the computerized device on which the recurrent neural network is trained” (Para 0117: the system 10 i.e., the malicious code detection system resides on the computing device itself i.e., an “end-user device”).

Regarding claim 15, in view of claim 10, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by establishing an output threshold for which the false positive rate is acceptable” (Para 0123, 0174: determines false positive).

Regarding claim 16, Smyth discloses “A computerized device configured to identify malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code):  
“a sequence of computer application instructions executable on the computerized device” (Para 0100, sequence of characters or instruction; and Para 0092); 
“a recurrent neural network malware evaluation module executing on the computerized device, and operable to evaluate the sequence of computer application instructions and to provide an output based on both the current instruction being input and at least one prior instruction in the sequence” (Para 0111, determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”);  
“wherein the provided sequence of computer instructions is evaluated in the recurrent neural network malware evaluation module at multiple points within the provided sequence of computer instructions” (Para 0111, 0120: determines if the portion of a code segment is malicious), 
“and the output of the recurrent neural network malware evaluation module indicates whether the code sequence to that point is likely malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious; and Para 0121: an output provided based on the one decision).

Regarding claim 17, in view of claim 16, Smyth discloses “wherein the output is a variable indicating a determined likelihood of the code sequence to that point being malicious” (see rejection of claim 2).

Regarding claim 18, in view of claim 16, Smyth discloses “wherein the point in the sequence of computer instructions where the output indicates the code sequence is malicious indicates the portion of the sequence likely to be malicious” (see rejection of claim 3).

Regarding claim 19, in view of claim 16, Smyth discloses “further comprising at least one of blocking installation of the code sequence once the output indicates the code sequence is likely malicious or blocking execution of the code sequence once the output indicates the code sequence is likely malicious” (see rejection of claim 4).

Regarding claim 20, in view of claim 16, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by using a loss function indicating the output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence” (see rejection of claim 8).


Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Olabiyi et al. (US 2018/0053108 A1) discloses:
[0109] In some implementations, the prediction network 705 may include a forward sequence processor 709, a backward sequence processor 711, a temporal fusion processor 713, and a classifier 715. Each processor 709, 711, and 713 may comprise one or more cascaded recurrent neural network units or RNN cells 707. Each of the RNN cells 707a, 707b, 707c, 707d, 707e, and/or 707n may be, for example, a basic RNN, long-short time memory (LSTM) RNN, or a gated RNN unit (GRU) cell.

Elkind et al. (U.S. Patent Application Publication No.: US 2019/0273510 A1) discloses: 
[0080] In one example, the RNN is a Gated Recurrent Unit (GRU). Alternatively, the RNN may be a Long Short Term Memory (LSTM) network. …. RNNs allow for the sequential analysis of varying lengths (or multiple samples) of data such as executable code. The RNNs used in the examples are not limited to a fixed set of parameters or signatures for the malicious code, and allow for the analysis of any variable length source data.


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is (571) 270-3392. The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431