Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 3/31/2020.
Claims 1-18 have been examined.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/1/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 6-10, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Lan et al. (US Patent Number 10,546,123).

Regarding claims 1 and 10, Lan disclosed a method comprising: 
receiving, by a processing resource of a computer system, a potential malware sample (Lan Col. 8 Line 1 – Col. 9 Line 45, for example); 
extracting, by the processing resource, a plurality of feature vectors from the potential malware sample, wherein the plurality of feature vectors represent values of static features of the potential malware sample (Lan Col. 6 Line 33 – Col. 7 Line 67 for example); 
converting, by the processing resource, the plurality of feature vectors into an input vector (Lan Col. 6 Line 33 – Col. 7 Line 67 for example); 
generating, by the processing resource, a sequence by walking a plurality of decision trees based on the input vector, wherein the plurality of decision trees are associated with a machine-learning model that has been trained based on the static features of a set of known malware samples (Lan Col. 8 Line 1 – Col. 9 Line 45, for example); 
calculating, by the processing resource, a hash value for the sequence (Lan Col. 8 Line 1 – Col. 9 Line 45, for example); 
determining, by the processing resource, whether the hash value matches a malware hash value of a plurality of malware hash values corresponding to a known malware sample of the set of known malware samples (Lan Col. 8 Line 1 – Col. 9 Line 45, for example); and 
when said determining is affirmative, classifying, by the processing resource, the potential malware sample as malware and associating the malware with a malware family of the known malware sample (Lan Col. 8 Line 1 – Col. 9 Line 45, for example), but Lan did not explicitly teach that the sequence is a byte sequence.
However, it was well known in the art of computing to represent data as sequences of bytes, and as such it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have represented the node patterns as byte sequences in the system of Lan.  This would have been obvious because the person having ordinary skill in the art would have been motivated to provide a typical data representation means when generating the node patterns.
Regarding claims 6 and 15, Lan taught that when the hash value of the malware matches to at least one of the malware hash value of the plurality of malware hash values corresponding to the at least one of known malware sample of the set of known malware samples, associating, by the processing resource, the malware with the malware family of the matched at least one of known malware sample (Lan Col. 8 Line 1 – Col. 9 Line 45, for example).
Regarding claims 7 and 16, Lan taught that the hash value is calculated by concatenating the generated byte sequence to form a unique predefined byte sequence (Lan Col. 8 Line 1 – Col. 9 Line 45, for example).
Regarding claims 8 and 17, Lan taught that the plurality of feature vectors comprises any or a combination of entry point information, an import table, resource information, a DOTNET structural data, and a set of text strings pertaining to the potential malware sample (Lan Col. 6 Line 33 – Col. 7 Line 67 for example).
Regarding claims 9 and 18, Lan taught that the processing resource is configured on a cloud based service (Lan Col. 14 Lines 47-56).
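For readers following the technique recited in claims 1 and 10 and the concatenation of claims 7 and 16, the sketch below is an added illustration and is not taken from the application, from Lan, or from this Office action. The three-tree forest, the one-byte-per-tree leaf encoding, the use of SHA-256, the feature layout, and the family name are all assumptions constructed for the example.

```python
import hashlib

# Constructed toy forest (assumption). Internal node: (feature index,
# threshold, left, right). Leaf: an int leaf id in 0-255.
FOREST = [
    (0, 0.5, 0, (1, 3.0, 1, 2)),
    (2, 10.0, (1, 1.0, 0, 1), 2),
    (3, 0.5, 0, 1),
]

def to_input_vector(feature_vectors):
    """Flatten the per-feature static vectors into one input vector."""
    return [float(v) for vec in feature_vectors for v in vec]

def walk(tree, x):
    """Walk one tree and return the id of the leaf reached."""
    node = tree
    while not isinstance(node, int):
        feat, thresh, left, right = node
        node = left if x[feat] <= thresh else right
    return node

def sequence_for(x, forest=FOREST):
    """Concatenate, in tree order, one byte per tree: the leaf id reached."""
    return bytes(walk(t, x) for t in forest)

def sequence_hash(x):
    return hashlib.sha256(sequence_for(x)).hexdigest()

def build_index(known):
    """Map sequence hash -> family for labelled known samples."""
    return {sequence_hash(to_input_vector(fv)): fam for fam, fv in known}

def classify(feature_vectors, index):
    fam = index.get(sequence_hash(to_input_vector(feature_vectors)))
    return ("malware", fam) if fam else ("unknown", None)

# Constructed samples: [entry-point flag], [import count, string count], [.NET flag]
KNOWN = [("ExampleFamilyA", [[1], [4, 12], [0]])]
VARIANT = [[1], [7, 30], [0]]   # different raw values, same leaves
OTHER = [[0], [1, 2], [1]]      # lands on different leaves
INDEX = build_index(KNOWN)

if __name__ == "__main__":
    print(classify(VARIANT, INDEX), classify(OTHER, INDEX))
```

Because the lookup is an exact hash match, a sample that reaches a different leaf in even one tree produces a different hash and is not associated with the family.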
Allowable Subject Matter
Claims 2-5 and 11-14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Claims 1, 6-10, and 15-18 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 8,375,450 taught a zero day malware scanner which utilized decision trees generated through machine learning of known malware files to analyze suspect files, but did not teach or suggest generating a byte sequence from a plurality of decision trees and hashing the byte sequence to create a hash for comparing with other hashes of known malware.
Bayer et al., "Scalable, Behavior-Based Malware Clustering" taught one example of using locality sensitive hashing for malware clustering.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday-Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491