Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 6, 11 and 16 are rejected on the ground of nonstatutory Obviousness-Type double patenting as being unpatentable over claims 1, 7, 15 and 22 of Patent No. 10,733,294. 
Claims 1, 7, 15 and 22 of Patent No. 10,733,294 contain every element of claims 1, 6, 11 and 16 of the instant application (see table below) and as such anticipate claims 1, 6, 11 and 16 of the instant application.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “  ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED:  May 30, 2001).
16983468
10,733,294


1. A malware detection system for preventing evasion attacks, the malware detection system comprising:
one or more processors coupled to a memory device, the memory device including instructions which, when executed by the one or more processors, cause the one or more processors to:
create a dictionary of samples having classes from training data, wherein the training data includes data labeled as malware or benign;
receive testing data, wherein the testing data is unlabeled as malware or benign;
select a sparse classification system based on determining that a feature of the testing data has been added, removed, or contaminated;



determine sparse coefficients for the testing data using the dictionary of samples;

classify the testing data as malware or benign using the sparse coefficients and the classes of respective samples according to a sparse classification of the sparse classification system; and
output the sparse classification.



1. A malware detection system for preventing evasion attacks, the malware detection system comprising:
one or more processors coupled to a memory device, the memory device containing instructions which, when executed by the one or more processors, cause the one or more processors to:
create a dictionary of samples having classes from training data, wherein the training data includes data labeled as malware or benign;
receive testing data, wherein the testing data is unlabeled as malware or benign;
select, from a standard classification system, a sparse classification system, or a semi-supervised classification system, the sparse classification system based on determining that a feature of the testing data has been added, removed, or contaminated;
determine, based on selecting the sparse classification system, sparse coefficients for the testing data using the dictionary of samples;
classify the testing data as malware or benign using the sparse coefficients and the classes of respective samples according to a sparse classification; and

output the sparse classification.
6. At least one non-transitory machine-readable medium including instructions for preventing evasion attacks on a malware detection system, which when executed by a machine, cause the machine to:
create a dictionary of samples having classes from training data, wherein the training data includes data labeled as malware or benign;
receive testing data, wherein the testing data is unlabeled as malware or benign;
select a sparse classification system based on determining that a feature of the testing data has been added, removed, or contaminated;



determine sparse coefficients for the testing data using the dictionary of samples;


classify the testing data as malware or benign using the sparse coefficients and the classes of respective samples according to a sparse classification of the sparse classification system; and
output the sparse classification.

7. At least one non-transitory machine-readable medium including instructions for preventing evasion attacks on a malware detection system, which when executed by a machine, cause the machine to:
create a dictionary of samples having classes from training data, wherein the training data includes data labeled as malware or benign;
receive testing data, wherein the testing data is unlabeled as malware or benign;
select, from a standard classification system, a sparse classification system, or a semi-supervised classification system, the sparse classification system based on determining that a feature of the testing data has been added, removed, or contaminated;
determine, based on selecting the sparse classification system, sparse coefficients for the testing data using the dictionary of samples;

classify the testing data as malware or benign using the sparse coefficients and the classes of respective samples according to a sparse classification; and


output the sparse classification.
11. A malware detection system for preventing evasion attacks, the malware detection system comprising:
one or more processors coupled to a memory device, the memory device including instructions which, when executed by the one or more processors, cause the one or more processors to:
receive training data and testing data, wherein the training data includes data labeled as malware or benign and wherein the testing data is unlabeled as malware or benign;
select a semi-supervised classification system based on determining that a proportion of training data to testing data is below a threshold;




estimate model parameters for a combination of the training data and the testing data using a conditional expectation maximization function;


select a closest fitted model using the estimated model parameters;
determine a likelihood of at least one file of the testing data being malware or benign using the closest fitted model;
classify the at least one file based on the likelihood according to a semi-supervised classification of the semi-supervised classification system; and
output the semi-supervised classification.
15. A malware detection system for preventing evasion attacks, the malware detection system comprising:
one or more processors coupled to a memory device, the memory device containing instructions which, when executed by the one or more processors, cause the one or more processors to:
receive training data and testing data, wherein the training data includes data labeled as malware or benign and wherein the testing data is unlabeled as malware or benign;
select, from a standard classification system, a sparse classification system, or a semi-supervised classification system, the semi-supervised classification system based on determining a number of instances of the testing data is larger than a number of instances of the training data;
estimate, based on selecting the semi-supervised classification system, model parameters for the training data and the testing data using a conditional expectation maximization function;
select a closest fitted model using the estimated model parameters; and
determine a likelihood of at least one file of the testing data being malware or benign using the closest fitted model;
classify the at least one file based on the likelihood according to a semi-supervised classification; and

output the semi-supervised classification.

16. At least one non-transitory machine-readable medium including instructions for preventing evasion attacks on a malware detection system, which when executed by a machine, cause the machine to:
receive training data and testing data, wherein the training data includes data labeled as malware or benign and wherein the testing data is unlabeled as malware or benign;
select a semi-supervised classification system based on determining that a proportion of training data to testing data is below a threshold;




estimate model parameters for a combination of the training data and the testing data using a conditional expectation maximization function;


select a closest fitted model using the estimated model parameters;
determine a likelihood of at least one file of the testing data being malware or benign using the closest fitted model;
classify the at least one file based on the likelihood according to a semi-supervised classification of the semi-supervised classification system; and
output the semi-supervised classification.

22. At least one non-transitory machine-readable medium including instructions for preventing evasion attacks on a malware detection system, which when executed by a machine, cause the machine to:
receive training data and testing data, wherein the training data includes data labeled as malware or benign and wherein the testing data is unlabeled as malware or benign;
select, from a standard classification system, a sparse classification system, or a semi-supervised classification system, the semi-supervised classification system based on determining a number of instances of the testing data is larger than a number of instances of the training data;

estimate, based on selecting the semi-supervised classification system, model parameters for the training data and the testing data using a conditional expectation maximization function;
select a closest fitted model using the estimated model parameters;
determine a likelihood of at least one file of the testing data being malware or benign using the closest fitted model;
classify the at least one file based on the likelihood according to a semi-supervised classification; and

output the semi-supervised classification.




Allowable Subject Matter
Claims 1-20 would be allowable if the double patent rejection, set forth in this Office action, are overcome.  
The present application is a continuation of parent application no. 15/700,489, filed 09/11/2017, now U.S. Patent No. 10,733,294 (hereinafter application’ 294). 
Each independent claims 1, 6, 11 and 16, when compared with the ‘parent application’ 294, are found to be broader in scope than the respective independent claims 1, 7, 15 and 22 of the parent application’ 294.  However, the inventive concept of the instant application is still the same as the ‘parent application’ 294.   Specifically, the cited prior art on record does not specifically disclose, teach or suggest as a whole the limitation “create a dictionary of samples having classes from training data, wherein the training data includes data labeled as malware or benign; receive testing data, wherein the testing data is unlabeled as malware or benign; select a sparse classification system based on determining that a feature of the testing data has been added, removed, or contaminated; determine sparse coefficients for the testing data using the dictionary of samples; classify the testing data as malware or benign using the sparse coefficients and the classes of respective samples according to a sparse classification of the sparse classification system” including all the other limitation recited in the independent claims.
The limitations of the independent claims were searched, but did not result in any applicable prior art.  After further consideration, each of the independent claims as a whole are allowable.  
Dependent claims 2-5, 7-10, 12-15 and 17-20 are also allowable for incorporating the allowable feature recited in the independent claims. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on Monday-Friday 8:00am-5:00pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MENG LI/Primary Examiner, Art Unit 2437