Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 are presented for examination. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kimon et al., hereafter Kimon (US Pat. App. Pub. 20200410091), in view of Joglekar et al., hereafter Joglekar (US Pat. App. Pub. 20210374027).
4.	As per claim 1, Kimon discloses a malware analysis server, comprising: a hardware platform comprising a processor and a memory; a machine learning model; a store of known objects previously classified by the machine learning model; and instructions encoded within the memory to instruct the processor to: receive a test sample; apply the machine learning model to the test sample to provide the test sample with classified features (paragraphs: 27, 30-32, 44, 55-58, and 60-61; wherein it emphasizes that a machine learning model previously classifies and stores known objects, then receives a new test sample and applies the MLM to the test sample to provide it with classified features); compute pairwise distances between the test sample and a set of known objects from the store of known objects; select a group of near neighbor samples from the set of known objects; select a group of far neighbor samples from the set of known objects; and generate an explanation for the test sample according to the near neighbor samples and far neighbor samples (paragraphs: 16, 33-37, 48-54, 59, and 62; wherein it elaborates computing the pairwise distance between the test sample and the known objects and selecting the difference between these two objects to generate a result). Although Kimon mentions a machine learning model, he does not specifically mention using an unsupervised machine learning model. However, in the same field of endeavor, Joglekar teaches using an unsupervised machine learning model to classify known objects (paragraphs: 71, 97, and 102).
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Joglekar’s teachings of using an unsupervised machine learning model to classify known objects with the teachings of Kimon, for the purpose of effectively protecting the computer instruction from unauthorized intruders.
5.	As per claim 2, Kimon discloses the malware analysis server, wherein the machine learning model is unsupervised (paragraphs: 14, 26, 41).
6.	As per claim 3, Kimon discloses the malware analysis server, wherein the hardware platform is a disaggregated hardware platform (paragraphs: 33, 48, 60).
7.	As per claim 4, Kimon discloses the malware analysis server, further comprising a virtualization or containerization layer (paragraphs: 23, 38, 50).
8.	As per claim 5, Kimon discloses the malware analysis server, wherein selecting the group of near neighbor samples comprises computing a minimum match threshold on one or more features (paragraphs: 15, 42, 54).
9.	As per claim 6, Kimon discloses the malware analysis server, wherein selecting the group of far neighbor samples comprises computing a maximum match threshold on one or more features (paragraphs: 32, 44, 49).
10.	As per claim 7, Kimon discloses the malware analysis server, wherein selecting the group of near neighbor or far neighbor samples comprises computing a composite distance from a plurality of features (paragraphs: 16, 29, 45).
11.	As per claim 8, Kimon discloses the malware analysis server, wherein selecting the group of near neighbor samples comprises selecting samples in a same cluster as the test sample (paragraphs: 24, 39, 51).
12.	As per claim 9, Kimon discloses the malware analysis server, wherein the cluster is part of a first supercluster (paragraphs: 31, 43, 55).
13.	As per claim 10, Kimon discloses the malware analysis server, wherein selecting the group of far neighbor samples comprises selecting samples from one or more superclusters different from the first supercluster (paragraphs: 13, 25, 28).
14.	As per claim 11, Kimon discloses the malware analysis server, wherein selecting the group of far neighbor samples comprises selecting samples from one or more other clusters within the first supercluster (paragraphs: 27, 53, 62).
15.	As per claim 12, Kimon discloses the malware analysis server, wherein the instructions are further to instruct the processor to generate a report comprising a meaning group explanation (paragraphs: 46, 56, 63).
16.	As per claim 13, Kimon discloses one or more tangible, non-transitory computer readable storage media having stored thereon executable instructions to instruct a processor to: analyze a test sample via machine learning model; compute pairwise distances to select a set of near neighbors from a set of known objects according to similar features (paragraphs: 27, 30-32, 44, 55-58, and 60-61); compute pairwise distances to select a set of far neighbors from the set of known objects according to dissimilar features; and generate a meaning group explanation report from the near neighbors and far neighbors (paragraphs: 16, 33-37, 48-54, 59, and 62). Although Kimon mentions a machine learning model, he does not specifically mention using an unsupervised machine learning model. However, in the same field of endeavor, Joglekar teaches using an unsupervised machine learning model to classify known objects (paragraphs: 71, 97, and 102).
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Joglekar’s teachings of using an unsupervised machine learning model to classify known objects with the teachings of Kimon, for the purpose of effectively protecting the computer instruction from unauthorized intruders.
17.	As per claim 14, Kimon discloses the one or more tangible, non-transitory computer readable storage media, wherein selecting the set of near neighbors or far neighbors further comprises computing a pairwise aggregate match score based on a combination of exact match features and approximate match features (paragraphs: 23, 36, 48).
18.	As per claim 15, Kimon discloses the one or more tangible, non-transitory computer readable storage media, wherein computing the pairwise aggregate match score comprises weighting features (paragraphs: 27, 42, 53).
19.	As per claim 16, Kimon discloses the one or more tangible, non-transitory computer readable storage media, wherein the instructions are further to instruct the processor to generate a report comprising a meaning group explanation (paragraphs: 29, 44, 56).
20.	As per claim 17, Kimon discloses the one or more tangible, non-transitory computer readable storage media, wherein the meaning group explanation comprises a very similar category with an explanation of very similar features (paragraphs: 24, 39, 55).
21.	As per claim 18, Kimon discloses the one or more tangible, non-transitory computer readable storage media, wherein the meaning group explanation comprises a very dissimilar category with an explanation of very dissimilar features (paragraphs: 32, 49, 60).
22.	As per claim 19, Kimon discloses a computer-implemented method of analyzing a binary test sample object via comparison to known objects, comprising: analyzing the test sample via machine learning to classify the test sample; comparing the test sample to a large set of known objects comprising computing pairwise feature distances between the test sample and the known objects (paragraphs: 27, 30-32, 44, 55-58, and 60-61); selecting a set of near neighbor objects according to a minimum threshold for pairwise feature distance; selecting a set of far neighbor objects according to a maximum threshold for pairwise feature distance; and generating a human-readable explainability report for the classification, including comparison with the near neighbor objects and contrast with the far neighbor objects (paragraphs: 16, 33-37, 48-54, 59, and 62). Although Kimon mentions a machine learning model, he does not specifically mention using an unsupervised machine learning model. However, in the same field of endeavor, Joglekar teaches using an unsupervised machine learning model to classify known objects (paragraphs: 71, 97, and 102).
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Joglekar’s teachings of using an unsupervised machine learning model to classify known objects with the teachings of Kimon, for the purpose of effectively protecting the computer instruction from unauthorized intruders.
23.	As per claim 20, Kimon discloses the method, wherein classifying the test sample further comprises analyzing the test sample according to an unsupervised machine learning model (paragraphs: 14, 26, 41).
Citation of References
24. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this Office action:
Zhu et al. (US Pat. App. Pub. 20210182387): discusses detecting anomalous behavior in an execution environment. A set of system events captured from a monitored computing system are received. Using the received system events, a model is then trained using machine learning. The model is trained to automatically extract one or more features for the received set of system events, wherein a system event feature is determined by a semantic analysis and represents a semantic relationship between or among a grouping of system events that are observed to co-occur in an observation sample. An observation sample is associated with an operating scenario that has occurred in the execution environment. Once trained, and using the features, the model is used to detect anomalous behavior. As an optimization, prior to training, the set of system events are pre-processed into a reduced set of system events.
Enfinger (US Pat. App. Pub. 20180183815): describes a process designed to detect malware without the requirement of malware signatures. The process relies upon converting a binary code file to an image. One or more machine learning techniques are used to classify the code as benign or malicious software.
Conclusion
25.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD W REZA whose telephone number is (571)272-6590.  The examiner can normally be reached on Monday-Friday 8:30-5:30 ET.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436