DETAILED ACTION
Claims 12-14 are presented on 05/02/2022 for examination on the merits. Claims 1-11 and 15-20 are cancelled by the Applicant on 05/02/2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would prefer that the Applicant submit two sets of claims:
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Election/Restrictions
Claims 1-11 and 15-20 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to nonelected Groups I and III (Claims 1-11 and 15-20), there being no allowable generic or linking claim. The Applicant has cancelled claims 1-11 and 15-20.
Applicant’s election without traverse of Group I (Claims 12-14) in the reply filed on 05/02/2022 is acknowledged.  It should be noted that the previously presented claims 12-14 should have been presented with complete text of the claims following the status mark(s).

Claim Objections
Claims 12 and 14 are objected to because of the following informalities: 
Claim 12 recites two instances of “the at least one computing processing engine with the at least one Machine Learning system module” in steps e and g, respectively.  This recitation is inconsistent with the same element for “at least one computing processing engine configured with at least one Machine Learning system module” as defined in step c and recited in steps d and f.  For formality reasons, appropriate correction is required.
Claim 14 recites the limitation “wherein the filtered data messages that do not decrypt successfully are placed in the at least one data store” that may informally mean that the filtered data messages that cannot be decrypted successfully are placed in the at least one data store. If this is the case, the Examiner suggests amending the limitation to “wherein the filtered data messages that are not decrypted successfully are placed in the at least one data store.”

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 12-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 12 recites the limitation for “retrieving the at least one Machine Learning Algorithms and Feature Sets Output” unclearly, because three components are involved in step g, namely (1) the at least one computing processing engine, (2) the at least one Machine Learning system module, and (3) the at least one Machine Learning Algorithms and Feature Sets model.  It is confusing which one of the three components performs the retrieving function in the claim.  It is also questionable whether both at least one Machine Learning Algorithms and Feature Sets Output are retrieved by the same component.
Claim 12 recites the limitation "place it in the at least one data store" in step h unclearly, because the Applicant fails to particularly point out what “it” represents.  It should be noted that the “at least one Evolving Malware Threats” as predicted in step h is in a plural form and thus cannot be reasonably interpreted as what the word “it” means in the claim.
Claim 13 recites the limitation “wherein the filter module comprises at least one decryption algorithm to check received data messages” unclearly, because it appears that the function of the at least one decryption algorithm should be decrypting the received data messages rather than checking.  It is also noted that the Applicant broadly defines “checking” without mentioning what criteria are checked.
Claim 14 recites the limitation “wherein the filtered data messages that do not decrypt successfully are placed in the at least one data store” unclearly, because of the missing object to be decrypted in the clause “that do not decrypt […] successfully.”  The Examiner suggests amending the limitation to “wherein the filtered data messages that are not decrypted successfully are placed in the at least one data store.”
Claims 13-14 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, because they depend from the rejected base claim 12.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Otvagin (US 10785255 B1; hereinafter “Otva”) in view of Vashisht (US 11227047 B1; hereinafter “Vash”).

As per claim 12, Otva teaches a method comprising: 
a. a filter module accepting a plurality of received data messages for filtering (Otva, as shown in FIG. 5A, the filtering (pre-analysis) logic 510 is a filter module accepting a plurality of received data messages; col. 18, lines 22-25: the pre-analysis (filtering) logic 510 records the UUID 211 along with the representative content 210 and the sensor ID 207 that are provided as part of the metadata 206 into the distributed data store 170₁); 
b. the filter module placing a plurality of filtered data messages from received data messages which fail a filter test into at least one data store (Otva, col. 18, lines 18-25: records the UUID 211 when the [analysis of] the representative content 210 fails); 
c. at least one computing processing engine configured with at least one Machine Learning system module reading the plurality of filtered data messages and breaking each into a plurality of message fragments and storing them as filtered data message fragments in the at least one data store (Otva, the Abstract, step (iii) places at least a portion of the metadata into a data store for subsequent use in retrieval of the suspicious object by the object analysis system; Otva discloses that metadata 202 and other metadata produced therefrom aggregated metadata 206 …are stored in the metadata data store 170 or 390 as shown in FIGS. 1 and 3, respectively); 
d. the at least one computing processing engine configured with the at least one Machine Learning system module reading the plurality of filtered data messages and the filtered data message fragments (Otva, col. 18, lines 1-4: [filtering] the UUID 211 and sensor ID 207 associated with the metadata 206.  Otva discloses using and/or machine-learning algorithms for data analysis; col. 26, lines 1-7); 
e. the at least one computing processing engine with the at least one Machine Learning system module comprised of at least one Machine Learning Algorithms and Feature Sets model, learning Malware Schema Features from filtered data messages and the filtered data message fragments; 
f. the at least one computing processing engine configured with the at least one Machine Learning system module storing a plurality of newly learned Malware Higher-Level Schema Features, and storing at least one Machine Learning Algorithms and Feature Sets Output in the at least one data store (Otva, col. 25, lines 49-67: inspect information associated with the suspicious object 204 using logic models 730 for anomalies in characteristics such as formatting anomalies for example… including the object's name, type, size, path, or protocols); 
While Otva contemplates how to determine whether the likelihood of the suspicious object being associated with malware (see col. 4, lines 24-36), Otva does not explicitly disclose a step of retrieving a machine learning algorithms and feature sets output to predict malware threats.  This aspect of the claim is identified as a difference.
In a related art, Vash teaches: 
g. the at least one computing processing engine with the at least one Machine Learning system module configured with the at least one Machine Learning Algorithms and Feature Sets model retrieving the at least one Machine Learning Algorithms and Feature Sets Output to predict at least one Evolving Malware Threats (Vash, col. 5, lines 30-50: CDS 123 can send a signal to cybersecurity detection engine 105 to change the configuration of the first machine learning model…to change the configuration of the second machine learning model from learning mode to active mode … for better prediction; col. 8, lines 57-67); and 
h. the at least one computing processing engine configured with the at least one Machine Learning system module to predict the at least one Evolving Malware Threats, and place it in the at least one data store (Vash, col. 3, lines 53-63: tuning machine learning models at a pace demanded by the cybersecurity threat landscape, which is evolving… automated deployment of finely-tuned machine learning models, regulated based on datasets collected from multiple and distributed compute devices, ensuring that an optimal (or near optimal) cyber threat detection system is continuously operating).
Otva and Vash are analogous art, because they are in a similar field of endeavor in improving the detection of malware threats.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Otva by Vash’s techniques of selecting machine learning algorithms and output features to predict malware threats.  For this combination, the motivation would have been to improve the accuracy of prediction by using finely-tuned machine learning models.

Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Otva and Vash, as applied to claim 12, and further in view of Jakobsson (US 11102244 B1; hereinafter “Jakob”).

As per claim 13, the references of Otva and Vash as combined above teach the method of claim 12 but do not explicitly disclose using a decryption algorithm to check received data messages. This aspect of the claim is identified as a further difference.
In a related art, Jakob teaches:
wherein the filter module comprises at least one decryption algorithm to check received data messages (Jakob, col. 38, lines 40-44: the decrypted content is analyzed for security threats prior to allowing the user access to the decrypted content; col. 38, lines 63-66: causes the decryption of the encrypted file, which is then analyzed for security risks).
Jakob is analogous art to the claimed invention in a similar field of endeavor in improving the detection of malicious threats using machine learning techniques.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify the Otva-Vash system with Jakob’s technique of encrypting data messages before data analysis. For this combination, the motivation would have been to improve the level of security and automatically prevent the end-user from accessing the data message before risks of threats are evaluated.

As per claim 14, the references of Otva and Vash as combined above teach the method of claim 12 but do not explicitly disclose that the filtered data messages that do not decrypt successfully are placed in the at least one data store. This aspect of the claim is identified as a further difference.
In a related art, Jakob teaches:
wherein the filtered data messages that do not decrypt successfully are placed in the at least one data store (Jakob, col. 39, lines 22-29: If a security threat is detected, the user may not be allowed access to the decrypted content…moving the message … to a different folder, preventing access to a portion of the message).
Jakob is analogous art to the claimed invention in a similar field of endeavor in improving the detection of malicious threats using machine learning techniques.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify the Otva-Vash system with Jakob’s technique of tentatively storing encrypted data messages before data analysis. For this combination, the motivation would have been to facilitate the threat analysis by storing unknown data messages in encrypted form and automatically preventing the end-user from accessing the data message before risks of threats are evaluated.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493
06/14/2022