Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s Preliminary Amendment filed on 16 October 2020. Claim 1 has been canceled. Claims 2-21 have been added. Claims 2-21 remain pending. 


Continued Examination Under 37 CFR 1.114
4.	This application is a continuation of Serial No. 14/658,808 filed on 16 March 2015, which is now US Patent No. 10,708,296 issued on 07 July 2020.


Double Patenting
5.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
6.	Claims 2-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 10,708,296. Although the claims at issue are not identical, they are not patentably distinct from each other because the scope of the claims is the same for the instant application and the issued application. Each claim recites classifying a behavior of a file as anomalous or non-anomalous based on an execution graph, generating a classifier based on the particular feature set, determining that the classifier is below a threshold, and modifying the particular feature set such that a regenerated classifier based on the modified particular feature set meets or exceeds the threshold.
7. 	Claims 1-17 of US Patent No. 10,708,296 contain every element of claims 2-21 of the instant application and as such anticipate claims 2-21 of the instant application. Claims of the instant application are effectively a subset of the claims in the patent. Thus, the entire scope of the patent reference claim falls within the scope of the examined claim. Therefore, a patent to the instant applicant would improperly extend the right to exclude granted by a patent.
8. 	"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-21 are rejected under 35 U.S.C. 103 as being unpatentable over Titonis et al. (Pub No. 2013/0097706) in view of Gu et al. (Pub No. 2009/0172815).
Referring to the rejection of claim 2, Titonis et al. discloses a method performed by a programmed processor of a computer system, the method comprising: (See Titonis et al., para. 432, i.e., a processing unit)
classifying a behavior of a file as anomalous or non-anomalous based on an execution graph of the file, wherein the classified behavior belongs to a particular feature set; (See Titonis et al., para. 21, 165, and 283-296)
Please note that in this example, classification of a behavior and static analysis of a file as malware or benign obtained from the execution of the sandbox request (i.e. execution graph of the file) wherein the classified behavior belongs to a feature set extracted from the corresponding log file.
generating a classifier based on the particular feature set; (See Titonis et al., para. 293-308)
Please note that in this example, generating a classifier based on the feature extractor wherein feature vectors (i.e. malware, free of known malware defects, network intrusion alert features, validity metric computed for log files) are used to provide labels for anti-virus infection to be used for training automated classification analysis via a machine learning technique. 
However, Titonis et al. fail to explicitly disclose determining that the classifier is below a threshold.
Gu et al. discloses a method and apparatus for detecting malware infection. 
Gu et al. discloses determining that the classifier is below a threshold; (See Gu et al., Figure 5 and para. 51-55)
Please note that in this example, an anomaly detection engine monitors, scans, and classifies anomalies that are detected and, if the anomaly score is below the threshold, continues to monitor the behavior of the file.
Gu et al. discloses and in response to the classifier being below the threshold, modifying the particular feature set by removing one or more features of the particular feature set such that a regenerated classifier based on the modified particular feature set meets or exceeds the threshold. (See Gu et al., Figure 5 and para. 51-56 and 71-73)
Please note that in this example, removing the one or more features if the classifier detects that the anomaly score exceeds the predefined threshold by issuing a warning and alert indicating the inbound file is an infection or exploit, wherein an automatic pruning algorithm is used to remove the infected file from the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Titonis et al.’s automated behavioral and static analysis using an instrumented sandbox machine learning classification for mobile security modified with Gu et al.’s method and apparatus for detecting malware infection.
Motivation for such an implementation would enable detection of successful bot infections through the communication sequences that occur during the infection process and examine the infected events for a threshold combination of sequences. (See Gu et al., para. 19) 
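The final limitation of claim 2 (remove features until a regenerated classifier meets the threshold), as an added illustration that is not taken from the application, Titonis et al. or Gu et al. It assumes the classifier is scored by leave-one-out accuracy and that score is what is compared with the threshold; the feature names, samples and nearest-centroid model are constructed for the example.

```python
# Added illustration: prune a feature set until the regenerated classifier
# meets a quality threshold. Names, data and model choice are assumptions.
from statistics import fmean

# Constructed behavior features: two frequency metrics and one volumetric metric.
FEATURES = ["freq_net_connect", "freq_file_write", "vol_bytes_read"]
# Constructed samples: (feature vector, label), 0 = non-anomalous, 1 = anomalous.
SAMPLES = [
    ((1, 2, 900), 0), ((0, 1, 100), 0), ((1, 1, 500), 0),
    ((8, 9, 120), 1), ((9, 8, 880), 1), ((8, 8, 480), 1),
]

def train(samples, cols):
    """Generate a nearest-centroid classifier over the feature columns `cols`."""
    centroids = {}
    for label in {lab for _, lab in samples}:
        rows = [vec for vec, lab in samples if lab == label]
        centroids[label] = [fmean(r[c] for r in rows) for c in cols]
    return centroids

def predict(centroids, vec, cols):
    """Return the label whose centroid is closest (squared Euclidean distance)."""
    def dist(label):
        return sum((vec[c] - m) ** 2 for c, m in zip(cols, centroids[label]))
    return min(sorted(centroids), key=dist)

def loo_accuracy(samples, cols):
    """Leave-one-out accuracy: the classifier score compared with the threshold."""
    hits = 0
    for i, (vec, label) in enumerate(samples):
        model = train(samples[:i] + samples[i + 1:], cols)
        hits += predict(model, vec, cols) == label
    return hits / len(samples)

def prune_until(samples, names, threshold):
    """Greedy backward elimination: while the score is below the threshold,
    drop the feature whose removal gives the best regenerated classifier."""
    cols = list(range(len(names)))
    removed = []
    score = loo_accuracy(samples, cols)
    while score < threshold and len(cols) > 1:
        candidates = [(loo_accuracy(samples, [c for c in cols if c != d]), d)
                      for d in cols]
        score, drop = max(candidates, key=lambda t: t[0])
        cols.remove(drop)
        removed.append(names[drop])
    return [names[c] for c in cols], removed, score

if __name__ == "__main__":
    print("initial score:", round(loo_accuracy(SAMPLES, [0, 1, 2]), 3))
    print("kept, removed, score:", prune_until(SAMPLES, FEATURES, 0.9))
```

The unscaled volumetric feature dominates the distance computation, so the full feature set scores below the threshold and pruning that one feature restores the classifier.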

Referring to the rejection of claim 3, (Titonis et al. modified by Gu et al.) discloses wherein the file comprises one of an executable file, a word processing document, and a PDF file. (See Titonis et al., para. 149 and 151)
Referring to the rejection of claim 4, (Titonis et al. modified by Gu et al.) discloses further comprising generating the execution graph. (See Titonis et al., para. 110-111)
Referring to the rejection of claim 5, (Titonis et al. modified by Gu et al.) discloses wherein generating the execution graph comprises running the received file in a sandbox; (See Titonis et al., para. 136-137) and collecting an execution trace of the received file while running in the sandbox, wherein the generated execution graph is based on the collected execution trace. (See Titonis et al., para. 136-137)
Referring to the rejection of claim 6, (Titonis et al. modified by Gu et al.) discloses wherein generating the execution graph comprises running the received file in a sandbox, and monitoring the received file while running in the sandbox, wherein the generated execution graph is based on the monitored received file. (See Titonis et al., para. 247-249)
Referring to the rejection of claim 7, (Titonis et al. modified by Gu et al.) discloses wherein classifying the behavior comprises extracting the behavior from the execution graph; (See Titonis et al., para. 223) and performing anomaly detection on the extracted behavior to classify the behavior as anomalous or non-anomalous. (See Titonis et al., para. 223 and 338)
Referring to the rejection of claim 8, (Titonis et al. modified by Gu et al.)  discloses wherein extracting the behaviors from the execution graph comprises generating at least one of frequency metrics, volumetric metrics, and pattern metrics. (See Titonis et al., para. 165 and 367 and Gu et al., para. 47 and 72-73)
The rationale for combining Titonis et al. in view of Gu et al. is the same as claim 2.


Referring to the rejection of claim 9, (Titonis et al. modified by Gu et al.)  discloses a system comprising: 
a processor; (See Titonis et al., para. 432, i.e., a processing unit)
and memory having instructions stored therein which when executed by the processor causes the system to (See Titonis et al., para. 432, i.e. memory executed by the processing unit)
classify a behavior of a file as anomalous or non-anomalous based on an execution graph of the file, wherein the classified behavior belongs to a particular feature set; (See Titonis et al., para. 21, 165, and 283-296)
Please note that in this example, classification of a behavior and static analysis of a file as malware or benign obtained from the execution of the sandbox request (i.e. execution graph of the file) wherein the classified behavior belongs to a feature set extracted from the corresponding log file.
generate a classifier based on the particular feature set; (See Titonis et al., para. 293-308)
Please note that in this example, generating a classifier based on the feature extractor wherein feature vectors (i.e. malware, free of known malware defects, network intrusion alert features, validity metric computed for log files) are used to provide labels for anti-virus infection to be used for training automated classification analysis via a machine learning technique. 
However, Titonis et al. fail to explicitly disclose determining that the classifier is below a threshold.
Gu et al. discloses a method and apparatus for detecting malware infection. 
Gu et al. discloses determine that the classifier is below a threshold; (See Gu et al., Figure 5 and para. 51-55)
Please note that in this example, an anomaly detection engine monitors, scans, and classifies anomalies that are detected and, if the anomaly score is below the threshold, continues to monitor the behavior of the file.
Gu et al. discloses and in response to the classifier being below the threshold, modify the particular feature set by removing one or more features of the particular feature set such that a regenerated classifier based on the modified particular feature set meets or exceeds the threshold. (See Gu et al., Figure 5 and para. 51-56 and 71-73)
Please note that in this example, removing the one or more features if the classifier detects that the anomaly score exceeds the predefined threshold by issuing a warning and alert indicating the inbound file is an infection or exploit, wherein an automatic pruning algorithm is used to remove the infected file from the network.
The rationale for combining Titonis et al. in view of Gu et al. is the same as claim 2.

Referring to the rejection of claim 10, (Titonis et al. modified by Gu et al.)  discloses wherein the file comprises one of an executable file, a word processing document, and a PDF file. (See Titonis et al., para. 149 and 151)
Referring to the rejection of claim 11, (Titonis et al. modified by Gu et al.) discloses wherein the memory has further instructions to generate the execution graph. (See Titonis et al., para. 110-111)
Referring to the rejection of claim 12, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to generate the execution graph comprises instructions to run the received file in a sandbox; (See Titonis et al., para. 136-137)  and collect an execution trace of the received file while running in the sandbox, wherein the generated execution graph is based on the collected execution trace. (See Titonis et al., para. 136-137)
Referring to the rejection of claim 13, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to generate the execution graph comprises instructions to run the received file in a sandbox, and monitor the received file while running in the sandbox, wherein the generated execution graph is based on the monitored received file. (See Titonis et al., para. 247-249)
Referring to the rejection of claim 14, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to classify the behavior comprises instructions to extract the behavior from the execution graph; (See Titonis et al., para. 223) and perform anomaly detection on the extracted behavior to classify the behavior as anomalous or non-anomalous.

Referring to the rejection of claim 15, (Titonis et al. modified by Gu et al.)  discloses wherein the instructions to extract the behaviors from the execution graph comprises instructions to generate at least one of frequency metrics, volumetric metrics, and pattern metrics. (See Titonis et al., para. 165 and 367 and Gu et al., para. 47 and 72-73)
The rationale for combining Titonis et al. in view of Gu et al. is the same as claim 2.
Referring to the rejection of claim 16, (Titonis et al. modified by Gu et al.) discloses a non-transitory machine-readable medium having stored therein instructions which when executed by a processor: (See Titonis et al., para. 432, i.e. computer readable storage medium executed by a processing unit)
classify a behavior of a file as anomalous or non-anomalous based on an execution graph of the file, wherein the classified behavior belongs to a particular feature set; (See Titonis et al., para. 21, 165, and 283-296)
Please note that in this example, classification of a behavior and static analysis of a file as malware or benign obtained from the execution of the sandbox request (i.e. execution graph of the file) wherein the classified behavior belongs to a feature set extracted from the corresponding log file.
generate a classifier based on the particular feature set; (See Titonis et al., para. 293-308)
Please note that in this example, generating a classifier based on the feature extractor wherein feature vectors (i.e. malware, free of known malware defects, network intrusion alert features, validity metric computed for log files) are used to provide labels for anti-virus infection to be used for training automated classification analysis via a machine learning technique. 
However, Titonis et al. fail to explicitly disclose determining that the classifier is below a threshold.
Gu et al. discloses a method and apparatus for detecting malware infection. 
Gu et al. discloses determine that the classifier is below a threshold; (See Gu et al., Figure 5 and para. 51-55)
Please note that in this example, an anomaly detection engine monitors, scans, and classifies anomalies that are detected and, if the anomaly score is below the threshold, continues to monitor the behavior of the file.
Gu et al. discloses and in response to the classifier being below the threshold, modify the particular feature set by removing one or more features of the particular feature set such that a regenerated classifier based on the modified particular feature set meets or exceeds the threshold. (See Gu et al., Figure 5 and para. 51-56 and 71-73)
Please note that in this example, removing the one or more features if the classifier detects that the anomaly score exceeds the predefined threshold by issuing a warning and alert indicating the inbound file is an infection or exploit, wherein an automatic pruning algorithm is used to remove the infected file from the network.
The rationale for combining Titonis et al. in view of Gu et al. is the same as claim 2.
Referring to the rejection of claim 17, (Titonis et al. modified by Gu et al.)  discloses further comprising generating the execution graph. (See Titonis et al., para. 110-111)
Referring to the rejection of claim 18, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to generate the execution graph comprises instructions to run the received file in a sandbox; (See Titonis et al., para. 136-137) and collect an execution trace of the received file while running in the sandbox, wherein the generated execution graph is based on the collected execution trace. (See Titonis et al., para. 136-137)
Referring to the rejection of claim 19, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to generate the execution graph comprises instructions to run the received file in a sandbox, and monitor the received file while running in the sandbox, wherein the generated execution graph is based on the monitored received file. (See Titonis et al., para. 247-249)
Referring to the rejection of claim 20, (Titonis et al. modified by Gu et al.) discloses wherein the instructions to classify the behavior comprises instructions to extract the behavior from the execution graph; (See Titonis et al., para. 223) and perform anomaly detection on the extracted behavior to classify the behavior as anomalous or non-anomalous. (See Titonis et al., para. 223 and 338)
Referring to the rejection of claim 21, (Titonis et al. modified by Gu et al.)  discloses wherein the instructions to extract the behaviors from the execution graph comprises instructions to generate at least one of frequency metrics, volumetric metrics, and pattern metrics. (See Titonis et al., para. 165 and 367 and Gu et al., para. 47 and 72-73)
The rationale for combining Titonis et al. in view of Gu et al. is the same as claim 2.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/COURTNEY D FIELDS/Examiner, Art Unit 2436
June 17, 2022

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436