DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on January 4, 2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.  It is noted by the Examiner that all of the references were considered, but due to the extensive size of the IDS it was only considered based upon a cursory review.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “hardware processor is configured to identify/select/apply/provide/identify” in claim 28; “hardware processor is configured to perform” in claim 31; “hardware processor is configured to apply” in claim 32; and “hardware processor is configured to apply” in claim 33.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,878,093.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the patented claims in that the claims of the patent contain all of the limitations of the instant application.  Claims 21-40 therefore are not patentably distinct from the earlier filed patented claims, and as such, are unpatentable for obvious-type double patenting.

Application No. 17/125,280
21. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to: receive a string associated with an artifact; apply a convolution matrix to a set of values associated with the string to define at least a portion of a feature vector; provide the feature vector as an input to a machine learning threat model; and identify the artifact associated with the string as malicious based on an output of the machine learning threat model meeting a predefined criterion.
22. The non-transitory processor-readable medium of claim 21, the instructions further comprising code to cause the processor to: convert each character in the string into a vector of values to define a character matrix including the set of values associated with the string.
23. The non-transitory processor-readable medium of claim 21, the instructions further comprising code to cause the processor to: perform a remedial action on the artifact based on identifying the artifact as malicious.
24. The non-transitory processor-readable medium of claim 21, wherein the artifact is at least one of a function of software code, a webpage, a data file, a model file, a source file, a script, a binary executable file, a table in a database system, a development deliverable, a word-processing document, an email message, a text message, a network address, a file path, a device, or an entity.
25. The non-transitory processor-readable medium of claim 21, the instructions further comprising code to cause the processor to: select the convolution matrix from a set of convolution matrices based on metadata associated with the string.
26. The non-transitory processor-readable medium of claim 21, wherein the set of values is a first set of values, the instructions to cause the processor to apply include instructions to cause the processor to apply the convolution matrix to the first set of values and a second set of values associated with the string to define the at least the portion of the feature vector.
27. The non-transitory processor-readable medium of claim 21, wherein the convolution matrix is a first convolution matrix and the portion of the feature vector is a first portion of the feature vector, the method further comprising: applying a second convolution matrix to the set of values to define a second portion of the feature vector.
28. An apparatus, comprising: a memory; and a hardware processor operatively coupled to the memory, the hardware processor configured to: identify a set of values associated with a string; select a convolution matrix based on metadata associated with the string; apply the convolution matrix to the set of values associated with the string to define at least a portion of a feature vector; provide the feature vector as an input to a machine learning threat model; and identify an artifact associated with the string as malicious based on an output of the machine learning threat model.
29. The apparatus of claim 28, wherein the metadata associated with the string includes at least one of a source of the string, a type of information represented by the string, or a size of the string.
30. The apparatus of claim 28, wherein the artifact is at least one of a function of software code, a webpage, a data file, a model file, a source file, a script, a binary executable file, a table in a database system, a development deliverable, a word-processing document, an email message, a text message, a network address, a file path, a device, or an entity.
31. The apparatus of claim 28, wherein the hardware processor is configured to perform a remedial action on the artifact based on identifying the artifact as malicious.
32. The apparatus of claim 28, wherein the set of values is a first set of values, the hardware processor configured to apply the convolution matrix to the first set of values and a second set of values associated with the string to define the at least the portion of the feature vector.
33. The apparatus of claim 28, wherein the convolution matrix is a first convolution matrix and the portion of the feature vector is a first portion of the feature vector, the hardware processor configured to apply a second convolution matrix to the set of values to define a second portion of the feature vector.
34. The apparatus of claim 28, wherein the machine learning threat model is at least one of a deep neural network threat model, a decision tree model, a Bayesian network or a clustering model.
35. A method, comprising: applying a first convolution matrix to a set of values associated with a string to define a first portion of a feature vector, the string associated with an artifact; applying a second convolution matrix to the set of values associated with the string to define a second portion of the feature vector; providing the feature vector as an input to a machine learning threat model; and identifying the artifact associated with the string as malicious based on an output of the machine learning threat model meeting a predefined criterion.
36. The method of claim 35, wherein the artifact is at least one of a function of software code, a webpage, a data file, a model file, a source file, a script, a binary executable file, a table in a database system, a development deliverable, a word-processing document, an email message, a text message, a network address, a file path, a device, or an entity.
37. The method of claim 35, further comprising: performing a remedial action on the artifact based on identifying the artifact as malicious.
38. The method of claim 35, wherein the first convolution matrix is selected to detect a first feature of the string and the second convolution matrix is selected to detect a second feature of the string different than the first feature.
39. The method of claim 35, wherein the set of values is a first set of values, the hardware processor configured to apply the first convolution matrix to the first set of values and a second set of values associated with the string to define the first portion of the feature vector.
40. The method of claim 35, wherein the machine learning threat model is at least one of a deep neural network threat model, a decision tree model, a Bayesian network or a clustering model.

U.S. Patent No. 10,878,093
17. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to: receive a file path associated with a potentially malicious data file; convert each character in the file path into a vector of values to define a character matrix; select a set of convolution matrices; apply each convolution matrix from the set of convolution matrices to the character matrix to define a subscore for that convolution matrix; combine the subscore for each convolution matrix from the set of convolution matrices with the subscore for each remaining convolution matrix from the set of convolution matrices to define a feature vector; provide the feature vector as an input to a machine learning threat model; and perform a remedial action on the potentially malicious data file based on an output of the machine learning threat model.  
18. The non-transitory processor-readable medium of claim 17, wherein the remedial action includes at least one of deleting the potentially malicious data file, quarantining the potentially malicious data file, or sending a notification indicating that the potentially malicious data file is malicious.  
19. The non-transitory processor-readable medium of claim 17, wherein the machine learning threat model is at least one of a deep neural network threat model, a decision tree model, a Bayesian network or a clustering model.  
20. The non-transitory processor-readable medium of claim 17, wherein code to cause the processor to select includes code to cause the processor to select the set of convolution matrices based on metadata associated with the file path.  
21. The non-transitory processor-readable medium of claim 17, wherein the code to cause the processor to apply includes code to cause the processor to: define a plurality of sets of values from the character matrix; and apply each convolution matrix to each set of values from the plurality of sets of values to define the subscore for that convolution matrix.  

9. An apparatus, comprising: a memory; and a processor operatively coupled to the memory, the processor configured to: receive a file path of a data file, the file path being a string associated with the data file; define a character matrix based on each character in the file path; apply a convolution matrix to a first set of values within the character matrix to define a first portion of a score; apply the convolution matrix to a second set of values within the character matrix to define a second portion of the score, the second set of values being different from the first set of values; provide the score as an input to a machine learning threat model; and identify the data file as malicious based on an output of the machine learning threat model.
10. The apparatus of claim 9, wherein the machine learning threat model is at least one of a deep neural network threat model, a decision tree model, a Bayesian network or a clustering model.  
11. The apparatus of claim 9, wherein at least one value from the first set of values is within the second set of values.  
12. The apparatus of claim 9, wherein the convolution matrix is a first convolution matrix and the score is a first score, the processor configured to apply a second convolution matrix to the first set of values to define at least a portion of a second score, the processor configured to provide the first score and the second score as inputs to the machine learning threat model.  
13. The apparatus of claim 9, wherein the convolution matrix is selected from a set of convolution matrices based on metadata associated with the file path.  
14. The apparatus of claim 9, wherein a number of values in the first set of values is based on a size of the file path.  
15. The apparatus of claim 9, wherein the processor is configured to perform a remedial action on the data file based on identifying the data file as malicious.  
16. The apparatus of claim 9, wherein the processor is configured to define the character matrix by converting each character in the file path into a vector of values.

1. A method, comprising: receiving a file path associated with a data file; converting each character in the file path into a vector of values to define a character matrix; applying a convolution matrix to a set of values within the character matrix to define at least a portion of a score; providing the score as an input to a machine learning threat model; identifying the data file associated with the file path as malicious based on an output of the machine learning threat model meeting a predefined criterion; and performing a remedial action on the data file based on identifying the data file as malicious.  
2. The method of claim 1, further comprising: selecting the convolution matrix from a plurality of convolution matrices based on metadata associated with the file path.  
3. The method of claim 1, wherein the convolution matrix is a first convolution matrix and the portion of the score is a first portion of the score, the method further comprising: applying a second convolution matrix to the set of values to define a second portion of the score.  
4. The method of claim 1, wherein the set of values is a first set of values and the portion of the score is a first portion of the score, the method further comprising: applying the convolution matrix to a second set of values within the character matrix to define a second portion of the score.
5. The method of claim 1, wherein a number of values in the set of values is based on a size of the file path.  
6. The method of claim 1, wherein the convolution matrix is a first convolution matrix and the portion of the score is a first portion of the score, the first convolution matrix having a first size, the method further comprising: applying a second convolution matrix to the set of values to define a second portion of the score, the second convolution matrix having a second size different than the first size.  
7. The method of claim 1, wherein the convolution matrix is selected from a set of convolution matrices based on metadata associated with the file path.  
8. The method of claim 1, wherein the machine learning threat model is at least one of a deep neural network threat model, a decision tree model, a Bayesian network or a clustering model.  

Claims 21, 28, and 35 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 6, and 16 of U.S. Patent No. 10,318,735.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the patented claims in that the claims of the patent contain all of the limitations of the instant application.  Claims 21, 28, and 35 therefore are not patentably distinct from the earlier filed patented claims, and as such, are unpatentable for obvious-type double patenting.

Application No. 17/125,280

21. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to: receive a string associated with an artifact; apply a convolution matrix to a set of values associated with the string to define at least a portion of a feature vector; provide the feature vector as an input to a machine learning threat model; and identify the artifact associated with the string as malicious based on an output of the machine learning threat model meeting a predefined criterion.

28. An apparatus, comprising: a memory; and a hardware processor operatively coupled to the memory, the hardware processor configured to: identify a set of values associated with a string; select a convolution matrix based on metadata associated with the string; apply the convolution matrix to the set of values associated with the string to define at least a portion of a feature vector; provide the feature vector as an input to a machine learning threat model; and identify an artifact associated with the string as malicious based on an output of the machine learning threat model.

35. A method, comprising: applying a first convolution matrix to a set of values associated with a string to define a first portion of a feature vector, the string associated with an artifact; applying a second convolution matrix to the set of values associated with the string to define a second portion of the feature vector; providing the feature vector as an input to a machine learning threat model; and identifying the artifact associated with the string as malicious based on an output of the machine learning threat model meeting a predefined criterion.

U.S. Patent No. 10,318,735

6. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
receive an input string associated with a potentially malicious artifact;
convert each character in the input string into a vector of values to define a character matrix;
select a convolution matrix;
apply the convolution matrix to a first window of the character matrix to define a first sub score;
apply the convolution matrix to a second window of the character matrix to define a second sub score;
combine the first sub score and the second sub score to define a score for the convolution matrix;
provide the score for the convolution matrix as an input to a machine learning threat model;
identify the potentially malicious artifact associated with the input string as malicious based on an output of the machine learning threat model; and
perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.

1. An apparatus, comprising:
a memory; and
a processor operatively coupled to the memory, the processor configured to:
receive a Uniform Resource Locator (URL) associated with a web site;
convert each character in the URL into a vector of values to define a character matrix;
apply a first convolution matrix to a first set of values within the character matrix to define a first subscore;
apply the first convolution matrix to a second set of values within the character matrix to define a second subscore;
calculate a sum based on the first subscore and the second subscore to define a score for the first convolution matrix;
apply a second convolution matrix to the first set of values within the character matrix to define a third subscore;
apply the second convolution matrix to the second set of values within the character matrix to define a fourth subscore;
calculate a sum based on the third subscore and the fourth subscore to define a score for the second convolution matrix;
provide the score for the first convolution matrix and the score for the second convolution matrix as inputs to a machine learning threat model;
identify an artifact associated with the URL as malicious based on an output of the machine learning threat model meeting a predefined criterion; and
quarantine the artifact associated with the URL based on the identifying the URL as malicious.


16. A method, comprising:
receiving a Uniform Resource Locator (URL) associated with a website;
converting each character in the URL into a vector of values to define a character matrix;
applying a first convolution matrix to a set of values within the character matrix to define at least a portion of a first score;
applying a second convolution matrix to the set of values within the character matrix to define at least a portion of a second score;
providing the first score and the second score as inputs to a machine learning threat model;
identifying an artifact associated with the URL as malicious based on an output of the machine learning threat model meeting a predefined criterion; and
performing a remedial action on the artifact based on identifying the artifact as malicious.

Allowable Subject Matter
Claims 21-40 are allowed; however, the claims are currently rejected under obvious-type double patenting, requiring the filing of terminal disclaimers.
The following is a statement of reasons for the indication of allowable subject matter:
The closest prior art teachings of Bogorad, U.S. Patent 10,104,100, were relied upon for disclosing: receive a file path (sequence of activities) associated with a data file (col. 7, lines 6-8); define a character matrix based on the file path (col. 7, lines 8-10); apply a convolution matrix to a first set of values (distinct values per activity) within the character matrix to define a first portion of a score (col. 7, lines 8-10); apply the convolution matrix to a second set of values within the character matrix to define a second portion of the score, the second set of values being different from the first set of values (col. 6, lines 53-64 and col. 7, lines 13-22); provide the score as an input to a machine learning threat model, identify the data file as malicious based on an output of the machine learning model (col. 7, line 60 through col. 8, line 10), as applied in the Non-Final Rejection dated May 29, 2020 in serial application 16/425,115.
As argued by the Applicant in the Interview dated August 2, 2020 for the same above-listed application, Bogorad teaches “For example, as shown in Fig. 4, sequence of activities 208 may include multiple activities (e.g. “log in”, “open file”, and “log out”).” (Bogorad, col. 7, lines 6-8).  The language of “receive a file path of a data file, the file path being a string associated with the data file; and determine a character matrix based on each character in the file path” was agreed to distinguish from the prior art teachings of Bogorad.
The instant application uses similar language, which distinguishes from the prior art teachings of Bogorad, whereby it was not found to be taught in the prior art for at least receiving a string associated with an artifact; apply a convolution matrix to a set of values associated with the string to define at least a portion of a feature vector, when used in combinations with the remaining features of the claims.
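The pipeline recited in the compared claims (each character converted to a vector to form a character matrix, convolution matrices selected by metadata, per-window subscores summed into a feature vector, and a threat model output tested against a predefined criterion) can be sketched as follows. This is an added illustration, not code from the application, the cited patents or the Office; the character encoding, the kernels, the clamping of negative subscores, the thresholds and the sample strings are all constructed assumptions.

```python
"""Added illustration of the claimed pipeline; every constant is constructed."""

ALPHA, DIGIT, SEP, OTHER = range(4)      # columns of a character vector
SEPARATORS = "/\\.:-_?=&"                # assumed separator class


def char_vector(ch):
    """Convert one character into a vector of values (assumed 4-way class flags)."""
    vec = [0, 0, 0, 0]
    if ch.isalpha():
        vec[ALPHA] = 1
    elif ch.isdigit():
        vec[DIGIT] = 1
    elif ch in SEPARATORS:
        vec[SEP] = 1
    else:
        vec[OTHER] = 1
    return vec


def run_kernel(column, width):
    """Hypothetical convolution matrix (width x 4) that responds only to a
    window made up entirely of `column` characters: one mismatch costs
    width - 1, which cancels the remaining matches."""
    row = [-(width - 1)] * 4
    row[column] = 1
    return [row[:] for _ in range(width)]


# Convolution matrices selected by metadata about the string (constructed sets).
KERNEL_SETS = {
    "url": [run_kernel(DIGIT, 3), run_kernel(OTHER, 2)],
    "file_path": [run_kernel(DIGIT, 5), run_kernel(OTHER, 2)],
}


def subscores(matrix, kernel):
    """Slide the kernel over the character matrix; one subscore per window.
    Negative responses are clamped to 0 (an assumption, ReLU-style).
    A string shorter than the kernel has no windows and yields []."""
    width = len(kernel)
    out = []
    for start in range(len(matrix) - width + 1):
        window = matrix[start:start + width]
        dot = sum(k * v
                  for k_row, m_row in zip(kernel, window)
                  for k, v in zip(k_row, m_row))
        out.append(max(0, dot))
    return out


def feature_vector(string, kind):
    """One feature per convolution matrix: the sum of its window subscores."""
    if kind not in KERNEL_SETS:
        raise ValueError(f"no convolution matrices for metadata type {kind!r}")
    matrix = [char_vector(ch) for ch in string]
    return [sum(subscores(matrix, kernel)) for kernel in KERNEL_SETS[kind]]


def threat_model(features):
    """Stand-in for the machine learning threat model: a two-node decision
    tree with hand-set (not trained) thresholds."""
    digit_score, symbol_score = features
    if symbol_score >= 4:
        return 0.9
    if digit_score >= 6:
        return 0.7
    return 0.1


CRITERION = 0.5  # assumed "predefined criterion" on the model output


def classify(string, kind):
    """Return (feature vector, model output, malicious?) for one string."""
    features = feature_vector(string, kind)
    output = threat_model(features)
    return features, output, output >= CRITERION


if __name__ == "__main__":
    samples = [  # constructed inputs; 198.51.100.0/24 is a documentation range
        ("http://example.com/index.html", "url"),
        ("http://198.51.100.23/a1b2c3d4e5/~~$$%%.php", "url"),
        (r"C:\Users\a\AppData\Temp\~$$1234567.exe", "file_path"),
    ]
    for text, kind in samples:
        print(kind, classify(text, kind), text)
```

Because the file-path kernel set uses a wider digit kernel than the URL set, the same string can produce a different feature vector depending on the metadata supplied, which is the effect of the metadata-based selection recited in claims 25 and 28.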

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Morishita et al, US 2022/0215182 is relied upon for disclosing an embedded matrix assigned to a character string, see paragraph 0085.
Sim et al, U.S. Patent 10,432,653 is relied upon for disclosing determining if traffic data is abnormal for each session based upon output data in a data cluster.  Each character that constitutes a character string is converted into vectors, and a matrix is then generated based upon the vectors, see claim 1 of the patent.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431