DETAILED ACTION
This action is responsive to the Application filed 4/29/2020.
Accordingly, claims 1-20 are submitted for prosecution on merits.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-9, 14-15 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Nguyen et al, USPubN: 2020/0327225 (herein Nguyen) in view of Hammond et al, USPubN: 2017/0213132 (herein Hammond) and Batmaz et al, USPubN: 2019/0303567 (herein Batmaz) 
As per claim 1, Nguyen discloses a system comprising: one or more processors coupled to a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions that:
obtain a command and a parameter of the command (bytes, Unicode code points, UTF-8 – para 0098; tokens, spans of characters in command line data – para 0037; command-line text 404 – Fig. 4), the command of a command line interface (CLI – command-line text 404 – para 0083);
predict a event type (predicted event-data value – para 0139 – Note1: event-data values encoding- Fig. 3 -  and prediction techniques using LSTM units and command line characters – text 404, Fig. 4 - and encoded vectors for each of the characters and parameters in the representation model – para 0135-0136 – subjected to classification or neural network techniques – para 0077, 0087, 0089-  that associate vector encoding of a value to an event – para 0086, para 0137 -  reads on prediction or training techniques that associate a event type – see para 0050 - with a corresponding value as encoded pair part of the vectorizing and representation model purported for classifier/decoder output – para 0139; Fig. 3-4 – and determination of mapping violation – Fig. 4-5 – based on the mapping and tokenization of the characters sequence) of a parameter value (LSTM parameters – Fig. 3; parameters … in a decision tree , mapping can include … some parameters of a CM, e.g. LSTM parameters  – para 0077; para 0098; train trees or forest, random forest … decision trees … based on values in classification data, each leaf can hold a value – para 0097) of the parameter using a machine learning model (Fig.4; para 0133);
use the predicted event type (see Note1) to search for a first parameter value (see above) from a plurality of parameter values for the parameter, the first parameter value having a same data type (determine representation mapping 410, classifier 420, tokens 424, determine that event is associated with violation – Fig. 4, determine that event is associated with … violation based on token – Fig. 5) as the predicted data type (see Note1); and
generate a CLI example of usage of the command (classification can include a number of clean samples that is substantially different from the number of dirty samples – para 0090; para 0091-0092) with the first parameter value.
A) Nguyen does not explicitly disclose processor instructions for prediction of event type of a parameter value (using a machine learning) as prediction of data type with a parameter value (using a machine learning).
But events registered for a classifier training in Nguyen entails data extracted from a command line which is being encoded on basis of one character at a time into a vector value pair (Fig. 3), each value being paired thereby being a node of a decision tree or LSTM network for use with a classification that matches a type for a given event among events recorded, the type identifiable as a floating, fixed-point, a bitmask, rational or real number, or Boolean value; hence conventional data type to correspond with each event is recognized (*).
Hammond discloses artificial intelligence IDE (neural network layers – para 0007; Fig.2A,3A;  para 0059-0060) coupled with training (para 0057) or neural network for use with different user interfaces to solve types related problems from training of data source (Figs 4; para 0054) or user inputted parameters (para 0115), where schema type data (para 0097) structured into nodes of a neural network enable data type for each node/block to provide meaning and possible values to the data, the data type selected from string, integers, Double, Float, Booleans of structured data types (para 0098)
Batmaz also discloses use of neural network (NN training – Fig. 5-6) to predict data values for initial data types received into a first neural network for determination of type/value deviation (from comparing real values against predicted ones) and implementing a second neural network from the deviation values to consolidate probability of an attack on the data interface (para 0005, 0007); hence neural network prediction to determine violation between a data type mapped with its corresponding value is recognized.
Therefore, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement neural network training and prediction of modeled information thereby in Nguyen so that parameter data extracted as event from a command line for use with the classifier training would associate data type for each event – as per (*) – with a corresponding value, to form an encoded vector pair or mapping by which prediction of data type with a parameter value by a machine learning technique (NN or classifier) would be able to validate proper type/value as predicted or else detecting a violation thereof; because
Event elements as extracted elements from a command line or tokenized input stream can include lexical constituents underlying a computer structure, a programming format or architectural representation otherwise understood as data type such as integers, floating, fixed-point, a bitmask, rational or real number, or Boolean format, and deriving and encoding each such type with a corresponding value (using a prediction technique as set forth above) would support an iterative classifier approach as endeavored in Nguyen, so that based on the initially predicted type mapped to its value, a training run can be set to determine correctness of the mapping or else detect a violation, or else, violation data can be retrained – as per Batmaz – with additional classifier runs to affirm on status of the initial prediction, e.g. the identification of type/value violation indicative of or inferring likelihood or actual presence of a vulnerability attack incurred upon integrity of a particular element of input sequence of a command line interface associated with Nguyen’s malware identification framework.
As per claims 2-3, Nguyen does not explicitly disclose (system of claim 1), wherein the one or more programs include further instructions that:
use a first classifier to predict a likelihood whether a first data type of a plurality of data types corresponds to the first parameter value
wherein the one or more programs include further instructions that:
use a second classifier to predict a likelihood whether a second data type of the plurality of data types corresponds to the parameter value when the first classifier fails to predict that the parameter value takes on the first type.
But use of successive neural network runs to respectively detect type/value mapping violation and retesting of the mapping using result from a previous run has been shown in Batmaz, per rationale A in claim 1; therefore, use of first classifier and second classifier in form of neural network training to predict a likelihood whether a first data type of a plurality of data types corresponds to the first parameter value per use of a first classifier and use a second classifier to predict a likelihood whether a second data type of the plurality of data types corresponds to the parameter value when the first classifier fails to predict that the parameter value takes on the first type would have been obvious for the same obvious reasons set forth with the teachings by Batmaz in claim 1.
As per claim 5, Nguyen does not explicitly disclose (system of claim 3), wherein the one or more programs include further instructions that:
train the second classifier using features extracted from command descriptions and parameter descriptions.
Information gathered from descriptive statistics associated with tokenized data or tokens stream derived from a command-line is shown in Nguyen (para 0197), where metadata associated with JSON, XML, CSV can be used to organize the configuration models (CMs - Fig. 2) in Nguyen for encoding vector, structuring  LSTM sets and generating prediction data for use with stages of the classification (para 0039-0040; Fig. 3-5); thus, training data using descriptive information or metadata associated with command line data or characters is recognized (**).
Based on the teachings by Batmaz where successive instance of neural network instances can be created to reinforce the output from a preceding training, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement a first classifier training with a predetermined set of input (e.g. use of historical data) where non-conformant mappings obtained from the first training can be reassessed with use of a second classifier as illustrated in Batmaz, the information trained as input with the second classifier expanding the knowledge of the first classifier with use of command line descriptive statistics or structured metadata – per (**) – as set forth above; because
consolidating a deficient classifier output with an augmented classifier effect that retrains or revalidates suspected deficient output via an additive training of features extracted from command-line descriptions and informative metadata thereof, would take into consideration a larger pool of information that further explains on the first set of data used with a first classifier, achieving thereby an in-depth machine learning over a preliminary configured training input, in the sense that any left out parametric setting or import thereof (e.g. from a first classifier) can be factored in and properly weighted with the second in-depth machine learning (e.g. second classifier) for more convincing result to be derived in reinforcing the malware detection technique in Nguyen.
As per claim 8, Nguyen discloses system of claim 3, wherein the first classifier and the second classifier are random forest classifiers (RANDOM FOREST, decision trees … based on values in classification training - para 0097; decision forest – para 0046, 0087, 0101).
As per claim 9, Nguyen discloses a method, comprising:
generating a CLI example of usage of the paired command and parameter including the obtained parameter value (refer to claim 1), and a paired encoding of event and value (event-data values – para 0227-0231) for testing violation via different classifier runs.
Nguyen does not explicitly disclose generating a CLI example on basis of:
(i) using a first classifier to predict a first data type of a parameter value of a paired command and parameter of a command line interface (CLI);
(ii) when the first classifier fails to predict that the parameter value is of the first data type, using a second classifier to predict a second data type for the parameter value of the paired command and parameter;
(iii) obtaining a parameter value matching the predicted second data type for the paired command and parameter from a plurality of parameter values for the paired command and parameter
Event of a command line and its values is structured as a value that is to be mapped to a type per the teachings by Hammond and Batmaz; hence structuring a vector encoding that pairs an event type or command type with its type value would have been obvious.
Obtaining a classifier result and following its outcome with a second classifier run to confirm on state of a violation or validity of predicted data has been rendered obvious with rationale set forth in claims 2-3; hence use of a first classifier to predict correctness of a paired command and parameter of a command line interface (CLI) as per (i), coupled to a second classifier to predict paired command and parameter as per (ii) to obtain a confirmed verified mapping per (iii) would have been obvious for the same reasons set forth with using follow-up classifier instance in claims 2-3, where the validation based thereon is purported to ensure whether a command and its paired value would be deemed a proper mapping, which is indicative of source text not being inflicted by any tampering or malware infringement.
As per claims 14-15, Nguyen discloses (method of claim 9), wherein the first classifier is a random forest trained on (refer to rejection of claim 8) command names, parameter names, and a module name (see parameter values – para 0087 – and command line text, event, action function – para 0027; Fig. 3-4) from which an example (refer to claim 1) was extracted
wherein the second classifier is a random forest (refer to rationale in claim 8) trained on descriptions of a command and descriptions (refer to claim 5) of a parameter
Claims 4, 6, 13, 16-17 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Nguyen et al, USPubN: 2020/0327225 (herein Nguyen) in view of Hammond et al, USPubN: 2017/0213132 (herein Hammond) and Batmaz et al, USPubN: 2019/0303567 (herein Batmaz), further in view of Dubey et al, USPubN: 2018/0173698 (herein Dubey), and Medlock et al, USPubN: 2017/0199664 (herein Medlock)
As per claim 4, Nguyen does not explicitly disclose (system of claim 2), wherein the one or more programs include further instructions that:
train the first classifier using features extracted from historical usage patterns of the command, the features including a command name, a parameter name and a module name.
Use of historical data or dictionary of a knowledge base (para 0118, 0138) to configure a classifier-based training is shown in Dubey (para 0139, 0141), the knowledge base including ontology data including class name, function and labels (para 0112) where input into a classification module includes a command (para 0218) for use to reject or accept a word or phrase or class (Fig. 11-12) as well as attributes belonging to a text segment (classification module, respective attributes - para 0140) or part of the dictionary attributes (para 0139); thus past knowledge recorded as ontology of class/function name, attributes name and text command input used to configure training of classification model is recognized.
Medlock also discloses predictor model or algorithm using text terms of a phrase (para 0062) and any knowledge the system has (para 0063) on the terms, where historical user interaction with the system can be included as part of the text prediction (para 0007-0009) by a training model.
Hence, past user text input recorded and used to configure training of predictive model is recognized.
Therefore, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement classifier and machine learning per Nguyen’s encoded vector training so that first classifier instance can be set to use features extracted from historical usage patterns of the command, the features including a command name, a parameter name and a module name as set forth per Dubey and Medlock; because
patterns from learned experimentation, persisted ontology, dictionary or historical record as part of a reusable knowledge base can not only alleviate effort in training parameterization and cost in preparing new training set, but would afford selective reuse of name, input or associated information that would help achieving a faster solution purported by the training, one bearing findings and consolidated verification from cycles of prediction runs to support a highly effective malware check by Nguyen’s classification engine.
As per claim 6, Nguyen does not explicitly disclose (system of claim 1), wherein the one or more programs include further instructions that:
incorporate the generated CLI example into online documentation of the command and the parameter.
Based on use of historical data for configuring subsequent training where information obtained from knowledge base can be structured for reuse as in Dubey (para 0118, 0138), or structured metafile (per Nguyen) such as in consultable JSON, XML, YAML descriptive format/schema (Nguyen: para 0038-0039), it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement outcome from the classifier approach in Nguyen so that command line samples illustrating examples of clean and dirty command (para 0090; para 0091-0092) would be stored in a knowledge base – as in Dubey – which serves as a persisted domain that incorporates the generated CLI example as a form of online documentation of the command and the parameter, for use by internet users; because
internet storage of knowledge base – for consolidating command line samples – provided as consultable domains or aggregation of learnings resulting from machine learning as per Nguyen constitutes a reliable source of applicable data or repeatable patterns as well as a rich pool of metadata, on-line description endowed with verified testing established over time to depict how information or text presented as input reflects an integrity-checked set of information or command syntax or structured sequences of token stream confirmed as free of malware insurgence, or dirty contamination.
As per claim 13, Nguyen discloses method of claim 9, further comprising:
incorporating the generated CLI example into online documentation of the command and the parameter. (refer to rationale in claim 6)
As per claim 16, Nguyen discloses a device, comprising: a processor and a memory; wherein the at least one processor is configured to: 
generate a plurality of CLI examples showing usage of a command with a parameter (samples that is substantially different from the number of dirty samples – para 0090; para 0091-0092) and without a parameter value from a first historical usage source of CLI commands; 
obtain parameter values from a second historical usage source (refer to rationale in claim 4) of CLI commands, wherein a parameter value is associated with a command and parameter of the plurality of CLI examples (event-data values – Fig. 3-5); 
infer a data type (refer to rationale A in claim 1) of a parameter value for a requested command and parameter pair using a machine learning model (refer to claim 1); 
find a select one of the parameter values (data values 714(1) … 714(V), 714(I)-714(J) value 712 – Fig. 7-8; para 0225-0226; data values 714 – para 0231;) having a same data type (refer to rationale A in claim 1) as the inferred data type from the second historical usage source; and 
generate a CLI example for the requested command (samples that is substantially different from the number of dirty samples – para 0090; para 0091-0092) and parameter pair (event-data values – para 0229-0231) using a select one of the plurality of CLI examples matching (Fig. 3-5) the requested command and parameter pair with the select one of the parameter values.
As per claim 17, Nguyen discloses (device of claim 16), wherein the machine learning model is composed of a first classifier and a second classifier, the first classifier predicts whether the requested command and parameter pair is of a first data type, the second classifier predicts whether the requested command and parameter pair are of a second data type, the first data type differs from the second data type.
(all of which being addressed in claim 9)
Claim 7 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Nguyen et al, USPubN: 2020/0327225 (herein Nguyen) in view of Hammond et al, USPubN: 2017/0213132 (herein Hammond) and Batmaz et al, USPubN: 2019/0303567 (herein Batmaz), and further in view of Gorelik, USPubN: 2017/0060894 (herein Gorelik)
As per claim 7, Nguyen does not explicitly disclose (system of claim 1), wherein the one or more programs include further instructions that:
obtain a data type format for the predicted data type; and use the data type format to find the first parameter value having the data type.
Gorelik discloses metadata repositories for use in inferring lineage information associated with business application and data organization (para 0007-0008), where replacement or transformation of a value related to a schema element uses value inference from other schemas, each schema structuring with key, element, name and attribute (para 0019-0020) as part of the schema hierarchy (JSON, XML, Graph DB – see para 0035, 0042) that includes values, min and max, attributes and regular expression for the value (para 0145), the regular expression to be matched to a string on basis of characters occurrences, frequencies in the string (para 0025) or values patterns and their distribution (para 0041, 0046) for a particular schema element, where a bitmap or format can be a regular expression describing how the data looks (para 0086); hence data type (key, name, attribute, element) associated with an inferred value expressed as part of the schema hierarchy or regular expressions therein, the regular expression also structured to represent how the data looks in terms of format is recognized.
Therefore, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement the JSON, XML descriptive schema support in Nguyen (para 0038-0039; para 0174) for use in the configuration of machine learning, so that for a given prediction run implementation, training configuration software would utilize description from the schema descriptive files, obtain a data type format for the predicted data type; and use the data type format – the type format as per a regular expression in a schema element per Gorelik – to find the first parameter value having the data type, the value and type as structured among the schema element hierarchy per Gorelik; because
structured information as schema as set forth above not only proffers name and type of an element with its corresponding value, so that name/value pair inferred from a schema element can be used as a paired input into a stage of a prediction model to be evaluated via successive classifier stages; but would also correlate a format by way of a corresponding regular expression as part of the hierarchy (as per Gorelik) describing the given element name in terms of how the element should look, in the sense that not only value/name pairing can be used to detect syntax violation, but how a given format on basis of said element value can be additionally verified towards identifying a violation as part of Nguyen’s neural network regression and classification-driven detection of malware.
Claims 10, 12 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Nguyen et al, USPubN: 2020/0327225 (herein Nguyen) in view of Hammond et al, USPubN: 2017/0213132 (herein Hammond) and Batmaz et al, USPubN: 2019/0303567 (herein Batmaz), and further in view of Gorelik, USPubN: 2017/0060894 (herein Gorelik) and Medlock et al, USPubN: 2017/0199664 (herein Medlock)
As per claims 10, 12, Nguyen does not explicitly disclose (method of claim 9), further comprising:
obtaining a plurality of parameter values for the paired command and parameter from historical usage;
generating a regular expression that matches a data format of the data type of the parameter value; and
using the regular expression to find the parameter value for the paired command and parameter;
wherein the regular expression represents a single value, range of values or character string.
Use of historical data stored as knowledge base recording user interactions has been addressed as obvious per Medlock predictor model or algorithm using text terms of a phrase (para 0062) and any knowledge the system has (para 0063) on the terms, where historical user interaction with the system can be included as part of the text prediction (para 0007-0009) by a training model.
Use of schema similar to Nguyen’s use of descriptive JSON, XML (para 0038-0039; para 0174) having structured information describing each schema element in terms of hierarchy that include name, value, key, regular expression for each element is shown in Gorelik (para 0019-0020, 0041, 0046, 0145) including a regular expression for its format (para 0086); that is, regular expression (RE) in terms of syntax presented as a single grammar lexicon, range of grammar elements or tuples or concatenated string thereof is a well-known representation of standard REs.
Hence use of a RE to find a parameter value whereby to configure vector encoding that pairs a command type with its parameter value is recognized.
Nguyen discloses use of Unicode to represent text serialization (para 0039) and structuring the sequence into CM (para 0040), for use with a security-related command recommendation, according to which, a classifier type training would be generating CLI examples of usage of the paired command and parameter including the obtained parameter value (refer to claim 1), and a paired encoding of event and value (event-data values – para 0227-0231) for testing violation via different classifier runs; whereas event of a given type or name of a command line (Event-data values 312 – Fig. 3) and its values per Nguyen’s encoding is structured as a value that is to be mapped to a type per the teachings by Hammond and Batmaz;
Hence collecting of event and parsing of command line text (Nguyen: Fig. 4-5) for the purpose of structuring vectors (for use with a subsequent classifier) that each encodes text blocks into a pairing that maps a text block type with its type value in the scheme of subjecting the mappings with a classifier and a tokenizer (Fig. 4-6) per Nguyen training purpose in generating of security command (step 628 – Fig. 6) would entail obtaining a plurality of values corresponding to sub-components of a command line or subtext blocks (data values 714(1) … 714(V), 714(I)-714(J) value 712 – Fig. 7-8).
Therefore, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to configure machine learning in accordance to vector encoding in Nguyen’s classification technique for verifying paired setting therein so that (1) a plurality of parameter values for the paired command and parameter are collected, using recorded command blocks and value pairing from a historical data as in Medlock; (2) descriptive information – such as schema files – is processed so that a regular expression (RE) for a given schema element that matches a data format of the data type of the parameter value can be derived – as per Gorelik – whereby the vector-based training configuration would be able to match the regular expression with the format and data type with the parameter value for effect of configuring a paired command and parameter; in accordance to the concept that (3) the regular expression represents a single value, range of values or character string as established from well-known representation of standard REs; because
Selective integration of historical data and persisted metadata into the effort of configuring pairing as endeavored for a classifier approach would yield benefits set forth with obviousness in reuse of knowledge base per claim 4; whereas extracting of regular expression from existing descriptive schema and a corresponding data type and format for effect of structuring paired command type and value would also yield benefits (see rationale of claim 7) addressing correctness on how a command type/element name and its data type should mutually comply, how the command-line element should look, in the sense that not only value/name pairing can be used to detect syntax violation, but how a given format (single value, range of values or character string) on basis of said element value can be also verified towards identifying a violation using Nguyen’s NN regression and classification-based detection of malware.
Claim 18 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Nguyen et al, USPubN: 2020/0327225 (herein Nguyen) in view of Hammond et al, USPubN: 2017/0213132 (herein Hammond) and Batmaz et al, USPubN: 2019/0303567 (herein Batmaz), further in view of Dubey et al, USPubN: 2018/0173698 (herein Dubey), Medlock et al, USPubN: 2017/0199664 (herein Medlock) and Gorelik, USPubN: 2017/0060894 (herein Gorelik)
As per claim 18, Nguyen does not explicitly disclose (device of claim 16), wherein the at least one processor is further configured to: 
associate a data type format for the inferred data type; and find the select one of the parameter values having a same data type as the inferred data type in the data type format.
Associating a data format from processing a descriptive schema in line with extraction of parameter values for the corresponding data type matching the regular expression that also identifies a format is shown in Gorelik, and this data type format has been deemed obvious in the rationale of claim 7.
Thus, instructions provided in Nguyen’s system to associate a data type format for the inferred data type; and find the select one of the parameter values having a same data type as the inferred data type in the data type format, would have been obvious for the same reasons set forth with claim 7. 
Allowable subject matter
Claims 11, 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims (e.g. claim 20), the subject matter being objected to as following:
(claim 11) method of claim 9, further comprising:
ranking the plurality of parameter values of the paired command and parameter in descending order of usage frequency; and
generating a regular expression that represents a highest-ranked data format of the parameter values of the paired command and parameter; and
using the regular expression to obtain a parameter value that matches the predicted data type.
(claim 19) device of claim 18, wherein the at least one processor is further configured to:
analyze frequency of occurrence of data type formats of a parameter from the parameter values;
generate a regular expression representing a data type format having a highest frequency; and
use the regular expression to find the select one of the parameter values having the same data type in the same data type format.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tuan A Vu whose telephone number is (571) 272-3735.  The examiner can normally be reached on 8AM-4:30PM/Mon-Fri.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Chat Do can be reached on (571)272-3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273-3735 (for non-official correspondence - please consult Examiner before using) or 571-273-8300 (for official correspondence) or redirected to customer service at 571-272-3609.
Any inquiry of a general nature or relating to the status of this application should be directed to the TC 2100 Group receptionist: 571-272-2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Tuan A Vu/
Primary Examiner, Art Unit 2193
July 02, 2022