Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action
This office action is responsive to the Amendment filed on 11 April 2022.  As directed by the Amendment, claims 1, 11, 19, and 20 have been amended, and claim 10 has been canceled.  Claims 1-9 and 11-20 are pending in the application.

Response to Arguments
The arguments presented on pages 8-10 of the Remarks filed on 11 April 2022 have been fully considered by the Examiner.  In the case of currently amended independent claim 20 and its added recitation that a number of exemplars is based on a spread of a cluster, the arguments are moot in view of the new grounds of rejection presented below.


Regarding amended independent claims 1 and 11, on page 9 of the Remarks, the Applicant states:


    PNG
    media_image1.png
    365
    724
    media_image1.png
    Greyscale


	The Examiner respectfully disagrees, and contends that the method of Hu is operable both to generate outliers when appropriate, and to use those outliers in a malware classification model.  Hu, § 6.2 “Prototype-Based Clustering,” paragraphs 2 and 4 teaches “Prototype-based clustering extracts a set of prototypes each of which serves as the representative for a small group.” […] Clustering with prototypes. Instead of working on the huge number of original data, the algorithm performs agglomerative hierarchical clustering only on the prototypes. Specifically, the algorithm starts with individual prototypes as singleton clusters, successively merges two closest clusters, and terminates when the distance between the closest clusters is larger than a predefined distance threshold Mind. Then, prototypes within the same cluster are assigned the same cluster label and subsequently propagate the label to their associated data points.”)

	The clustering algorithm of Hu begins with each of the prototypes as a “singleton cluster” (a cluster consisting of only one prototype).  Then, the method “successively merges the two closest clusters, and terminates when the distance between the closest clusters is larger than a predefined distance threshold Mind.”  Therefore, if at the end of a merging step, the remaining clusters (including one or more unmerged “singleton clusters”) are all a distance greater than Mind apart from each other, then the clustering algorithm terminates without merging those singleton clusters with any other clusters.  These singleton clusters that remain unmerged when the algorithm terminates based on their distances from all other prototypes in the set fairly read on the claimed term “outliers.”  

	Further, the method of Hu may use these singleton clusters in a malware classification models in the same manner that that merged clusters are used. (Hu, § 7.6 “Predicting Labels of Unknown Malware,” first two paragraphs, “Given any training set, MutantX-S creates a set of clusters Ci (i=0,1, . . . ,n). Each cluster has a label L(Ci) determined by the majority family labels of the constituent malware samples. Then MutantX-S determines the family label L(x j) of the new sample x j in the test month based on the label of the cluster that is closest to x j.” [The classifier system labels an unknown input file with the label of the cluster prototype that is closest to the feature vector for the input file.]
	The “cluster prototype that is closest to the feature vector for the input file” above may be a merged cluster of multiple prototypes, or it may be a singleton cluster (i.e. an outlier) that remained unmerged during Hu’s hierarchical agglomerative clustering algorithm as described above.  Specifically, the set of clusters Ci (i=0,1, . . . ,n) may contain both merged clusters and unmerged singleton clusters (outliers).
	

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-2, 6-9, 11-12, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Robinson (US 2013/0322760) (previously cited) in view of Hu, Xin et al., "MutantX-S: Scalable Malware Clustering Based on Static Features," 2013 USENIX Annual Technical Conference (USENIX ATC'13), June 26-28, 2013, San Jose, CA, hereinafter “Hu” (previously cited).

Regarding claim 1, Robinson discloses [a] computer-implemented method (Robinson, Fig. 4 showing the computing environment for the invention) comprising generating reduced dimensionality vectors from a plurality of original dimensionality vectors representing features in a plurality of samples, (Robinson, Fig. 1 HSI [Hyper-Spectral Imaging] data is dimensionally reduced at element 120 and used to create a “Normalized Reduced Dim HSI Cube” at element 130;
Robinson, ¶ [0021] “It may be appreciated that the method of clustering 100 may be configured to utilize basis vectors associated with the hyperspectral image data, and a dimensionally reduced configuration of the hyperspectral image data [corresponds to claimed “reduced dimensionality vectors”], to improve clustering of the pixels thereof.”)
the reduced dimensionality vectors having lower dimensionality than an original dimensionality of the plurality of original dimensionality vectors; (Robinson, ¶ [0021] “in one non-limiting embodiment, the hyperspectral image data may include approximately 256 spectral dimensions [corresponds to claimed “original dimensionality”], while the reduced dimensionality data may include approximately 15 spectral dimensions.” [corresponds to claimed “reduced dimensionality vectors”])
first determining a first plurality of clusters, the first determining comprising first applying a first clustering algorithm to the reduced dimensionality vectors; (Robinson, Fig. 1, element 170 “Iteratively Cluster DIMRED [i.e. DIMensionally REDuced] Vectors”;
Robinson, ¶ [0030] Having formed the initial cluster centers at 160, the method of clustering 100 may continue at 170 by iteratively clustering the reduced dimensionality vectors. Specifically, all pixels are assigned to a cluster, and the average values of all those pixels in each cluster are computed. The average then becomes the new center (as it is likely different than the initial average). The distance from each pixel to each new cluster center is then tested. If a pixel is closer to the center of a different cluster, it is reassigned to that cluster.” [Clusters of reduced dimensionality vectors are formed and re-formed iteratively.];
Robinson, ¶ [0009] “a stability condition may ultimately be reached, which signifies the end of the iterative process. For example, the cluster center may stop moving, or may move less than a certain distance. As another example, fewer than a certain percentage of pixels may change clusters from the past iteration. In still another example, each of the clusters may settle into a predetermined size or density range (e.g., the iterations end when clusters are not too small, too large, or insufficiently dense.” [The iterative process may continue until the clusters are in a predetermined size range.])
second determining a second plurality of clusters, […] the second determining comprising second applying a second clustering algorithm to original dimensionality vectors corresponding to the reduced dimensionality vectors in the first plurality of clusters; (Robinson Fig. 1 element 180 “Refine Clusters with full dimension data”;
Robinson, ¶ [0031] “As a "safety net" to ensure that all pixels are assigned to the correct cluster, once the iterative clustering at 170 is complete, the method of clustering 100 may continue at 180 by optionally refining the clusters with full dimension hyperspectral image data. In an embodiment, such refining may comprise replacing the dimensionally reduced pixels in each cluster with the original hyperspectral image data associated therewith.” [corresponds to claimed “applying a second clustering algorithm to original dimensionality vectors corresponding to the reduced dimensionality vectors”] 
the second plurality of clusters being smaller than the first plurality of clusters (Robinson, ¶ [0031] “the refining at 180 may utilize a separate set of termination conditions. For example, in an embodiment the refining at 180 may include only a single further iteration to incorporate the full dimension data (e.g., including the anomalies). In an embodiment, the refining at 180 may include a plurality of further iterations including the same. In some embodiments where the refining at 180 includes a plurality of further iterations, the number of further iterations may be user defined, or may utilize a stability condition to terminate, including but not limited to those described above.” [The second clustering in the refining process 180 may use a separate set of termination conditions, including a stability condition such as a predetermined cluster size as described above.  Accordingly, the method is operable to generate a refined plurality of clusters of original dimensionality data that is smaller than the first plurality of clusters of reduced dimensionality data.]

[…] wherein at least one of the generating, the first determining, the second determining, the adding, and the training is performed by at least one processor of at least one computing system. (Robinson, Fig. 4 and ¶ [0038] “FIG. 3 [sic] illustrates a high level block diagram of an exemplary computer system 360 which may be used to perform the method of clustering 100, and/or similar embodiments. […] . The main board has a system bus 390, connection ports 400, a processing unit, such as Central Processing Unit (CPU) 410, and a data storage device, such as main memory 420, storage drive 430, and optical drive 440.”)

	Robinson does not explicitly disclose and a plurality of outliers not forming part of one of the second plurality of clusters
-or-
adding at least one exemplar from each of at least a portion of the clusters of the second plurality of clusters to a training set; adding the plurality of outliers to the training set; and training a machine learning model for identifying a file containing malicious code, the training comprising use of the training set;

Hu teaches adding an exemplar from at least a portion of the clusters of the second plurality of clusters to a training set; (Hu, § 6.2 “Prototype-Based Clustering,” paragraphs 2 and 4, “Prototype-based clustering extracts a set of prototypes each of which serves as the representative for a small group.” […] Clustering with prototypes. Instead of working on the huge number of original data, the algorithm performs agglomerative hierarchical clustering only on the prototypes. Specifically, the algorithm starts with individual prototypes as singleton clusters, successively merges two closest clusters, and terminates when the distance between the closest clusters is larger than a predefined distance threshold Mind. Then, prototypes within the same cluster are assigned the same cluster label and subsequently propagate the label to their associated data points. Because each prototype is a good representation of its associated data points (all within a radius of Pmax), the algorithm avoids expensive distance computation between the original data points without too much loss in the overall accuracy.” [Each “prototype” serves as the representative for either itself (in the case of a prototype that was not merged with others) or a small group of prototypes and corresponds to the claimed “exemplar.”]
and a plurality of outliers not forming part of one of the second plurality of clusters (Hu, § 6.2 “Prototype-Based Clustering,” paragraphs 2 and 4 teaches “Prototype-based clustering extracts a set of prototypes each of which serves as the representative for a small group.” […] Clustering with prototypes. Instead of working on the huge number of original data, the algorithm performs agglomerative hierarchical clustering only on the prototypes. Specifically, the algorithm starts with individual prototypes as singleton clusters, successively merges two closest clusters, and terminates when the distance between the closest clusters is larger than a predefined distance threshold Mind. Then, prototypes within the same cluster are assigned the same cluster label and subsequently propagate the label to their associated data points.”) 
[The clustering algorithm of Hu begins with each of the prototypes as a “singleton cluster” (a cluster consisting of only one prototype).  Then, the method “successively merges the two closest clusters, and terminates when the distance between the closest clusters is larger than a predefined distance threshold Mind.”  Therefore, if at the end of a merging step, there remain one or more “singleton clusters” whose distance to the nearest merged cluster or other singleton clusters is greater than Mind, then the clustering algorithm terminates without merging those singleton clusters with any other clusters.  These singleton clusters that remain unmerged when the algorithm terminates based on their distances from all other prototypes in the set fairly read on the claimed term “outliers.”]
adding the plurality of outliers to the training set; and training a machine learning model for identifying a file containing malicious code, the training comprising use of the training set; (Hu, § 7.6 “Predicting Labels of Unknown Malware,” first two paragraphs, “So far, we have evaluated MutantX-S using the data set of known malware families. In a realistic scenario, e.g., in AV companies, MutantX-S is more likely to be used to analyze new incoming malware and predict their family labels. […] Next, we use these malware to simulate the process of determining the labels for new incoming samples. […] Given any training set, MutantX-S creates a set of clusters Ci (i=0,1, . . . ,n). Each cluster has a label L(Ci) determined by the majority family labels of the constituent malware samples. Then MutantX-S determines the family label L(x j) of the new sample x j in the test month based on the label of the cluster that is closest to x j.” [The system labels an unknown input file with the label of the cluster prototype that is closest to the feature vector for the input file. The “cluster prototype that is closest to the feature vector for the input file” above may be a merged cluster of multiple prototypes, or it may be a singleton cluster (i.e. an outlier) that remained unmerged during Hu’s hierarchical agglomerative clustering algorithm as described above.  Specifically, the set of clusters Ci (i=0,1, . . . ,n) may contain both merged clusters and unmerged singleton clusters (outliers).]

	Hu is analogous art, as it is in the field of clustering high-dimensionality data.
	It would have been obvious to one of ordinary skill in the art to combine the clustered low-dimensionality data and refined clusters of high-dimensionality data of Robinson with the static malware features, exemplar determination, and machine learning model training of Hu, the benefit being that identifying clusters, each with a center that represents a small number of data points, reduces computation time significantly, as recited by Hu at § 6.2 “Prototype-Based Clustering” “The key idea
of Prototype-based algorithm is to perform computation (e.g. clustering) only on the prototypes which are a small subset of original data points, thus reducing the computation time significantly.”

	Claim 11 recites similar limitations as claim 1 and is rejected under the same rationale as applied to claim 1 above.

	Regarding claim 2, the combination of references as applied to claim 1 above teaches [t]he method according to claim 1.  Further, Robinson discloses wherein the first and second clustering algorithms are the same. (Robinson, ¶ [0031] “As a "safety net" to ensure that all pixels are assigned to the correct cluster, once the iterative clustering at 170 is complete, the method of clustering 100 may continue at 180 by optionally refining the clusters with full dimension hyperspectral image data. In an embodiment, such refining may comprise replacing the dimensionally reduced pixels in each cluster with the original hyperspectral image data associated therewith. […] In some embodiments, the refining at 180 may utilize a separate set of termination conditions. For example, in an embodiment the refining at 180 may include only a single further iteration to incorporate the full dimension data (e.g., including the anomalies). In an embodiment, the refining at 180 may include a plurality of further iterations including the same.” [The refining using original dimensionality data uses the same iterative clustering as the initial clustering on reduced dimensionality data, although different termination conditions may be used.]

	Claim 12 recites similar limitations as claim 2 and is rejected under the same rationale as applied to claim 2 above.

	Regarding claim 6, the combination of references as applied to claim 1 above teaches [t]he method according to claim 1.  Further, Hu teaches wherein the adding further comprises selecting the exemplars corresponding to at least one of the following: a point in each cluster in the second plurality of clusters, a point approximately close to a center of a cluster in the second plurality of clusters, and a number of points in a cluster in the second plurality of cluster determined based on size of the cluster in the second plurality of clusters. (Hu, § 6.2 “Prototype-Based Clustering,” third paragraph “Prototype extraction: The quality of final clusters depends on the choice of the prototypes. Well-positioned prototypes can accurately capture the distribution of input data and allows creating accurate class boundaries in the feature space. […] During each iteration, the data point with the largest distance to existent prototypes is selected as the next prototype (the first prototype is selected randomly). The process repeats until the distance from all the data points to their nearest prototype is smaller than a predefined threshold Pmax, i.e., all the data points are located within a certain radius from their closest prototypes.”  [Each resultant cluster has one labeled prototype used as an exemplar in the model, as well as other data points within a predefined radius Pmax from the prototype.  Each prototype point corresponds to the claimed “a point in each cluster in the second plurality of clusters.”)

	Claim 16 recites similar limitations as claim 6, and is rejected under the same rationale as applied to claim 6 above.

	Regarding claim 7, the combination of references as applied to claim 6 above teaches [t]he method according to claim 6.  Further, Hu teaches wherein the cluster of the second plurality of clusters has a predetermined radius, wherein pairwise distances between points contained in the cluster of the second plurality of clusters are less than the predetermined radius. (Hu, § 6.2 “Prototype-Based Clustering,” third paragraph “During each iteration, the data point with the largest distance to existent prototypes is selected as the next prototype (the first prototype is selected randomly). The process repeats until the distance from all the data points to their nearest prototype is smaller than a predefined threshold Pmax, i.e., all the data points are located within a certain radius from their closest prototypes.” [Pmax corresponds to the claimed “predetermined radius,” and each data point and its corresponding prototype point (corresponds to claimed “points” are within the predetermined radius Pmax from each other]

	Claim 17 recites similar limitations as claim 7 and is rejected under the same rationale as applied to claim 7 above.

Regarding claim 8, the combination of references as applied to claim 6 above teaches [t]he method according to claim 6.  Further, Hu teaches wherein the cluster of the second plurality of clusters has a predetermined radius, wherein pairwise distances between some points contained in the cluster of the second plurality of clusters are greater than the predetermined radius (Hu, § 6.2 “Prototype-Based Clustering,” third paragraph “During each iteration, the data point with the largest distance to existent prototypes is selected as the next prototype (the first prototype is selected randomly). The process repeats until the distance from all the data points to their nearest prototype is smaller than a predefined threshold Pmax, i.e., all the data points are located within a certain radius from their closest prototypes.” [Pmax corresponds to the claimed “predetermined radius,” and although each point in the cluster must be within the Pmax radius from its corresponding prototype, two non-prototype data points in the same cluster (corresponding to claimed “some points”) may be separated by as much as twice the Pmax radius.]

	Claim 18 recites similar limitations as claim 8, and is rejected under the same rationale as applied to claim 8 above.

	Regarding claim 9, the combination of references as applied to claim 6 above teaches [t]he method according to claim 6.  Further, Hu teaches wherein the cluster of the second plurality of clusters has a predetermined minimum number of points. (Hu, § 6.2 “Prototype-Based Clustering,” second and third paragraph “Prototype-based clustering extracts a set of prototypes each of which serves as the representative for a small group. The remaining data points are associated with their closest prototype in the feature space. […] During each iteration, the data point with the largest distance to existent prototypes is selected as the next prototype (the first prototype is selected randomly). The process repeats until the distance from all the data points to their nearest prototype is smaller than a predefined threshold Pmax, i.e., all the data points are located within a certain radius from their closest prototypes.” [By the nature of the clustering algorithm, each prototype represents a small group, and each data point is associated with its nearest prototype and must be within Pmax distance of its prototype.  Thus, each cluster comprises a prototype point and at least one non-prototype data point, for a minimum of two points.]

	Claim 19 recites similar limitations as claim 9 [the additional limitation of claim 19 is presented in an alternative “and/or” fashion.]  Claim 19 is rejected under the same rationale as applied to claim 9 above.



Claims 3-5 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Robinson in view of Hu and further in view of Soni et al. (US 2018/0053097, hereinafter “Soni”) (previously cited).

Regarding claim 3, the combination of references as applied to claim 1 above teaches [t]he method according to claim 1.
The above combination does not explicitly teach where the generating of the reduced dimensionality vectors comprises applying a random projection to the original dimensionality vectors.
Soni teaches where the generating of the reduced dimensionality vectors comprises applying a random projection to the original dimensionality vectors (Soni, ¶ [0030] “The approach according to the present teaching benefits from a simple random projection based dimensionality reduction technique during training […] During training, the present teaching exploits the inherent sparsity in the label space by using random projections as a means to reduce the dimensionality of the label space. By the virtue of Restricted Isometry Property (RIP) which is satisfied by many random ensembles, the distances between the sparse label vectors are approximately preserved in the low-dimensional space.”)

Soni is analogous art, as it is in the field of artificial intelligence and is directed to the task of reducing the dimensionality of label vectors.
It would have been obvious to one of ordinary skill in the art to modify the feature vectors of Hu with the random projection of Soni, the benefit being that random projection is “simple” (Soni, ¶ [0030]) and that “the distances between the sparse label vectors are approximately preserved in the low-dimensional label space.” (Ibid.)

Claim 13 recites similar limitations as claim 3 and is rejected under the same rationale as applied to claim 3 above.

Regarding claim 4, the combination of references as applied to claim 3 above teaches [t]he method according to claim 3. Further, Soni teaches wherein the random projection approximately preserves all pairwise distances between the original dimensionality vectors (Soni, ¶ [0030] “The approach according to the present teaching benefits from a simple random projection based dimensionality reduction technique during training […] During training, the present teaching exploits the inherent sparsity in the label space by using random projections as a means to reduce the dimensionality of the label space. By the virtue of Restricted Isometry Property (RIP) which is satisfied by many random ensembles, the distances between the sparse label vectors are approximately preserved in the low-dimensional space.”) [The distances between the original-dimensionality vectors are approximately preserved when the dimensionality is reduced.]

Claim 14 recites similar limitations as claim 4 and is rejected under the same rationale as applied to claim 4 above.

Regarding claim 5, the combination of references as applied to claim 3 above teaches [t]he method according to claim 3. Further, Soni teaches wherein the random projection has a predetermined size (Soni, ¶ [0038] “Dimension reducer 310 is configured to perform a dimension reduction on the label space to generate a lower-dimensional label space. The lower-dimensional label space has the same dimension d representing the features but lower dimension L' representing the labels (L'<<L).”) [The dimension of the label space is reduced by lowering the dimension of the labels from L to L’, where L’ (corresponds to claimed “predetermined size”) is much less than L.]

Claim 15 recites similar limitations as claim 5 and is rejected under the same rationale as applied to claim 5 above.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Robinson in view of Hu and further in view of Luigi Grimaudo et al., “Self-Learning Classifier for Internet Traffic,” 5th IEEE International Traffic Monitoring and Analysis Workshop (TMA 2013), hereinafter “Grimaudo.”

	Regarding claim 20, Robinson discloses [a] computer program product comprising a non-transitory machine readable medium storing instructions (Robinson, ¶ [0037] “For example, the systems and methods for reducing dimensionality of hyperspectral images may be implemented as computer executable instructions stored on a non-transitory machine readable medium, which may be read and executed using one or more physically separate or communicatively coupled computer systems or other processing devices.”) that, when executed by one or more programmable processors, cause the one or more programmable processors (Robinson, Fig. 4 and ¶ [0038] “FIG. 3 [sic] illustrates a high level block diagram of an exemplary computer system 360 which may be used to perform the method of clustering 100, and/or similar embodiments. […] . The main board has a system bus 390, connection ports 400, a processing unit, such as Central Processing Unit (CPU) 410, and a data storage device, such as main memory 420, storage drive 430, and optical drive 440.”) to perform operations comprising: generating reduced dimensionality vectors from a plurality of original dimensionality vectors representing features in a plurality of samples, (Robinson, Fig. 1 HSI [Hyper-Spectral Imaging] data is dimensionally reduced at element 120 and used to create a “Normalized Reduced Dim HSI Cube” at element 130;
Robinson, ¶ [0021] “It may be appreciated that the method of clustering 100 may be configured to utilize basis vectors associated with the hyperspectral image data, and a dimensionally reduced configuration of the hyperspectral image data [corresponds to claimed “reduced dimensionality vectors”], to improve clustering of the pixels thereof.”)
the reduced dimensionality vectors having lower dimensionality than an original dimensionality of the plurality of original dimensionality vectors; (Robinson, ¶ [0021] “in one non-limiting embodiment, the hyperspectral image data may include approximately 256 spectral dimensions [corresponds to claimed “original dimensionality”], while the reduced dimensionality data may include approximately 15 spectral dimensions.” [corresponds to claimed “reduced dimensionality vectors”])
first determining a first plurality of clusters, the first determining comprising first applying a first clustering algorithm to the reduced dimensionality vectors; (Robinson, Fig. 1, element 170 “Iteratively Cluster DIMRED [i.e. DIMensionally REDuced] Vectors”;
Robinson, ¶ [0030] Having formed the initial cluster centers at 160, the method of clustering 100 may continue at 170 by iteratively clustering the reduced dimensionality vectors. Specifically, all pixels are assigned to a cluster, and the average values of all those pixels in each cluster are computed. The average then becomes the new center (as it is likely different than the initial average). The distance from each pixel to each new cluster center is then tested. If a pixel is closer to the center of a different cluster, it is reassigned to that cluster.” [Clusters of reduced dimensionality vectors are formed and re-formed iteratively.];
Robinson, ¶ [0009] “a stability condition may ultimately be reached, which signifies the end of the iterative process. For example, the cluster center may stop moving, or may move less than a certain distance. As another example, fewer than a certain percentage of pixels may change clusters from the past iteration. In still another example, each of the clusters may settle into a predetermined size or density range (e.g., the iterations end when clusters are not too small, too large, or insufficiently dense.” [The iterative process may continue until the clusters are in a predetermined size range.])
second determining a second plurality of clusters, the second determining comprising second applying a second clustering algorithm to original dimensionality vectors corresponding to the reduced dimensionality vectors in the first plurality of clusters; (Robinson Fig. 1 element 180 “Refine Clusters with full dimension data”;
Robinson, ¶ [0031] “As a "safety net" to ensure that all pixels are assigned to the correct cluster, once the iterative clustering at 170 is complete, the method of clustering 100 may continue at 180 by optionally refining the clusters with full dimension hyperspectral image data. In an embodiment, such refining may comprise replacing the dimensionally reduced pixels in each cluster with the original hyperspectral image data associated therewith.” [corresponds to claimed “applying a second clustering algorithm to original dimensionality vectors corresponding to the reduced dimensionality vectors”] 
the second plurality of clusters being smaller than the first plurality of clusters (Robinson, ¶ [0031] “the refining at 180 may utilize a separate set of termination conditions. For example, in an embodiment the refining at 180 may include only a single further iteration to incorporate the full dimension data (e.g., including the anomalies). In an embodiment, the refining at 180 may include a plurality of further iterations including the same. In some embodiments where the refining at 180 includes a plurality of further iterations, the number of further iterations may be user defined, or may utilize a stability condition to terminate, including but not limited to those described above.” [The second clustering in the refining process 180 may use a separate set of termination conditions, including a stability condition such as a predetermined cluster size as described above.  Accordingly, the method is operable to generate a refined plurality of clusters of original dimensionality data that is smaller than the first plurality of clusters of reduced dimensionality data.]

	Robinson does not explicitly disclose adding, from each cluster in the second plurality of clusters, a plurality of exemplars to a training set, […] and training a machine learning model for identifying a file containing malicious code, the training comprising use of the training set.

Hu teaches adding, from each cluster in the second plurality of clusters, a plurality of exemplars to a training set, […] and training a machine learning model for identifying a file containing malicious code, the training comprising use of the training set.; (Hu, § 7.6 “Predicting Labels of Unknown Malware,” first two paragraphs, “So far, we have evaluated MutantX-S using the data set of known malware families. In a realistic scenario, e.g., in AV companies, MutantX-S is more likely to be used to analyze new incoming malware and predict their family labels. […] Next, we use these malware to simulate the process of determining the labels for new incoming samples. […] Given any training set, MutantX-S creates a set of clusters Ci (i=0,1, . . . ,n). Each cluster has a label L(Ci) determined by the majority family labels of the constituent malware samples. Then MutantX-S determines the family label L(x j) of the new sample x j in the test month based on the label of the cluster that is closest to x j.” [The label of each cluster prototype acts as an exemplar, and the classifier of Hu labels an unknown input file with the label of the cluster prototype that is closest to the feature vector for the input file. The “cluster prototype that is closest to the feature vector for the input file” above may be a merged cluster of multiple prototypes, or it may be a singleton cluster (i.e. an outlier) that remained unmerged during Hu’s hierarchical agglomerative clustering algorithm as described above.  Specifically, the set of clusters Ci (i=0,1, . . . ,n) may contain both merged clusters and unmerged singleton clusters (outliers). Each “prototype” serves as the representative for either itself (in the case of a prototype that was not merged with others) or a small group of prototypes and corresponds to the claimed “exemplar.”]

	Hu is analogous art, as it is in the field of clustering high-dimensionality data.
	It would have been obvious to one of ordinary skill in the art to combine the clustered low-dimensionality data and refined clusters of high-dimensionality data of Robinson with the static malware features, exemplar determination, and machine learning model training of Hu, the benefit being that identifying clusters, each with a center that represents a small number of data points, reduces computation time significantly, as recited by Hu at § 6.2 “Prototype-Based Clustering” “The key idea
of Prototype-based algorithm is to perform computation (e.g. clustering) only on the prototypes which are a small subset of original data points, thus reducing the computation time significantly.”

	The combination of Robinson and Hu does not teach the number of exemplars from each cluster in the second plurality of clusters being proportional to a spread of each such cluster;
	Grimaudo teaches the number of exemplars from each cluster in the second plurality of clusters being proportional to a spread of each such cluster; (Grimaudo, pg. 3383 last paragraph – pg. 3384 first paragraph, “C - Self-seeding: Once some clusters have been labeled, SeLeCT is able to automatically reuse this information to process next batches. This is simply achieved by extracting some seeding flows from labeled clusters by means of the extractSeeds(C) procedure. To avoid the bias due to classes having much more flows than others (unbalanced classes), we support the adoption of a proportional sampling technique. Let numSeeds be the target number of seeding flows, i.e., numSeeds = ||NS||. For each labeled cluster I, a number of labeled flows proportional to the cluster size is extracted at random. That is ||I|| ||NS|| / ||C|| flows are randomly selected. This simple sampling process guarantees that all clusters will have a number of representatives  (corresponds to claimed “exemplars”) in NS that is proportional to the cluster size. This mechanism enforces a self training process that allows the system to grow the set of labeled data and thus augment the coverage of the classification process.”

	Grimaudo is analogous art, as it addresses the task of extracting representative samples from labeled clusters.
	It would have been obvious to one of ordinary skill in the art to incorporate the proportional sampling technique of Grimaudo into the clustering and exemplar extraction of Robinson and Hu, the benefit being that such proportional sampling avoids bias due to “unbalanced classes”, wherein some clusters have many more data points than other clusters, as cited by Grimaudo above (Grimaudo, pg. 3384 first paragraph “To avoid the bias due to classes having much more flows than others (unbalanced classes), we support the adoption of a proportional sampling technique.”)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT R GARDNER whose telephone number is (469)295-9128. The examiner can normally be reached 8:00am - 5:00pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J Lo can be reached on 571-272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SCOTT R GARDNER/Examiner, Art Unit 2126       
/ANN J LO/Supervisory Patent Examiner, Art Unit 2126