DETAILED CORRESPONDENCE
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This non final office action is in response to the Patent Application filed on 22 July 2019.  Claims 1-21 are pending and considered below.         

Claim Rejections - 35 USC § 101
	The instant invention has been considered and evaluated in accord with the 2019 PEG and the Examiner has determined that the invention is directed to a judicial exception and is further directed to a practical application and is therefore eligible under 35 USC 101.
	The instant invention is determined to be directed to a judicial exception related to mathematical concepts such as mathematical relationships, formula or equations, or mathematical calculations and as well is directed to a judicial exception related to mental processes such as concepts performed in the human mind including observation, evaluation, judgment, and opinion.
	The instant invention is further determined to be directed to a practical application related to the detection and identification of processing related objects related to computer processes occurring simultaneously and network related features during runtime by the implementation of a one hot encoded vector system which processes and interprets ongoing computing processes.  See for instance paragraphs [17]-[22] of the written description.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (20200314117) in view of Li et al. (20200159534).

Claims 1, 8, and 15:	Nguyen discloses a method, computer readable medium, and system comprising: 
receiving, by a computer system, a name of a computing process and context information pertaining to the computing process ([89 “command line “whoami” may occur exactly twice in classification training data: a first time in association with a clean event 126, and a second time in association with a dirty event,” 144 “ fields can include, but are not limited to, timestamps, filenames, filehandles, userids (e.g., Windows SIDs), groupids, process identifiers, session identifiers, process command lines, command-line histories, universally unique identifiers (UUIDs), operating-system identifiers, e.g., from uname(1), permissions, access-control lists (ACLs), login types (e.g., with or without secure attention sequence), timestamps, blocks of data (e.g., headers or full contents of files or of regions of memory), hashes of data (e.g., of the blocks of data, such as file contents), IP or other network addresses (e.g., of computing device 104 or peers with which it is communicating or is attempting to communicate),” 145, 147, 148 “the at least two command lines (in command-line text 310) associated with the event 302 can include command lines of first, second, and third processes. The first process can be a process that triggered the event 302. The second process can be a parent process of the first process. The third process can be a parent process of the second process,”]); 
generating, by the computer system, a vector representation of the computing process based on the weight values, the vector representation encoding the context information ([150 “representation subsystem 244 can determine a respective event vector 316, 318 for each event 302, 304 of the plurality of events. Each event vector 316, 318 can be determined based at least in part on at least a portion of (e.g., all of) the respective command-line record,” 151 “representation mapping 320 can be the fixed portion (e.g., weights after the hidden layer) of the parameters of the trained doc2vec model,”]); and
performing, by the computer system, one or more analyses using the vector representation of the computing process ([150 “representation subsystem 244 can determine a respective event vector 316, 318 for each event 302, 304 of the plurality of events. Each event vector 316, 318 can be determined based at least in part on at least a portion of (e.g., all of) the respective command-line record,” 151 “representation mapping 320 can be the fixed portion (e.g., weights after the hidden layer) of the parameters of the trained doc2vec model,” 152]).  
Nguyen discloses the implementation of named computing processes and relevant context, but Nguyen does not explicitly disclose, however Li discloses:
training, by the computer system, a neural network based on the name and the context information, the training resulting in determination of weight values for one or more hidden layers of the neural network ([164 “logic 1600 to train a one-hot neural network,” 165, 166 “approximation can be performed based on the equations described herein, such that an approximated weight q.sub.i in approximated one-hot weight matrix Q can be determined by solving for a sign bit (b=sign(w.sub.i)),” 167, 168, 199 “predict an upcoming word given a previous sequence of words,” Fig. 16, Table 1]);
Therefore it would be obvious for Nguyen to train a neural network based on the name and the context information, the training resulting in determination of weight values for one or more hidden layers of the neural network as per the steps of Li in order to more precisely implement a one-hot based neural network functionality system and result in simplified calculations. (See Li [29])

Claims 2, 9, and 16:	Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 1, 8, and 15 above, and Nguyen further discloses wherein the context information comprises a relationship between the computing process and one or more other computing processes ([118 “notifications of the occurrence or non-occurrence of certain events, such as file creates, reads, and writes, and loading executables,” 120 “detection module 224 (e.g., running at a monitored computing device 104 or in cluster 106) can build and maintain a model representing chains of execution activities and genealogies of processes. This model can be used to track attributes, behaviors, or patterns of processes executing on the computing device,” 121]).  

Claims 3, 10, and 17:	Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 1, 8, and 15 above, and Nguyen further discloses wherein the context information comprises a relationship between the computing process and one or more features of a machine on which the computing process runs ([144 “event record 240, or any other record described herein, can include one or more fields , each of which can have a name or other identifier, and each of which can include or be associated with one or more values. For example, event record 240 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees, associative arrays, or other forms of tagged or key-value storage. Examples of fields can include, but are not limited to, timestamps, filenames, filehandles, userids (e.g., Windows SIDs), groupids, process identifiers, session identifiers, process command lines, command-line histories, universally unique identifiers (UUIDs), operating-system identifiers,” 145, 146]).

Claims 4, 11, and 18:	Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 1, 8, and 15 above, and Nguyen further discloses wherein the context information comprises information regarding one or more functions performed by the computing process during its runtime ([144-146]).  

Claims 5, 12, and 19:		Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 1, 8, and 15 above, and Nguyen further discloses wherein training the neural network comprises: 
creating a one-hot-encoded vector for the computing process ([95, 153 “word2vec-based x2vec representation mapping 320 comprises the coefficients of the hidden layer, and maps terms, e.g. in a one-hot encoding of the corpus, to term representations, e.g., vectors of numbers,”]); 
creating one-hot-encoded vectors for context-related objects of the computing process, the context-related objects being determined from the context information ([150 “representation subsystem 244 can determine a respective event vector 316, 318 for each event 302, 304 of the plurality of events,” 151, 152, 153 “word2vec-based x2vec representation mapping 320 comprises the coefficients of the hidden layer, and maps terms, e.g. in a one-hot encoding of the corpus, to term representations, e.g., vectors of numbers,” 154-157]); 
Nguyen discloses the creation of one-hot encoded vectors, but Nguyen does not explicitly disclose, however Li discloses:
setting the one-hot-encoded vector for the computing process as an input of the neural network ([162 “layers of neural network a neural network 1500 suitable for one-hot weight quantization, according to an embodiment. In one embodiment the neural network 1500 includes input values x of an input layer 1502 and output values y of an output layer,”]); 
setting the one-hot-encoded vectors for the context-related objects as outputs of the neural network ([162 “layers of neural network a neural network 1500 suitable for one-hot weight quantization, according to an embodiment. In one embodiment the neural network 1500 includes input values x of an input layer 1502 and output values y of an output layer,”]); and 
training the neural network to determine the weight values for the one or more hidden layers in a manner that predicts the outputs from the input ([165 “logic 1600 can initialize the weights in weight matrix W to within the range [−1, 1]. The initial weights may be an initial set of random weights within the range [−1,1] or can be trained or pre-trained weight data that is quantized into the range [−1,1],” 166, 167, 168, Table 4]).
Therefore it would be obvious for Nguyen to set the one-hot-encoded vector for the computing process as an input of the neural network; setting the one-hot-encoded vectors for the context-related objects as outputs of the neural network; and training the neural network to determine the weight values for the one or more hidden layers in a manner that predicts the outputs from the input as per the steps of Li in order to more precisely implement a one-hot based neural network functionality system in accordance with weights for hidden layers and result in simplified calculations. (See Li [29])

Claims 6, 13, and 20:	Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 5, 12, and 19 above, and Nguyen further discloses wherein the context-related objects are other computing processes that are determined to co-occur with the computing process ([144, 145 “event record 240 can include information about a process that is currently running on the computing device 104, or that has previously run on the computing device 104. In some examples, an event record 240 can include information about at least one currently-running process and at least one related process (e.g., still running or already terminated),” 146-148]).  

Claims 7, 14, and 21:	Nguyen in view of Li discloses a method, computer readable medium, and system as for claims 1, 8, and 15 above, and Nguyen further discloses wherein the one or more analyses include determining whether the computing process is similar to one or more other computing processes by calculating similarity scores between the vector representation of the computing process and vector representations of the one or more other computing processes ([153 “x2vec representation mapping 320 comprises at least some of the coefficients of the hidden layer or of portions of the model after the hidden layer. For example, in a skip-gram word2vec mapping, the model is trained to predict the probability that a pair of terms in a corpus will occur within a certain number of terms of each other. A word2vec-based x2vec representation mapping 320 comprises the coefficients of the hidden layer, and maps terms, e.g. in a one-hot encoding of the corpus, to term representations, e.g., vectors of numbers. In some examples of x2vec mapping 320, two terms have relatively more similar term representations if they occur together relatively more commonly than if they occur together relatively less commonly,” 154, 155, 157]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Please see attached References Cited form 892
See Nguyen et al. (20200327225) for disclosures related to the implementation of one-hot event occurrences related to the management and processing of processes and terms during security related events.  See at least paras. [98]-[109]
See Kelly et al. (20200242506) for disclosures related to the implementation of a variety of techniques including one-hot encoded vectors to detect data abnormalities. See at least paras. [79]-[88]
See Xu et al. (20200065616) for disclosures related to the detection of unsupervised exception access detection with the implementation of one-hot encoding mechanisms.  See at least paras. [58]-[77].
See Highnam et al. (10,496,924) for disclosures related to the detection of dictionary domain names using deep learning models including one-hot data representations.  See at least paras. 7:31-67
See Wolf (20190265955) for disclosures related to the comparison of data sequences by a variety of techniques including one-hot or zero-hot techniques.  See at least paras. [67]-[79]
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Stoltenberg whose telephone number is (571) 270-3472. 
The examiner can normally be reached on Monday-Friday 8:30AM to 5:00PM EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Waseem Ashraf, can be reached on (571) 270-3948.  The fax phone number for the organization where this application or proceeding is assigned is (571)-273-8300, or the examiner’s direct fax phone number is 571 270 4472.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published application may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center at (866) 217-9197 (toll free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/DAVID J STOLTENBERG/
Primary Examiner, Art Unit 3682