DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-19 are pending in this application.
IDS submitted on 4/21/2020 and 11/01/2021 have been considered.
Claim Objections
Claims 6 and 15 are objected to because of the following:
Claims 6 and 15 recite “a the amount of time” in the last line of the claims, which should be written as “the amount of time”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 6, 9, 10, 13, 15, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US 2018/0063181 A1) (hereinafter, “Jones”) in view of Powers et al. (US 11,010,472 B1) (hereinafter, “Powers”).

As to claim 1, Jones discloses a computer system comprising at least one hardware processor (fig. 7, item 706, [0077]) configured to: 
execute a behavior analyzer to determine whether a software entity is malicious (“The threat analysis system may obtain the collected information from the threat analysis tool and identify malware through the analysis of threat indicators present in the collected system information. For example, the system may perform a signature analysis of files and configuration settings of the system information as well as perform a behavioral analysis to track behavior of the system over time and identify changes in configuration settings and system performance over time.” -e.g. see, [0016], see also, [0033], [0104]); 
in response to executing the behavior analyzer, when the behavioral analyzer indicates that the software entity is not malicious, determine that the software entity is not malicious (“The behavioral analysis may compare and disregard the information that does not change between scans. Accordingly, the threat analysis system may compare the collected system data set for the collected system information to previously stored historical collected system data sets for each computing system and remove any identical system data that matches one or more of the previously stored historical system data sets. Accordingly, the remaining system information in the system data set associated with the computing system may include the changes between scans of the computing system.” -e.g. see, [0103]; herein, the behavioral analysis identifies the software entity is not malicious by disregarding the information when the collected system data set matches the previously stored historical collected system data sets; see also, [0016], [0033], [0105]); 
in response to executing the behavior analyzer, when the behavioral analyzer indicates that the software entity is malicious, execute a memory analyzer to determine whether the software entity is malicious (“The threat analysis system obtains the collected information, analyzes the collected information for known threats, indicators of compromise, threatening behavior, and known vulnerabilities, and generates alerts regarding known and potential threats for further analysis and mediation. If potential threats are identified, the threat analysis software tool may include or the system may deploy a memory analysis module that performs a deeper analysis of the potentially compromised/infected computer to obtain more information about the potential threat …” -e.g. see, [0013], see also: “Accordingly, if the tool is designed for another deployment, the method may start back over and the incident-response module based threat analysis tool may be deployed to the enterprise computing systems as described in step 306 above. The process may continue to identify any potential threats and perform the memory analysis if a potential threat is identified.” -e.g. see, [0090], see also, [0044]); 
in response to executing the memory analyzer, when the memory analyzer indicates that the software entity is malicious, determine that the software entity is malicious (“… the memory information that is collected from the computing system may indicate that a real threat exists based on the known threat indicators. Further, an alert may be sent to an analyst that may perform a forensic analysis of the system information, the identified computing system, and/or the memory information that is obtained from the identified computing system and the analyst may confirm that a real threat exists. Either way, the threat analysis system may receive confirmation that at least one of the one or more identified potential threats indicates a real threat and may update the threat indicator database to include the system information associated with the real threat.” -e.g. see, [0109], see also, [0088]); and 
in response to executing the memory analyzer, when the memory analyzer indicates that the software entity is not malicious, determine that the software entity is not malicious (“At step 322, the threat analysis system retrieves the collected memory data and analyzes the memory data associated with the identified computing systems for real threats. The threat analysis may be similar to those methods described herein related to the system information. For example, the memory data may be analyzed for known threat indicators, hash signatures of the memory or a portion of the memory, and/or may be delivered to an analyst for further investigation and forensic study to identify potential threats. If any of the threats are identified from the memory information using the similar techniques described above in reference to the system information analysis, a memory threat report may be generated that includes one or more identified real threats and the corresponding relevant information automatically provided to an analyst to allow the analyst to remediate the threat.” -e.g. see, [0088], see also, [0061], [0109]; herein, software entity may or may not be malicious based on analyzing the memory data); 
wherein: the behavior analyzer … configured to: receive … event indicators, each event indicator characterizing a distinct event caused by an execution of the software entity, …, and determine whether the software entity is malicious according to the sequence of event indicators (“… the threat analysis system compares the operating system information and/or differences between scans of file names, hash signatures of a file, file sizes, directory paths of files changing, and any other information associated with the configuration or the files present on the computing system.” -e.g. see, [0104]; see also: “… upon an event (e.g., along with system updates deliveries delivered to the enterprise computers), the tool may be re-deployed to the computing systems. Accordingly, if the tool is designed for another deployment, the method may start back over and the incident-response module based threat analysis tool may be deployed to the enterprise computing systems as described in step 306 above. The process may continue to identify any potential threats and perform the memory analysis if a potential threat is identified.” -e.g. see, [0090]; herein, an event and system updates deliveries are considered as occurrence of each distinct event); and 
the memory analyzer … configured to: receive a sequence of token indicators, each token indicator characterizing a distinct character string token extracted from a memory snapshot of the software entity, the sequence of token indicators ordered according to a memory location of each respective character string token, and determine whether the software entity is malicious according to the sequence of token indicators (“In some embodiments, a tool may be configured to obtain a memory dump or core dump of a snapshot of the memory 134A-C at any given time. Accordingly, the memory 134A-C may be accessible by the tool operating on the enterprise computing system and may be used to collect and transmit the volatile system information to a secure data collection system for analysis.” -e.g. see, [0043]; herein, “obtaining a memory dump or core dump of a snapshot of the memory” are considered as sequence of token indicators ordered according to a memory location; Further to clarify: “… the threat analysis system retrieves the collected memory data and analyzes the memory data associated with the identified computing systems for real threats. The threat analysis may be similar to those methods described herein related to the system information. For example, the memory data may be analyzed for known threat indicators, hash signatures of the memory or a portion of the memory” -e.g. see, [0088]; herein, “hash signatures of the memory” is equivalent to the sequence of token indicators).
Jones doesn’t explicitly disclose wherein: the behavior analyzer comprises a first neural network configured to: receive a sequence of event indicators, the sequence of event indicators ordered according to a time of occurrence of each distinct event; the memory analyzer comprises a second neural network.
However, Powers discloses wherein: the behavior analyzer comprises a first neural network (“The computer 102 may apply the neural networks to malware detection to achieve high detection accuracy for zero-day malware.” -e.g. see, Powers: col. 4, lines 35-47; see also, col. 4, lines 15-34; herein, the computer 102 may learn to distinguish malware based on data points such as typical non-malicious software behavior, legitimate versus illegitimate data flow, and suspicious interactions or network traffic outside of the normal range of behavior. The computer 102 may determine a suspicion score that determines categorization as safe or malicious based on reaching a particular threshold.) configured to: receive a sequence of event indicators, the sequence of event indicators ordered according to a time of occurrence of each distinct event and determine whether the software entity is malicious according to the sequence of event indicators (“…the computer 102 may apply dynamic analysis to the executable files 122 by using binary instrumentation 128. For dynamic analysis, the computer 102 may capture system call sequences (the sequence of the process's interaction with the operating system and the environment) from individual processes and apply machine learning, in real time or near real time, to the sequences.” -e.g. see, Powers: col. 5, lines 12-30, see also, col. 4, lines 15-34); the memory analyzer comprises a second neural network (“The computer 102 may apply the neural networks to malware detection to achieve high detection accuracy for zero-day malware.” -e.g. see, Powers: col. 4, lines 35-47; see also, col. 4, lines 15-34; furthermore: “The computer may also apply machine learning to the contents of memory pages in order to discover memory-only malware and malware that uses polymorphism, packing, encryption, and other file obfuscation techniques. 
In addition, the computer 102 may apply dynamic analysis to the executable files 122 by using binary instrumentation 128. For dynamic analysis, the computer 102 may capture system call sequences (the sequence of the process's interaction with the operating system and the environment) from individual processes and apply machine learning, in real time or near real time, to the sequences.” -e.g. see, Powers: col. 5, lines 11-30).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones with the teaching of Powers to include wherein: the behavior analyzer comprises a first neural network configured to: receive a sequence of event indicators, the sequence of event indicators ordered according to a time of occurrence of each distinct event; the memory analyzer comprises a second neural network in order to accurately detect malware by analysis of the unanimous consequences of all malware on infected systems to detect and protect against zero-day exploits.
As to claims 10 and 19, these are rejected using the similar rationale as for the rejection of claim 1.

As to claim 4, the combination of Jones and Powers discloses wherein the at least one hardware processor is further configured to extract the memory snapshot in response to executing the behavior analyzer, when the behavioral analyzer indicates that the software entity is malicious, wherein extracting the memory snapshot comprises: identifying a memory page within a memory of the computer system according to whether the memory page is used by the software entity; and copying a set of data from the memory page into the memory snapshot (Jones: “In some embodiments, a tool may be configured to obtain a memory dump or core dump of a snapshot of the memory 134A-C at any given time. Accordingly, the memory 134A-C may be accessible by the tool operating on the enterprise computing system and may be used to collect and transmit the volatile system information to a secure data collection system for analysis.” -e.g. see, Jones: [0043]; see also, [0088], [0090]).
As to claim 13, it is rejected using the similar rationale as for the rejection of claim 4.

As to claim 6, the combination of Jones and Powers discloses wherein the at least one hardware processor is further configured to construct the sequence of event indicators in preparation for executing the behavior analyzer, and wherein constructing the sequence of event indicators comprises: determining an amount of time elapsed between a start of the execution of the software entity and the time of occurrence of the each distinct event; and determine whether to include the each event indicator characterizing the each distinct event into the sequence of event indicators according to the amount of time (Powers: “…the computer 102 may apply dynamic analysis to the executable files 122 by using binary instrumentation 128. For dynamic analysis, the computer 102 may capture system call sequences (the sequence of the process's interaction with the operating system and the environment) from individual processes and apply machine learning, in real time or near real time, to the sequences.” -e.g. see, Powers: col. 5, lines 12-30; see also, Powers: “…wherein the binary instrumentation techniques comprise analyzing behavior of the plurality of computer program files at runtime through injection of an instrumentation code; train a second machine learning model detecting malicious inputs based on a dataset of non-executable portions of the plurality of computer program files by applying the static analysis and the dynamic analysis using the binary instrumentation techniques; and identify a malicious portion within an input file using the first and second machine learning models.” -e.g. see, Powers: col. 2, lines 42-56).
As to claim 15, it is rejected using the similar rationale as for the rejection of claim 6.
As to claim 9, Jones discloses wherein the each event indicator is determined according to a pre-determined event vocabulary, each member of the event vocabulary characterized by a tuple consisting of an event type co-occurring with at least another event feature (“For example, after a predetermined amount of time has elapsed (e.g., every 24 hours) or upon an event (e.g., along with system updates deliveries delivered to the enterprise computers), the tool may be re-deployed to the computing systems. Accordingly, if the tool is designed for another deployment, the method may start back over and the incident-response module based threat analysis tool may be deployed to the enterprise computing systems as described in step 306 above. The process may continue to identify any potential threats and perform the memory analysis if a potential threat is identified.” -e.g. see, Jones: [0090]; herein, “system updates deliveries” is a pre-determined event vocabulary).
As to claim 18, it is rejected using the similar rationale as for the rejection of claim 9.


Claims 2-3 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Jones in view of Powers and further in view of Chen et al. (US 2020/0089556 A1) (hereinafter, “Chen”).

As to claim 2, neither Jones nor Powers explicitly discloses wherein the first neural network comprises a recurrent neural network.
However, in an analogous art, Chen discloses wherein the first neural network comprises a recurrent neural network (“Deep embedding features extraction 530 can utilize variants of recurrent neural network (e.g., gated recurrent unit (GRU) and long short-term memory (LSTM), etc.) to build an architecture that performs label prediction. In this architecture, the vector representations serving as input to the classification layer are embedding of devices. Embedding of devices refers to converting data to a feature representation where certain properties associated with the devices can be represented by (for example, notions of, relative, etc.) distance. Classification is the process of predicting the class of given data points.” -e.g. see, Chen: [0063]; see also, Chen: [0045]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones and Powers with the teaching of Chen to include wherein the first neural network comprises a recurrent neural network in order to accurately detect malware by training and analyzing of sequential data in an efficient manner.
  
As to claim 11, it is rejected using the similar rationale as for the rejection of claim 2.

As to claim 3, neither Jones nor Powers explicitly discloses wherein the first neural network comprises a convolutional neural network.
However, in an analogous art, Chen discloses wherein the first neural network comprises a convolutional neural network (“There exist different neural network structures as well, such as convolutional neural network, maxout network, etc. Finally, a set of output neurons 106 accepts and processes weighted input from the last set of hidden neurons 104.” -e.g. see, Chen: [0024], see also, Chen: [0033], [0045]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones and Powers with the teaching of Chen to include wherein the first neural network comprises a convolutional neural network in order to detect malware faster and automatically by training and analyzing sequential data in an efficient manner.

As to claim 12, it is rejected using the similar rationale as for the rejection of claim 3.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Jones in view of Powers and further in view of Talagala et al. (US 2014/0089264 A1) (hereinafter, “Talagala”).

As to claim 5, neither Jones nor Powers explicitly discloses wherein extracting the memory snapshot comprises: identifying a first memory page within a memory of the computer system according to whether the first memory page currently stores header metadata of an executable file of the software entity; identifying a second memory page within the memory according to the metadata; and copying a set of data from the second memory page into the memory snapshot.
However, Talagala discloses wherein extracting the memory snapshot comprises: identifying a first memory page within a memory of the computer system according to whether the first memory page currently stores header metadata of an executable file of the software entity; identifying a second memory page within the memory according to the metadata; and copying a set of data from the second memory page into the memory snapshot (“The temporal order module 402, in certain embodiments, may maintain validity metadata, such as validity bitmaps or the like, for one or more different epochs, snapshots, clones, or the like of data. For a temporal range of data written during the course of an epoch, the non-volatile memory controller 124, the non-volatile memory media controller 126, the SML 130, or the like may modify and maintain validity metadata, logical-to-physical mappings, or other metadata as part of the metadata 135 as described above. In response to initializing or creating a new epoch, snapshot, clone or the like, in one embodiment, a state of the validity bitmap or other validity metadata may correspond to a current state of the non-volatile memory device 120 and the temporal order module 402 may preserve the validity bitmap or other validity metadata, such that the snapshot interface module 404 may determine which data is valid in the previous epoch, snapshot, clone, or the like.” -Talagala: [0136]; see also, [0097], [0139]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones and Powers with the teaching of Talagala to include wherein extracting the memory snapshot comprises: identifying a first memory page within a memory of the computer system according to whether the first memory page currently stores header metadata of an executable file of the software entity; identifying a second memory page within the memory according to the metadata; and copying a set of data from the second memory page into the memory snapshot in order to help improve the information that is available to debuggers, and thus will tend to improve the function of debugger computer systems by facilitating the mediation and eradication of their bugs and anomalies.

As to claim 14, it is rejected using the similar rationale as for the rejection of claim 5.


Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Jones in view of Powers and further in view of Coskun et al. (US 11,374,952 B1) (hereinafter, “Coskun”).

As to claim 7, neither Jones nor Powers explicitly discloses wherein the at least one hardware processor is further configured to construct the sequence of event indicators in preparation for executing the behavior analyzer, and wherein constructing the sequence of event indicators comprises: identifying a plurality of events occurring within a pre-determined time interval during the execution of the software entity; ordering the plurality of events according to occurrence time to produce an ordered sequence; in response to determining a count of the plurality of events, when the count exceeds a pre-determined threshold, include in the sequence of event indicators a first set of indicators characterizing events belonging to a beginning of the ordered sequence, and a second set of indicators characterizing events belonging to an end of the ordered sequence.
However, in an analogous art, Coskun discloses wherein the at least one hardware processor is further configured to construct the sequence of event indicators in preparation for executing the behavior analyzer, and wherein constructing the sequence of event indicators comprises: identifying a plurality of events occurring within a pre-determined time interval during the execution of the software entity; ordering the plurality of events according to occurrence time to produce an ordered sequence; in response to determining a count of the plurality of events, when the count exceeds a pre-determined threshold, include in the sequence of event indicators a first set of indicators characterizing events belonging to a beginning of the ordered sequence, and a second set of indicators characterizing events belonging to an end of the ordered sequence (“Generally, some amount of anomalous events may be expected to occur for each user of computing resources 140 in computing environment 100 during typical operations within the computing environment 100. However, a spike or other abnormality in the number of anomalous events detected for a given user within a given time period may be indicative of illegitimate activity being generated by a user of computing environment 100 (e.g., due to compromised credentials allowing other persons to impersonate a user, malware programmed to hijack a user's cloud computing instances, etc.). To determine whether the rate at which anomalous activity is generated for a user is within an expected amount for a given window of time, request processor 112 may maintain a counter that tracks a number of potentially anomalous events generated by each user of the computing environment 100 over the window of time. 
If the counter tracking events flagged as potentially anomalous by request anomaly detector 114 exceeds a threshold number of events over a time window, request processor 112 may take one or more actions to verify that the user has not been compromised and, if so, take one or more actions to rectify any compromise of user credentials or otherwise attempt to reduce the occurrence of potentially anomalous activity generated by the user.” -e.g. see, Coskun: col. 5, lines 5-28).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones and Powers with the teaching of Coskun to include wherein the at least one hardware processor is further configured to construct the sequence of event indicators in preparation for executing the behavior analyzer, and wherein constructing the sequence of event indicators comprises: identifying a plurality of events occurring within a pre-determined time interval during the execution of the software entity; ordering the plurality of events according to occurrence time to produce an ordered sequence; in response to determining a count of the plurality of events, when the count exceeds a pre-determined threshold, include in the sequence of event indicators a first set of indicators characterizing events belonging to a beginning of the ordered sequence, and a second set of indicators characterizing events belonging to an end of the ordered sequence in order to identify potentially anomalous events based on reconstructions of these events through the autoencoders and to take action to respond to such potentially anomalous events.
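The event-sequence construction recited in claims 6, 7 and 9 above (elapsed-time filtering from the start of execution, ordering by occurrence time, head/tail truncation when the event count exceeds a threshold, and an event vocabulary of (event type, co-occurring feature) tuples) is illustrated below as an added example; it is not code from the application, the cited references or this Office action, and the event types, feature values, vocabulary and thresholds are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One distinct event caused by executing the monitored software entity."""
    etype: str      # event type, e.g. "file_write" (constructed)
    feature: str    # co-occurring feature, e.g. a file extension or port (constructed)
    time: float     # occurrence time, seconds on the monitor's clock


# Pre-determined event vocabulary (claim 9): each member is a tuple of an event
# type and a co-occurring feature, mapped to an integer event indicator.
# Hypothetical entries, constructed for this example.
VOCAB: Dict[Tuple[str, str], int] = {
    ("proc_create", "cmd.exe"): 1,
    ("file_write", ".exe"): 2,
    ("reg_set", "Run"): 3,
    ("net_connect", "443"): 4,
    ("file_read", ".txt"): 5,
}
UNKNOWN = 0  # indicator for (type, feature) tuples outside the vocabulary


def encode(event: Event) -> int:
    """Map an event to its indicator via the vocabulary (claim 9)."""
    return VOCAB.get((event.etype, event.feature), UNKNOWN)


def build_sequence(events: List[Event], start: float = 0.0, max_elapsed: float = 60.0,
                   threshold: int = 5, head: int = 2, tail: int = 2) -> List[int]:
    """Construct the sequence of event indicators fed to the behavior analyzer.

    claim 6: include an event only if the time elapsed since the start of
             execution is within [0, max_elapsed];
    claim 7: order the remaining events by occurrence time and, when their
             count exceeds `threshold`, keep only the first `head` and the
             last `tail` indicators of the ordered sequence.
    """
    # Claim 6: decide inclusion from the elapsed time since execution started.
    in_window = [e for e in events if 0.0 <= e.time - start <= max_elapsed]
    # Claim 7: order by occurrence time to produce the ordered sequence.
    ordered = sorted(in_window, key=lambda e: e.time)
    count = len(ordered)
    # Claim 7: truncate to beginning + end when the count exceeds the threshold.
    # Edge case: if head + tail would already cover the sequence, keep it whole
    # rather than duplicating events that sit in both ranges.
    if count > threshold and head + tail < count:
        ordered = ordered[:head] + ordered[count - tail:]
    return [encode(e) for e in ordered]


# Constructed sample trace; deliberately out of time order, with one event that
# is not in the vocabulary and one that falls outside the 60 s window.
SAMPLE_EVENTS: List[Event] = [
    Event("net_connect", "443", 12.0),
    Event("proc_create", "cmd.exe", 0.5),
    Event("file_write", ".exe", 3.0),
    Event("file_read", ".txt", 7.5),
    Event("reg_set", "Run", 20.0),
    Event("file_read", ".txt", 9.0),
    Event("net_connect", "8080", 15.0),   # not in VOCAB -> UNKNOWN (0)
    Event("file_write", ".exe", 95.0),    # beyond max_elapsed -> dropped
]


if __name__ == "__main__":
    # 7 events survive the window; 7 > 5, so keep 2 from the start, 2 from the end.
    print(build_sequence(SAMPLE_EVENTS))                # [1, 2, 0, 3]
    # With a higher threshold no truncation happens and the full sequence is kept.
    print(build_sequence(SAMPLE_EVENTS, threshold=10))  # [1, 2, 5, 5, 4, 0, 3]
```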

As to claim 16, it is rejected using the similar rationale as for the rejection of claim 7.

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Jones in view of Powers and further in view of Smith et al. (US 2020/0097389 A1) (hereinafter, “Smith”).

As to claim 8, neither Jones nor Powers explicitly discloses wherein the at least one hardware processor is further configured to employ a trained event encoder to produce the each event indicator, wherein training the event encoder comprises: coupling the event encoder to an event decoder, the encoder-decoder pair configured to receive a first subset of a training event sequence and to output a predicted subset of events; and adjusting a set of parameters of the event encoder according to a difference between the predicted subset of events and a second subset of the training event sequence.
However, in an analogous art, Smith discloses wherein the at least one hardware processor is further configured to employ a trained event encoder to produce the each event indicator, wherein training the event encoder comprises: coupling the event encoder to an event decoder, the encoder-decoder pair configured to receive a first subset of a training event sequence and to output a predicted subset of events (“The sequence to sequence model may be trained by inputting the training code sample to the first encoder model to create a first embedding vector. The first embedding vector may be input to the decoder model to create a code output result.” -e.g. see, Smith: [0064]); and adjusting a set of parameters of the event encoder according to a difference between the predicted subset of events and a second subset of the training event sequence (“The first embedding vector may be input to the decoder model to create a code output result. The code output result may be compared to the training corrected code, and the parameters of the first encoder and the decoder may be adjusted to reduce the difference between the code output result and the training corrected code.” -e.g. see, Smith: [0064]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Jones and Powers with the teaching of Smith to include wherein the at least one hardware processor is further configured to employ a trained event encoder to produce the each event indicator, wherein training the event encoder comprises: coupling the event encoder to an event decoder, the encoder-decoder pair configured to receive a first subset of a training event sequence and to output a predicted subset of events; and adjusting a set of parameters of the event encoder according to a difference between the predicted subset of events and a second subset of the training event sequence in order to provide better tools to help programmers eliminate errors in their code.

As to claim 17, it is rejected using the similar rationale as for the rejection of claim 8.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495