DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments.
Claims 1, 4, 7, 9-12, 15, 16, 18, 19, 22, 23, 25, 28, 30-33, 37, 39, 40 and 43-62, now renumbered as claims 1-42, have been examined. 

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Ms. Katherine Koebrich on 08/02/2022.
Claims 16, 46 and 57-62 have been amended as follows:
16. (Currently Amended) The system of claim 11 further comprising instructions executable by corresponding ones of the hardware processors to cause corresponding ones of the plurality of nodes to, based on a determination by the plurality of full nodes that the first risk score is not outside of the accepted risk score range, 
inform, by the plurality of full nodes, the master node that the first risk score is inside of the accepted risk score range; and 
reward, by the master node, the plurality of light nodes for behaving honestly.
46. (Currently Amended) The system of claim 1, wherein the instructions executable by corresponding ones of the hardware processors to cause the plurality of full nodes to verify if the first incoming data correspond to malicious behavior comprise instructions executable by corresponding ones of the hardware processors to cause the plurality of full nodes to utilize a [[on a]] proof-of-stake (PoS)-based consensus to verify if the first incoming data correspond to malicious behavior. 
57. (Currently Amended) One or more non-transitory computer-readable media having computer-readable instructions stored thereon, the computer-readable instructions executable by one or more hardware processors to:
monitor, by a plurality of light nodes, a blockchain for events corresponding to malicious behavior; 
determine, by the plurality of light nodes, whether first incoming data observed for the blockchain correspond to malicious behavior based on application of a trained malware detection model to the first incoming data, wherein a plurality of full nodes supplied the trained malware detection model to the plurality of light nodes; 
based on the plurality of light nodes reaching a consensus that the first incoming data correspond to malicious behavior, report, by the plurality of light nodes, the first incoming data to the plurality of full nodes; 
verifying, by the plurality of full nodes, whether the first incoming data reported by the plurality of light nodes correspond to malicious behavior based on the trained malware detection model; and 
based on the plurality of full nodes verifying that the first incoming data correspond to malicious behavior, informing, by at least a first of the plurality of full nodes, a master node that the first incoming data have been determined to correspond to malicious behavior.
58. (Currently Amended) The non-transitory computer-readable media of claim 57 further comprising computer-readable instructions to train, by the plurality of full nodes, a machine learning model to generate the trained malware detection model based on a plurality of cybersecurity artifacts associated with the blockchain.
59. (Currently Amended) The non-transitory computer-readable media of claim 57, wherein the computer-readable instructions to monitor the blockchain for malicious behavior comprise computer-readable instructions to monitor, by the plurality of light nodes, at least one of incoming network traffic, smart contracts, and security data associated with the blockchain.
60. (Currently Amended) The non-transitory computer-readable media of claim 57, wherein the computer-readable instructions to determine if the first incoming data correspond to malicious behavior comprise computer-readable instructions to calculate, by the plurality of light nodes, a first risk score based on application of the trained malware detection model to the first incoming data.
61. (Currently Amended) The non-transitory computer-readable media of claim 60, wherein the computer-readable instructions to reach a consensus by the plurality of light nodes that the first incoming data correspond to malicious behavior comprise computer-readable instructions to,
calculate, by a first of the plurality of light nodes, the first risk score; and
reach a consensus on the first risk score by the plurality of light nodes. 
62. (Currently Amended) The non-transitory computer-readable media of claim 60, wherein the computer-readable instructions to verify whether the first incoming data correspond to malicious behavior comprise computer-readable instructions to calculate, by the plurality of full nodes, a second risk score based on the incoming first data and the trained malware detection model and determine whether the first risk score is outside of a first range, wherein the first range is based on a difference between the first risk score and the second risk score.

Allowable Subject Matter
Claims 1, 4, 7, 9-12, 15, 16, 18, 19, 22, 23, 25, 28, 30-33, 37, 39, 40 and 43-62 are allowed over prior art of record.

Response to Arguments
Applicant’s arguments, see Remarks filed on 06/03/2022, have been fully considered.

Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Independent claims 1, 22 and 57 are allowed in view of the examiner’s amendment and for reasons presented by the applicant in the Remarks. Claims 4, 7, 9-12, 15, 16, 18, 19, 23, 25, 28, 30-33, 37, 39, 40, 43-56 and 58-62 depend on one of the above independent claims and are therefore allowed by virtue of their dependency.
Prior art of record Sachkov teaches: A set of computer devices are connected to each other to form a peer-to-peer network. Each of the computer devices is a node of the peer-to-peer network and is configured to receive and transmit blocks of transactions in accordance with the blockchain technology. Each node contains a distributed malware register, a transaction pool, a machine learning module that is pre-trained on malware-related data and virtual machines to execute files containing potential malware in a virtual environment. Each node monitors the blockchain and performs malware check on the data in the blockchain using the same check parameters and stores the results and parameters of the malware check in the transaction pool. A first device of the set of computer devices receives results of the distributed check of potential malware from at least a portion of the set of devices. The first device determines the harmfulness parameter of the potential malware based on the received results and if the harmfulness parameter exceeds a predetermined threshold value, the first device identifies the malware. The first device stores the malware-related data in the distributed malware register.
Prior art of record Selinger teaches: A central server sends a trained neural network model to a group of remote servers.
Prior art of record Katragadda teaches: Nodes receive input data, evaluate the input data for vectors of attack, validate the vectors of attack and log the vectors of attack using machine learning techniques. The validating, evaluating, logging etc. is by network consensus. The nodes record the vectors of attacks into a blockchain database as a transaction.
Prior art of record Konda teaches: When a new block in a blockchain is created, the new block is marked as pending until validating nodes validate the new block and the DDoS attack details included in the new block. Once a consensus is reached between the validating nodes about the validity of the new block, the new block is published for addition to a blockchain.
However, Sachkov, Selinger, Katragadda and Konda fail to teach: “based on the plurality of light nodes reaching a consensus that the first incoming data correspond to malicious behavior, report, by the plurality of light nodes, the first incoming data to the plurality of full nodes; verifying, by the plurality of full nodes, whether the first incoming data reported by the plurality of light nodes correspond to malicious behavior based on the trained malware detection model”, i.e., the prior arts teach a plurality of nodes reporting results of a malware check to a first device and validating nodes validating a new block comprising DDoS attack details based on a consensus algorithm but fail to teach the plurality of nodes reaching a consensus that data in the blockchain corresponds to malware before reporting the data to a plurality of validating nodes and validating nodes using a machine detection model to verify the malware in the reported data. 
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
WO 2020209413 A1 to Moon et al: Proposed are a blockchain-based anomaly detection apparatus and a method for detecting an anomaly occurring in operations between each node on a blockchain network. The proposed apparatus comprises: a learning unit for analyzing and learning data between each node on the blockchain network; and an anomaly notifying unit for detecting an anomaly in an information exchange between each node on the blockchain network, on the basis of the learning result from the learning unit, and notifying of an anomaly detection history corresponding thereto.
On Blockchain Architectures for Trust-based Collaborative Intrusion Detection by Kolokotronis et al: This paper considers the use of novel technologies for mitigating attacks that aim at compromising intrusion detection systems (IDSs). Solutions based on collaborative intrusion detection networks (CIDNs) could increase the resilience against such attacks as they allow IDS nodes to gain knowledge from each other by sharing information. However, despite the vast research in this area, trust management issues still pose significant challenges and recent works investigate whether these could be addressed by relying on blockchain and related distributed ledger technologies. Towards that direction, the paper proposes the use of a trust-based blockchain in CIDNs, referred to as trust-chain, to protect the integrity of the information shared among the CIDN peers, enhance their accountability, and secure their collaboration by thwarting insider attacks. A consensus protocol is proposed for CIDNs, which is a combination of a proof-of-stake and proof-of-work protocols, to enable collaborative IDS nodes to maintain a reliable and tampered-resistant trust-chain.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


