Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 

Double Patenting
A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
Applicant is advised that should claim 29 be found allowable, claim 36 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m).

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 22-42 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The claims have new matter which is not described in the specification. The independent claims have the limitation “storing, in decision nodes, the explanations of the decision determination information in association with the decision determination information;”. However, nowhere does the specification state that explanations are stored in decision nodes. Paragraph [0013] cites “storing in the trained classifier, in association with the decision determining information, decision explanation information of the at least second data item”. This would indicate that explanations are stored somewhere in the classifier; however, there is no support for storing the explanations in the decision nodes. In the interest of compact prosecution, the examiner interprets this to mean that explanation data is stored with the classifier in memory.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 22-24, 26-32, 34-39 and 41-42 are rejected under 35 U.S.C. 103 as being unpatentable over Kopp et al. (US 2016/0036844 A1 – hereinafter referred to as Kopp) and further in view of Ghosh et al. (US 2013/0145463 A1 – hereinafter referred to as Ghosh).

In regards to claim 22, Kopp discloses a computer-implemented method comprising: 
using a machine learning training process to train a classifier having decision nodes, by: (Kopp para. [0158] and fig. 11 teaches training a decision tree using training data. This teaches using machine learning training process to produce a classifier, wherein decision trees have nodes.)
training the decision nodes to use decision determination information to make classification decisions on training items to produce classifications of the training items; (Kopp para. [0167], where the decision tree is the trained classifier which also stores rules and features, in which the features are the decision determination information to classify the anomaly.);
executing the training items to produce explanations of the decision determination information at the decision nodes; and ([par. 0097; par. 0245; par. 0247 and fig. 18], where the decision tree is the trained classifier and the stored decision tree contains both rules and features. The rules and features are both extracted from the stored decision tree, where features are the decision determining information that generates a decision tree for an anomaly. Each feature, decision determining information, is associated with a rule, decision explanation information, that is generated to give the reason for the decision made by the decision tree from the extracted rules. Also see figures 17 & 18, wherein there is a binary tree with nodes and decisions and explanations at each node. For example, in fig. 17 at the first node data is seen; then, based on the decision of whether X2 is greater than 0.3, the data is normal, and if x2 is less than 0.3 then the data is suspicious. This in and of itself demonstrates both decision determination information (is x2 greater or less than 0.3) and the explanation for the decision. If the data was found to be normal, then it can be explained that x2 was greater than 0.3; otherwise it was not, and the data was found to be suspicious.)
storing, in the decision nodes, the explanations of the decision determination information in association with the decision determination information; ([par. 0062; par. 0245; par. 0247; Figure 11], where the decision tree is the trained classifier, where the stored decision tree contains both rules and features.  The rules and features are both extracted from the decision tree. The features are the decision determining information that generates a decision tree for an anomaly. Each feature is associated with a rule, decision explanation information.).
once the classifier has been trained, using the classifier, classifying an unknown item by making particular classification decisions, at particular decision nodes among the decision nodes visited by the unknown item, leading to a classification; and ([par. 0097; par. 0245; par. 0247], where the decision tree is the trained classifier and the stored decision tree contains both rules and features. The rules and features are both extracted from the stored decision tree, where features are the decision determining information that generates a decision tree for an anomaly. Each feature, decision determining information, is associated with a rule, decision explanation information, that is generated to give the reason for the decision made by the decision tree from the extracted rules.).
outputting the classification and reasons for the classification to include particular explanations and particular classification decision information associated with the particular classification decision information as stored in the particular decision nodes. (Kopp para. [0192] teaches wherein a decision for the reason that a classification was made based on the particular rules visited in the decision tree.)

However, Kopp does not disclose wherein training is in a controlled execution environment.
	
	Ghosh discloses training in a controlled execution environment. (Ghosh para. [0056] cites “Additionally, in some instances, the sandboxed protection system 121a can be set to a training mode.” It goes on to explain that this allows for sandbox protection wherein infections can be distinguished from safe samples with protection and rules can be generated for each.)

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kopp with those of Ghosh in order to allow the user a controlled environment (sandbox) when training a system, as both references deal with classification and rules, and the benefit of doing so is that it allows training to be done in a safe environment, which is the sandbox.

In regards to claim 23, Kopp in view of Ghosh disclose the computer-implemented method of claim 22, wherein: the controlled execution environment is available when performing the machine learning training process, but is not available thereafter when performing classifying the unknown item.  (Ghosh para. [0056] teaches training in the sandbox and creating rules that can be downloaded and later used by the system for detection, which is classification. This would indicate that the training sandbox mode is only for training and the rules from it are used in the classifying process.)

In regards to claim 24, Kopp in view of Ghosh disclose the computer-implemented method of claim 22, wherein: the training items comprise executable data items; and the explanations include behavior of the executable data items when executed in the controlled execution environment. (Ghosh et al. para. [0035-0036; 0038], where sandbox monitor module 125 sends a notification to the event engine module 127 about the behavior of the Web browser, an executable data item, in a sandbox. The event engine module 127 then receives a set of rules, the reasons, for allowing the behavior of the web browser based on a set of allowed behaviors for the web browser. Also see Ghosh para. [0056-0057], wherein it discloses training in a sandbox and behavior of executable items in the sandbox).


In regards to claim 26, Kopp in view of Ghosh disclose the computer-implemented method of claim 24, wherein: executing includes executing the executable data items in the controlled execution environment to include a sandbox. (Ghosh para. [0056-0057] wherein it discloses training in sandbox and behavior of executable items in the sandbox).

In regards to claim 27, Kopp in view of Ghosh disclose the computer-implemented method of claim 22, wherein, when the classification includes suspicious behavior, the explanations include one or more of: accessing a Windows registry; modifying or attempting to modify an executable file; executing portions of memory in a way that is deemed suspicious; and creating or attempting to create a dynamic link library (DLL) file. (Ghosh fig. 17 discloses classification of suspicious behavior, and [par. 0015, lines 1-4; par. 0035] disclose where unrecognized behaviors of software are considered suspect or suspicious. For example, the web browser trying to modify a file is behavior that will be considered suspect if that behavior is not an allowed behavior for that application.).

In regards to claim 28, Kopp in view of Ghosh disclose the computer-implemented method of claim 27, wherein the explanations further include sending a number of emails which exceeds a particular limit.  (Kopp para. [0118, 0122-0123 and 0167] teaches wherein email count and volume are features that are tracked and an explanation for it derived from the decision tree.)

In regards to claim 29, Kopp in view of Ghosh disclose the computer-implemented method of claim 22, wherein the decision nodes form a decision tree having a root decision node, leaf decision nodes that represent the classifications, and decision nodes that form branches connecting the root decision node to the leaf decision nodes. (Kopp figure 18 teaches a decision tree with decision nodes, root decision node, leaf decision nodes, branches between the root and leaves, and leaf decision nodes with classifications of normal and anomaly.)

In regards to claim 36, Kopp in view of Ghosh disclose the computer-implemented method of claim 22, wherein the decision nodes form a decision tree having a root decision node, leaf decision nodes that represent the classifications, and decision nodes that form branches connecting the root decision node to the leaf decision nodes. (Kopp figure 18 teaches a decision tree with decision nodes, root decision node, leaf decision nodes and branches between the root and leaves.)

In regards to claim 30, it is the system embodiment of claim 22 with similar limitations and thus rejected using the reasoning found in claim 22. 
In regards to claim 31, it is the system embodiment of claim 23 with similar limitations and thus rejected using the reasoning found in claim 23. 
In regards to claim 32, it is the system embodiment of claim 24 with similar limitations and thus rejected using the reasoning found in claim 24. 
In regards to claim 34, it is the system embodiment of claim 26 with similar limitations and thus rejected using the reasoning found in claim 26. 
In regards to claim 35, it is the system embodiment of claim 27 with similar limitations and thus rejected using the reasoning found in claim 27. 
In regards to claim 37, it is the non-transitory computer readable medium embodiment of claim 22 with similar limitations and thus rejected using the reasoning found in claim 22. 
In regards to claim 38, it is the non-transitory computer readable medium embodiment of claim 23 with similar limitations and thus rejected using the reasoning found in claim 23. 
In regards to claim 39, it is the non-transitory computer readable medium embodiment of claim 24 with similar limitations and thus rejected using the reasoning found in claim 24. 
In regards to claim 41, it is the non-transitory computer readable medium embodiment of claim 26 with similar limitations and thus rejected using the reasoning found in claim 26. 
In regards to claim 42, it is the non-transitory computer readable medium embodiment of claim 27 with similar limitations and thus rejected using the reasoning found in claim 27. 


Claims 25, 33 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Kopp et al. (US 2016/0036844 A1 – hereinafter referred to as Kopp) in view of Ghosh et al. (US 2013/0145463 A1 – hereinafter referred to as Ghosh) and further in view of Santos et al. (“Collective Classification for Packed Executable Identification” – hereinafter referred to as Santos).


In regards to claim 25, Kopp in view of Ghosh disclose the method of claim 24, but do not explicitly disclose wherein: the executable data items are encrypted.
Santos teaches wherein the event comprises receiving an encrypted data item (Santos abstract teaches “In this paper, we propose a new method for packed executable detection that adopts a collective learning approach to reduce the labelling requirements of completely supervised approaches.”, where a packed executable is received for classification, and a packed executable is an encrypted data item).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kopp in view of Ghosh with those of Santos in order to allow for using encrypted data, as all the references deal with classification of suspicious behavior and content, and the benefit of using encrypted data is that it allows for preserving the confidentiality of the information inside, as suggested in Santos.

In regards to claim 33, it is the system embodiment of claim 25 with similar limitations and thus rejected using the reasoning found in claim 25. 

In regards to claim 40, it is the non-transitory computer readable medium embodiment of claim 25 with similar limitations and thus rejected using the reasoning found in claim 25. 

Response to Arguments
Applicant’s arguments with respect to claims 22-42 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAULINHO E SMITH whose telephone number is (571)270-1358. The examiner can normally be reached Mon-Fri. 10AM-6PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Abdullah Kawsar can be reached on 571-270-3169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PAULINHO E SMITH/Primary Examiner, Art Unit 2127