DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/27/2022 has been entered.

Terminal Disclaimer
The terminal disclaimer filed on 03/23/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of the full statutory term of prior patent numbers US 10,938,839 and US 10,938,838 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
As per claim 1:
Though Harris et al., (US 2016/0173510 A1), part of the prior art of record, teaches malicious code detection based on behavior tagging through behavioral based protection in paragraph [0042] and in paragraph [0052] through the use of definition files.
And though Thampy (US 2019/0068627 A1), part of the prior art made of record, teaches the training of models to determine malicious software based on behavior in paragraph [0128] through the use of training of threat models to determine software vulnerabilities and malicious software.
And Bazalgette et al., (US 2019/0260779 A1), part of the prior art made of record, teaches the training of models to detect malicious software based on behavior in paragraph [0036] through inappropriate network behavior.
The primary reason for marking of allowable subject matter of independent claim 1, in the instant application, is the combination with the inclusion in these claims of the limitations of a computer program product comprising:
“tagging each one of the threat samples with one or more tags that identify corresponding, observed behavior; training a first machine learning model to identify malicious code in the training set based on the one or more tags; training a second machine learning model to identify malicious code in the training set based on a corresponding file path for each of the threat samples; training a third machine learning model to identify malicious code in the training set based on one or more Uniform Resource Locators contained in each of the threat samples; creating an integrative model that evaluates a probability that an unknown threat sample is malicious based on a combination of the first machine learning model, the second machine learning model and the third machine learning model; and conditionally presenting a new threat sample for human intervention when the probability calculated by the integrative model identifies the new threat sample as an intermediate threat that fails to fall within a first predetermined threshold of likely safe or within a second predetermined threshold of likely malicious.”
The prior art made of record above neither anticipates nor renders obvious the above-recited combinations. Specifically, though the prior art made of record does teach the training of models and the use of behavior to detect malicious software threats, it does not teach the training and use of a first machine model to identify malicious code based on behavior tags in threat samples, the training and use of a second machine model to identify malicious code based on a file path of the threat samples, the training and use of a third machine model to identify malicious code based on a Uniform Resource Locator in the threat samples, and then creating an integrative model that combines the first, second, and third models to evaluate the threat samples and conditionally present them as an intermediate threat to a human user.
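The arrangement recited in the claim 1 limitations above can be illustrated with the following Python sketch, which is added here and is not part of the Office action or the application. The naive Bayes stand-in models, the averaging rule used as the integrative model, the 0.2 and 0.8 thresholds, and all sample data are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    """Lower-case alphanumeric tokens; used for tags, file paths and URLs alike."""
    return re.findall(r"[a-z0-9_]+", text.lower())

class TokenNB:
    """Laplace-smoothed multinomial naive Bayes over tokens (assumed stand-in model)."""
    def __init__(self, texts, labels):
        self.counts = {0: Counter(), 1: Counter()}
        for text, label in zip(texts, labels):
            self.counts[label].update(tokens(text))
        self.vocab = len(set(self.counts[0]) | set(self.counts[1]))
        self.total = {c: sum(self.counts[c].values()) for c in (0, 1)}
        self.prior = math.log(labels.count(1) / labels.count(0))

    def prob_malicious(self, text):
        log_odds = self.prior
        for tok in tokens(text):
            p_mal = (self.counts[1][tok] + 1) / (self.total[1] + self.vocab)
            p_ben = (self.counts[0][tok] + 1) / (self.total[0] + self.vocab)
            log_odds += math.log(p_mal / p_ben)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training set: (behavior tags, file path, URLs, label), 1 = malicious.
TRAIN = [
    ("persistence injects_process", r"C:\Users\a\AppData\Local\Temp\upd.exe", "http://203.0.113.7/gate.php", 1),
    ("persistence disables_av", r"C:\Users\b\AppData\Roaming\svc.exe", "http://198.51.100.9/gate.php", 1),
    ("reads_config opens_window", r"C:\Program Files\Editor\editor.exe", "https://updates.example.com/v2/check", 0),
    ("reads_config writes_log", r"C:\Program Files\Backup\backup.exe", "https://updates.example.com/v2/manifest", 0),
]
LABELS = [row[3] for row in TRAIN]
# First, second and third models: one per feature family (tags, path, URLs).
MODELS = [TokenNB([row[i] for row in TRAIN], LABELS) for i in range(3)]
SAFE_BELOW, MALICIOUS_ABOVE = 0.2, 0.8  # assumed thresholds, not from the claims

def integrative_probability(tags, path, urls):
    """Assumed combination rule: unweighted mean of the three model outputs."""
    parts = [m.prob_malicious(x) for m, x in zip(MODELS, (tags, path, urls))]
    return sum(parts) / len(parts)

def triage(tags, path, urls):
    """Route a sample; the band between the two thresholds goes to a human."""
    p = integrative_probability(tags, path, urls)
    if p <= SAFE_BELOW:
        return "likely_safe"
    if p >= MALICIOUS_ABOVE:
        return "likely_malicious"
    return "human_review"
```

A sample whose three features disagree (for instance, benign-looking install path but a URL resembling the malicious training URLs) lands between the thresholds and is queued for an analyst rather than auto-classified.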

As per claim 5:
Though Harris et al., (US 2016/0173510 A1), part of the prior art of record, teaches malicious code detection based on behavior tagging through behavioral based protection in paragraph [0042] and in paragraph [0052] through the use of definition files.
And though Thampy (US 2019/0068627 A1), part of the prior art made of record, teaches the training of models to determine malicious software based on behavior in paragraph [0128] through the use of training of threat models to determine software vulnerabilities and malicious software.
And Bazalgette et al., (US 2019/0260779 A1), part of the prior art made of record, teaches the training of models to detect malicious software based on behavior in paragraph [0036] through inappropriate network behavior.
The primary reason for marking of allowable subject matter of independent claim 5, in the instant application, is the combination with the inclusion in these claims of the limitations of a method comprising:
“creating an integrative model that evaluates a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample; configuring a threat management facility to identify a new threat sample as an intermediate threat when the new threat sample is not within a predetermined confidence level of safe code or malicious code according to the integrative model; and providing a user interface for presenting the new threat sample with the intermediate threat for human evaluation.”
The prior art made of record above neither anticipates nor renders obvious the above-recited combinations. Specifically, though the prior art made of record does teach the training of models and the use of behavior to detect malicious software threats, it does not teach the use of a first machine model to identify malicious code based on behavior tags in threat samples, the use of a second machine model to identify malicious code based on a file path of the threat samples, the use of a third machine model to identify malicious code based on a Uniform Resource Locator in the threat samples, and then creating an integrative model that combines the first, second, and third models to evaluate the threat samples and conditionally present them as an intermediate threat to a human user.

Dependent claim(s) 6-17 are allowable at least for the reasons recited above as including all of the limitations of the allowable independent base claim 5 upon which claims 6-17 depend.

As per claim 18:
Though Harris et al., (US 2016/0173510 A1), part of the prior art of record, teaches malicious code detection based on behavior tagging through behavioral based protection in paragraph [0042] and in paragraph [0052] through the use of definition files.
And though Thampy (US 2019/0068627 A1), part of the prior art made of record, teaches the training of models to determine malicious software based on behavior in paragraph [0128] through the use of training of threat models to determine software vulnerabilities and malicious software.
And Bazalgette et al., (US 2019/0260779 A1), part of the prior art made of record, teaches the training of models to detect malicious software based on behavior in paragraph [0036] through inappropriate network behavior.
The primary reason for marking of allowable subject matter of independent claim 18, in the instant application, is the combination with the inclusion in these claims of the limitations of a system comprising:
“a memory storing an integrative model configured to evaluate a potential threat by a threat sample based on a combination of a first model configured to identify malicious code based on behavioral tags, a second model configured to identify malicious code based on an executable file path, and a third model configured to identify malicious code based on a Uniform Resource Locator within the threat sample; a threat management facility configured to apply the integrative model to a new threat sample and to identify a new threat sample as an intermediate threat; and a web server configured to display the intermediate threat in a user interface on an endpoint for evaluation.”
The prior art made of record above neither anticipates nor renders obvious the above-recited combinations. Specifically, though the prior art made of record does teach the training of models and the use of behavior to detect malicious software threats, it does not teach the use of a first machine model to identify malicious code based on behavior tags in threat samples, the use of a second machine model to identify malicious code based on a file path of the threat samples, the use of a third machine model to identify malicious code based on a Uniform Resource Locator in the threat samples, and then creating an integrative model that combines the first, second, and third models to evaluate the threat samples and present them as an intermediate threat to a human user using a web server.

Dependent claim(s) 19-20 are allowable at least for the reasons recited above as including all of the limitations of the allowable independent base claim 5 upon which claims 19-20 depend.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Thampy (US 2019/0068627 A1) teaches the training of models to determine malicious software based on behavior of claim 1 and the determining of malicious software based on behavior of claims 5 and 18 through the use of training of threat models to determine software vulnerabilities and malicious software in paragraph [0128].
Bazalgette et al., (US 2019/0260779 A1), part of the prior art made of record, teaches the training of models to detect malicious software based on behavior of claim 1 and the detection of malicious software based on behavior of claims 5 and 18 through inappropriate network behavior analysis in paragraph [0036].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHANE D WOOLWINE whose telephone number is (571)272-4138. The examiner can normally be reached M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MIRANDA HUANG can be reached on (571) 270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SHANE D. WOOLWINE
Primary Examiner
Art Unit 2124


