Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 5/4/2022. Claims 1-20 are pending.

Response to Arguments
Applicant's arguments received on 5/4/2022 are respectfully considered. Regarding the prior art rejection, because the amendments changed the scope of the claims, a new ground of rejection is presented below.

Notes
The specification states:
[0036] The terms "computer-readable medium", "computer-readable media", and the like as used herein and in the claims are limited to referring strictly to one or more statutory apparatus, machine, article of manufacture, or the like that is not a signal or carrier wave per se. Thus, computer-readable media, as the term is used herein, is intended to be and shall be interpreted as statutory subject matter.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 6, 13 and 20 and dependent claims 7 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 6-7, 13-14 and 20 recite "wherein forming the decision variable comprises using a plurality of the K most recent utility values".
(1) "wherein forming the decision variable" is unclear, as the base claims do not recite "forming a decision variable"; rather, they recite "forming a decision";
(2) "the decision variable" lacks antecedent basis and renders the claims indefinite;
(3) "the K most recent utility values" also lacks antecedent basis and renders the claims further indefinite. For examination purposes, the limitation will be interpreted as "wherein forming the decision

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20180082060 to Toplin et al., hereinafter Toplin, in view of US 8401982 to Satish et al., hereinafter Satish.
Regarding claim 1, Toplin discloses
A method, the method comprising: executing a file ([0030]: application 108 executes); forming a feature vector based on a latest event state associated with executing the file, wherein the latest event state comprises a latest event identifier and a histogram of monitored event types ([0030][0031]: the application spawns processes, and the processes generate system calls interpreted as the events; [0041][0042]: a sequence of system calls implies a latest event, each event associated with a component or identifier, and a count (histogram)); accessing a trained learning network, wherein the trained learning network is trained using a set of training files with each training file associated with a label that indicates that each training file is malicious or benign, and a plurality of event states of each training file, each event state comprising an event histogram of monitored event types and an event identifier ([0052][0053]: train on known processes and malicious processes, labeled as malicious or benign; the training set also includes count vectors for a plurality of processes, each count vector representing a system call (event) count and identifier ([0041][0042])). Toplin teaches using the trained machine learning system to classify processes as malware ([0018]) but does not explicitly teach the rest of the claim.
In an analogous art, Satish discloses detecting malicious software using machine learning techniques (col.1:8-12); Satish teaches training the learning network such that the trained learning network generates halt-or-continue file execution control decisions associated with detecting malware on executing files; using the trained learning network and the feature vector, forming a decision based on the latest event state and a likelihood that the file is malicious, the decision being a halt file execution control decision; and in response to the decision, halting the execution of the file (col.4:45-67: construct a decision tree based on attributes and behaviors of training files; apply the machine learning algorithm to a target process; if the target process is deemed malicious, terminate the target process, otherwise leave it alone; the decision being based on event sequencing features from the start of the process to its exit, i.e. based on the latest event (col.7:38-54), and on a confidence score, i.e. a likelihood that the classification (malicious or legitimate) is accurate (see col.4:15-36)).
It would have been obvious to a skilled artisan before the instant application was effectively filed to generate file execution control decisions as taught by Satish and terminate malicious processes, because doing so would provide a reliable malware detection technique by examining the behavior sequencing and timing of computer files (Satish col.1:38-49).
Regarding claim 2, Toplin in view of Satish discloses the method of claim 1 where the event state comprises the event position number (Toplin [0059]: map each event or system call to a first, second ... component of the count vector).
Regarding claim 3, Toplin in view of Satish discloses the method of claim 2 where the histogram corresponding to the latest event identifier provides an event score histogram (Toplin [0041][0042]: a sequence of system calls implies a latest event, each event associated with a component or identifier, and a count (histogram)).
Regarding claim 4, Toplin in view of Satish discloses the method of claim 1 further comprising building a most recent event history relative to the latest monitored event (Toplin [0040]: receive system call traces from a process over a time interval; for instance, the vector generator receives system call traces for system calls generated by process 202 such as "fork, open, read, write, read, write, read, write, read").
Regarding claim 5, Toplin in view of Satish discloses the method of claim 1 further comprising generating at least one utility score corresponding to the latest monitored event (Satish col.8:1-25: set the sequence number of each event type, including the latest event, the sequence number being the value of the feature vector; see the motivation to combine Toplin and Satish in claim 1).
Regarding claim 6, Toplin in view of Satish discloses the method of claim 5 wherein forming the decision variable comprises using a plurality of the K most recent utility values (Satish col.9:4-19: use the feature vectors with specific timing/sequencing information to build the decision tree).
Regarding claims 8 and 15, the claims recite substantially the same content as claim 1 and are rejected by the rationales set forth for claim 1.
Regarding claims 9 and 16, the claims recite substantially the same content as claim 2 and are rejected by the rationales set forth for claim 2.
Regarding claims 10 and 17, the claims recite substantially the same content as claim 3 and are rejected by the rationales set forth for claim 3.
Regarding claims 11 and 18, the claims recite substantially the same content as claim 4 and are rejected by the rationales set forth for claim 4.
Regarding claims 12 and 19, the claims recite substantially the same content as claim 5 and are rejected by the rationales set forth for claim 5.
Regarding claims 13 and 20, the claims recite substantially the same content as claim 6 and are rejected by the rationales set forth for claim 6.

Claims 7 and 14 are rejected under 35 USC 103 as being unpatentable over Toplin and Satish, in view of US publication by Khan et al., titled “Defending malicious script attacks using machine learning classifiers”, 2017, 9 pages, hereinafter Khan.

Regarding claim 7, Toplin in view of Satish discloses the method of claim 6 but does not explicitly teach where the using a plurality of the K most recent utility values comprises filtering based on majority vote.
In an analogous art, Khan discloses machine learning classifiers used for classifying malware in scripts. Khan discloses popular known machine learning algorithms including KNN (p.4, 3.3.); KNN performs a similarity test between training data and an input by measuring the distance between the training instance and the unknown instance, and classifies the unknown instance based upon a majority vote of its neighbors (p.4, 3.3.3.). Therefore, Khan discloses that using a plurality of the K most recent utility values comprises filtering based on majority vote. It would have been obvious to a skilled artisan before the instant application was effectively filed to use filtering based on a majority vote because "it is the simplest machine learning algorithm" (Khan p.4, 3.3.3.) and is a well-known classification technique that would not need any testing to implement.
Regarding claim 14, claim 14 recites substantially the same content as claim 7 and is rejected by the rationales set forth for claim 7.
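A toy version of the claimed control loop, added here as an illustration and not taken from the application or from Toplin, Satish or Khan: the claim 1 feature vector (histogram of monitored event types plus the latest event identifier), a per-event utility score, and the claim 6/7 filter that takes a majority vote over the K most recent utility values to produce the halt-or-continue decision. The event names, weights, traces and threshold are constructed assumptions, and a fixed linear scorer stands in for the trained learning network.

```python
from collections import Counter, deque

# Monitored event types (constructed list; fixed order gives the histogram a stable layout).
EVENT_TYPES = ["fork", "open", "read", "write", "exec", "connect", "delete"]
EVENT_INDEX = {e: i for i, e in enumerate(EVENT_TYPES)}
# Stand-in for the trained learning network: constructed per-type weights, not a trained model.
WEIGHTS = {"fork": 0.0, "open": 0.0, "read": -0.2, "write": 0.4,
           "exec": 0.5, "connect": 0.6, "delete": 0.8}

def feature_vector(events):
    """Latest event state as in claim 1: histogram of monitored event types
    seen so far, followed by the identifier of the latest event."""
    hist = Counter(events)
    return [hist.get(e, 0) for e in EVENT_TYPES] + [EVENT_INDEX[events[-1]]]

def utility_score(vec):
    """Per-event utility in [0, 1]: a likelihood-like score that the file is
    malicious, from the histogram plus extra weight on the latest event."""
    histogram, latest_id = vec[:-1], vec[-1]
    total = max(sum(histogram), 1)
    s = sum(WEIGHTS[e] * histogram[i] for i, e in enumerate(EVENT_TYPES)) / total
    s += 0.5 * WEIGHTS[EVENT_TYPES[latest_id]]
    return max(0.0, min(1.0, s))

def majority_vote_halt(scores, threshold=0.5):
    """Claim 7 style filter over the K most recent utility values: halt only
    when more than half of them exceed the threshold."""
    return sum(1 for s in scores if s > threshold) > len(scores) / 2

def run_with_control(trace, k=5, threshold=0.5):
    """Feed events in order and return ("halt", position) at the first event
    where the vote over the K most recent scores says halt, else ("continue", n)."""
    recent = deque(maxlen=k)
    for pos in range(1, len(trace) + 1):
        recent.append(utility_score(feature_vector(trace[:pos])))
        if len(recent) == k and majority_vote_halt(recent, threshold):
            return "halt", pos
    return "continue", len(trace)

# Constructed traces: the first mirrors the benign read/write loop quoted from
# Toplin [0040]; the second is an invented exec/connect/delete-heavy sequence.
BENIGN = ["fork", "open", "read", "write", "read", "write", "read", "write", "read"]
SUSPECT = ["fork", "open", "read", "exec", "connect", "write", "delete", "delete", "connect", "delete"]

if __name__ == "__main__":
    print(run_with_control(BENIGN))   # ("continue", 9)
    print(run_with_control(SUSPECT))  # ("halt", 9)
```

Because the vote needs a majority of the K retained scores, a single high-scoring event (the first "delete" at position 7) does not halt the file; the decision only fires once three of the five most recent scores exceed the threshold.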

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Davis et al. 9705904 disclose a machine learning model to classify malware, using a module that makes a decision on whether or not to allow a file to execute.
Harms et al. 20170357807 disclose discerning a mismatch between classifications generated by different versions of a machine learning model, and determining whether to stop execution.
Guri et al. 20180181752 disclose detecting and/or neutralizing the operation of malicious code being executed, using machine learning.
Challita et al. 20180248896 disclose an anti-ransomware system including a component to suspend/kill the suspected ransomware.
Satpathy 20190266327 discloses a malware scanner including an analyzer to monitor execution of a computer file when an indicator of compromise associated with the computer file is detected.
Avasarala et al. 20140090061 disclose a set of training files which are each known to be either malign or benign, partitioning the set of training files into a plurality of categories, and training category-specific classifiers that distinguish between malign and benign files.
Weingarten et al. 20160042179 disclose monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
Miserendino et al. 20170262633 disclose receiving a set of training files which are each known to be either malign or benign, partitioning the set of training files into a plurality of categories based on file-type, in which the partitioning file-types a subset of the training files into supported file-type categories, and training file-type specific classifiers that distinguish between malign and benign files for the supported file-type categories of files ...
Brown 20190207969 discloses detecting incidents based on events from or at monitored computing devices, detecting patterns within the events and pattern scores based on the probability of occurrence for the patterns, determining a composite score based on the pattern scores, and determining that an incident indicating malicious activity has been detected based in part on determining that the composite score is above a predetermined threshold score.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Catherine Thiaw/ Primary Examiner, Art Unit 2493 8/19/2020