DETAILED ACTION
Office Action Summary
Claims 1-20 are pending in the instant application.
Claims 1-20 are rejected under 35 USC § 103.
Applicant’s arguments/amendments filed 5/4/2022 have been considered but are moot based on new grounds of rejection found upon further search and consideration and necessitated by applicant’s amendments which changes the scope of the instant invention.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 rejected under 35 U.S.C. 103 as being unpatentable over Lem et al. (US Publication No. 20190132344), hereinafter Lem in view of Sethumadhavan et al. (US pre-Grant Publication No: 2016/0275288) hereinafter referred to as Sethumadhavan .

As per claim 1, Lem teaches A method for machine learning by a model for detection of malicious files, comprising: selecting a file from a database of files used to perform training of a model for detecting a malicious file; (Lem [0116])
Executing by a processor the plurality of selected files;
forming one or more behavior patterns from intercepted one or more commands and parameters during execution of the selected files; (Lem, [0132] and [0172])
forming a detection model, wherein the detection model selects a method of machine learning and is initialized with one or more hyper-parameters; (Lem, [0183], [0180] and [0189])
training the detection model by calculating the one or more hyper-parameters based on the one or more behavior patterns to form a group of rules for calculating a degree of maliciousness of a resource; and  (Lem, [0109]-[0110])
calculating a degree of maliciousness of another file based on the trained detection model. (Lem, [0071] and [0122]-[0124])
But Lem does not teach selecting a plurality of known safe files and known malicious files from a database of files used to perform training of a model for detecting a malicious file, wherein selecting of the files is based on predetermined rules of forming a training selection of files;
However Sethumadhavan  teaches a plurality of known safe files and known malicious files from a database of files used to perform training of a model for detecting a malicious file, wherein selecting of the files is based on predetermined rules of forming a training selection of files; (Sethumadhavan , [0091], teaches “trained with training data including micro-architectural data for variants of known malicious and non-malicious processes”)
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify the invention of Lem with the method of Sethumadhavan , as they both use training data to teach their models and this is a simple substitution on one training data with another.

As per claim 2, Lem in view of Sethumadhavan  teaches The method of claim 1, wherein the selecting predetermined rules of forming a training selection of files specify relative percentages and numbers of selected safe and malicious files selected from the database of files for training of the model. (Lem, [0006] and Sethumadhavan , [0091], teaches using malicious and on-malicious training data, the amount of each would make a percentage)

As per claim 3, Lem in view of Sethumadhavan  teaches The method of claim 2, wherein the database of files is a database of safe files comprising one or more of operating system files, backdoor files, applications carrying out unauthorized data access. (Le, [0065])

As per claim 4, Lem in view of Sethumadhavan  teaches The method of claim 2, wherein the distribution between safe and malicious files selected from the database of files corresponds to the distribution between safe and malicious files located on the computing device of the average user. (Lem, [0006])

As per claim 5, Lem in view of Sethumadhavan  teaches The method of claim 2, wherein the distribution between safe and malicious files selected from the database of files corresponds to the distribution between safe and malicious files collected with the help of antivirus web crawlers. (Lem, [0005])

As per claim 6, Lem in view of Sethumadhavan  teaches The method of claim 2, wherein at least one of the parameters of the files selected from the database of files correspond to the parameters of the files located on the computing device of the average user or the number of selected files corresponds to a predetermined value, while the files themselves are selected at random. (Lem, [0104])

As per claim 7, Lem in view of Sethumadhavan  teaches The method of claim 1, wherein training further comprises: selecting at least one more file from the database of files in accordance with predetermined rules of forming a test selection of files; verifying the trained detection model on the basis of an analysis of the selected files; and sending the selected files to form a behavior log. (Lem, [0136])

As per claim 8, Lem in view of Sethumadhavan  teaches The method of claim 7, further comprising: intercepting executable commands; determining parameters associated with each of the executable commands that were intercepted; forming the behavior log based on the parameters. (Lem, [0136]-[0137])

As per claim 9, Lem in view of Sethumadhavan  teaches The method of claim 8, wherein intercepting is performed using one of a specialized driver, a debugger and a hypervisor. (Lem, [0109]-[0110])

As per claim 10, Lem in view of Sethumadhavan  teaches The method of claim 1, wherein the method for machine learning is selected based on one or more of cross testing, sliding check, cross-validation, mathematical validation, A/B testing, split testing and stacking. (Le, [0141])

As per claim 11, Lem in view of Sethumadhavan  teaches The method of claim 1, further comprising: creating the detection model on demand based on machine learning, wherein the hyper parameters and methods of machine learning are selected to be different from the hyper parameters and machine learning methods chosen for a previous detection model. (Le, [0141])

As per claim 12, Lem in view of Sethumadhavan  teaches The method of claim 1, wherein the method for machine learning is selected to ensure a monotonic change in the degree of maliciousness of a file depending on the change in the number of behavior patterns formed on the basis of analysis of a behavior log. (Le, [0141], [0172] and [0184])

Claims 13-19 teach the system claims that correspond to the method claims 1-12 and are rejected using the same rational.
Claim 20 teaches non-transitory computer-readable medium that corresponds to the method claim 1 and is rejected using the same rational.

Other Related Art
Bigerstaff (2010/0199257) teaches “A method and a system for transformation-based program generation using two separate specifications as input: An implementation neutral specification of the desired computation and a specification of the execution platform. The generated implementation incorporates execution platform opportunities such as parallelism. Operationally, the invention has two broad stages. First, it designs the abstract implementation in the problem domain in terms of an Intermediate Language (IL) that is unfettered by programming language restrictions and requirements. Concurrently, the design is evolved by specializing the IL to encapsulate a plurality of desired design features in the implementation such as partitioning for multicore and/or instruction level parallelism. Concurrently, constraints that stand in for implied implementation structures are added to the design and coordinated with other constraints. Second, the IL is refined into implementation code. With this invention, porting an implementation neutral computation to an arbitrary architecture can be automated.”
Titonis (2018/0025157) teaches “The present system includes a computer-networked system that allows mobile subscribers, and others, to submit mobile applications to be analyzed for anomalous and malicious behavior using data acquired during the execution of the application within a highly instrumented and controlled environment for which the analysis relies on per-execution as well as comparative aggregate data across many such executions from one or more subscribers.”

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492