DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d).

Drawings
The drawing of the disclosure is objected to because #810 in FIG. 8 indicated Network and #104 in FIG. 1 also indicated Network. Correction is required.
The drawing of the disclosure is objected to because #700 in FIG. 7 and FIG. 8 indicated Processor Platform. However, #700 in the specification Para. [0079] indicated processing platform. Correction is required.
The drawing of the disclosure is objected to because #732 in FIG. 7 indicated coded instructions. However, #732 in the specification Para. [0086] indicated machine executable instructions and #732 in the specification Para. [0087] indicated computer readable instructions. Correction is required.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.



Examiner Notes
With respect to claim 8 and its dependent claims 9-14 the office did not give a rejection under 35 U.S.C. 101 because applicant clearly stated in specification dated 07/28/2020, paragraph [63] “As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media”; thus the claim 8 computer readable storage medium is a non-transitory medium.
The office however respectfully requests applicant to amend claim 8 along with its dependent claims 9-14 with the term “non-transitory computer readable medium” for clarity.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over SMITH et al. (US 2014/0215617 A1), hereinafter referenced as Smith, in view of SAXE et al. (US 2019/0236273 A1), hereinafter referenced as Saxe.

Regarding claim 1, Smith teaches an apparatus comprising: Smith explicitly teaches a log file filtration controller (Fig. 1, #114 called Risk Evaluator, Para. [0018]) to exclude at least one known clean function from a log file to generate a filtered log file (FIG. 2, #202, Para. [0006]-Smith discloses the method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files); a log file normalization controller (Fig. 1, #112 called Results Normalizer Para. [0024]) to normalize mnemonics of functions in the filtered log file to generate normalized functions (FIG. 1, #112, Para. [0024]-Smith discloses test results for each message's attachment(s), including detected malware, analysis and forensic data, are forwarded from MAP sandboxes 110 to results normalizer 112. Results normalizer 112 normalizes the test results.);
 Smith fails to explicitly teach a feature vector generation controller to populate a feature vector with n-gram groupings of the normalized functions; and a machine learning engine to train a machine learning model with the feature vector, the machine learning model to be deployed to an end-user device to detect malware in executable code.
 However, Saxe explicitly teaches a feature vector generation controller (Fig. 1, #118 called feature vector, Para. [0003]) to populate a feature vector with n-gram groupings of the normalized functions (FIG. 1A and 9, #118 and #926, Para. [0003]-Saxe discloses the processor performs feature vector-based maliciousness classification for the first and second potentially malicious files by extracting a first set of strings from the first potentially malicious file, and extracting a second set of strings from the second potentially malicious file. Para [0041]-Saxe further discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n'); and a machine learning engine (Fig. 1B, #112 called Machine Learning Software, Para. [0034]) to train a machine learning model (Fig. 8, #810 called Machine Learning Model, Para. [0046]) with the feature vector, the machine learning model (Fig. 8, #810 called Machine Learning Model, Para. [0046]) to be deployed to an end-user device to detect malware in executable code (FIG. 7A, Para. [0046]-Saxe discloses such a value (and/or set of values for each combination in a file) can then be input into a machine learning model to train the machine learning model and/or to identify a file as containing malicious code).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file. (Saxe, para. [0005]).


Regarding claim 2, Smith in view of Saxe teaches the apparatus of claim 1, Smith fails to explicitly teach wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment.
However, Saxe explicitly teaches wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment (FIG. 1A, Para. [0032]-Saxe discloses the processor can be, for example, a general-purpose processor, a field programmable gate array (FPGA), and/or an application specific integrated circuit (ASIC). Software modules (executed on hardware) can be expressed in a variety of software languages (e.g., computer code), including C, C++, Java™, Ruby, Visual Basic™, and/or other object-oriented, procedural, or other programming language and development tools. Para. [0078]-Saxe further discloses systems and methods set forth herein establish that machine learning is a viable approach for certain malicious email attachment scanner applications, particularly those tuned for a high false positive rate, where false positives are passed to a secondary scanner for enhanced detection-e.g., a dynamic detection engine in a sandbox.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of having instructions or computer code thereon for performing various computer-implemented operations. The computer-readable medium (or processor-readable medium) is non-transitory in the sense that it does not include transitory propagating signals per se (e.g. a propagating electromagnetic wave carrying information on a transmission medium such as space or a cable). The media and computer code (also can be referred to as code) may be those designed and constructed for the specific purpose or purposes. (Saxe, para. [0089]).


Regarding claim 3, Smith in view of Saxe teaches the apparatus of claim 1, Smith fails to explicitly teach wherein the n-gram groupings include bigram groupings.
However, Saxe explicitly teaches wherein the n-gram groupings include bigram groupings (FIG. 1A, Para. [0041]-Saxe discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.).).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the n-gram representations can serve to 'normalize' the raw bytes and/or strings by defining a bounded feature space suitable for use as an input for machine learning. (Saxe, para. [0041]).


Regarding claim 5, Smith in view of Saxe teaches the apparatus of claim 1, Smith fails to explicitly teach wherein the feature vector generation controller is to generate an empty version of the feature vector prior to populating the feature vector.
However, Saxe explicitly teaches wherein the feature vector generation controller is to generate an empty version of the feature vector prior to populating the feature vector (FIG. 7B, Para. [0005]-Saxe discloses the first set of strings can be from a file having the first file format and the second set of strings can be from a file having the second file format. The method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of specifically, in such instances, a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.) ... the feature vector generator can be configured to provide each n-gram as an input to a hash function to define a feature vector based on the representation-grams of varying lengths. (Saxe, para. [0041]).

Regarding claim 6, Smith in view of Saxe teaches the apparatus of claim 1, Smith explicitly teaches wherein the executable code includes a portable executable file (Para. [0005]-Smith discloses if an incoming message matches the watch-list, forwarding the message to a malware detection engine, stripping the one or more attachments from the forwarded message, the one or more attachments including one or more executable files).


Regarding claim 7, Smith in view of Saxe teaches the apparatus of claim 1, Smith fails to explicitly teach wherein the feature vector is to reduce latency between a query of the machine learning model and an inference of whether the executable code is malicious or benign.
However, Saxe explicitly teaches wherein the feature vector (Fig. 8, #806 called feature vector, Para. [0003]) is to reduce latency (Para. [0064]-Saxe discloses only strings between 5 and 128 characters were considered, with the remainder ignored. The bins of the feature vector were also logarithmically scaled, as it was observed that this resulted in a slight performance increase.) between a query of the machine learning model (Fig. 8, #810 called Machine Learning Model, Para. [0017]) and an inference of whether the executable code is malicious or benign (FIG. 1B, Para. [0007]-Saxe discloses a flow chart showing an anti-malware machine learning process, according to an embodiment. Para. [0026]-Saxe further discloses in both malicious and benign settings, archives have been used to store code fragments that are later executed by software external to the archive, or conversely, archives have been embedded into other programs to form self-extracting archives.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation that such a value (and/or set of values for each combination in a file) can then be input into a machine learning model to train the machine learning model and/or to identify a file as containing malicious code, as described in further detail herein. In other embodiments, any other suitable method (e.g., a numerical value or score) can be used to represent the frequency of the combination within the file. (Saxe, para. [0052]).

Regarding claim 8, Smith teaches a computer readable storage medium (Fig. 3, #304 called Secondary Storage, Para. [0038]) comprising instructions which, when executed, cause one or more processors (Fig.3, #306 called Processor, Para. [0038]) to at least: Smith explicitly teaches exclude at least one known clean function from a log file to generate a filtered log file (FIG. 2, #202, Para. [0006]-Smith discloses the method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files); normalize mnemonics of functions in the filtered log file to generate normalized functions (FIG. 1, #112, Para. [0024]-Smith discloses test results for each message's attachment(s), including detected malware, analysis and forensic data, are forwarded from MAP sandboxes 110 to results normalizer 112. Results normalizer 112 normalizes the test results.); 
Smith fails to explicitly teach: populate a feature vector with n-gram groupings of the normalized functions; and train a machine learning model with the feature vector, the machine learning model to be deployed to an end-user device to detect malware in executable code.
However, Saxe explicitly teaches populate a feature vector with n-gram groupings of the normalized functions (FIG. 1A and 9, #118 and #926, Para. [0003]-Saxe discloses the processor performs feature vector-based maliciousness classification for the first and second potentially malicious files by extracting a first set of strings from the first potentially malicious file, and extracting a second set of strings from the second potentially malicious file. Para [0041]-Saxe further discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n'); and train a machine learning model (Fig. 8, #810 called Machine Learning Model, Para. [0046]) with the feature vector, the machine learning model to be deployed to an end-user device to detect malware in executable code (FIG. 7A & 8, Para. [0046]-Saxe discloses such a value (and/or set of values for each combination in a file) can then be input into a machine learning model to train the machine learning model and/or to identify a file as containing malicious code.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file. (Saxe, para. [0005]).


Regarding claim 9, Smith in view of Saxe teaches the computer readable storage medium of claim 8, Smith fails to explicitly teach wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment.
However, Saxe explicitly teaches wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment (FIG. 1A, Para. [0032]-Saxe discloses the processor can be, for example, a general-purpose processor, a field programmable gate array (FPGA), and/or an application specific integrated circuit (ASIC). Software modules (executed on hardware) can be expressed in a variety of software languages (e.g., computer code), including C, C++, Java™, Ruby, Visual Basic™, and/or other object-oriented, procedural, or other programming language and development tools. Para. [0078]-Saxe further discloses systems and methods set forth herein establish that machine learning is a viable approach for certain malicious email attachment scanner applications, particularly those tuned for a high false positive rate, where false positives are passed to a secondary scanner for enhanced detection-e.g., a dynamic detection engine in a sandbox.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of having instructions or computer code thereon for performing various computer-implemented operations. The computer-readable medium (or processor-readable medium) is non-transitory in the sense that it does not include transitory propagating signals per se (e.g. a propagating electromagnetic wave carrying information on a transmission medium such as space or a cable). The media and computer code (also can be referred to as code) may be those designed and constructed for the specific purpose or purposes. (Saxe, para. [0089]).


Regarding claim 10, Smith in view of Saxe teaches the computer readable storage medium of claim 8, Smith fails to explicitly teach wherein the n-gram groupings include bigram groupings.
However, Saxe explicitly teaches wherein the n-gram groupings include bigram groupings (FIG. 1A, Para. [0041]-Saxe discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.).).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the n-gram representations can serve to 'normalize' the raw bytes and/or strings by defining a bounded feature space suitable for use as an input for machine learning. (Saxe, para. [0041]).


Regarding claim 12, Smith in view of Saxe teaches the computer readable storage medium of claim 8, Smith fails to explicitly teach wherein the instructions cause the one or more processors to at least generate an empty version of the feature vector prior to populating the feature vector.
However, Saxe explicitly teaches wherein the instructions cause the one or more processors (Fig.3, #306 called Processor, Para. [0038]) to at least generate an empty version of the feature vector (Fig. 8, #806 called feature vector, Para. [0003]) prior to populating the feature vector (FIG. 7B, Para. [0005]-Saxe discloses the first set of strings can be from a file having the first file format and the second set of strings can be from a file having the second file format. The method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of specifically, in such instances, a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.) ... the feature vector generator can be configured to provide each n-gram as an input to a hash function to define a feature vector based on the representation-grams of varying lengths. (Saxe, para. [0041]).


Regarding claim 13, Smith in view of Saxe teaches the computer readable storage medium of claim 8, Smith explicitly teaches wherein the executable code includes a portable executable file (Para. [0005]-Smith discloses if an incoming message matches the watch-list, forwarding the message to a malware detection engine, stripping the one or more attachments from the forwarded message, the one or more attachments including one or more executable files).


Regarding claim 14, Smith in view of Saxe teaches the computer readable storage medium of claim 8, Smith fails to explicitly teach wherein the feature vector is to reduce latency between a query of the machine learning model and an inference of whether the executable code is malicious or benign.
However, Saxe explicitly teaches wherein the feature vector (Fig. 8, #806 called feature vector, Para. [0003]) is to reduce latency (Para. [0064]-Saxe discloses only strings between 5 and 128 characters were considered, with the remainder ignored. The bins of the feature vector were also logarithmically scaled, as it was observed that this resulted in a slight performance increase.) between a query of the machine learning model and an inference of whether the executable code is malicious or benign (FIG. 1B, Para. [0007]-Saxe discloses a flow chart showing an anti-malware machine learning process, according to an embodiment. Para. [0026]-Saxe further discloses in both malicious and benign settings, archives have been used to store code fragments that are later executed by software external to the archive, or conversely, archives have been embedded into other programs to form self-extracting archives.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation that such a value (and/or set of values for each combination in a file) can then be input into a machine learning model to train the machine learning model and/or to identify a file as containing malicious code, as described in further detail herein. In other embodiments, any other suitable method (e.g., a numerical value or score) can be used to represent the frequency of the combination within the file. (Saxe, para. [0052]).


Regarding claim 15, Smith teaches an apparatus comprising: Smith explicitly teaches means for filtering log files (Fig. 1, #114 called Risk Evaluator, Para. [0018]) to exclude at least one known clean function from a log file to generate a filtered log file (FIG. 2, #202, Para. [0006]-Smith discloses the method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files); means for normalizing log files to normalize mnemonics of functions in the filtered log file to generate normalized functions (FIG. 1, #112, Para. [0024]-Smith discloses test results for each message's attachment(s), including detected malware, analysis and forensic data, are forwarded from MAP sandboxes 110 to results normalizer 112. Results normalizer 112 normalizes the test results.);
Smith fails to explicitly teach: means for generating feature vectors to populate a feature vector with n-gram groupings of the normalized functions; and means for training a machine learning model with the feature vector, the machine learning model to be deployed to an end-user device to detect malware in executable code.
However, Saxe explicitly teaches means for generating feature vectors (Fig. 8, #806A-B called feature vector, Para. [0003]) to populate a feature vector with n-gram groupings of the normalized functions (FIG. 1A and 9, #118 and #926, Para. [0003]-Saxe discloses the processor performs feature vector-based maliciousness classification for the first and second potentially malicious files by extracting a first set of strings from the first potentially malicious file, and extracting a second set of strings from the second potentially malicious file. Para [0041]-Saxe further discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n'); and means for training a machine learning model with the feature vector (Fig. 1, #118 called feature vector, Para. [0003]), the machine learning model to be deployed to an end-user device to detect malware in executable code (FIG. 7A, Para. [0046]-Saxe discloses such a value (and/or set of values for each combination in a file) can then be input into a machine learning model to train the machine learning model and/or to identify a file as containing malicious code.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file. (Saxe, para. [0005]).


Regarding claim 16, Smith in view of Saxe teaches the apparatus of claim 15, Smith fails to explicitly teach wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment.
However, Saxe explicitly teaches wherein the log file includes low-level programming language functions corresponding to executable code that at least one of (a) executed or (b) crashed at a computer in a sandbox environment (FIG. 1A, Para. [0032]-Saxe discloses the processor can be, for example, a general-purpose processor, a field programmable gate array (FPGA), and/or an application specific integrated circuit (ASIC). Software modules (executed on hardware) can be expressed in a variety of software languages (e.g., computer code), including C, C++, Java™, Ruby, Visual Basic™, and/or other object-oriented, procedural, or other programming language and development tools. Para. [0078]-Saxe further discloses systems and methods set forth herein establish that machine learning is a viable approach for certain malicious email attachment scanner applications, particularly those tuned for a high false positive rate, where false positives are passed to a secondary scanner for enhanced detection-e.g., a dynamic detection engine in a sandbox.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of having instructions or computer code thereon for performing various computer-implemented operations. The computer-readable medium (or processor-readable medium) is non-transitory in the sense that it does not include transitory propagating signals per se (e.g. a propagating electromagnetic wave carrying information on a transmission medium such as space or a cable). The media and computer code (also can be referred to as code) may be those designed and constructed for the specific purpose or purposes. (Saxe, para. [0089]).


Regarding claim 17, Smith in view of Saxe teaches the apparatus of claim 15, Smith fails to explicitly teach wherein the n-gram groupings include bigram groupings.
However, Saxe explicitly teaches wherein the n-gram groupings include bigram groupings (FIG. 1A, Para. [0041]-Saxe discloses a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.).).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of the n-gram representations can serve to 'normalize' the raw bytes and/or strings by defining a bounded feature space suitable for use as an input for machine learning. (Saxe, para. [0041]).


Regarding claim 19, Smith in view of Saxe teaches the apparatus of claim 15, Smith fails to explicitly teach wherein the means for generating feature vectors is to generate an empty version of the feature vector prior to populating the feature vector.
 However, Saxe explicitly teaches wherein the feature vector generation controller is to generate an empty version of the feature vector (Fig. 8, #806 called feature vector, Para. [0003]) prior to populating the feature vector (FIG. 7B, Para. [0005]-Saxe discloses the first set of strings can be from a file having the first file format and the second set of strings can be from a file having the second file format. The method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation of specifically, in such instances, a feature vector generator (e.g., feature vector generator 118 of FIG. 1A) can generate a set of n-gram representations having n-grams of varying length 'n' (e.g., including a unigram, bigram, 3-gram, 4-gram, 5-gram representations, etc.) ... the feature vector generator can be configured to provide each n-gram as an input to a hash function to define a feature vector based on the representation-grams of varying lengths. (Saxe, para. [0041]).


Regarding claim 20, Smith in view of Saxe teaches the apparatus of claim 15. Smith explicitly teaches wherein the executable code includes a portable executable file (Para. [0005]-Smith discloses if an incoming message matches the watch-list, forwarding the message to a malware detection engine, stripping the one or more attachments from the forwarded message, the one or more attachments including one or more executable files).




Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Smith in view of Saxe as stated above and further in view of Leon et al. (US Patent No.: 10,680,978 B2), hereinafter referenced as Leon.


Regarding claim 4, Smith in view of Saxe teaches the apparatus of claim 1. Smith explicitly teaches wherein the log file normalization controller (Fig. 1, #112 called Results Normalizer, Para. [0024]) is to: identify arguments of the functions in the filtered log file (Para. [0014]-Smith discloses raw data results are analyzed to determine the impact against a known endpoint posture state using anomalous behavior detection, configuration compliance analysis, and other methods.);
Page 2 of 7 U.S. Serial No.: Not Yet Assigned Attorney Docket No.: P300081 Preliminary Amendment
Smith fails to explicitly teach determine one or more data types of each of the arguments of the functions;
However, Saxe explicitly teaches determine one or more data types of each of the arguments of the functions (FIG. 1A, Para. [0041]-Saxe discloses the concatenated vector can take the form, for example, of a Receiver Operating Characteristics (ROC) curve, as described and shown in greater detail below. At 138, the concatenated vector can be used to train one or more classifiers (e.g., a DNN and/or XGB classifier), as part of the machine learning process, for example, to refine one or more data models.);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation that the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file (Saxe, para. [0005]).
Smith in view of Saxe fails to explicitly teach and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions.
However, Leon explicitly teaches and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions (FIG. 4, #404, Col. 10, Line [22-33]-Leon discloses the normalization module 404 identifies these types of personalized terms on the messages and replaces the terms with placeholders indicating the type of term that was replaced. For example, a user's first name is replaced with a placeholder such as [first name]. Likewise, a date is replaced with a placeholder such as [current date]. In addition to replacing personalized terms with placeholders, the normalization module 404 further normalizes the messages to remove unnecessary characters, spacing, etc. For example, the normalization module 404 removes additional white spaces between words, additional or repeat punctuation, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Leon’s system into Smith’s system as modified by Saxe, with a motivation that the normalization module 404 normalizes the messages from the historical message data. Normalizing the messages may include multiple steps. For example, normalizing the message data includes replacing personalized data with placeholders. Personalized data is data that is unique to the context of the communication session. Examples of personalized data are names, dates, email addresses, addresses, phone numbers, URLs, etc. (Leon, Col. 10, Line [15-22]).


Regarding claim 11, Smith in view of Saxe teaches the computer readable storage medium of claim 8. Smith explicitly teaches wherein the instructions cause the one or more processors (Fig. 3, #306 called Processor, Para. [0038]) to at least: identify arguments of the functions in the filtered log file (Para. [0014]-Smith discloses raw data results are analyzed to determine the impact against a known endpoint posture state using anomalous behavior detection, configuration compliance analysis, and other methods.);
Smith fails to explicitly teach determine one or more data types of each of the arguments of the functions;
However, Saxe explicitly teaches determine one or more data types of each of the arguments of the functions (FIG. 1A, Para. [0041]-Saxe discloses the concatenated vector can take the form, for example, of a Receiver Operating Characteristics (ROC) curve, as described and shown in greater detail below. At 138, the concatenated vector can be used to train one or more classifiers (e.g., a DNN and/or XGB classifier), as part of the machine learning process, for example, to refine one or more data models.);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation that the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file (Saxe, para. [0005]).
Smith in view of Saxe fails to explicitly teach and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions.
However, Leon explicitly teaches and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions (FIG. 4, #404, Col. 10, Line [22-33]-Leon discloses the normalization module 404 identifies these types of personalized terms on the messages and replaces the terms with placeholders indicating the type of term that was replaced. For example, a user's first name is replaced with a placeholder such as [first name]. Likewise, a date is replaced with a placeholder such as [current date]. In addition to replacing personalized terms with placeholders, the normalization module 404 further normalizes the messages to remove unnecessary characters, spacing, etc. For example, the normalization module 404 removes additional white spaces between words, additional or repeat punctuation, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Leon’s system into Smith’s system as modified by Saxe, with a motivation that the normalization module 404 normalizes the messages from the historical message data. Normalizing the messages may include multiple steps. For example, normalizing the message data includes replacing personalized data with placeholders. Personalized data is data that is unique to the context of the communication session. Examples of personalized data are names, dates, email addresses, addresses, phone numbers, URLs, etc. (Leon, Col. 10, Line [15-22]).


Regarding claim 18, Smith in view of Saxe teaches the apparatus of claim 15. Smith explicitly teaches wherein the means for normalizing log files (Fig. 2, #216 is called Normalize Analysis Results, Para. [0036]) is to: identify arguments of the functions in the filtered log file (Para. [0014]-Smith discloses raw data results are analyzed to determine the impact against a known endpoint posture state using anomalous behavior detection, configuration compliance analysis, and other methods.);
Smith fails to explicitly teach determine one or more data types of each of the arguments of the functions;
However, Saxe explicitly teaches determine one or more data types of each of the arguments of the functions (FIG. 1A, Para. [0041]-Saxe discloses the concatenated vector can take the form, for example, of a Receiver Operating Characteristics (ROC) curve, as described and shown in greater detail below. At 138, the concatenated vector can be used to train one or more classifiers (e.g., a DNN and/or XGB classifier), as part of the machine learning process, for example, to refine one or more data models.);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxe’s system into Smith’s system, with a motivation that the method also includes defining a first feature vector based on a length of a set of strings within a first potentially malicious file having the first file format, and providing the first feature vector to the machine learning model to identify a maliciousness classification of the first potentially malicious file (Saxe, para. [0005]).
Smith in view of Saxe fails to explicitly teach and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions.
However, Leon explicitly teaches and replace each of the arguments with one or more placeholders representative of the one or more data types of the arguments to generate the normalized functions (FIG. 4, #404, Col. 10, Line [22-33]-Leon discloses the normalization module 404 identifies these types of personalized terms on the messages and replaces the terms with placeholders indicating the type of term that was replaced. For example, a user's first name is replaced with a placeholder such as [first name]. Likewise, a date is replaced with a placeholder such as [current date]. In addition to replacing personalized terms with placeholders, the normalization module 404 further normalizes the messages to remove unnecessary characters, spacing, etc. For example, the normalization module 404 removes additional white spaces between words, additional or repeat punctuation, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Leon’s system into Smith’s system as modified by Saxe, with a motivation that the normalization module 404 normalizes the messages from the historical message data. Normalizing the messages may include multiple steps. For example, normalizing the message data includes replacing personalized data with placeholders. Personalized data is data that is unique to the context of the communication session. Examples of personalized data are names, dates, email addresses, addresses, phone numbers, URLs, etc. (Leon, Col. 10, Line [15-22]).
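The following is an added illustration, not part of this Office action and not code from Smith, Saxe or Leon, of the two claimed operations discussed above: the normalization of claims 4, 11 and 18 (identify the arguments of each logged function, determine the data type of each argument, and replace the argument with a placeholder for that type) and the feature-vector handling of claim 19 (allocate an empty feature vector before populating it). The log format (one sandbox-style API call per line), the set of data types and placeholder names, and the sample log lines are all constructed assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a filtered log: one function call per line.
# (Assumed format; real sandbox logs differ in layout and detail.)
SAMPLE_LOG = r"""
CreateFileW("C:\Users\bob\report.docx", 0x80000000, 3)
CreateFileW("C:\Temp\a.tmp", 0x40000000, 0)
connect(0x1a4, "203.0.113.7", 443)
VirtualAlloc(0, 4096, 0x3000, 64)
WriteFile(0x1a8, "MZ...", 1024)
"""

# name(args) on a single line
CALL_RE = re.compile(r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\((?P<args>.*)\)\s*$')
# A quoted string (with backslash escapes) or a bare comma-free token;
# quoted strings are tried first so commas inside them are not split on.
ARG_RE = re.compile(r'\s*("(?:\\.|[^"\\])*"|[^,]+)')


def classify_argument(arg: str) -> str:
    """Step 2: determine the data type of one argument and return its placeholder."""
    s = arg.strip()
    if s.startswith('"') and s.endswith('"') and len(s) >= 2:
        body = s[1:-1]
        if re.fullmatch(r'(?:\d{1,3}\.){3}\d{1,3}', body):
            return '<ip>'
        # Drive-letter path (C:\...) or UNC path (\\server\share)
        if re.match(r'^[A-Za-z]:\\', body) or body.startswith('\\\\'):
            return '<path>'
        return '<str>'
    if re.fullmatch(r'0[xX][0-9a-fA-F]+', s):
        return '<hex>'
    if re.fullmatch(r'-?\d+', s):
        return '<int>'
    return '<unk>'


def normalize_line(line: str) -> str:
    """Steps 1-3 for one line: find the arguments, type them, replace with placeholders."""
    m = CALL_RE.match(line)
    if not m:
        raise ValueError(f'not a function-call log line: {line!r}')
    raw_args = m.group('args').strip()
    args = [a.strip() for a in ARG_RE.findall(raw_args)] if raw_args else []
    placeholders = [classify_argument(a) for a in args]
    return f"{m.group('name')}({', '.join(placeholders)})"


def normalize_log(text: str) -> List[str]:
    """Normalize every non-blank line of a filtered log."""
    return [normalize_line(ln) for ln in text.splitlines() if ln.strip()]


def build_feature_vector(normalized: List[str], vocabulary: List[str]) -> List[int]:
    """Allocate an empty (all-zero) vector first, then populate it with counts
    of each normalized function signature; unknown signatures are dropped."""
    index: Dict[str, int] = {sig: i for i, sig in enumerate(vocabulary)}
    vector = [0] * len(vocabulary)          # empty version of the feature vector
    for sig in normalized:                  # population step
        i = index.get(sig)
        if i is not None:
            vector[i] += 1
    return vector


def demo() -> List[int]:
    normalized = normalize_log(SAMPLE_LOG)
    vocabulary = sorted(set(normalized))    # in practice a fixed, pre-built vocabulary
    return build_feature_vector(normalized, vocabulary)


if __name__ == '__main__':
    for sig in normalize_log(SAMPLE_LOG):
        print(sig)
    print(demo())
```

Both CreateFileW calls collapse to the same normalized signature once the concrete path, access flags and share mode are replaced by placeholders, which is the point of the normalization: the vector counts behaviour (which functions were called with which kinds of arguments) rather than sample-specific values such as file names or addresses.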






Conclusion

Listed below is the prior art made of record and not relied upon but considered pertinent to applicant's disclosure.
Yang et al. – (US 20180089424 A1) – Methods, apparatus, systems and articles of manufacture are disclosed to improve feature engineering efficiency. An example method disclosed herein includes retrieving a log file in a first file format, the log file containing feature occurrence data, generating a first unit operation based on the first file format to extract the feature occurrence data from the log file to a string, the first unit operation associated with a first metadata tag, generating second unit operations to identify respective features from the feature occurrence data, the second unit operations associated with respective second metadata tags, and generating a first sequence of the first metadata tag and the second metadata tags to create a first vector output file of the feature occurrence data. (Fig. 1, Abstract.)

Leddy et al. – (US 20200067861 A1) – Dynamically updating a filter set includes: obtaining a first message from a first user; evaluating the obtained first message using a filter set; determining that the first message has training potential; updating the filter set in response to training triggered by the first message having been determined to have training potential; obtaining a second message from a second user; and evaluating the obtained second message using the updated filter set. (Fig. 1, Abstract.)

Choi et al. – (US 20200082083 A1) – Disclosed is an apparatus for verifying a malicious code machine learning classification model, which includes: a main feature processing subsystem performing feature extracting and processing functions in an input file; and a multi-layer cyclic verification subsystem performing multi-layer verification in order to determine whether the file is normal or malicious based on the extracted and processed features to verify a machine learning model that classifies malicious codes, thereby ensuring reliability of a prediction result for a machine learning model. (Fig. 1, Abstract.)

Gil et al. – (US 10958613 B2) – Systems and methods for passive monitoring of computer communication that does not require performing any decryption. A monitoring system receives the traffic exchanged with each relevant application server, and identifies, in the traffic, sequences of messages—or “n-grams”—that appear to belong to a communication session between a pair of users. Subsequently, based on the numbers and types of identified n-grams, the system identifies each pair of users that are likely to be related to one another via the application, in that these users used the application to communicate (actively and/or passively) with one another. The system may identify those sequences of messages that, by virtue of the sizes of the messages in the sequence, and/or other properties of the messages that are readily discernable, indicate a possible user-pair relationship. (Fig. 1, Abstract.)

Kurtz et al. – (US 20210117544 A1) – A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records. (Fig. 1, Abstract.)

Kutt et al. – (US 20210240825 A1) – Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes storing on a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one stored MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the received sample, and in response to determining that the sample is malicious, perform an action based on a security policy. (Fig. 1, Abstract.)

GURURAJAN et al. – (US 20210312041 A1) – The technology described herein identifies malicious URLs using a classifier that is both accurate and fast. Aspects of the technology are particularly well adapted for use as a real-time URL security analysis tool because the technology is able to quickly process a URL and produce a warning when a malicious URL is identified. The rapid processing speed of the technology described herein is produced, in part, by use of only a single input signal, which is the URL itself. The high accuracy produced by the technology described herein is achieved by analyzing the unstructured text on both a character-by-character level and a word-by-word level. The technology described herein uses both character-level and word-level information from the incoming URL. (Fig. 1, Abstract.)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nhat Tran whose telephone number is 571-338-4326. The examiner can normally be reached on Monday - Friday, 7:00 am - 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached on 571-270-3351.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/NT/Examiner, Art Unit 4163                  

/CHINEYERE D WILLS-BURNS/Primary Examiner, Art Unit 2628