DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Claims 1-19 as submitted on 7/21/22 were examined.  Claim 20 was cancelled.


Claim Rejections - 35 USC § 112
Claim 4 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  
The limitation further recited in claim 4 is a repeat of the last limitation of claim 1, which is the parent claim of claim 4.  Thus claim 4 does not further limit what is already recited in parent claim 1.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 11-18 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Johns et al (US 2019/0132334).
Claim 11:
	Johns discloses:
provide training data comprising features of artifacts and an attribute indicator for the artifacts (paragraphs 16, 22-23, 28, 58, and 61; Training data sets provided for executable files, which can include Portable Executable format), the attribute indicator comprising a type of artifact (paragraph 22; Training sets are labeled as malicious or benign binary code files);
train a machine learning model using the training data to detect malware (paragraphs 19, 22, and 61); and
use the trained machine learning model to recognize malware by providing features of an artifact as input and providing both a threat score and an attribute indicator of the type of artifact as output (paragraphs 16, 18, 21-22, 32, 34, 57, and 58; Threat scores and features outputted, see especially paragraphs 32 and 34).

Claim 12:
	Johns further discloses wherein the artifact is at least one of a portable executable file, a script, a Hypertext Markup Language (HTML) file, a JavaScript file, or a Hypertext Preprocessor (PHP) file (paragraph 23).

Claim 13:
	Johns further discloses wherein the machine learning model is a neural network (paragraphs 19, 22, and 28).

Claim 14:
	Johns further discloses taking a remedial action based on the output (paragraphs 33 and 51; Alert and blocking if malware is detected due to threat score exceeding a predetermined value).

Claim 15:
	Johns further discloses wherein the remedial action includes at least one of quarantining the artifact, notifying a user or administrator that the artifact is malicious, displaying an indication that the artifact is malicious, displaying an indication of the type of artifact, or removing the artifact (paragraphs 33 and 51).

Claim 16:
	Johns further discloses wherein the features are determined using a feature extractor (paragraphs 16, 18, 22, 26, and 61) and the artifact type is determined by distilling a detection name to provide labels (paragraphs 22 and 61).

Claim 17:
	Johns further discloses wherein the distilling comprises determining attributes of a detected artifact (paragraphs 20-22).

Claim 18:
	Johns further discloses wherein the training data is generated using static detections and behavior analysis (paragraphs 20, 26, 35, and 71).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 3-10 are rejected under 35 U.S.C. 103 as being unpatentable over Johns et al (US 2019/0132334) in view of McLane et al (US 2019/0007434).



Claim 1:
	Johns discloses:
providing training data comprising features of portable executable files and an attribute indicator for the portable executable files (paragraphs 16, 22-23, 28, 58, and 61; Training data sets provided for executable files, which can include Portable Executable format), the attribute indicator comprising a type of artifact (paragraph 22; Training sets are labeled as malicious or benign binary code files);
training a model using the training data to detect malware (paragraphs 19, 22, and 61);
using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and an attribute indicator as output (paragraphs 16, 18, 21-22, 32, 34, 57, and 58; Threat scores and features outputted, see especially paragraphs 32 and 34); and
taking a remedial action based on the output (paragraphs 33 and 51; Alert and blocking if malware is detected due to threat score exceeding a predetermined value).

Johns does not disclose, but McLane discloses the type of artifact being a family or type of malware (paragraphs 7, 41, and 52).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate McLane’s teachings within Johns’s invention such that the type of artifact indicated by the attribute indicator was a family or type of malware instead of just being malware or not.  The rationale for why it would be obvious is that doing so is nothing more than simple substitution of one known element for another to yield predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  One skilled in the art would also have been motivated to do so because indicating the family or type of malware specifically, rather than only whether the artifact is malware, would give an administrator more information as to how to respond to any malware detected, as different types of malware may need to be handled differently.

Claim 3:
	Johns further discloses wherein the trained model is a neural network (paragraph 16).

Claim 4:
	Johns further discloses taking a remedial action based on the output (paragraphs 33 and 51).

Claim 5:
	Johns further discloses wherein the remedial action includes at least one of quarantining the file, notifying a user or administrator that the file is malicious, displaying an indication that the file is malicious, displaying an indication of the type of file, or removing the file (paragraphs 33 and 51).

Claim 6:
	As per claim 6, McLane further discloses wherein the attribute indicator includes at least one type of attribute indicator selected from the list of: adware, crypto-miner, downloader, dropper, fileinfector, flooder, installer, packed, ransomware, spyware, and worm (paragraph 52).

Claim 7:
	Johns further discloses wherein the features are determined using a feature extractor (paragraphs 16, 18, 22, 26, and 61).

Claim 8:
	Johns further discloses wherein the malware type is determined by distilling a detection name to provide labels (paragraphs 22 and 61).

Claim 9:
	Johns further discloses wherein the distilling comprises determining attributes of a malware file (paragraphs 22 and 61).

Claim 10:
	Johns further discloses wherein the training data is generated using static detections and behavior analysis (paragraphs 20-22).


Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Johns et al (US 2019/0132334) in view of McLane et al (US 2019/0007434) in further view of Pan et al (“Transfer Joint Embedding for Cross-Domain Named Entity Recognition”).
Claim 2:
	Johns further discloses wherein the training further comprises training a neural network model using portable executable files and tags (paragraphs 19, 22-23, and 28).  Johns does not disclose, but Pan discloses training the neural network in a joint embedding model thereby generating a latent space (abstract).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Pan’s teachings within Johns’s modified invention by replacing how Johns trains his neural network model with how Pan trains neural network models, using a joint embedding model to thereby generate a latent space.  The rationale for why it would be obvious is that doing so is nothing more than simple substitution of one known element (i.e. type of neural network training) for another (i.e. different type of neural network training) to yield predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Allowable Subject Matter
Claim 19 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  The prior art does not teach the combination of limitations recited further in claim 19, in the context of what is also recited in parent claim 11.

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495