DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-85 are pending in this application.
The IDS filed on 04/27/2022 has been considered.

Claim Objections
Claim 49 is objected to because of the following:
Claim 49 recites “the server is configured use deployment information” which should be rewritten as “the server is configured to use deployment information”
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-2, 4-6, 9-10, 12-14 and 60-78 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 and 23-29 of copending Application No. 17/405,608 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-21 and 23-29 of copending Application No. 17/405,608 contain every element of claims 1-2, 4-6, 9-10, 12-14 and 60-78 of the instant application and thus anticipate the claims of the instant application (see Claim Comparison Table below).
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

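Claim Comparison Table
In each pair below, the claim of Instant Application 17/443,077 is listed first, followed by the corresponding claim of Copending Application No. 17/405,608.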
1. A computer-implemented method for classifying a data sample comprising: 

creating a plurality of k-mers from the data sample, each k-mer having a first length; 
generating a vector from the plurality of k-mers by processing the plurality of k-mers with a plurality of hash functions; 
comparing the vector to at least one other vector to determine at least one distance metric, the at least one other vector representing at least one other sample; and 
(claim 4. The computer-implemented method of claim 1, wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics.)

based on the at least one distance metric, determining a characteristic of the data sample.

1. (Currently Amended) A computer-implemented method for classifying a data sample comprising:        

creating a plurality of k-mers from the data sample, each k-mer having a first length; 
generating a vector from the plurality of k-mers by processing the plurality of k-mers with a plurality of hash functions; 
comparing the vector to a plurality of vector clusters, each vector cluster of the plurality of vector clusters comprising one or more vectors representing at least one other data sample that share common characteristics; 
identifying membership of the data sample to one of the plurality of vector clusters by determining  a plurality of distance metrics between the vector and each vector cluster of the plurality of vector clusters; and 

based on the plurality of distance metrics, determining a characteristic of the data sample.
2. The computer-implemented method of claim 1, wherein the at least one other sample is associated with malware or a program that causes damage.
2. (Original) The computer-implemented method of claim 1, wherein the at least one other sample is associated with malware or a program that causes damage.
4. The computer-implemented method of claim 1, wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics.
3. (Currently Amended) The computer-implemented method of claim 1, wherein identifying membership of the data sample to one of the plurality of vector clusters comprises:  iterating through the plurality of clusters  based on the plurality of distance metrics.
5. The computer-implemented method of claim 1, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the at least one other vector.
4. (Original) The computer-implemented method of claim 1, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the at least one other vector.
6. The computer-implemented method of claim 5, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions.
5. (Original) The computer-implemented method of claim 4, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions.
9. The computer-implemented method of claim 1 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.
6. (Original) The computer-implemented method of claim 1 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.
10. The computer-implemented method of claim 9, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.
7. (Original) The computer-implemented method of claim 6, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.
12. The computer-implemented method of claim 1 comprising, prior to creating the plurality of k-mers from the data sample, measuring a level of information content in the data sample.
8. (Original) The computer-implemented method of claim 1 comprising, prior to creating the plurality of k-mers from the data sample, measuring a level of information content in the data sample.
13. The computer-implemented method of claim 12 comprising, in response to determining that the level of information content is above a pre-defined threshold, creating the plurality of k-mers from the data sample.
9. (Original) The computer-implemented method of claim 8 comprising, in response to determining that the level of information content is above a pre-defined threshold, creating the plurality of k-mers from the data sample.
14. The computer-implemented method of claim 12, wherein measuring the level of information content comprises at least one of calculating an entropy of the data sample or calculating a cardinality of the data sample.
10. (Original) The computer-implemented method of claim 8, wherein measuring the level of information content comprises at least one of calculating an entropy of the data sample or calculating a cardinality of the data sample.
60. A computer-implemented method for preventing data leaks from a protected environment: 

detecting, at an egress gateway, a data sample being transmitted outside of the protected environment; 



creating a plurality of k-mers from the data sample, each k-mer having a first length; 
generating a vector from the plurality of k-mers by processing the plurality of k-mers with a plurality of hash functions; 
comparing the vector to a set of protected vectors to determine at least one distance metric, the protected vectors representing a plurality of protected data samples; and 


based on the at least one distance metric, preventing the data sample from leaving the protected environment.
11. (Currently Amended) A computer-implemented method for preventing data leaks from a protected environment, the method comprising: 
detecting, at an egress gateway, a data sample being transmitted outside of the protected environment, the data sample comprising confidential information; 

creating a plurality of k-mers from the data sample, each k-mer having a first length; 
generating a vector from the plurality of k-mers by processing the plurality of k-mers with a plurality of hash functions; 
comparing the vector to a set of protected vectors to determine at least one distance metric, the set of protected vectors representing a plurality of data samples that are to remain within the protected environment; and 
based on the at least one distance metric, preventing the data sample from leaving the protected environment.
61. The computer-implemented method of claim 60, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the set of protected vectors.
12. (Original) The computer-implemented method of claim 11, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the set of protected vectors.
62. The computer-implemented method of claim 61, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions.
13. (Original) The computer-implemented method of claim 12, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions.
63. The computer-implemented method of claim 60, where the first length is at least three bytes.
14. (Original) The computer-implemented method of claim 11, where the first length is at least three bytes.
64. The computer-implemented method of claim 60 comprising determining the first length based on at least one statistical property of the data sample.
15. (Original) The computer-implemented method of claim 11 comprising determining the first length based on at least one statistical property of the data sample.
65. The computer-implemented method of claim 60 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.
16. (Original) The computer-implemented method of claim 11 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.
66. The computer-implemented method of claim 65, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.
17. (Currently Amended) The computer-implemented method of claim 16, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.
67. The computer-implemented method of claim 65, wherein the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another.

18. (Currently Amended) The computer-implemented method of claim 11, wherein the plurality of k-mers is generated such that at least one of the plurality of k-mers partially overlaps another.
68. A computer-implemented method for vectorizing a data sample comprising: 
executing the data sample; collecting runtime data associated with the execution of the data sample; 
creating a plurality of k-mers from the runtime data, each k-mer having a first length; 
mapping the plurality of k-mers to a plurality of integers with a plurality of hash functions; and 
generating a vector from the mapped plurality of k-mers with a MinHash function.
71. The computer-implemented method of claim 68 comprising: comparing the vector to at least one other vector to determine at least one distance metric, the at least one other vector representing at least one other sample; 




based on the at least one distance metric, determining a characteristic of the data sample.

19. (Currently Amended) A computer-implemented method for vectorizing a data sample comprising: 

executing the data sample; 
collecting runtime data associated with the execution of the data sample; 
creating a plurality of k-mers from the runtime data, each k-mer having a first length; 
mapping the plurality of k-mers to a plurality of integers with a plurality of hash functions; 

generating a vector from the mapped plurality of k-mers with a MinHash function; 
comparing the vector to a plurality of vector clusters, each vector cluster of the plurality of vector clusters comprising one or more vectors representing at least one other data sample that share common characteristics; 
identifying membership of the data sample to one of the plurality of vector clusters by determining a plurality of distance metrics between the vector and each vector cluster of the plurality of vector clusters; and 
based on the plurality of distance metrics, determining a characteristic of the data sample.
69. The computer-implemented method of claim 68, wherein the data sample is executed in a sandbox.

20. (Original) The computer-implemented method of claim 19, wherein the data sample is executed in a sandbox.
70. The computer-implemented method of claim 68, wherein the runtime data comprises at least one of memory buffers, intermediate files, or API tracing information.

21. (Original) The computer-implemented method of claim 19, wherein the runtime data comprises at least one of memory buffers, intermediate files, or API tracing information.
72. The computer-implemented method of claim 71, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the set of protected vectors.

23. (Currently Amended) The computer-implemented method of claim 19, wherein determining the plurality of distance metrics comprises approximating a similarity between the vector and each vector cluster of the plurality of vector clusters.
73. The computer-implemented method of claim 72, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions.

24. (Currently Amended) The computer-implemented method of claim 23, wherein approximating the similarity comprises using [[a]] the MinHash function on each of the plurality of hash functions.
74. The computer-implemented method of claim 68, where the first length is at least three bytes.

25. (Original) The computer-implemented method of claim 19, where the first length is at least three bytes.
75. The computer-implemented method of claim 68 comprising determining the first length based on at least one statistical property of the data sample.

26. (Original) The computer-implemented method of claim 19 comprising determining the first length based on at least one statistical property of the data sample.
76. The computer-implemented method of claim 68 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.

27. (Original) The computer-implemented method of claim 19 comprising, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers.
77. The computer-implemented method of claim 76, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.

28. (Original) The computer-implemented method of claim 27, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value.
78. The computer-implemented method of claim 76, wherein the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another.

29. (Currently Amended) The computer-implemented method of claim 27, wherein the plurality of k-mers is generated such that at least one of the plurality of k-mers partially overlaps another.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-6, 9-10, 12, 14-16, 21-22, 25-26, 28, 30-31, 33-34, 41-42, 44, 46, 48, 50-51, 54-55, 57, 59, 60-62, 65-66, 68, 70-73, 76-77, 79-81 and 85 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor et al. (Patent No.: US 10,880,270 B1) (hereinafter, “Rigor”) in view of Morkovsky (Publication No.: US 2018/0096149 A1).

As to claim 1, Rigor discloses a computer-implemented method for classifying a data sample comprising: 
creating a plurality of k-mers from the data sample (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation), each k-mer having a first length (column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
generating a vector from the plurality of k-mers (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector) by processing the plurality of k-mers with … [a hash function] (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); 
comparing the vector to at least one other vector to determine at least one distance metric (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62,“[t]he PLVA firewall 420 tokenizes the network data of the second set of network data 510”); and 
based on the at least one distance metric, determining a characteristic of the data sample (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match).
Rigor does not explicitly disclose using a plurality of hash functions. However, in an analogous art, Morkovsky discloses that each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events (paragraph [0024]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include a plurality of hash functions in order to detect malicious within event data.

As to claim 2, Rigor discloses wherein the at least one other sample is associated with malware or a program that causes damage (column 9, lines 61-67, malware associated with the second set of data is detected when the second set of data matches at least 75% of the tokens in the feature vector; thus, the second data (other sample) is associated with malware).

As to claim 5, Rigor discloses wherein determining the at least one distance metric comprises approximating a similarity between the vector and the at least one other vector (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).

As to claim 6, Morkovsky discloses wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (paragraphs [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity; the plurality of hash values are generated through a MinHash function).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Rigor to include approximating the similarity by using a MinHash function on each of the plurality of hash functions, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to quickly determine similarities between sets of data elements.
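The method recited in claims 1, 5-6 and 12-14 (entropy check, k-mers, a plurality of hash functions, MinHash vector, distance metric, characteristic), shown as an added illustration that is not part of this Office action, the application, or either cited reference. The salted BLAKE2b hash family, k = 4, 64 hash functions, both thresholds, all function names and the sample byte strings are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter


def kmers(data: bytes, k: int = 4) -> set:
    """Overlapping k-byte windows of the sample (every k-mer has length k)."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def shannon_entropy(data: bytes) -> float:
    """Information content in bits per byte (zero for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _hash(seed: int, kmer: bytes) -> int:
    # One member of the hash family: BLAKE2b salted with the seed (assumed choice).
    salt = seed.to_bytes(8, "little")
    return int.from_bytes(hashlib.blake2b(kmer, digest_size=8, salt=salt).digest(), "little")


def minhash_vector(data: bytes, k: int = 4, num_hashes: int = 64, min_entropy: float = 1.0):
    """Return the MinHash signature of the sample, or None if it is not worth hashing."""
    if shannon_entropy(data) < min_entropy:   # information-content gate before k-mer creation
        return None
    ks = kmers(data, k)
    if not ks:                                # sample shorter than k bytes
        return None
    # Entry i is the minimum of hash function i over all k-mers.
    return [min(_hash(seed, km) for km in ks) for seed in range(num_hashes)]


def distance(a, b) -> float:
    """1 - estimated Jaccard similarity: the fraction of signature entries that differ."""
    return 1.0 - sum(x == y for x, y in zip(a, b)) / len(a)


def classify(sample: bytes, references: dict, threshold: float = 0.5):
    """Label the sample with its nearest reference vector if that is within threshold."""
    vec = minhash_vector(sample)
    if vec is None:
        return ("skipped", None)
    label, best = min(((lbl, distance(vec, ref)) for lbl, ref in references.items()),
                      key=lambda pair: pair[1])
    return (label, best) if best <= threshold else ("unknown", best)


# Constructed sample data (not from the application or the cited references).
REF_A = b"the quick brown fox jumps over the lazy dog while the daemon polls its queue"
REF_B = b"0123456789ABCDEF" + b"FEDCBA9876543210" + b"13579BDF02468ACE"
VARIANT = REF_A.replace(b"lazy", b"hazy")     # one-byte change to REF_A
UNRELATED = b"~!@#$%^&*()_+{}|<>?[]=-`"       # shares no k-mer with either reference
REFERENCES = {"family_a": minhash_vector(REF_A), "family_b": minhash_vector(REF_B)}

if __name__ == "__main__":
    for name, sample in [("variant", VARIANT), ("unrelated", UNRELATED),
                         ("constant", b"\x00" * 256)]:
        print(name, classify(sample, REFERENCES))
```

A one-byte change alters only the four k-mers that cover it, so the variant's signature still agrees with its reference in most positions, while a constant buffer is rejected by the entropy gate before any hashing.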

As to claims 9, 41 and 54, Rigor discloses, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers (column 8, lines 30-34, the transformation involves tokenizing each URL into all possible substrings of length (manipulating) and counting each k-length substring appearing in the URLs of the attack sequence network data).

As to claims 10, 42 and 55, Rigor discloses, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value (column 10, lines 26-26, comparing the counts of the K-mer tokens with the counts (representative value) stored).
As to claims 12, 28 and 57, Rigor discloses, prior to creating the plurality of k-mers from the data sample, measuring a level of information content in the data sample (column 9, lines 40-41, tracking the number of times specific k-length tokens appear in the first set of the network data).

As to claims 14, 30 and 59, Rigor discloses, wherein measuring the level of information content comprises at least one of calculating an entropy of the data sample or calculating a cardinality of the data sample (column 11, lines 15-22, “a count of five (indicating that five instances of the token were identified in the network data sequence 710)…a count of six…(indicating that six instances of the same token were found in the attack pattern)”, which corresponds to calculating a cardinality of the data sample).

As to claim 15, Rigor discloses a computer-implemented method for classifying a data sample comprising: 
identifying a subsequence of the data sample (column 5, lines 33-45, “The process 200 commences with the PLVA firewall obtaining (at 210) network data of a suspected attack sequence. The network data for the suspected attack sequence can be obtained from a log of the PLVA firewall or other servers that are communicably coupled with the PLVA firewall.”);  
creating a plurality of k-mers from the subsequence of the data sample (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation), each k-mer having a first length (column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
generating a vector from the plurality of k-mers (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector) by processing the plurality of k-mers with a hash function (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); 
comparing the vector to at least one other vector to determine at least one distance metric, the at least one other vector representing at least one subsequence of other samples (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62,“[t]he PLVA firewall 420 tokenizes the network data of the second set of network data 510”); and 
based on the at least one distance metric, determining a characteristic of the data sample (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match).
Rigor does not explicitly disclose using a plurality of hash functions. However, in an analogous art, Morkovsky discloses that each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events (paragraph [0024]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include a plurality of hash functions in order to detect malicious within event data.

As to claim 16, Rigor discloses wherein the at least one other sample is associated with malware or a program that causes damage (column 9, lines 61-67, malware associated with the second set of data is detected when the second set of data matches at least 75% of the tokens in the feature vector; thus, the second data (other sample) is associated with malware).

As to claim 21, Rigor discloses wherein determining the at least one distance metric comprises approximating a similarity between the vector and the at least one other vector (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).
As to claim 22, Morkovsky discloses wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (paragraphs [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity; the plurality of hash values are generated through a MinHash function).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Rigor to include approximating the similarity by using a MinHash function on each of the plurality of hash functions, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to quickly determine similarities between sets of data elements.

As to claim 25, Rigor discloses, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers (column 8, lines 30-34, the transformation involves tokenizing each URL into all possible substrings of length (manipulating) and counting each k-length substring appearing in the URLs of the attack sequence network data).

As to claim 26, Rigor discloses, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value (column 10, lines 26-26, comparing the counts of the K-mer tokens with the counts (representative value) stored).
As to claims 31 and 44, Rigor discloses wherein identifying the subsequence of the first data sample comprises dividing the first data sample into parts of constant size (column 8, lines 30-34, the transformation involves tokenizing each URL into all possible substrings of length (dividing) and counting each k-length substring appearing in the URLs of the attack sequence network data).

As to claim 33, Rigor discloses wherein: identifying the subsequence of the first data sample comprises: parsing the first data sample to identify a plurality of components; and selecting at least one of the components as the subsequence; wherein the at least one subsequence of other samples has a component type related to the selected components of the first data sample (column 5, lines 33-45, “The process 200 commences with the PLVA firewall obtaining (at 210) network data of a suspected attack sequence. The network data for the suspected attack sequence can be obtained from a log of the PLVA firewall or other servers that are communicably coupled with the PLVA firewall.”).

As to claim 34, Rigor discloses a computer-implemented method for scanning a data sample comprising: 
identifying a plurality of subsequences of the data sample (column 5, lines 33-45, “The process 200 commences with the PLVA firewall obtaining (at 210) network data of a suspected attack sequence. The network data for the suspected attack sequence can be obtained from a log of the PLVA firewall or other servers that are communicably coupled with the PLVA firewall.”); 
for each subsequence: creating a plurality of k-mers from the respective subsequence (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation), each k-mer having a first length (column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
generating a vector from the plurality of k-mers (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector) by processing the plurality of k-mers with … [a hash function] (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); 
comparing the vector to a set of reference vectors to determine a set of distance metrics (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62,“[t]he PLVA firewall 420 tokenizes the network data of the second set of network data 510”);  and 
based on the set of distance metrics, determining a characteristic of the data sample (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match).
Rigor does not explicitly disclose using a plurality of hash functions. However, in an analogous art, Morkovsky discloses that each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events (paragraph [0024]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include a plurality of hash functions in order to detect malicious within event data.

As to claim 46, Rigor discloses wherein: identifying the subsequence of the data sample comprises: parsing the data sample to identify a plurality of components; and selecting one of the components as the subsequence; wherein a subsequence of the set of reference vectors has a component type related to the selected components of the first data sample (column 5, lines 33-45, “The process 200 commences with the PLVA firewall obtaining (at 210) network data of a suspected attack sequence. The network data for the suspected attack sequence can be obtained from a log of the PLVA firewall or other servers that are communicably coupled with the PLVA firewall.”).

As to claim 48. Rigor discloses a system for protecting a plurality of endpoints comprising: 
a server communicably coupled to a plurality of endpoints, the server being configured to: identify a data sample on an endpoint of the plurality of endpoints (column 5, lines 6-22, “Execution of the PLVA firewall 110 on each server of the set of servers 130 can also form a distributed PLVA firewall. As part of the distributed PLVA firewall, the set of servers 130 can share network data with one another in order to identify persistent low volume attack patterns that span more than one server. The set of servers 130 can also share patterns of detected persistent low volume attacks with one another so that each individual server 130 does not have to independently detect the attack pattern before taking protective action.”); 
creating a plurality of k-mers from the data sample (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation), each k-mer having a first length (column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
generate a vector from the plurality of k-mers (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector) by processing the plurality of k-mers with a hash function, wherein the hash function is chosen at random for each endpoint (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); 
determine a distance metric between the data sample and a reference data sample by comparing the vector to a reference vector, the reference vector representing the reference data sample (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62,“[t]he PLVA firewall 420 tokenizes the network data of the second set of network data 510”); and 
based on the distance metric, determine a maliciousness level of the data sample (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match).
Rigor does not explicitly disclose using a plurality of hash functions. However, in an analogous art, Morkovsky discloses that each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events (paragraph [0024]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include a plurality of hash functions in order to detect malicious within event data.

As to claim 50, Rigor discloses wherein determining the distance metric comprises approximating a similarity between the vector and the reference vector (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).

As to claim 51, Morkovsky discloses wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (paragraph [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity, the plurality of hash values are generated through a MinHash function).
It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor to include approximating the similarity comprises using a MinHash function on each of the plurality of hash functions, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to quickly determine similarities between sets of data elements.

As to claim 60, Rigor discloses, a computer-implemented method for preventing data leaks from a protected environment: 
detecting, at a gateway, a data sample being transmitted (column 9, lines 16-17, the first set of network data arrives at the PLVA firewall);
creating a plurality of k-mers from the data sample, each k-mer having a first length (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation, column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
generating a vector from the plurality of k-mers (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector) by processing the plurality of k-mers with … [a hash function] (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); 
comparing the vector to a set of protected vectors to determine at least one distance metric (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the protected vectors representing a plurality of protected data samples  (“[t]he PLVA firewall 420 tokenizes the network data of the second set  of network data 510”); and 
based on the at least one distance metric (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match), preventing sending the data sample  (column 7, line 61- column 8, line 1, when the network data sequence matches one of the configured pattern by a threshold performing a protective action including blocking the request).
	Rigor does not explicitly disclose using a plurality of hash functions. However, in an analogous art, Morkovsky discloses that each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events (paragraph [0024]).
	Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include a plurality of hash functions in order to detect malicious within event data.
	While Rigor in view of Morkovsky discloses detecting a data transmission at a gateway and blocking malicious data from being sent, as noted above, Rigor in view of Morkovsky does not explicitly disclose detecting, at an egress gateway, data transmitted outside of the protected environment and preventing the data sample from leaving the protected environment. However, the process and step for detecting a data sample by a gateway and preventing/blocking the data sample does not depend on whether data is leaving an environment or being received by an environment; the process would have been performed the same regardless of whether the data sample is leaving the environment or entering the environment. Therefore, such limitation does not include an inventive step and would have been predictable and obvious to one of ordinary skill in the art, providing the benefit of detecting malicious activity within a secure network environment. 

As to claim 61, Rigor discloses wherein determining the at least one distance metric comprises approximating a similarity between the vector and the set of protected vectors (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).
As to claim 62, Morkovsky discloses wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (paragraph [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity, the plurality of hash values are generated through a MinHash function).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor to include approximating the similarity comprises using a MinHash function on each of the plurality of hash functions, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to quickly determine similarities between sets of data elements.

As to claim 65, Rigor discloses prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers (column 8, lines 30-34, the transformation involves tokenizing each URL into all possible substrings of length (manipulating) and counting each k-length substring appearing in the URLs of the attack sequence network data).
As to claim 66, Rigor discloses where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value (column 10, lines 26-26, comparing the counts of the K-mer tokens with the counts (representative value) stored).

As to claim 68, Rigor discloses, a computer-implemented method for vectorizing a data sample comprising: 
creating a plurality of k-mers from the [runtime] data, each k-mer having a first length (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation, and  column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
mapping the plurality of k-mers to a plurality of integers with a … hash function (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); and 
generating a vector from the mapped plurality of k-mers with a Hash function (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector, and column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”).
	Rigor does not explicitly teach executing the data sample; collecting runtime data associated with the execution of the data sample; mapping with a plurality of hash functions and generating a vector with a MinHash function. However, in an analogous art, Morkovsky teaches executing the data sample (paragraph [0006], program being evaluated is executed on a computer system); collecting runtime data associated with the execution of the data sample (paragraph [0006], “monitoring an event stream for the program, wherein the event stream includes a plurality of events. [t]he events may include or relate to event data for Application Program Interface (API) calls made by the program being evaluated”); mapping with a plurality of hash functions (paragraph [0024], each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events); and generating a vector with a MinHash function (paragraph [0020], “the plurality of hash values…generated through a MinHash hashing method”).
	Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include “executing the data sample; collecting runtime data associated with the execution of the data sample; mapping with plurality of hash function and generating a vector with MinHash function” in order to detect malicious within event stream.

As to claim 70, Morkovsky discloses wherein the runtime data comprises at least one of memory buffers, intermediate files, or API tracing information (paragraph [0006], the event includes data for Application Program Interface (API) calls made by the program).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor to include API calls, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to evaluate and detect malware Application Programming Interface calls.

As to claim 71, Rigor discloses comparing the vector to at least one other vector to determine at least one distance metric (column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62, “[t]he PLVA firewall 420 tokenizes the network data of the second set (one other sample) of network data 510”); based on the at least one distance metric, determining a characteristic of the data sample (column 9, lines 63-67, a threshold match to the pattern of the persistent low volume attack represented by the feature vector is made when there is at least 75% match).

As to claim 72, Rigor furthermore discloses, wherein determining the at least one distance metric comprises approximating a similarity between the vector and the set of protected vectors (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).

As to claim 73, Morkovsky further discloses, wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (paragraph [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity, the plurality of hash values are generated through a MinHash function).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor to include approximating the similarity comprises using a MinHash function on each of the plurality of hash functions, as disclosed by Morkovsky. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to quickly determine similarities between sets of data elements.

As to claim 76, Rigor furthermore discloses, prior to generating the vector, at least one of manipulating, modifying, or selecting the plurality of k-mers (column 8, lines 30-34, the transformation involves tokenizing each URL into all possible substrings of length (manipulating) and counting each k-length substring appearing in the URLs of the attack sequence network data).

As to claim 77, Rigor furthermore discloses, where manipulating the plurality of k-mers comprises at least one of removing at least one k-mer or mapping two or more k-mers to a representative value (column 10, lines 26-26, comparing the counts of the K-mer tokens with the counts (representative value) stored).

As to claim 79, Rigor discloses a computer-implemented method for vectorizing a data sample comprising: 
creating a plurality of k-mers from the data sample, each k-mer having a first length (column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation, column 6, lines 34-35, “different K-Length segments extracted from one or more elements of the network data”); 
mapping the plurality of k-mers to a plurality of integers with a hash function (column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”); and 
generating a vector from the mapped plurality of k-mers with a Hash function (column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector, and column 8, lines 37-38, “[a] hashing function can be used to map the tokens to the feature vector array”).
	Rigor does not explicitly disclose mapping with a plurality of hash functions; and generating a vector with a MinHash function. However, in an analogous art, Morkovsky teaches mapping with a plurality of hash functions (paragraph [0024], each entry in the vector represents an output of a hash function. Event data for an event is processed using multiple hash functions to produce entries in the vector for the events); and generating a vector with a MinHash function (paragraph [0020], “the plurality of hash values…generated through a MinHash hashing method”).
	Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor with the teaching of Morkovsky to include “mapping with a plurality of hash function; and generating Vector with MinHash function” in order to detect malicious within event stream.

As to claim 80, Rigor discloses comprising using the vector to determine a characteristic of the data sample by comparing the vector to at least one other vector (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).

As to claim 81, Rigor discloses comprising using the vector to determine a maliciousness level of the data sample (column 9, lines 61-67, malware associated with second set of data is detected when the second set of data is matched at least 75% of token in the feature vector, thus, the second data (other sample) is associated with malware; column 9, lines 40-41, tracking the number of times specific k-length tokens appears in the first set of the network data).
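
The pipeline recited in claims 79-81 (overlapping k-mers, a plurality of hash functions, a MinHash vector, comparison against a reference vector with a match threshold) can be sketched as follows. This Python code is an added illustration and is not part of this Office action, the application, Rigor or Morkovsky; the keyed BLAKE2b hash family, k = 4, the 256 hash functions, the sample byte strings and the reuse of the 75% figure as a similarity cut-off are assumptions.

```python
"""Added illustration: k-mers -> family of hash functions -> MinHash vector."""
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

K = 4                    # k-mer length in bytes (assumed)
NUM_HASHES = 256         # size of the hash-function family (assumed)
MATCH_THRESHOLD = 0.75   # assumed: the 75% figure reused as a similarity cut-off

# Constructed sample inputs; none of these come from the cited references.
REFERENCE = (b"GET /portal/login.php?user=admin&session=8f3a91c2"
             b"&redirect=%2Fdashboard%2Freports HTTP/1.1\r\n"
             b"Host: intranet.example\r\n"
             b"User-Agent: constructed-sample/1.0\r\n")
VARIANT = REFERENCE.replace(b"8f3a91c2", b"8f3a91c7")   # one byte differs
UNRELATED = b"0123456789" * 6                            # shares no 4-mer


def kmers(data: bytes, k: int = K) -> Set[bytes]:
    """Return the set of overlapping k-byte substrings (one-byte stride)."""
    if k <= 0:
        raise ValueError("k must be positive")
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def _hash(seed: int, kmer: bytes) -> int:
    """One member of the hash family: BLAKE2b keyed by the seed, 64-bit output."""
    key = struct.pack("<I", seed)
    return int.from_bytes(
        hashlib.blake2b(kmer, digest_size=8, key=key).digest(), "big")


def minhash_vector(data: bytes, num_hashes: int = NUM_HASHES,
                   k: int = K) -> Optional[List[int]]:
    """Entry i is the minimum of hash function i over all k-mers of the sample.

    Returns None when the sample is shorter than k and yields no k-mers.
    """
    grams = kmers(data, k)
    if not grams:
        return None
    return [min(_hash(seed, g) for g in grams) for seed in range(num_hashes)]


def estimated_similarity(a: Optional[List[int]],
                         b: Optional[List[int]]) -> float:
    """Fraction of agreeing entries, an estimate of the k-mer Jaccard index."""
    if a is None or b is None:
        return 0.0
    if len(a) != len(b):
        raise ValueError("vectors were built with different hash families")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def exact_jaccard(a: bytes, b: bytes, k: int = K) -> float:
    """Ground truth for checking the estimate on small inputs."""
    ka, kb = kmers(a, k), kmers(b, k)
    union = ka | kb
    return len(ka & kb) / len(union) if union else 0.0


def classify(sample: bytes, references: Dict[str, List[int]],
             threshold: float = MATCH_THRESHOLD) -> Tuple[Optional[str], float]:
    """Return (label of best-matching reference or None, best similarity)."""
    vec = minhash_vector(sample)
    best_label, best_score = None, 0.0
    for label, ref_vec in references.items():
        score = estimated_similarity(vec, ref_vec)
        if score > best_score:
            best_label, best_score = label, score
    if best_score >= threshold:
        return best_label, best_score
    return None, best_score


if __name__ == "__main__":
    refs = {"constructed-reference": minhash_vector(REFERENCE)}
    for name, blob in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name, classify(blob, refs), exact_jaccard(REFERENCE, blob))
```

The one-byte variant keeps all but four of its k-mers, so its estimated similarity stays well above the cut-off, while a sample shorter than k produces no vector and is never matched.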

As to claim 85, Rigor discloses wherein measuring the level of information content comprises performing an information theoretic measurement of the data sample (column 11, lines 15-22, “a count of five (indicating that five instances of the token were identified in the network data sequence 710)…a count of six…(indicating that six instances of the same token were found in the attack pattern)”).

Claims 3 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Howard et al. (US 2019/0199736 A1) (hereinafter, “Howard”).

As to claims 3 and 17, neither Rigor nor Morkovsky explicitly disclose wherein the at least one other samples is known to be benign.
However, in an analogous art, Howard discloses wherein the at least one other samples is known to be benign (Howard: paragraph [0072], A set of training binaries (“Feature Reduction Training Binaries”), including both benign and malicious samples, has their features extracted by the Feature Extractor 252. These features are then passed to a Feature Reduction Trainer 254-1. Various methods can be used for feature reduction, including, but not limited to, neural network autoencoders, see also, Howard: [0074], [0095]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Howard to include wherein the at least one other samples is known to be benign in order to detect malicious binaries without increasing its false positive rate.

Claims 4, 18 and 84 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Majumdar (Patent No.: US 8,566,321 B2).

As to claim 4, neither Rigor nor Morkovsky explicitly disclose wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics.
However, in an analogous art, Majumdar discloses wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics (column 24, lines 27-60, the ontology can be induced by application of the Rvachev-functions and a suitable vector valued function to induce an ordering or ranking b by annealing the field through iterative computations such that paths 95 cluster the virtual particle data in the field, 96 of FIG. 10. … The task is to obtain the matrix D of all the distances between concepts and training data. … Given the distance matrix D all the properties of the field can be obtained by simple algebra performed on D).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Majumdar to include “wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics” in order to provide similarity, search and reasoning processes in an effective manner.
As to claim 18, neither Rigor nor Morkovsky explicitly disclose wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics with a Nearest Neighbor search or a Fixed-Radius Near Neighbors method.
However, in an analogous art, Majumdar discloses wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics with a Nearest Neighbor search or a Fixed-Radius Near Neighbors method (column 24, lines 27-60, the ontology can be induced by application of the Rvachev-functions and a suitable vector valued function to induce an ordering or ranking b by annealing the field through iterative computations such that paths 95 cluster the virtual particle data in the field, 96 of FIG. 10. … The task is to obtain the matrix D of all the distances between concepts and training data. … Given the distance matrix D all the properties of the field can be obtained by simple algebra performed on D; column 26, lines 6-22, the decision boundaries from such semantic field data filter should converge to the Voronoi diagram reflecting a nearest neighbor rule. The algorithm for computing the signed, oriented critical points which correspond the critical conceptual entities in the field, and from this, that the Morse-Graph is produced that represents the concept network based on the input data).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Majumdar to include “wherein the at least one other vector comprises a cluster of other vectors, wherein comparing the vector to the cluster of other vectors comprises iterating through the cluster of other vectors based on distance metrics” in order to provide similarity, search and reasoning processes in an effective manner.

As to claim 84, the combination of Rigor, Morkovsky and Majumdar disclose comprising using a Nearest Neighbor search or a Fixed-Radius Near Neighbors method (Majumdar: column 26, lines 6-22, the decision boundaries from such semantic field data filter should converge to the Voronoi diagram reflecting a nearest neighbor rule. The algorithm for computing the signed, oriented critical points which correspond the critical conceptual entities in the field, and from this, that the Morse-Graph is produced that represents the concept network based on the input data).

Claims 7, 23, 39, 52, 63 and 74 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Venkatraman et al.  (Publication No. US 2014/0344345) (hereinafter, “Venkatraman”).

As to claims 7, 39, 52, 63 and 74, neither Rigor nor Morkovsky explicitly disclose where the first length is at least three bytes. However, in an analogous art, Venkatraman discloses where the first length is at least three bytes (paragraph [0283] and [0284], “hashing is done on successive four-byte sequences”). 
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include at least three bytes for the first length, as disclosed by Venkatraman. This would have been obvious because one of ordinary skill in the art would have been motivated to do so, in order to allow customization and a wide selection of byte numbers for data sequencing. 

As to claim 23, neither Rigor nor Morkovsky explicitly disclose where the first length is at least three bytes. However, in an analogous art, Venkatraman discloses where the first length is at least three bytes (paragraph [0283] and [0284], “hashing is done on successive four-byte sequences”). 
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include at least three bytes for the first length, as disclosed by Venkatraman. This would have been obvious because one of ordinary skill in the art would have been motivated to do so, in order to allow customization and a wide selection of byte numbers for data sequencing. 


Claims 8, 24, 40, 53, 64 and 75 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Solapurkar  (Patent No.: US 11,075,987).

As to claims 8, 40, 53, 64 and 75, neither Rigor nor Morkovsky explicitly disclose comprising determining the first length based on at least one statistical property of the data sample. However, in an analogous art, Solapurkar discloses determining the first length based on at least one statistical property of the data sample (column 3, lines 47-55, assign size of data object based on property of data object request).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include determining the first length based on at least one statistical property of the data sample, as disclosed by Solapurkar. This would have been obvious because one of ordinary skill in the art would have been motivated to determine the size of a content resource based on the characteristics of the content, to reduce the latency when delivering the content resource to a requesting entity.

As to claim 24, neither Rigor nor Morkovsky explicitly disclose comprising determining the first length based on at least one statistical property of the data sample. However, in an analogous art, Solapurkar discloses determining the first length based on at least one statistical property of the data sample (column 3, lines 47-55, assign size of data object based on property of data object request).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include determining the first length based on at least one statistical property of the data sample, as disclosed by Solapurkar. This would have been obvious because one of ordinary skill in the art would have been motivated to determine the size of a content resource based on the characteristics of the content, in order to reduce the latency when delivering the content resource to a requesting entity.

Claims 11, 27, 32, 43, 45, 56, 67 and 78 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Van et al.  (WO2017/004589 A1) (hereinafter, “Van”).

As to claims 11, 27, 43, 56, 67 and 78, neither Rigor nor Morkovsky explicitly disclose wherein the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another. However, in an analogous art, Van discloses, wherein the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another (paragraph [00359], “[t]he generated K-mers may then be aligned with one another such that areas of identical matching between the generated k-mers are matched to the areas where they overlap”).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another, as disclosed by Van. This would have been obvious because one of ordinary skill in the art would have been motivated to build up a data structure that can be scanned in order to determine the percentage of matching and mismatching of data.

As to claims 32 and 45, neither Rigor nor Morkovsky explicitly disclose wherein two or more of the parts overlap. However, in an analogous art, Van discloses wherein two or more of the parts overlap (paragraph [00359], “[t]he generated K-mers may then be aligned with one another such that areas of identical matching between the generated k-mers are matched to the areas where they overlap”).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to modify Rigor and Morkovsky to include the plurality of k-mers is generated such that at least one of the k-mers partially overlaps another, as disclosed by Van. This would have been obvious because one of ordinary skill in the art would have been motivated to build up a data structure that can be scanned in order to determine the percentage of matching and mismatching of data.


Claims 13, 29 and 58 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Dupont et al. (Patent No. US 10,491,240) (hereinafter, “Dupont”).

As to claims 13, 29 and 58, neither Rigor nor Morkovsky explicitly disclose in response to determining that the level of information content is above a pre-defined threshold, creating the plurality of k-mers from the data sample. However, in an analogous art, Dupont discloses when the file size is above threshold size a query of a hash table is performed and data segments encoding performed for each segment of data (column 8, lines 45-68).
	It would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Rigor and Morkovsky with Dupont, in order to decrease the bandwidth used for transmitting data segments over a communication medium.


Claims 35-38 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Subbian et al. (US 2019/0114362 A1) (hereinafter, “Subbian”).

As to claim 35, neither Rigor nor Morkovsky explicitly disclose wherein identifying the plurality of subsequences of the data sample comprises using at least one of a sliding window or a rolling hash to identify each of the subsequences.
However, in an analogous art, Subbian discloses wherein identifying the plurality of subsequences of the data sample comprises using at least one of a sliding window or a rolling hash to identify each of the subsequences (“ In an iteration of the stochastic gradient descent process, the social-networking system 160 may sample, for each entity in the training entity pool, a term sequence of k terms from a sliding window over the selected text, where k is a fixed-length of the term sequence. The social-networking system 160 may perform a backpropagation process on a current iteration of the initialized entity embedding matrix in order to maximize, for each entity embedding in the entity embedding matrix, a probability that an embedding vector 705 that is a combination of the entity embedding 703 and term embeddings 704 corresponding to the first k-1 terms 702 of the sampled term sequence correctly predicts a k-th term 706 in the term sequence.” -e.g. see, Subbian: [0085]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Subbian to include wherein identifying the plurality of subsequences of the data sample comprises using at least one of a sliding window or a rolling hash to identify each of the subsequences in order to maximize, for each entity embedding in the entity embedding matrix.

As to claim 36, the combination of Rigor, Morkovsky and Subbian disclose wherein using the sliding window comprises: creating a first plurality of k-mers for a first subsequence (Rigor: column 8, lines 27-29, “PLVA firewall performs a K-mer transformation on a set of elements associated with the network data”, column 10, lines 20-22, PLVA firewall 420 transforms the network data into its K-mer canonical representation); generating a first vector from the first plurality of k-mers by processing the first plurality of k-mers with the plurality of hash functions (Rigor: column 6, lines 36-39, generating a pattern from the tokens, the pattern is a feature vector; Morkovsky: paragraph [0024]); creating a second plurality of k-mers for a second subsequence, wherein the second subsequence is offset from the first subsequence by one byte (Rigor: column 8, lines 27-29); comparing a last k-mer of the first plurality of k-mers and a last k-mer of the second plurality of k-mers; in response to determining that the last k-mers are equal, reusing the first vector for the second subsequence (Rigor: column 8, lines 65-67, “[p]attern matching can be found using the feature vectors”), the at least one other vector representing at least one other sample (column 9, lines 60-62, “[t]he PLVA firewall 420 tokenizes the network data of the second set of network data 510”).

As to claim 37, Rigor discloses wherein determining the set of distance metrics comprises approximating a similarity between the vector and the set of reference vectors (column 3, lines 44-46, the firewall detects subsequent iterations of a persistent low volume attack based on transformations of subsequent network data sequences producing similar patterns to the stored pattern).

As to claim 38, the combination of Rigor and Morkovsky disclose wherein approximating the similarity comprises using a MinHash function on each of the plurality of hash functions (Morkovsky: paragraphs [0020] and [0032], comparing a plurality of hash values and fingerprints for similarity; the plurality of hash values are generated through a MinHash function).

Claims 20, 47 and 83 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Steinfadt et al. (US 10,783,247 B1) (hereinafter, “Steinfadt”).

As to claim 20, neither Rigor nor Morkovsky explicitly disclose prior to creating the plurality of k-mers, determining that the subsequence of the data sample does not match any of a predetermined set of excluded subsequences.
However, in an analogous art, Steinfadt discloses prior to creating the plurality of k-mers, determining that the subsequence of the data sample does not match any of a predetermined set of excluded subsequences (“The effect of preprocessing the dynamic instruction traces by removing all repeating subsequences of five or more contiguous instructions was investigated. After the removal of repeats, binary and occurrence frequency matrices were constructed from the feature vectors extracted from the preprocessed instruction traces as above. It was found that preprocessing improved malware phylogeny reconstruction using distance measures based on the occurrence frequency of n-grams.” -e.g. see, Steinfadt: column 8, lines 31-47).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Steinfadt to include “prior to creating the plurality of k-mers, determining that the subsequence of the data sample does not match any of a predetermined set of excluded subsequences” in order to improve malware phylogeny reconstruction using distance measures based on the occurrence frequency.


As to claim 47, it is rejected using the similar rationale as for the rejection of claim 20.

As to claim 83, neither Rigor nor Morkovsky explicitly disclose prior to creating the plurality of k-mers, determining that the subsequence of the first data sample has a prevalence within a predetermined range. 
However, in an analogous art, Steinfadt discloses prior to creating the plurality of k-mers, determining that the subsequence of the first data sample has a prevalence within a predetermined range (“The effect of preprocessing the dynamic instruction traces by removing all repeating subsequences of five or more contiguous instructions was investigated. After the removal of repeats, binary and occurrence frequency matrices were constructed from the feature vectors extracted from the preprocessed instruction traces as above. It was found that preprocessing improved malware phylogeny reconstruction using distance measures based on the occurrence frequency of n-grams.” -e.g. see, Steinfadt: column 8, lines 31-47).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Steinfadt to include “prior to creating the plurality of k-mers, determining that the subsequence of the data sample does not match any of a predetermined set of excluded subsequences” in order to improve malware phylogeny reconstruction using distance measures based on the occurrence frequency.

Claim 49 is rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Zhuang et al. (US 2020/0050941 A1) (hereinafter, “Zhuang”).

As to claim 49, neither Rigor nor Morkovsky explicitly disclose wherein the server is configured use deployment information associated with the plurality of endpoints to determine the distance metric.
However, in an analogous art, Zhuang discloses wherein the server is configured use deployment information associated with the plurality of endpoints to determine the distance metric (“… executing unsupervised or supervised training steps of a machine learning model, executing feature embedding steps of a machine learning model, executing distance metric evaluation steps, or executing fraud detection steps. Such a processing unit or module may comprise executable code executing at a single location on a single processing device, or may comprise cooperating executable code modules executing in multiple locations and/or on multiple processing devices. For example, in some embodiments of the invention, embedding of data samples may be performed entirely by code executing on a single system, such as the fraud detection system 102, while in other embodiments corresponding processing may be performed in a distributed manner over a plurality of systems.” -e.g. see, Zhuang: [0042]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor and Morkovsky with the teaching of Zhuang to include wherein the server is configured use deployment information associated with the plurality of endpoints to determine the distance metric in order to perform evaluation steps in a distributed manner over a plurality of systems.

Claims 69 and 82 are rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky and further in view of Mitra et al. (US 2021/0279330) (hereinafter, “Mitra”).

As to claim 69, neither Rigor nor Morkovsky explicitly disclose wherein the data sample is executed in a sandbox. However, in an analogous art, Mitra discloses wherein the data sample is executed in a sandbox (paragraph [0012], the runtime sandboxes the execution of an app). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Rigor and Morkovsky with Mitra. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to prevent malicious code from affecting the computer system.

As to claim 82, neither Rigor nor Morkovsky explicitly disclose comprising preventing the data sample from leaving a protected environment based on the vector. However, in an analogous art, Mitra discloses comprising preventing the data sample from leaving a protected environment based on the vector (paragraph [0012], the runtime sandboxes the execution of an app). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Rigor and Morkovsky with Mitra. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to prevent malicious code from affecting the computer system.

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Rigor in view of Morkovsky in view of Majumdar and further in view of Jones et al. (US 2020/0314122 A1) (hereinafter, “Jones”).

As to claim 19, neither Rigor nor Morkovsky nor Majumdar explicitly disclose wherein the Nearest Neighbors search comprises performing a number of reverse lookup operations for the vector equal to a number of hash functions in the plurality of hash functions.
However, in an analogous art, Jones discloses wherein the Nearest Neighbors search comprises performing a number of reverse lookup operations for the vector equal to a number of hash functions in the plurality of hash functions (Jones: paragraph [0067],  the visual comparison and classification platform 150 may use a hash table lookup function to determine whether an exact match exists between the image data and a specific page element (e.g., without using the computer vision vector representation of the image data or the one or more stored numeric vectors representing page elements). In doing so, the visual comparison and classification platform 150 may perform this relatively quick matching function prior to performing more computationally intensive and/or inexact matching (e.g., using a nearest neighbor search, radius search, or the like), comparing, or the like (e.g., if an exact match is identified, the visual comparison and classification platform 150 does not need to move to the more computationally intensive matching) and thus optimize computing resource consumption, thereby providing one or more technical advantages.).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Rigor, Morkovsky and Majumdar with the teaching of Jones to include “wherein the Nearest Neighbors search comprises performing a number of reverse lookup operations for the vector equal to a number of hash functions in the plurality of hash functions” in order to optimize computing resource consumption, thereby providing one or more technical advantages.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Wu et al. (US Publication No. 2019/0172553) discloses extracting a plurality of k-mers from the plurality of reads; identifying, using the plurality of extracted k-mers, one or more of a plurality of annotated k-mers found in the plurality of reads; gathering, based on the identified annotated k-mers found in the plurality of reads, annotation information about the plurality of reads; and determining, based on the gathered annotation information, a quality control metric for at least some of the plurality of reads.
Xi et al. (US Publication No. 2020/0074275) discloses methods and systems for detecting and correcting anomalies that include comparing a new time series segment, generated by a sensor in a cyber-physical system, to previous time series segments of the sensor to generate a similarity measure for each previous time series segment. It is determined that the new time series represents anomalous behavior based on the similarity measures. A corrective action is performed on the cyber-physical system to correct the anomalous behavior.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495

/Jeremy S Duffield/Primary Examiner, Art Unit 2498