Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Status
Claims 1-4, 6-11, 13-18, and 20 are pending.
Claims 1, 8, and 15 have been amended.
Claims 5, 12, and 19 have been canceled.
Response to Arguments
Applicant's arguments are persuasive. As a result, a new 103 rejection has been formulated.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 7, 8, 13, 14, 15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasagopalan et al. (US 20200074080 A1), hereafter Srinivasagopalan, further in view of Humble et al. (US 20150186649 A1), hereafter Humble.
Regarding claim 1, Srinivasagopalan teaches a computer-implemented method, comprising: obtaining, by a server, a plurality of software samples (Para 0021, the system receives malware samples and groups them into clusters of related malware samples that have similar characteristics, “malware samples” is analogous to “software samples”); computing, by the server, one or more first hash results for each of the plurality of software samples by performing a first hashing for each of the one or more determined functions to obtain the one or more first hash results (Para 0020, reports specify the set of features related to the execution behavior of a corresponding malware sample, “reports specifying set of features” is analogous to “determined functions”) (Para 0037, processing derives a set of data shingles based on each of the reports, these sets of data shingles are used to generate hash values); computing, by the server, one or more second hash results for each of the plurality of software samples based on the one or more first hash results, wherein an amount of the one or more second hash results is less than an amount of the one or more first hash results (Para 0041, hash generator may generate a second hash result when generating the hash values, which may further help generate hash values that are more manageable in size than their associated data shingles, “more manageable in size” is analogous to “less than an amount of the one or more first hash results”); determining, by the server, a similarity output based on the one or more second hash results of two of the plurality of software samples (Para 0042, hash values are converted into vectors which are used to generate similarity values); clustering, by the server, the plurality of software samples based on the similarity output to generate one or more software sample clusters (Para 0049, cluster determination module 210, in various embodiments, is operable to receive similarity values for each of the malware samples and assign the malware samples into malware clusters of related malware samples); and detecting malware samples by using the one or more software sample clusters (Para 0018, once a population of malware samples has been clustered, useful insights may be determined from each of the clusters in order to detect a significant portion of the members of the cluster).
Srinivasagopalan does not appear to explicitly teach disassembling each of the plurality of software samples to determine one or more functions. In analogous art, Humble teaches disassembling each of the plurality of software samples to determine one or more functions (Para 007, disassembling the received file into assembly code instructions; breaking the disassembled assembly code instructions into functional groups). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Srinivasagopalan to include disassembling each of the plurality of software samples to determine one or more functions, as taught by Humble. One of ordinary skill in the art would be motivated to modify the method of Srinivasagopalan to include disassembling each of the plurality of software samples to determine one or more functions in order to compare functions in the received software sample to functions in known malicious files, as taught by Humble (Para 007, comparing function identification codes generated for the received file against function identification codes for the plurality of known executable malicious files in the database).
Regarding claim 6, Srinivasagopalan in view of Humble, hereafter Srinivasagopalan-Humble, teaches the computer-implemented method of claim 1, further comprising: obtaining an additional software sample (Srinivasagopalan, Para 0019, FIG. 1 includes malware samples 102A-102N, “Malware Sample 102N” is analogous to additional software sample); computing one or more second hash results for the additional software sample (Srinivasagopalan, Para 0041, hash generator may generate a second hash result when generating the hash values); and clustering the additional software sample with the plurality of software samples (Srinivasagopalan, Para 0049, the cluster determination module assigns the malware samples into malware clusters of related malware samples).
Regarding claim 7, Srinivasagopalan-Humble teaches the computer-implemented method of claim 6, wherein the clustering the additional software sample with the plurality of software samples comprises: for each of the software sample clusters, selecting one software sample in a corresponding software sample cluster (Srinivasagopalan, Para 0022, These function call graphs, in turn, may be used to identify malware samples); and clustering the additional software sample with the selected one software sample of each software sample cluster (Srinivasagopalan, Para 0022, to assign the malware samples to clusters of related malware samples).
Claim 8 is the medium claim corresponding to the method claim 1, and is analyzed and rejected accordingly.
Claim 13 is the medium claim corresponding to the method claim 6, and is analyzed and rejected accordingly.
Claim 14 is the medium claim corresponding to the method claim 7, and is analyzed and rejected accordingly.
Claim 15 is the system claim corresponding to the method claim 1, and is analyzed and rejected accordingly.
Claim 20 is the system claim corresponding to the method claim 6, and is analyzed and rejected accordingly.
Claims 2, 3, 4, 9, 10, 11, 16, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasagopalan-Humble in view of Dertat (https://towardsdatascience.com/applied-deep-learning-part-4-convolutional-neural-networks-584bc134c1e2) hereafter Dertat.
Regarding claim 2, Srinivasagopalan-Humble teaches the computer-implemented method of claim 1 as shown above. However, Srinivasagopalan-Humble does not appear to explicitly teach further comprising: computing stride hash results based on the one or more second hash results; and wherein the two of the plurality of software samples are selected based on the stride hash results. In analogous art, Dertat teaches computing stride hash results based on the one or more second hash results (Para 2.1, aggregate the convolution results in the feature map, “computing stride hash results” is analogous to “performing convolutions in a feature set” given the BRI of the claim); and wherein the two of the plurality of software samples are selected based on the stride hash results (Dertat, Sect. 3, The fully connected layers learn how to use these features produced by convolutions in order to correctly classify the images, classifying images being analogous to selecting software samples given the BRI of the claim). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Srinivasagopalan-Humble to include computing stride hash results based on the one or more second hash results; and wherein the two of the plurality of software samples are selected based on the stride hash results, as taught by Dertat. One of ordinary skill in the art would be motivated to modify the method of Srinivasagopalan-Humble to include computing stride hash results (convolutions) based on the one or more second hash results; and wherein the two of the plurality of software samples are selected based on the stride hash results in order to perform feature extraction, as suggested by Dertat (Sect. 3, The convolution + pooling layers perform feature extraction).
Regarding claim 3, Srinivasagopalan-Humble in view of Dertat teaches the computer-implemented method of claim 2, wherein the computing stride hash results based on the one or more second hash results comprises: for each of the plurality of software samples, grouping the one or more second hash results of the respective software sample into a plurality of stride subgroups (Dertat, Para 2.1, We perform multiple convolutions on an input, each using a different filter and resulting in a distinct feature map, each convolution being analogous to a stride subgroup); and computing a stride hash result for each of the stride subgroups (Dertat, Para 2.1, The convolution operation for each filter is performed independently).  
Regarding claim 4, Srinivasagopalan-Humble in view of Dertat teaches the computer-implemented method of claim 2, wherein the selecting the two of the plurality of software samples based on the stride hash results comprises: generating a plurality of software sample groups based on the stride hash results (Dertat, Sect 3, The fully connected layers learn how to use these features produced by convolutions in order to correctly classify the images, image classification being analogous to software sample groups given the BRI of the claim limitation), wherein each software sample in a same software sample group has at least a same stride hash result (Dertat, Sect 3, For example given an image, the convolution layer detects features such as two eyes, long ears, four legs, a short tail and so on, similar features being analogous to a same stride hash result); and wherein the two of the plurality of software samples belong to a same software sample group (Dertat, Sect 3, The fully connected layers then act as a classifier on top of these features, and assign a probability for the input image being a dog, images of dogs being analogous to a software sample group given the BRI of the claim limitation).
Claim 9 is the medium claim corresponding to the method claim 2, and is analyzed and rejected accordingly.
Claim 10 is the medium claim corresponding to the method claim 3, and is analyzed and rejected accordingly.
Claim 11 is the medium claim corresponding to the method claim 4, and is analyzed and rejected accordingly.
Claim 16 is the system claim corresponding to the method claim 2, and is analyzed and rejected accordingly.
Claim 17 is the system claim corresponding to the method claim 3, and is analyzed and rejected accordingly.
Claim 18 is the system claim corresponding to the method claim 4, and is analyzed and rejected accordingly.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BROOKS T HALE whose telephone number is (571)272-0160. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mark Featherstone can be reached on (571) 270-3750. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/B.T.H./Examiner, Art Unit 2166

/MARK D FEATHERSTONE/Supervisory Patent Examiner, Art Unit 2166