Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sethumadhavan (US20180268142) in view of Patel (Analyzing Hardware Based Malware Detectors) and in further view of Koelle (US20120072987).

	Regarding Claims 1, 8 and 15, Sethumadhavan discloses a method comprising: generating a first set of hardware performance counter (HPC) events that is ranked based on an ability of an individual HPC event to profile a malware class; (Figure 4 E.N. Events are ranked by their F-scores. The larger the F-score, the more discriminative power the feature is likely to have (See Paragraph [0072]).)
generating, from a subset of the first set of HPC events, a second set of HPC event combinations that is ranked based on an ability of a set of at least two joint HPC events to profile a malware class; (Paragraph [0073] and Figure 4 E.N. The top 4 events from each row (Architectural Events and Microarchitectural Events, which can be considered two joint events) may be selected to produce 9 candidate event sets that can be used to build characteristic models that can be evaluated for their effectiveness in detection of malware code execution.)
	Sethumadhavan does not, but in related art, Patel teaches: generating, from a subset of the second set of HPC event combinations, a third set of extended HPC event combinations; (Page 3 Section 4.2 Result Analysis E.N. Feature Reduction can be used to find the top 8 or 4 features (events) wherein the events are combined and used with a Machine Learning Classifier.)
profiling one or more malware events and one or more benign applications to obtain a detection accuracy parameter for each malware event in the one or more malware events; ([Page 1 Section 1 Introduction Col 2 lines 37-41] E.N. Machine Learning is used to classify (profile) benign and malware applications by testing various parameters such as accuracy, hardware implementation cost, area etc.) 
applying a machine learning (ML) model using the third set of HPC event combinations to rank the third set of HPC event combinations based on malware detection accuracy; (Page 4 Figure 4: Accuracy comparisons of ML classifiers E.N. Multiple Machine Learning classifiers are used in combination with varying sets of features such as top 8 or 4 features (sets of HPC events) to determine the change in accuracy in the number of features used (combinations). The accuracy percentages shown can be used to find the most effective (highest ranked) machine learning classifier and number of features used.)
to the third set of HPC event combinations to identify a subset of the third set of extended combinations of HPC events to be used for malware detection and classification. (Page 3 Section 4.2 Result Analysis E.N. One in the art can make the connection to use genetic algorithm to find the best combination of the 32 features to be used in combination with the multiple machine learning classifiers that can output the highest accuracy when detecting malware.)
	Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the invention to have modified Sethumadhavan to incorporate the teachings of Patel because Sethumadhavan does not explicitly disclose generating HPC event combinations, profiling malware and benign applications as well as applying machine learning models to find malware detection accuracy which is all taught by Patel. Incorporating the teachings of Patel to Sethumadhavan allows for the use of Hardware Performance Counters combining with Machine Learning models to find the best combinations/events that will have the highest success of profiling the difference between a malware and a benign application. 
	Sethumadhavan and Patel do not, but in related art, Koelle teaches: applying a genetic algorithm (Paragraph [0059]).
	Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan in view of Patel to incorporate the teachings of Koelle because neither Sethumadhavan nor Patel explicitly teaches genetic algorithms, which are taught by Koelle. Incorporating the teachings of Koelle to Sethumadhavan and Patel allows for the benefits of Genetic Algorithm such as mutations and combination to be incorporated with Hardware Performance counters to eventually give the best counters or combined events that can be used with a machine learning model/classifier to be used to find malware in a system.
	Regarding Claim 8, Sethumadhavan discloses a processor, (Paragraph [0102]).
and a computer readable memory comprising instructions (Paragraph [0022 lines 1-2])
	Regarding Claim 15, Sethumadhavan discloses one or more computer-readable storage media comprising instructions stored thereon that, in response to being executed, cause the computer device (Paragraph [0022 lines 1-2])
	
	Regarding Claims 2, 9 and 16, Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 1, the apparatus of Claim 8 and the computer readable storage media of Claim 15. Sethumadhavan further teaches applying an information gain analysis to determine the ability of an individual HPC event to profile a malware class. (Paragraph [0072] E.N. F-score is used to provide a quantitative measure of how effectively a feature (event) can be used to determine the difference between a clean execution and an infected execution.)

	Regarding Claims 3,10 and 17 Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 2, the apparatus of Claim 9 and the computer readable storage media of Claim 16. Sethumadhavan further teaches creating a candidate set of two-event HPC event combinations from the subset of the first set of HPC events; (Paragraph [0073] E.N. The top 4 events from architectural and microarchitectural events are selected to produce 9 candidate sets) 
for the candidate set of two-event HPC event combinations; (Paragraph [0008] E.N. One or more features (which is used interchangeably with events See paragraph [0033]) can be used to obtain hardware performance data. Multiple features imply different combinations used.)
applying an information gain analysis to measure a joint information gain of the candidate set of two-event HPC event combinations; (Paragraph [0008] E.N. The one or more features are selected based on their computed scores (information gain) which represents the effectiveness of indicating that the hardware performance data is infected.)
and ranking the candidate set of two-event HPC event combinations based on the joint information gain. (Paragraph [0009] E.N. The scores computed may be Fisher Scores which can be used for ranking HPC events (See Figure 4))
	Sethumadhavan does not but in related art, Patel teaches collecting data records of benign classes and malicious classes (Page 2 Section 2 Background: lines 18-20 E.N. HPCs are used to collect traces of events by executing collected malware and benign applications)
	Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan to incorporate the teachings of Patel because Sethumadhavan does not explicitly disclose collecting data records of benign and malware classes which is taught by Patel. Incorporating the teachings of Patel to Sethumadhavan allows for finding information related to benign and malware classes which in turn can be used effectively by machine learning classifiers/models for better accuracy in detecting malware on a system.
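The single-event and two-event ranking steps discussed for Claims 2 and 3 above, sketched as an added example that is not taken from the application, this Office action, or the cited references. The event names, counter values, and median binning are constructed assumptions, and the score is information gain as recited in the claims rather than the F-score of the cited reference.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample data: per-run counter totals for 4 benign (0) and
# 4 malware (1) runs. Event names and values are illustrative assumptions.
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
SAMPLES = {
    "branch-misses":    [120, 135, 110, 410, 520, 480, 455, 150],
    "cache-misses":     [30, 42, 95, 38, 110, 101, 45, 99],
    "dTLB-load-misses": [5, 21, 7, 6, 25, 23, 22, 8],
    "instructions":     [900, 1500, 910, 1490, 905, 1510, 915, 1480],
}

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def info_gain(keys, labels):
    """H(label) - H(label | key) for one hashable key per sample."""
    groups = {}
    for key, label in zip(keys, labels):
        groups.setdefault(key, []).append(label)
    cond = sum(len(g) / len(labels) * entropy(g) for g in groups.values())
    return entropy(labels) - cond

def discretize(column):
    """Binarize a counter column at its upper median (assumed binning)."""
    cut = sorted(column)[len(column) // 2]
    return [int(v >= cut) for v in column]

def rank_events(samples, labels):
    """Rank single events by information gain, best first."""
    bins = {name: discretize(col) for name, col in samples.items()}
    ranked = sorted(((info_gain(b, labels), name) for name, b in bins.items()),
                    key=lambda t: (-t[0], t[1]))
    return ranked, bins

def rank_pairs(bins, labels, events):
    """Rank two-event combinations by joint information gain, best first."""
    scored = [(info_gain(list(zip(bins[a], bins[b])), labels), (a, b))
              for a, b in combinations(events, 2)]
    return sorted(scored, key=lambda t: (-t[0], t[1]))

def select_pairs(samples, labels, top_k=3):
    """Keep the top_k single events, then rank their two-event combinations."""
    ranked, bins = rank_events(samples, labels)
    top = [name for _, name in ranked[:top_k]]
    return ranked, rank_pairs(bins, labels, top)
```

On this constructed data the three informative events tie individually, and only the joint information gain separates the candidate pairs.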
 
	Regarding Claims 4,11 and 18 Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 3, the apparatus of Claim 10 and the computer readable storage media of Claim 17. Sethumadhavan does not, but in related art, Patel teaches applying a machine learning (ML) model using the second set of HPC event combinations to rank the second set of HPC event combinations based on malware detection accuracy. (Page 3-4 Section 4.2 Result analysis and Figure 4 E.N. Machine Learning is used in combination with different amounts of features (sets of HPC events) where the classifier’s accuracy can be determined. The different machine learning classifiers can be easily ranked based on their accuracy percentage on how well they are able to accurately detect malware.)
	Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan to incorporate the teachings of Patel because Sethumadhavan does not explicitly disclose using machine learning models to view the different accuracy regarding the amount of hardware performance counter events used which is taught by Patel. Incorporating the teaching of Patel to Sethumadhavan allows for the user to determine the best machine learning model to use when there are a variety of amounts of HPC events and determine based on their accuracy percentage, which classifier ranks as the best when it comes to determining if there is malware in the system.

Regarding Claims 5, 12 and 19, Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 4, the apparatus of Claim 11 and the computer readable storage media of Claim 18. Sethumadhavan does not, but in related art, Patel teaches to the second set of HPC event combinations to create a candidate set of two-event HPC event combinations from the subset of the first set of HPC events. (Page 2 Table 1: List of HPC events under PERF E.N. One in the art can make the connection that the list of HPC events can be used as an input to the Genetic Algorithm wherein the output provides different combinations of HPC events.)
Patel does not, but in related art, Koelle teaches applying a genetic algorithm (Paragraph [0059]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan to incorporate the teachings of Patel and Koelle because Sethumadhavan does not explicitly disclose using Genetic Algorithm to create a candidate set of HPC event combination from the first set of HPC events. Koelle teaches Genetic Algorithm while Patel teaches HPC events. Incorporating the teachings of Patel and Koelle to Sethumadhavan allows for the use of genetic algorithm which would be used with the first set of HPC events to come up with the best HPC event combinations using techniques such as cross-over and mutations, increasing the probability of detecting malware when used with a machine learning classifier/model.

Regarding Claims 6,13 and 20 Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 5, the apparatus of Claim 12 and the computer readable storage media of Claim 19. Sethumadhavan does not, but in related art, Patel teaches to create a candidate set of two-event HPC event combinations from the subset of the first set of HPC events. (Page 2 (Table 1 List of HPC events under PERF) E.N. One in the art can make the connection to combine the list of HPC events (first set) to a Genetic Algorithm which uses cross-over operators and mutation operators to create a candidate set HPC event combination.) 
Patel does not, but in related art, Koelle teaches wherein the genetic algorithm applies one or more cross-over operators and one or more mutation operators (Paragraph [0058-0059]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan to incorporate the teachings of Patel and Koelle because Sethumadhavan does not explicitly disclose using Genetic Algorithm to create a candidate set of HPC event combination from the first set of HPC events. Koelle teaches Genetic Algorithm while Patel teaches HPC events. Incorporating the teachings of Patel and Koelle to Sethumadhavan allows for the use of genetic algorithm which would be used with the first set of HPC events to come up with the best HPC event combinations using techniques such as cross-over and mutations, increasing the probability of detecting malware when used with a machine learning classifier/model.

Regarding Claims 7,14 and 21 Sethumadhavan in view of Patel and in further view of Koelle teaches the method of Claim 1, the apparatus of Claim 8 and the computer readable storage media of Claim 15. Sethumadhavan does not but in related art, Patel teaches selecting, from the subset of the third set of extended combinations of HPC events, a single combination of HPC events to be used for malware detection and classification.  (Page 3-4 Section 4.2 Result analysis and Figure 4: Accuracy comparison of ML classifier E.N. The top 2 features are selected and used in different ML classifiers where they show the accuracy of using 2 features on the different classifiers.)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sethumadhavan to incorporate the teachings of Patel because Sethumadhavan does not explicitly teach using a single HPC event combination to be used for malware detection and classification which is taught by Patel. Incorporating the teachings of Patel to Sethumadhavan allows for the use of a machine learning classifier to find the accuracy in determining if there is malware in the system.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AAYUSH ARYAL whose telephone number is (571)272-2838. The examiner can normally be reached 8:00 a.m. - 5:30 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/AAYUSH ARYAL/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435