DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description:
Paragraph 0024 of the specification refers to storage as 110, but in Fig. 1 no label 110 is found referring to “STORAGE”.
Paragraph 0043 of the specification refers to communication channels as 414, but in Fig. 4 the communication channels are labeled 714, not 414.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.


Specification (Content)
The disclosure is objected to because of the following informalities:
In Paragraph 0048, line 1, “700” should read “400”.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 3, 4, 7, 9, 10, 11, 12, 13, 14, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gates et al US Patent No. 9805192 in view of Sun et al US PGPUB No. 20120260343 and further in view of Satish US Patent No. 9245123.

Regarding Claim 1: Gates teaches: A method of generating a reference file set having high-confidence malware severity classification, comprising: 
selecting a subset of files from a group of files first observed during a recent observation period; ([Gates Col. 4 Lines 55 – 59] “database 120 may be configured to store files 122, which may include both files under evaluation by a security software product as well as ground truth files that indicate a known classification as either safe or malicious, as discussed further below.” [Gates Col. 5 Lines 21 – 24] “Identification module 104 may identify, as part of a computer security system (e.g., system 200), a cluster 210 of files that co-occur with each other according to a statistical analysis.” [Gates Col. 9 Lines 53 – 55] “In this example, a file 402, among another file 404 and a file 406 in cluster 210, may be under evaluation.” This implies that a cluster of files (subset) are identified from the file database for evaluation.)  
…
determining a malware severity classification for the files in the subset by aggregating the polled classifications from the other antivirus providers for the files in the subset ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the malicious classification of files in the cluster is determined by adjusting, weighting or voting on the combined security score of the ground truth files, which are already identified by the computer security system.)
However, Gates fails to disclose:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset;
	…
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset.
However, Sun teaches:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset; ([Sun ¶0009] “An incoming file is classified as having a particular malware classification. Subsequently, a malware signature is generated for the incoming unknown file based on the particular malware classification.” [Sun ¶0024] “Referring again to FIG. 1A, server 111 is communicatively coupled to client 101 as a backend provider of services to client 101 (and its users). As discussed above, in one embodiment, SMSG 113 executes on server 111 and monitors incoming unknown files that are received by client 101 for the presence of malware. … SMSG 113 classifies the incoming unknown files and generates a signature for incoming unknown files that are identified as belonging to a particular malware family as is discussed in detail herein” [Sun ¶0021] “In one embodiment, SMSG 113 responds to unknown incoming files by generating a signature for them that can be used by an antivirus program as a part of the anti-virus program's virus identification processes.” Therefore, the classification or signature of any file can be cast through antivirus programs by the SMSG executing on the server, which is a backend provider of services.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Gates’s system, which classifies files by assigning a security score or classification through ground truth files, by casting the signature or classification for any files (for example, ground truth files) with the help of antivirus programs, as taught by Sun, in order to identify malware variants through the generic signature or classification obtained by antivirus programs for any type of malicious file. (Sun ¶0006)
The motivation is to improve Gates’s system of creating a learning model for determining whether a file is malware through classification by further determining the classification or signature for any files with the help of antivirus programs, so as to identify malware variants through the generic signature for any type of malicious file. (Sun ¶0006)
But Gates in view of Sun fails to disclose:
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset.
However, Satish teaches:
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset. ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” Thus, an additional file can be added to the database and, because of that, the security policy may be adjusted to classify that file.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs, by adding the file to a database for adjusting the security policy, as taught by Satish, to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs, by further adding the file to a database for adjusting the security policy, making the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 2: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, but Gates in view of Sun fails to disclose:
further comprising adding one or more files to the subset of files selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset. 
However, Satish teaches: 
further comprising adding one or more files to the subset of files selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset. ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” [Satish Col. 10, Lines 28 – 37] “As described above, the disclosed systems and methods may enable security companies to detect malicious files that programmers have been disguising as safe by determining that the programmers have artificially associated the malicious files with applications that are known to be safe in order to avoid detection. In some examples, the systems and methods may increase an estimation that a file is malicious in proportion to a number of distinct files that are determined to be associated with the file and determined to be known as safe.” Thus, the improvement from adding any file is that the systems and methods increase the estimation that a file earlier determined to be safe is correctly classified as malicious.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs, by adding the file to a database for adjusting the security policy, as taught by Satish, to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs, by further adding the file to a database for adjusting the security policy, making the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 3: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 2, Gates teaches: wherein malware types comprise at least one of malware families, malware having similar functions, and malware having similar severity. ([Gates Col. 6 Lines 66 – 67 Col. 7 Line 1] “For example, the security score may include a discreet classification, such as safe, malicious, or unknown.” [Gates Col. 8 Lines 64 – 67 Col. 9 Lines 1 – 7] “… determination module 106 may compare two values for a field of file metadata according to one or more similarity algorithms that measure an alphanumeric and/or mathematical degree of similarity between the two. Determination module 106 may further compare the resulting calculated degree of similarity against a threshold to determine whether the two values satisfy the similarity threshold. Accordingly, system 200 may use the field of file metadata for these two similar values in a manner parallel to the manner in which system 200 uses the exact same values, as discussed above.” Thus, the files (malware) having metadata with any classification (say safe, malicious, or unknown) can have similarity according to similarity algorithm.)

Regarding Claim 4: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, Gates teaches further comprising determining a malware severity classification for the one or more added files having a third-party classification that changed during the stabilization by aggregating the polled classifications from the other antivirus providers for the one or more added files. ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the malicious classification of additional first, second and further files in the cluster can also be determined by adjusting, weighting or voting on the combined security score of the ground truth files, which are already identified by the computer security system.)

Regarding Claim 7: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, Gates teaches: wherein selecting the subset of files from the group of files is done randomly. ([Gates Col. 5 Lines 20 – 24] “For example, and as will be described in greater detail below, identification module 104 may identify, as part of a computer security system (e.g., system 200), a cluster 210 of files that co-occur with each other according to a statistical analysis.” This suggests that identification module of the security computing system identifies a cluster of files which are co-occurring as per a statistical analysis which may include randomization as randomization is a very well-known statistical distribution.)   

Regarding Claim 9: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, Gates teaches: wherein determining classification further comprises using at least one of majority voting, statistical estimation, and machine learning using third-party classification of the files from the polled third-party antivirus providers. ([Gates Col. 2 Lines 4 – 7] “… assigning an overall security score to the entire cluster of files may include giving the file a vote in a vote on the overall security score for the entire cluster of files.” [Gates Col. 2 Lines 23 – 25] “assigning the overall security score to the entire cluster of files may include applying a machine learning model.” [Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” Therefore, the classification or security score is determined by voting, statistical estimation (weighting) and machine learning model.)

Regarding Claim 10: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, Gates teaches: … adding all files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period. ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the malicious classification of additional first and second files in the cluster, which is changed due to the addition of the files, can also be determined by adjusting, weighting or voting on the combined security score of the ground truth files, which are already identified by the computer security system.)
But Gates in view of Sun fails to disclose:
wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset comprises … 
However, Satish teaches:
wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset comprises … ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” Thus, an additional file can be added to the database and, because of that, the security policy may be adjusted to classify that file.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs, by adding the file to a database for adjusting the security policy, as taught by Satish, to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs, by further adding the file to a database for adjusting the security policy, making the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 11: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, but Gates in view of Sun fails to disclose: 
	wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset increases the percentage of files in the subset that are more difficult to classify, thereby improving complexity of the subset.
	However, Satish teaches:
wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset increases the percentage of files in the subset that are more difficult to classify, thereby improving complexity of the subset. ([Satish Col. 10 Lines 8 – 23] “the classification may be a categorization, such as “secure,” “insecure,” or “indeterminate.” In such embodiments, classification module 110 may classify a file as insecure that was previously classified as secure or may classify as insecure a file that was previously unclassified. Moreover, classification module 110 may classify the file by determining that its security score, such as those shown in FIG. 5, satisfies a maliciousness threshold. In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” [Satish Col. 10, Lines 28 – 37] “As described above, the disclosed systems and methods may enable security companies to detect malicious files that programmers have been disguising as safe by determining that the programmers have artificially associated the malicious files with applications that are known to be safe in order to avoid detection. In some examples, the systems and methods may increase an estimation that a file is malicious in proportion to a number of distinct files that are determined to be associated with the file and determined to be known as safe.” As can be seen, a file may be classified differently when it is classified at a later stage. When a file is added to an insecure database after being classified as malicious (it is obvious that the percentage of files in the database is increased by adding the files), the additional file in the insecure database is classified correctly by the classification module by adjusting the security policy. In this way the complexity of the subset classification is improved so that a file can be correctly classified as, say, malicious instead of safe.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs, by adding the file to a database for adjusting the security policy, as taught by Satish, to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve the system of Gates in view of Sun, which classifies files by assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs, by further adding the file to a database for adjusting the security policy, making the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 12: Gates teaches a method of estimating the effectiveness of an anti-malware algorithm, comprising:
testing the anti-malware algorithm against a reference file set; ([Gates Col. 1 Lines 46 - 51] “the instant disclosure generally relates to systems and methods that classify files by, for example, leveraging information from ground truth files to make educated estimates of security scores for other unknown or unclassified files and the corresponding file clusters.” Thus, any unknown or unclassified files can be tested against truth files to estimate the security score.) and
evaluating the accuracy of the malware algorithm in characterizing a malware severity of each file in the reference set; ([Gates Col. 1 Lines 57 – 61] “…(3) determining that a file in the cluster of files shares an item of file metadata with another file in the ground truth files, (4) assigning a security score to the file in the cluster of files based on a security score of the other file in the ground truth files that shares the item of file metadata,” Thus the security score of the cluster file is determined based on the security score of other files in the ground truth files.)
wherein the reference file set is constructed by: 
selecting a subset of files from a group of files first observed during a recent observation period; ([Gates Col. 4 Lines 55 – 59] “database 120 may be configured to store files 122, which may include both files under evaluation by a security software product as well as ground truth files that indicate a known classification as either safe or malicious, as discussed further below.” [Gates Col. 5 Lines 21 – 24] “Identification module 104 may identify, as part of a computer security system (e.g., system 200), a cluster 210 of files that co-occur with each other according to a statistical analysis.” [Gates Col. 9 Lines 53 – 55] “In this example, a file 402, among another file 404 and a file 406 in cluster 210, may be under evaluation.” This implies that a cluster of files (subset) are identified from the file database for evaluation.)
…
determining a malware severity classification for the files in the subset by aggregating the polled classifications from the other antivirus providers for the files in the subset ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the malicious classification of files in the cluster is determined by adjusting, weighting or voting on the combined security score of the ground truth files, which are already identified by the computer security system.)
However, Gates fails to disclose:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset;
	…
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset.
However, Sun teaches:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset; ([Sun ¶0009] “An incoming file is classified as having a particular malware classification. Subsequently, a malware signature is generated for the incoming unknown file based on the particular malware classification.” [Sun ¶0024] “Referring again to FIG. 1A, server 111 is communicatively coupled to client 101 as a backend provider of services to client 101 (and it's users). As discussed above, in one embodiment, SMSG 113 executes on server 111 and monitors incoming unknown files that are received by client 101 for the presence of malware. … SMSG 113 classifies the incoming unknown files and generates a signature for incoming unknown files that are identified as belonging to a particular malware family as is discussed in detail herein” [Sun ¶0021] “In one embodiment, SMSG 113 responds to unknown incoming files by generating a signature for them that can be used by an antivirus program as a part of the anti-virus program's virus identification processes.” Therefore, the classification or signature of any file can be cast through antivirus programs by the SMSG executing on the server, which is a backend provider of services.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates’s system of classification of files assigning a security score or classification through ground truth files by enhancing Gates’s system by casting the signature or classification for any files (for example, ground truth files) with the help of antivirus programs as taught by Sun for identifying malware variants through the generic signature or classification obtained by antivirus programs for any type of malicious file. (Sun ¶0006)
The motivation is to improve Gates’s system of creating a learning model for determining whether a file is malware through classification by further determining the classification or signature for any files with the help of antivirus programs to identify malware variants through the generic signature for any type of malicious file. (Sun ¶0006)
But Gates in view of Sun fails to disclose:
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset.
However, Satish teaches:
adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset. ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” Thus, an additional file can be added to the database, and because of that the security policy may be adjusted to classify that file.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs by enhancing Gates in view of Sun’s system by adding the file to a database for adjusting the security policy as taught by Satish to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs by further adding the file to a database for adjusting the security policy to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 13: Gates in view of Sun and further in view of Satish teaches the method of estimating the effectiveness of an anti-malware algorithm of claim 12, but Gates in view of Sun fails to disclose: 
wherein the reference file set is further constructed by adding one or more files to the subset of files selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset.
However, Satish teaches:
wherein the reference file set is further constructed by adding one or more files to the subset of files selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset. ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” [Satish Col. 10, Lines 28 – 37] “As described above, the disclosed systems and methods may enable security companies to detect malicious files that programmers have been disguising as safe by determining that the programmers have artificially associated the malicious files with applications that are known to be safe in order to avoid detection. In some examples, the systems and methods may increase an estimation that a file is malicious in proportion to a number of distinct files that are determined to be associated with the file and determined to be known as safe.” Thus, the improvement from adding any file is that the systems and methods increase the estimation that a file earlier determined to be safe is correctly classified as malicious.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs by enhancing Gates in view of Sun’s system by adding the file to a database for adjusting the security policy as taught by Satish to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs by further adding the file to a database for adjusting the security policy to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 14: Gates in view of Sun and further in view of Satish teaches the method of estimating the effectiveness of an anti-malware algorithm of claim 12, Gates teaches: wherein the reference file set is further constructed by determining a malware severity classification for the one or more added files having a third-party classification that changed during the stabilization by aggregating the polled classifications from the other antivirus providers for the one or more added files. ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the classification as malicious of the first, second and further additional files in the cluster can also be determined based on the adjusting, weighing or voting of the combined security score of the ground truth files which are already identified by the computer security system.)

Regarding Claim 16: Gates teaches a method of generating a reference file set having high-confidence malware severity classification, comprising: 
selecting a subset of files from a group of files first observed during a recent observation period; ([Gates Col. 4 Lines 55 – 59] “database 120 may be configured to store files 122, which may include both files under evaluation by a security software product as well as ground truth files that indicate a known classification as either safe or malicious, as discussed further below.” [Gates Col. 5 Lines 21 – 24] “identification module 104 may identify, as part of a computer security system (e.g., system 200), a cluster 210 of files that co-occur with each other according to a statistical analysis.” [Gates Col. 9 Lines 53 – 55] “In this example, a file 402, among another file 404 and a file 406 in cluster 210, may be under evaluation.” This implies that a cluster of files (subset) is identified from the file database for evaluation.)
…
determining a malware severity classification for the files in the subset by aggregating the polled classifications from the other antivirus providers for the files in the subset ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the classification of files in the cluster as malicious is determined based on the adjusting, weighing or voting of the combined security score of the ground truth files which are already identified by the computer security system.)
…
determining a malware severity classification for the one or more first and second additional files added to the subset by aggregating the polled classifications from the other antivirus providers for the added files. ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the classification as malicious of the additional first and second files in the cluster can also be determined based on the adjusting, weighing or voting of the combined security score of the ground truth files which are already identified by the computer security system.)
However, Gates fails to disclose:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset;
	…
adding one or more first additional files to the subset having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period; 
adding one or more second additional files to the subset selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset.
However, Sun teaches:
polling a plurality of other antivirus providers for their third-party classification of the files in the subset of files and for their third-party classification of a plurality of files from the group of files not in the subset; ([Sun ¶0009] “An incoming file is classified as having a particular malware classification. Subsequently, a malware signature is generated for the incoming unknown file based on the particular malware classification.” [Sun ¶0024] “Referring again to FIG. 1A, server 111 is communicatively coupled to client 101 as a backend provider of services to client 101 (and it's users). As discussed above, in one embodiment, SMSG 113 executes on server 111 and monitors incoming unknown files that are received by client 101 for the presence of malware. … SMSG 113 classifies the incoming unknown files and generates a signature for incoming unknown files that are identified as belonging to a particular malware family as is discussed in detail herein” [Sun ¶0021] “In one embodiment, SMSG 113 responds to unknown incoming files by generating a signature for them that can be used by an antivirus program as a part of the anti-virus program's virus identification processes.” Therefore, the classification or signature of any file can be cast through antivirus programs by the SMSG executing on the server, which is a backend provider of services.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates’s system of classification of files assigning a security score or classification through ground truth files by enhancing Gates’s system by casting the signature or classification for any files (for example, ground truth files) with the help of antivirus programs as taught by Sun for identifying malware variants through the generic signature or classification obtained by antivirus programs for any type of malicious file. (Sun ¶0006)
The motivation is to improve Gates’s system of creating a learning model for determining whether a file is malware through classification by further determining the classification or signature for any files with the help of antivirus programs to identify malware variants through the generic signature for any type of malicious file. (Sun ¶0006)
But Gates in view of Sun fails to disclose:
adding one or more first additional files to the subset having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period; ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” Thus, an additional file can be added to the database, and because of that the security policy may be adjusted to classify that file.)
adding one or more second additional files to the subset selected to improve representation of malware types seen during recent observation period in a distribution of malware types in the subset. ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” [Satish Col. 10, Lines 28 – 37] “As described above, the disclosed systems and methods may enable security companies to detect malicious files that programmers have been disguising as safe by determining that the programmers have artificially associated the malicious files with applications that are known to be safe in order to avoid detection. In some examples, the systems and methods may increase an estimation that a file is malicious in proportion to a number of distinct files that are determined to be associated with the file and determined to be known as safe.” Thus, the improvement from adding any file is that the systems and methods increase the estimation that a file earlier determined to be safe is correctly classified as malicious.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs by enhancing Gates in view of Sun’s system by adding the file to a database for adjusting the security policy as taught by Satish to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs by further adding the file to a database for adjusting the security policy to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 19: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 16, Gates teaches: … adding all files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period. ([Gates Col.9 Lines 32 – 38] “assignment module 108 may assign the security score by adjusting, or weighting, the security score of the ground truth file in proportion to a degree to which (1) the two files resemble each other, (2) two values for the field of file metadata resemble each other, and/or (3) the field of file metadata is calculated to be accurate or inaccurate, as discussed further above.” [Gates Col. 9 Lines 43 – 51] “assignment module 108 may institute a voting scheme in which each of the security scores of the files in the matching ground truth files contributes a vote on which security score should be assigned to the file in the cluster. For example, if 75% of the files in the ground truth files that share the item of metadata have a security score of malicious, then assignment module 108 may assign the file in the cluster a security score malicious.” [Gates Col. 10 Lines 51 – 63] “In further examples, assignment module 108 may assign an overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files. Accordingly, classifications of malicious for files within the cluster may count as votes to classify the entire cluster as malicious. Assignment module 108 may use any suitable voting scheme, including a majority vote where the threshold is 50% of the votes or another voting scheme that uses a lower threshold. 
For example, assignment module 108 may error on the side of caution by lowering the threshold to 10%, 20%, 30%, 40%, or another suitably low threshold that reflects the sensitivity of the computer security system to indications of malicious files.” Therefore, the classification as malicious of the additional first and second files in the cluster, which is changed due to the addition of the files, can also be determined based on the adjusting, weighing or voting of the combined security score of the ground truth files which are already identified by the computer security system.)
But Gates in view of Sun fails to disclose:
wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset comprises …
However, Satish teaches:
wherein adding one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset comprises … ([Satish Col. 10 Lines 17 – 23] “In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” Thus, an additional file can be added to the database, and because of that the security policy may be adjusted to classify that file.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs by enhancing Gates in view of Sun’s system by adding the file to a database for adjusting the security policy as taught by Satish to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs by further adding the file to a database for adjusting the security policy to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Regarding Claim 20: Gates in view of Sun and further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 16, but Gates in view of Sun fails to disclose:
wherein adding one or more first additional files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset increases the percentage of files in the subset that are more difficult to classify, thereby improving complexity of the subset.
However, Satish teaches:
wherein adding one or more first additional files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset increases the percentage of files in the subset that are more difficult to classify, thereby improving complexity of the subset. ([Satish Col. 10 Lines 8 – 23] “the classification may be a categorization, such as “secure,” “insecure,” or “indeterminate.” In such embodiments, classification module 110 may classify a file as insecure that was previously classified as secure or may classify as insecure a file that was previously unclassified. Moreover, classification module 110 may classify the file by determining that its security score, such as those shown in FIG. 5, satisfies a maliciousness threshold. In some examples, classification module 110 may add the file to a database of insecure files after classifying the file as malicious. Additionally, or alternatively, classification module 110 may classify an additional file as malicious based on a determination that the additional file has a feature in common with the file that was classified as malicious based on the adjusted security policy.” [Satish Col. 10, Lines 28 – 37] “As described above, the disclosed systems and methods may enable security companies to detect malicious files that programmers have been disguising as safe by determining that the programmers have artificially associated the malicious files with applications that are known to be safe in order to avoid detection. In some examples, the systems and methods may increase an estimation that a file is malicious in proportion to a number of distinct files that are determined to be associated with the file and determined to be known as safe.” As seen, a file may be classified differently when it is classified at a later stage. When a file is added to an insecure database after being classified as malicious (it is obvious that the percentage of files in the database is increased by adding the files), the additional file in the insecure database is classified correctly by the classification module by adjusting the security policy. In this way the complexity of the subset classification is improved so that a file can be correctly classified as, say, malicious instead of safe.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs by enhancing Gates in view of Sun’s system by adding the file to a database for adjusting the security policy as taught by Satish to make the security system robust so that a malicious file cannot be known as safe. (Satish Col. 10 Lines 28 – 37)
The motivation is to improve Gates in view of Sun’s system of classification of files assigning a security score or classification through ground truth files where the signature or classification is cast by antivirus programs by further adding the file to a database for adjusting the security policy to make the security system robust so that a malicious file cannot be determined as safe. (Satish Col. 10 Lines 28 – 37)

Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gates et al US Patent No. 9805192 in view of Sun et al US PGPUB No. 20120260343 further in view of Satish US Patent No. 9245123 and in view of Harms et al US PGPUB No. 20170357807.

Regarding Claim 5: Gates in view of Sun further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, but Gates in view of Sun further in view of Satish fails to disclose: further comprising assigning the subset and malware severity classifications for the subset as immutable truth for the recent observation period for purposes of future testing.
	However, Harms teaches: 
further comprising assigning the subset and malware severity classifications for the subset as immutable truth for the recent observation period for purposes of future testing. ([Harms ¶0040] “For example, files that are trusted or labeled as malware or PUP based on human-generated classification remain unchanged (regardless of the production status) if the new model classification is consistent with the manual classification.” Therefore unchanged (immutable) trust on malware labels is possible.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing the system of Gates in view of Sun further in view of Satish by providing an unchanged labeled malware classification as taught by Harms so that any customer can work with auto-upload turned off to avoid sharing proprietary applications, or where a sample may not yet have been processed by the one or more threat analysts. (Harms ¶0040)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing an unchanged labeled malware classification to allow any customer to work with auto-upload mode turned off to avoid sharing proprietary applications, or where a sample may not yet have been processed by the one or more threat analysts. (Harms ¶0040)

Regarding Claim 17: Gates in view of Sun further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 16, but Gates in view of Sun further in view of Satish fails to disclose: further comprising assigning the subset and malware severity classifications for the subset as immutable truth for the recent observation period for purposes of future testing.
However, Harms teaches:
further comprising assigning the subset and malware severity classifications for the subset as immutable truth for the recent observation period for purposes of future testing. ([Harms ¶0040] “For example, files that are trusted or labeled as malware or PUP based on human-generated classification remain unchanged (regardless of the production status) if the new model classification is consistent with the manual classification.” Therefore, unchanged (immutable) trust in malware labels is possible.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing Gates in view of Sun further in view of Satish’s system by providing an unchanged labeled malware classification as taught by Harms, so that any customer can work with auto-upload mode turned off to avoid sharing proprietary applications, or where a sample may not yet have been processed by the one or more threat analysts. (Harms ¶0040)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing an unchanged labeled malware classification, to allow any customer to work with auto-upload mode turned off to avoid sharing proprietary applications, or where a sample may not yet have been processed by the one or more threat analysts. (Harms ¶0040)

Claims 6, 8, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gates et al US Patent No. 9805192 in view of Sun et al US PGPUB No. 20120260343 further in view of Satish US Patent No. 9245123 and in view of Chrysaidos US PGPUB No. 20210019408.
  
Regarding Claim 6: Gates in view of Sun further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, but Gates in view of Sun further in view of Satish fails to disclose: wherein the recent observation period comprises a day, three days, or a week. 
However, Chrysaidos teaches: wherein the recent observation period comprises a day, three days, or a week. ([Chrysaidos ¶0019] “Some examples provided herein therefore seek to improve upon tracking the evolution of malware threats by automatically tracking families sharing certain features in a timeline, including in further examples geographic information and static and dynamic features of families of related malware. In a further example, the tracking includes providing a visualization of the malware threats over time, such as by showing changes in characteristics of a particular family of malware with data clustered by a time period such as a week or a month.” Therefore, tracking (visualizing) a malware family over a time period such as a week or a month is possible.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing Gates in view of Sun further in view of Satish’s system by providing a time period for visualizing the malware threats over a week or a month as taught by Chrysaidos, for automatically tracking malware families in a certain timeline to address the difficulties of compiling and interpreting the ever-increasing volume of malware. (Chrysaidos ¶0018 and ¶0019)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing a time period for visualizing the malware threats over a week or a month, to address the difficulties of compiling and interpreting the ever-increasing volume of malware through automatically tracking malware families. (Chrysaidos ¶0018 and ¶0019)
	
Regarding Claim 8: Gates in view of Sun further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 1, but Gates in view of Sun further in view of Satish fails to disclose: wherein the stabilization period comprises a period of two days to one week.
However, Chrysaidos teaches: wherein the stabilization period comprises a period of two days to one week. ([Chrysaidos ¶0025] “At 206, the malware detections are grouped by detection time, such as by day, week, month, quarter, year, or other suitable period of time. Various features of the malware are extracted at 208, including both static features that do not change across samples from the same family (but can be added or removed) and dynamic features that change across samples within the family.” The static and dynamic features of malware are extracted within a detection time period such as day, week, etc.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing Gates in view of Sun further in view of Satish’s system by providing a time period of a day, week, month, etc. to detect the static and dynamic features of the malware as taught by Chrysaidos, for timely detection of vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing a time period to detect the static and dynamic features of the malware, to timely detect vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005)

Regarding Claim 15: Gates in view of Sun further in view of Satish teaches the method of estimating the effectiveness of an anti-malware algorithm of claim 12, but Gates in view of Sun further in view of Satish fails to disclose: wherein the recent observation period comprises a period of one day to one week, and the stabilization period comprises a period of two days to one week.
However, Chrysaidos teaches: wherein the recent observation period comprises a period of one day to one week, ([Chrysaidos ¶0019] “Some examples provided herein therefore seek to improve upon tracking the evolution of malware threats by automatically tracking families sharing certain features in a timeline, including in further examples geographic information and static and dynamic features of families of related malware. In a further example, the tracking includes providing a visualization of the malware threats over time, such as by showing changes in characteristics of a particular family of malware with data clustered by a time period such as a week or a month.” Therefore, tracking (visualizing) a malware family over a time period such as a week or a month is possible.) and the stabilization period comprises a period of two days to one week. ([Chrysaidos ¶0025] “At 206, the malware detections are grouped by detection time, such as by day, week, month, quarter, year, or other suitable period of time. Various features of the malware are extracted at 208, including both static features that do not change across samples from the same family (but can be added or removed) and dynamic features that change across samples within the family.” The static and dynamic features of malware are extracted within a detection time period such as day, week, etc.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing Gates in view of Sun further in view of Satish’s system by providing a time period for visualizing the malware threats over a week or a month and a time period of a day, week, month, etc. to detect the static and dynamic features of the malware as taught by Chrysaidos, for automatically tracking malware families and timely detection of vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005, ¶0018 and ¶0019)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing a time period for visualizing the malware threats and a time period to detect the static and dynamic features of the malware, to automatically track malware families and timely detect vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005, ¶0018 and ¶0019)

Regarding Claim 18: Gates in view of Sun further in view of Satish teaches the method of generating a reference file set having high-confidence malware severity classification of claim 16, but Gates in view of Sun further in view of Satish fails to disclose: wherein the recent observation period comprises a period of one day to one week, and the stabilization period comprises a period of two days to one week.
However, Chrysaidos teaches: wherein the recent observation period comprises a period of one day to one week, ([Chrysaidos ¶0019] “Some examples provided herein therefore seek to improve upon tracking the evolution of malware threats by automatically tracking families sharing certain features in a timeline, including in further examples geographic information and static and dynamic features of families of related malware. In a further example, the tracking includes providing a visualization of the malware threats over time, such as by showing changes in characteristics of a particular family of malware with data clustered by a time period such as a week or a month.” Therefore, tracking (visualizing) a malware family over a time period such as a week or a month is possible.) and the stabilization period comprises a period of two days to one week. ([Chrysaidos ¶0025] “At 206, the malware detections are grouped by detection time, such as by day, week, month, quarter, year, or other suitable period of time. Various features of the malware are extracted at 208, including both static features that do not change across samples from the same family (but can be added or removed) and dynamic features that change across samples within the family.” The static and dynamic features of malware are extracted within a detection time period such as day, week, etc.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by enhancing Gates in view of Sun further in view of Satish’s system by providing a time period for visualizing the malware threats over a week or a month and a time period of a day, week, month, etc. to detect the static and dynamic features of the malware as taught by Chrysaidos, for automatically tracking malware families and timely detection of vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005, ¶0018 and ¶0019)
The motivation is to improve Gates in view of Sun further in view of Satish’s system of classification of files assigning a security score or classification through ground truth files where the signature (security score) or classification is cast by antivirus programs even when any files are added to the database by further providing a time period for visualizing the malware threats and a time period to detect the static and dynamic features of the malware, to automatically track malware families and timely detect vulnerabilities within a computer system where new threats are constantly emerging. (Chrysaidos ¶0005, ¶0018 and ¶0019)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARIF KHAN whose telephone number is (571)272-6528. The examiner can normally be reached Monday - Friday: 8:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.K./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491