DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the communication filed on November 17, 2022 in response to the first office action on merit.

Remarks
Pending claims for reconsideration are claims 1-20. Applicant has
Amended claims 1-4, 8-10, and 16-20. 

Claim Rejections - 35 USC § 112 
Applicant’s amendments overcome the AIA  35 U.S.C. 112 (b) rejection of claims 1-20.

Claim Rejections - 35 USC § 101

Applicant’s amended claims 16-20, which were rejected under 35 U.S.C. 101; therefore, the rejection is withdrawn.

Response to Arguments
Applicant’s arguments filed on November 17, 2022 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
In response to argument (Page 10, Para: 1) - Examiner respectfully disagrees with applicant’s argument that the prior art Smyth fails to specially disclose “evaluating the sequence of computer instructions in the recurrent neural network at multiple points within the sequence” in regard to the independent claims 1, 18 and 21.  Smyth determines if the input text i.e., “sequence of computer instruction” or portion of the input text i.e., “multiple points within the sequence”  is malicious (Para 0111, and 0120). Applicant provided specification in explaining “multiple points with the sequence” says “…The output indicates whether the network has determined the code sequence to that point is likely malicious, such as by outputting a variable indicating a determined likelihood of the code sequence to that point being malicious” (Para 0027:8-10). As such Smyth evaluating a portion of the input text is similar to evaluating a “code sequence to a point”; therefore, Smyth discloses the claimed limitation. 
Furthermore, dependent claims 2, and 17 which seek limitations similar to that of explained above in regard to independent claims. See above for further explanation.   


Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Smyth et al. (U.S. Patent Application Publication No.: US 2018/0285740 A1 / or “Smyth” hereinafter).

Regarding claim 1, Smyth discloses “A method of identifying malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code): 
“providing a sequence of computer instructions into a recurrent neural network configured to provide an output based on both a current instruction being input and at least one prior instruction in the sequence of computer instructions” (Para 0111, determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”); 
“evaluating the sequence of computer instructions in the recurrent neural network at multiple points within the sequence” (Para 0111, 0120: determines if the input text or portion of the input text i.e., “multiple points within the sequence”  is malicious);
“and providing an output indicating whether the recurrent neural network has determined the sequence of computer instructions to that point is malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious; and Para 0121: an output provided based the one decision).

Regarding claim 2, in view of claim 1, Smyth discloses “wherein the output is a variable indicating a determined likelihood of the sequence of computer instructions to that point being malicious” (Para 0092).

Regarding claim 3, in view of claim 1, Smyth discloses “wherein the point in the sequence of computer instructions where the output indicates the sequence of computer instructions is malicious indicates a portion of the sequence of computer instructions at that point is malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious).

Regarding claim 4, in view of claim 1, Smyth discloses “further comprising at least one of: blocking installation of the sequence of computer instructions once the output indicates the code sequence is malicious, or blocking execution of the sequence of computer instructions once the output indicates the sequence of computer instructions is malicious” (Para 0122, block code from executing).

Regarding claim 5, in view of claim 1, Smyth discloses “wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network” (Para 0092: disclose use of LSTM and GRU in the RNN).

Regarding claim 6, in view of claim 1, Smyth discloses “wherein the recurrent neural network evaluates the provided sequence of computer instructions for malicious activity on an end-user device” (Para 0117: the system 10 i.e., the malicious code detection system resides on the computing device itself i.e., an “end-user device”).

Regarding claim 7, in view of claim 6, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity on a service provider device different from the end- user device” (Para 0117: inspects code segments received over the internet or intranet).

Regarding claim 8, in view of claim 1, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by using a loss function indicating the output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence” (Para 0154-0158: use of loss function).
Regarding claim 9, in view of claim 1, Smyth discloses “wherein the recurrent neural network is trained to evaluate the provided sequence of computer instructions for malicious activity by establishing an output threshold for which the false positive rate is acceptable” (Para 0123, 0174: determines false positive).

Regarding claim 10, Smyth discloses “A method of creating a recurrent neural network operable to identify malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code; and Para 0083, training is performed):  
“providing a training sequence of computer instructions and an expected output based on both a current instruction being input and at least one prior instruction in the training sequence of computer instructions, the expected output indicating whether the training sequence of computer instructions to that point in the sequence are malicious” (Para 0083, 0148: training is performed; and Para 0111: determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”);
“providing an error signal to the recurrent neural network based on a difference between the expected output and an actual output of the recurrent neural network to that point in the sequence” (Para 0090, errors are corrected using back propagation; and Para 0111, 0120: determines if the portion of a code segment is malicious); 
“and modifying the recurrent neural network to reduce the difference between the expected output and the actual output, thereby training the recurrent neural network to identify whether the training sequence of computer instructions is malicious” (Para 0079: retrains the model).

Regarding claim 11, in view of claim 10, Smyth discloses “wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises backpropagation of the difference between the expected output and the actual output” (Para 0090: discloses back propagation).

Regarding claim 12, in view of claim 10, Smyth discloses “wherein modifying the recurrent neural network to reduce the difference between the expected output and the actual output comprises training the output at the point in the sequence of computer instructions that results in an output having the maximum prediction level for the sequence” (Para 0090: discloses back propagation; and Para 0079: retrains the model).

Regarding claim 13, in view of claim 10, Smyth discloses “wherein the recurrent neural network comprises one of a long short-term memory (LSTM) recurrent neural network and a gated recurrent unit (GRU) recurrent neural network” (Para 0092: disclose use of LSTM and GRU in the RNN).

Regarding claim 14, in view of claim 10, Smyth discloses “further comprising configuring the recurrent neural network to evaluate the training sequence of computer instructions for malicious activity on an end-user device different from the computerized device on which the recurrent neural network is trained” (Para 0117: the system 10 i.e., the malicious code detection system resides on the computing device itself i.e., an “end-user device”).

Regarding claim 15, in view of claim 10, Smyth discloses “wherein the recurrent neural network is trained to evaluate the training sequence of computer instructions for malicious activity by establishing an output threshold for which a false positive rate is acceptable” (Para 0123, 0174: determines false positive).

Regarding claim 16, Smyth discloses “A computerized device configured to identify malicious activity in a sequence of computer instructions, comprising” (Para 0093: method and system of malicious code detection using neural network is disclosed; and Para 0030: discloses recurrent neural network (RNN) in detecting malicious code):  
“a computerized device having stored thereon a sequence of computer application instructions executed on the computerized device” (Para 0100, sequence of characters or instruction; and Para 0092); 
“a recurrent neural network malware evaluation module executing on the computerized device, and operable to evaluate the sequence of computer application instructions and to provide an output based on both a current instruction being input and at least one prior instruction in the sequence of computer application instructions” (Para 0111, determines if input text or portion of the input text i.e., a “current instruction being input” is malicious using the RNN; and Para 0106: RNN remembers the previous output i.e., “one prior instruction”);  
“wherein the provided sequence of computer instructions is evaluated in the recurrent neural network malware evaluation module at multiple points within the provided sequence of computer application instructions” (Para 0111, 0120: determines if the portion of a code segment is malicious), 
“and the output of the recurrent neural network malware evaluation module indicates whether the sequence of computer application instructions to that point is malicious” (Para 0111, 0120: determines if the portion of a code segment is malicious; and Para 0121: an output provided based the one decision).

Regarding claim 17, in view of claim 16, Smyth discloses “wherein the output is a variable indicating a determined likelihood of the sequence of computer application instructions to that point being malicious” (see rejection of claim 2).

Regarding claim 18, in view of claim 16, Smyth discloses “wherein the point in the sequence of computer application instructions where the output indicates the code sequence is malicious indicates the portion of the sequence that is malicious” (see rejection of claim 3).

Regarding claim 19, in view of claim 16, Smyth discloses “further comprising at least one of: blocking installation of the sequence of computer application instructions once the output indicates the sequence of computer application instructions is malicious, or blocking execution of the sequence of computer application instructions once the output indicates the sequence of computer application instructions is malicious” (see rejection of claim 4).

Regarding claim 20, in view of claim 16, Smyth discloses “wherein the recurrent neural network is trained to evaluate the sequence of computer application instructions for malicious activity by using a loss function indicating an output error coupled to the recurrent neural network output at a point in the sequence of computer instructions producing the maximum output in the sequence” (see rejection of claim 8).

Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Brown (U.S. Patent No.: US 2019/0205530 A1) discloses detecting malware “…locating a point of commonality among a plurality of stack traces associated with respective events within the loop; and determining a malware module of the plurality of software modules, wherein the malware module comprises the point of commonality” (Para 0193).



Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is         (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431