Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 10/21/2022.
Claims 1-20 are examined. 
Claims 1-5, 7, 9, 12-14, 18 and 20 are rejected. 
Claims 6, 8, 10, 11, 15-17 and 19 are objected to.

Allowable Subject Matter
Claims 6, 8, 10, 11, 15-17 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Response to Arguments
Applicant's arguments, dated 10/21/2022, have been fully considered.
Applicant argues that the references do not teach the newly amended limitation of ‘generating a signature of the data to be processed, using the hash and based in part on the classification’.
In summary, applicant argues that the combination of references as mentioned above fails to teach the above claimed combination of limitations.
Examiner does not find the argument persuasive.
Examiner describes that the way the claim limitation(s) have been structured can broadly be interpreted as – ‘ .. wherein processing the data to be processed comprises at least one of:
A – generating a hash of the data to be processed;
B – comparing the data to be processed .. or
C – generating a signature .. classification.’
Examiner interprets that if a reference teaches A, B or C, then the claim limitations are covered. In the above example, the reference teaches A and B as described in the office action; therefore the reference covers the claimed limitation.
Applicant argues for limitation C; however, due to the claim language of ‘or’ and ‘one of the’, the applicant’s argument is moot in view of the claim language.
Thus examiner concludes that the reference teaches the claim limitation of A or B and thus covers the claimed limitation.
Examiner is open to a phone call interview to discuss further with applicant’s representative for the purpose of compact prosecution.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 7, 9, 12-14, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication 2019/0007434 to McLane et al. (hereinafter known as “McLane”) and U.S. Patent 9,843,596 to Averbuch et al. (hereinafter known as “Averbuch”).

As per claim 1 McLane teaches, a method comprising: 
extracting a plurality of byte n-grams from a training set of data (McLane para 70); 
using the plurality of byte n-grams extracted from the training set of data to train a neural network to determine a probability of occurrence of any byte n-gram, wherein the neural network comprises at least one embedding model layer (McLane para 41, 55 teaches data model and para 70-71 teaches bi-gram data extraction vector feature); 
receiving data to be processed; 
extracting a plurality of byte n-grams from the data to be processed (McLane para 70-72); and 
after training the neural network, using the neural network to process the data to be processed based, at least in part, on the plurality of byte n-grams extracted from the data to be processed (McLane para 38, 69-71), wherein processing the data to be processed comprises at least one of: 
generating a hash of the data to be processed; comparing the data to be processed to a file having a known classification (McLane para 85-89); 
generating a signature of the data to be processed (McLane para 88), using the hash and based at least in part on the classification (McLane para 44-46 and 84-86).
Although McLane teaches the domain of bi-gram data analysis with training data, McLane does not teach, however Averbuch teaches,
classifying the data to be processed into one of a plurality of predefined classes (Averbuch Fig 4 element 416 – Col 20 lines 20-35).
McLane teaches automated malware detection based on application file packages using machine learning with bi-gram analysis of data (abstract and as mapped in claim 1). McLane does not teach, however Averbuch teaches, classification of data into predefined classes (Averbuch abstract).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention taught by McLane of bi-gram analysis of data with neural network and machine learning with the invention of Averbuch to classify data into classes. The motivation for doing so would be to detect anomalies that deviate from normal behavior in multi-dimensional data in real-time frame (Averbuch col 1 lines 15-20). 

As per claim 2 combination of McLane – Averbuch teaches, the method as recited in claim 1, wherein using the plurality of byte n-grams extracted from the training set of data to train the neural network comprises: 
extracting features from individual byte n-grams of the plurality of byte n-grams extracted from the training set of data (McLane para 77 and 82-84); and 
training the neural network based on the extracted features (McLane para 82-84).
As per claim 3 combination of McLane – Averbuch teaches, the method as recited in claim 2, wherein: the byte n-grams comprise byte 4-grams; and the features comprise a plurality of 4-bit nibbles (McLane para 83-86 – configurable number of grams / nibbles).
As per claim 4 combination of McLane – Averbuch teaches, the method as recited in claim 1, wherein the data to be processed comprises one or more of:
a complete binary file (McLane para 6);
a complete text file (McLane para 91);
a portion of a binary file that is currently being downloaded; or
network traffic (McLane Fig 1 element 140 – above mapping covers one of the conditions in the claim limitation(s)).
As per claim 5 combination of McLane – Averbuch teaches, the method as recited in claim 1, wherein the embedding model layer of the neural network is configured to output an array of values (McLane para 103-104).
As per claim 7 combination of McLane – Averbuch teaches, the method as recited in claim 5, wherein the array of values comprises an array of 64 values (McLane para 108).
As per claim 9 combination of McLane – Averbuch teaches, the method as recited in claim 1, wherein comparing the data to be processed to a file having a known classification comprises: 
comparing the hash of the data to be processed to a hash of the file having the known classification to determine a similarity score that indicates a degree of similarity between the hash of the data to be processed and the hash of the file having the known classification (McLane para 45 and 85).
Claim 12,
Claim 12 is rejected in accordance with claim 1.

As per claim 13 McLane teaches, a system comprising: one or more processors; a memory communicatively coupled to the one or more processors; a feature extractor stored in the memory and executable by the processor, the feature extractor configured to: extract a plurality of byte n-grams from data to be processed (McLane para 70);
extract one or more features from individual byte n-grams of the plurality of byte n-grams (McLane para 41, 55 teaches data model and para 70-71 teaches bi-gram data extraction vector feature); 
a neural network stored in the memory and executable by the processor, the neural network configured to receive the features of a byte n-gram as input (McLane para 82-84), and 
in response, to output from an embedding model layer of the neural network, an embedding array of values that is calculated based on the features of the byte n-gram (McLane para 83-86 – configurable number of grams / nibbles to generate hash / value).
Although McLane teaches the domain of bi-gram data analysis with training data, McLane does not teach, however Averbuch teaches,
and a classifier module stored in the memory and executable by the processor, the classifier configured to classify the data to be processed based at least in part on statistics of the arrays of values (Averbuch Fig 4 element 416 – Col 20 lines 20-35); 
embedding model layer of the neural network (Averbuch Fig 12 Col 20 lines 20-35).  
McLane teaches automated malware detection based on application file packages using machine learning with bi-gram analysis of data (abstract and as mapped in claim 1). McLane does not teach, however Averbuch teaches, the embedding model layer of the neural network (Averbuch Fig 12).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention taught by McLane of bi-gram analysis of data with neural network and machine learning with the invention of Averbuch to include an embedding model layer of the neural network. The motivation for doing so would be to detect anomalies that deviate from normal behavior in multi-dimensional data in real-time frame (Averbuch col 1 lines 15-20).

As per claim 14 combination of McLane – Averbuch teaches, the system as recited in claim 13, further comprising: a hash generator stored in the memory and executable by the processor, the hash generator configured to generate a hash of the data to be processed based on the embedding arrays of values output from the embedding model layer of the neural network (McLane para 45 and 85).
Claim 18,
Claim 18 is rejected in accordance with claim 9.

As per claim 20 combination of McLane – Averbuch teaches, the system as recited in claim 13, further comprising a signature generator module stored in the memory and executable by the processor to generate a Yara signature of the data to be processed (McLane para 103-104).

Conclusion

Claims 1-5, 7, 9, 12-14, 18 and 20 are rejected.  
Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached on 8 am - 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431