Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/16/2022 has been entered.
Claims 1, 3-8, 10-15 and 17-23 are pending.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 8/23/2022 and 10/18/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 3-8, 10-15 and 17-23 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5-6 of U.S. Patent No. 10922409, hereinafter ‘409. Although the claims at issue are not identical, they are not patentably distinct from each other because:
Claims 1, 8, 15 are anticipated by claims 1, 4-6 of ‘409:
Regarding claims 1, 8 and 15, ‘409 discloses 
A method, the method comprising: executing a file (cl. 1 of ‘409); building an event state based on events detected during execution of the file, the event state storing the events in a sequence each event of the events is performed during the execution of the file, the event state comprising (cl. 1 of ‘409): event identifiers that identify an event type of each event of the events (cl. 5 of ‘409); event position numbers that identify a position of each event within the sequence (cl. 4 of ‘409); and a histogram of the event identifiers (cl. 1 of ‘409); determining an event score for at least one event of the events based on the event state, wherein determining the event score comprises: providing the event state to a reinforcement learning model; and receiving from the reinforcement learning model a value indicating an expected utility of a given action while in a given state (cl. 6 of ‘409); and based on the event score, determining whether to halt the execution of the file (cl. 1 of ‘409).

Claims 3-4, 10-11, 17-18 and 21-23 are rejected as being unpatentable over ‘409 (see above) in view of US 20180082060 to Toplin et al., hereinafter Toplin.
Regarding claims 3-4, 10-11, 17-18, 21-23, claims in ‘409 do not explicitly teach the claims. However, Toplin remedies the teachings as presented in the 103 section. It would have been obvious to a skilled artisan before the instant application was filed to modify ‘409 by Toplin to teach these claims because Toplin is directed to detecting malware based on file execution, and histogram (counts) of system calls or sequence of events and provides an improved detection method ([0003]) that identifies known malware processes as well as new malware processes (Toplin [0018]).
Claims 5-6, 19-20 are rejected as being unpatentable over ‘409 (see above) in view of US 10282546 to Parikh et al., hereinafter Parikh.
Regarding claims 5-6, 12-13, 19-20, claims in ‘409 do not explicitly teach the claims. However, Parikh remedies the teachings as presented in the 103 section. It would have been obvious to a skilled artisan before the instant application was filed to modify ‘409 by the teachings of Parikh about the event score because it would set numeric threshold for establishing maliciousness of a process and would improve malware detection (Parikh col.1:29-34).
Claims 7 and 14 are rejected as being unpatentable over ‘409 (see above) in view of Parikh and further in view of the publication by Khan et al., titled “Defending malicious script attacks using machine learning classifiers”, 2017, 9 pages, hereinafter Khan.
Regarding claims 7, 14, claims in ‘409 do not explicitly teach the claims. However, Khan teaches filtering based on majority vote (see below). It would have been obvious to a skilled artisan before the instant application was effectively filed to use filtering based on a majority vote because “it is the simplest machine learning algorithm” (Khan p.4, 3.3.3.) and is a well-known classification technique that would not need any testing to implement.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6, 13, 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 6, 13, 20 recite “wherein forming the decision variable comprises using a plurality of a K most recent utility values”. The “decision variable” lacks antecedent basis and renders the claim indefinite. Additionally, claims 6, 13 and 20 recite a wherein clause that seems to further limit this limitation: “forming the decision variable ...”, while that limitation is not included in the base claims. The claims may be written, for instance for claim 6, as “the method of claim 6, further comprising forming a decision variable using a plurality of a K most recent utility values”. Correction or clarification is kindly requested.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 8, 10-13, 15 and 17-23 are rejected under 35 U.S.C. 103 as being unpatentable over US 20180082060 to Toplin et al., hereinafter Toplin, and further in view of US 10282546 to Parikh et al., hereinafter Parikh, and further in view of US 6473707 to Grey, hereinafter Grey.
Regarding claim 1, Toplin discloses 
A method, the method comprising: executing a file ([0030]: application 108 executes); building an event state based on events detected during execution of the file, the event state storing the events in a sequence each event of the events is performed during the execution of the file, the event state comprising: event identifiers that identify an event type of each event of the events ([0042]: sequence of system calls or events “write, read, write, close, exit”, the event identifiers corresponding to the names of the events and identifying the type of event: read, write ...); a histogram of the event identifiers ([0040][0041][0042]: a count of each event, Fig. 3C);
Toplin discloses a machine learning model including a training phase comprising malicious and benign processes, used to detect malware in process execution ([0050]-[0053]), but does not explicitly teach the rest of the claim.
In an analogous art, Parikh discloses deriving an event sequence from the execution of an application (col.1:35-45; col.6:32-42), determining an event score for at least one event of the events based on the event state, wherein determining the event score comprises: providing the event state to a reinforcement learning model (col.8:17-38: event sequence with confidence score of each event, shown in Fig. 4; col.5:47-67, col.6:1-8: malware detection system uses a neural network model for calculating the event score); and receiving from the reinforcement learning model a value indicating an expected utility of a given action while in a given state (col.9:65-67, col.10:1-14: the event score indicates an expected utility, for instance a score less than 0.9 indicates a benign step, while a score exceeding 0.9 is a malicious step; see Fig. 4, different scores for different events in the sequence); and based on the event score, determining whether to halt the execution of the file (col.10:35-47: terminate events with score exceeding a threshold, without executing the subsequent events within the sequence, i.e., terminate file execution). It would have been obvious to a skilled artisan before the instant application was effectively filed to generate event scores during file execution as taught by Parikh because it would allow malicious steps to be flagged and provide “improved systems and methods for accurately detecting malware” (Parikh col.1:29-34).
Toplin discloses a count vector associated with the sequence of events ([0041]), the count vector comprising a position of each component mapped to a type of system call ([0034]); however, Toplin combined with Parikh does not explicitly teach event position numbers that identify a position of each event within the sequence.
In an analogous art, Grey discloses executing a test sequence file including multiple steps (col.5:60-67); the result from each step is collected and includes a name of the step and a position of the step in the sequence (col.8:16-29), therefore Grey discloses the limitation. It would have been obvious to a skilled artisan before the instant application was effectively filed to specify event position numbers that identify a position of each event within the sequence as taught by Grey because it would allow efficient control of the file execution and pinpoint steps associated with a pass or fail result (col.1:43-46).

Regarding claim 3, Toplin in view of Parikh and Grey discloses the method of claim 1 where the histogram corresponding to a latest event identifier provides an event score histogram (Toplin [0041][0042]: sequence of system calls implies latest event, each event associated with a component or identifier, and a count (histogram)).

Regarding claim 4, Toplin in view of Parikh and Grey discloses the method of claim 1 further comprising building a most recent event history relative to a latest monitored event (Toplin [0040]: receive system call traces from a process over a time interval, for instance, the vector generator receives system call traces for system calls generated by process 202 such as “fork, open, read, write, read, write, read, write, read”).

Regarding claim 5, Toplin in view of Parikh and Grey discloses the method of claim 1 further comprising generating at least one utility score corresponding to a latest monitored event (Parikh col.10:1-14, Fig. 4: the event score indicates malicious/benign events for the sequence of events, including latest events).

Regarding claim 6, Toplin in view of Parikh and Grey discloses the method of claim 5 wherein forming the decision variable comprises using a plurality of a K most recent utility values (Parikh, Fig. 4, 6: event scores calculated for all events in the sequence including the K most recent).

Regarding claims 8 and 15, the claims recite substantially the same content as claim 1 and are rejected by the rationales set forth for claim 1.
Regarding claims 10 and 17, the claims recite substantially the same content as claim 3 and are rejected by the rationales set forth for claim 3.
Regarding claims 11 and 18, the claims recite substantially the same content as claim 4 and are rejected by the rationales set forth for claim 4.
Regarding claims 12 and 19, the claims recite substantially the same content as claim 5 and are rejected by the rationales set forth for claim 5.
Regarding claims 13 and 20, the claims recite substantially the same content as claim 6 and are rejected by the rationales set forth for claim 6.

Regarding claim 21, Toplin in view of Parikh and Grey discloses the method of claim 1 wherein the histogram is an ordered array representing monitored event types (Toplin, Fig.2,3A-D: count vector is an array of event types and corresponding number of times a particular event is called).  

Regarding claim 22, Toplin in view of Parikh and Grey discloses the method of claim 1 wherein the event identifiers include at least one of a file open event type or a file close event type (Toplin Fig. 3D).  
Regarding claim 23, Toplin in view of Parikh and Grey discloses the method of claim 1 wherein a decision to halt the execution of the file includes classifying the file as malicious (Parikh col.10:35-47).  


Claims 7 and 14 are rejected under 35 USC 103 as being unpatentable over Toplin, Parikh and Grey, in view of the publication by Khan et al., titled “Defending malicious script attacks using machine learning classifiers”, 2017, 9 pages, hereinafter Khan.
Regarding claim 7, Toplin in view of Parikh and Grey discloses the method of claim 6 but does not explicitly teach: where the using a plurality of the K most recent utility values comprises filtering based on majority vote.
In an analogous art, Khan discloses machine learning classifiers used for classifying malware in scripts. Khan discloses popular known machine learning algorithms including KNN (p.4, 3.3.). KNN performs a similarity test between training data and an input, by measuring the distance between the training instance and the unknown instance, and classifies the unknown instance based upon a majority vote of neighbors (p.4, 3.3.3.). Therefore, Khan discloses using a plurality of the K most recent utility values comprises filtering based on majority vote. It would have been obvious to a skilled artisan before the instant application was effectively filed to use filtering based on a majority vote because “it is the simplest machine learning algorithm” (Khan p.4, 3.3.3.) and is a well-known classification technique that would not need any testing to implement.
Regarding claim 14, the claim recites substantially the same content as claim 7 and is rejected by the rationales set forth for claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Hoermann 20190303270, Pal et al 20170171224, Saito 7895655, Berry et al 6732357 disclose file execution and counting of occurrences of system calls in a sequence.
Pieczul 20170206354 discloses a runtime verification of software execution events against a behavioral model, halting software execution when events comprised in the software execution are determined to be anomalous against a threshold.
Keromytis et al 20100153785 discloses detecting an anomalous sequence of function calls.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/
Primary Examiner, Art Unit 2493
12/16/2022