DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/10/2025 has been entered.
Claims 1-2, 5-16 and 18-20 are pending with claims 1, 8, 9, 14 and 15 having been amended.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed 12/10/2025 have been fully considered.
A) Applicant’s arguments with respect to the 35 USC 112 rejection have been fully considered and are persuasive. The 35 USC 112 rejection of claims 9-14 has been withdrawn.
B) Applicant’s arguments with respect to the rejection(s) of claims 1, 9 and 15 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Brown (US 2019/0205530) in view of McLarnon et al (US 2015/0121526) in view of Pevny et al (US 2020/0364334).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 5-10, 13-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brown (US 2019/0205530) in view of McLarnon et al (US 2015/0121526) in view of Pevny et al (US 2020/0364334).
With respect to claim 1 Brown teaches a method of generating a malware classification for an input data set with a human-readable explanation, comprising:
receiving an input data set having a hierarchical structure (see Brown 0035 i.e. In illustrated example 114, computing devices 104 perform execution 116 of sample(s) 118, e.g., executables to be tested for the presence of malware. Computing devices 104 can record event records 120 during execution 116 and transmit the event records 120 via network 110 to computing devices 102. Computing devices 102 can analyze the event records 120 to determine suspicious events),
wherein the input data set comprises observed characteristics of files to be analyzed (see Brown paragraph 0078-0079 i.e. In some examples, detection module 226 produces a sequence of E events, represented by the plate marked “E” in FIG. 3. Each event e has a respective event record 120, and each event record 120 has a respective event type 304. The E events form a sequence 306 of events e.sub.1 . . . e.sub.E. The events are ordered in sequence 306 in substantially the order they occurred or were detected…an event record 120, or any other record described herein, can include one or more fields, each of which can have a name or other identifier, and each of which can include or be associated with one or more values. For example, event record 120 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees);
analyzing the input data set using an artificial intelligence module to automatically output a malware classification for the received input data set (see Brown paragraph 0024 i.e. for example, behavior patterns represented as distributions 314, determinations that modules are malicious or not, or other analysis results herein can be used as input to supervised training processes for neural networks. Classifications can include, e.g., malware vs. non-malware, type of malware (e.g., virus vs. Trojan), or family of malware (WannaCry, Cryptolocker, PoisonIvy, etc.). Some examples permit more effectively detecting or classifying malware samples, e.g., without requiring retraining of a computational model and paragraph 0064 i.e. Analyzing module 228 can determine whether sequences of events are associated with malware, or locate malware modules); and
generating a human-readable explanation regarding the malware classification wherein the human-readable explanation comprises an explanation of why a file was assigned a particular malware classification, wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data, further comprises a subset of the input data set that is determined most responsible or statistically deterministic in the data’s classification that explains the contribution of the identified subset to the classification decision (see Brown Paragraph 0089 i.e. in some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”). In some examples, result records 122 and data therein can be used by a security analyst in triaging or analyzing events; also see paragraph 0033 and paragraph 0105 i.e. In some examples, at operation 408, analyzing module 228 can determine that the sequence of events, or the execution set that generated it, is associated with malware based at least in part on the distribution of event types 304 within the loop).
Brown does not teach wherein the artificial intelligence module is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data; further comprises providing as an explanation as to which elements of the hierarchical input data set resulted in the assigned output malware classification, a subset of the input data set that is determined most responsible or statistically deterministic in the data's classification; or which elements of the hierarchical input data correspond to learned feature representations that, based on evaluation metrics or statistical weights, contributed most significantly to the classification decision.
McLarnon teaches further comprising providing as an explanation as to which elements of the hierarchical input data set resulted in the assigned output malware classification, a subset of the input data set that is determined most responsible or statistically deterministic in the data's classification; or which elements of the hierarchical input data correspond to learned feature representations that, based on evaluation metrics or statistical weights, contributed most significantly to the classification decision (see figure 5-2, 5-3 and paragraphs 0044-0045 i.e. FIG. 5-3 depicts an exemplary analytic summary 501 in accordance with one or more embodiments. Analytic summary 501 may include several examples of the actionable data or one or more analyzed samples. For example, analytic summary 501 includes the actionable data "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.). (70%)." From this actionable data, a user may gain an understanding of the behavior of the sample, and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. Actionable data may include a percentage which indicates the system's confidence level and paragraph 0089 i.e. in some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”). In some examples, result records 122 and data therein can be used by a security analyst in triaging or analyzing events. Paragraph 0105 i.e. In some examples, at operation 408, analyzing module 228 can determine that the sequence of events, or the execution set that generated it, is associated with malware based at least in part on the distribution of event types 304 within the loop).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of McLarnon to have the result record of Brown include an explanation as to why the actionable data is malware, such as "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.)", as a way for the user to gain an understanding of the behavior of the sample and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. (see McLarnon paragraph 0044). Therefore one would have been motivated to have included an explanation as to why the actionable data is malware.
Brown in view of McLarnon does not disclose wherein the artificial intelligence module is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data.
Pevny teaches wherein the artificial intelligence module is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
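The two technical points the claim 1 analysis turns on are (a) a hierarchical multi-instance model that scores a JSON-like tree of bags within bags and (b) an explanation that names the subset of input elements most responsible for the score. The following Python is an added illustration written for this page; it is not code from the application, from Brown, McLarnon or Pevny, or from any product. It stands in for the learned part of such a model with a constructed per-token weight table and a constructed sandbox-style report, and uses two fixed aggregation rules: records (dicts) average their fields, bags (lists) take the maximum over their instances, the classic multi-instance rule. Because each node's contribution bookkeeping always sums to that node's score, the root contributions rank leaf elements by their share of the final decision, which is exactly the "most responsible subset" an analyst-facing explanation needs.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sandbox-style report in JSON form (not data from the application
# or the cited references). Dicts are records; lists are multi-instance bags.
SAMPLE_REPORT: dict[str, Any] = {
    "file": {"name": "sample.exe", "size": 51200},
    "behaviors": [
        {"api": "SetWindowsHookEx", "args": {"idHook": "WH_KEYBOARD_LL"}},
        {"api": "CreateFileW", "args": {"path": "C:\\Users\\u\\notes.txt"}},
        {"api": "InternetOpenUrlA", "args": {"url": "http://example.invalid/c2"}},
    ],
    "strings": ["Hello", "keylog.dat"],
}

# Second constructed report with no strong evidence, to show the benign path.
BENIGN_REPORT: dict[str, Any] = {
    "file": {"name": "notepad.exe"},
    "behaviors": [{"api": "CreateFileW", "args": {}}],
}

# Constructed, hypothetical token weights standing in for a learned leaf
# embedding; a real HMIL model learns these from labelled samples.
# Positive values are evidence of maliciousness, negative values of benignity.
TOKEN_WEIGHTS = {
    "SetWindowsHookEx": 0.9, "WH_KEYBOARD_LL": 0.7, "InternetOpenUrlA": 0.4,
    "keylog.dat": 0.6, "CreateFileW": 0.05, "Hello": -0.1,
}


def leaf_score(value: Any) -> float:
    """Leaf 'feature representation': sum of weights of known tokens in the value."""
    text = str(value)
    return sum(w for tok, w in TOKEN_WEIGHTS.items() if tok in text)


def score_tree(node: Any, path: str = "") -> tuple[float, dict[str, float]]:
    """Recursively score a JSON subtree.

    Returns (score, contributions). contributions maps each leaf path to its
    share of this node's score, so its values always sum to the score.
    Records (dicts) average their fields; bags (lists) take the max over
    instances ('a bag is positive if any instance is positive').
    """
    if isinstance(node, dict):
        if not node:
            return 0.0, {}
        results = [score_tree(v, f"{path}.{k}" if path else k) for k, v in node.items()]
        n = len(results)
        contribs: dict[str, float] = {}
        for _, child in results:
            for p, c in child.items():
                contribs[p] = contribs.get(p, 0.0) + c / n
        return sum(s for s, _ in results) / n, contribs
    if isinstance(node, list):
        if not node:
            return 0.0, {}
        results = [score_tree(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return max(results, key=lambda r: r[0])  # all credit flows to the winning instance
    s = leaf_score(node)
    return s, {path: s}


def get_path(node: Any, path: str) -> Any:
    """Resolve a path such as 'behaviors[0].args.idHook' back to its value."""
    for idx, key in re.findall(r"\[(\d+)\]|([^.\[\]]+)", path):
        node = node[int(idx)] if idx else node[key]
    return node


def explain(report: Any, threshold: float = 0.25, top_k: int = 3) -> dict[str, Any]:
    """Classify the report and build a human-readable explanation naming the
    input elements whose contributions were largest (threshold is constructed)."""
    score, contribs = score_tree(report)
    label = "malicious" if score >= threshold else "benign"
    ranked = [(p, c) for p, c in sorted(contribs.items(), key=lambda kv: kv[1], reverse=True) if c > 0][:top_k]
    lines = [f"Classification: {label} (score {score:.2f}, threshold {threshold})"]
    if ranked:
        lines.append("Elements of the input that contributed most to this decision:")
        lines += [f"  - {p} = {get_path(report, p)!r} (contribution {c:.2f})" for p, c in ranked]
    return {"label": label, "score": score, "top": ranked, "text": "\n".join(lines)}


if __name__ == "__main__":
    print(explain(SAMPLE_REPORT)["text"])
    print(explain(BENIGN_REPORT)["text"])
```

Running the block prints a verdict plus the JSON paths and values of the highest-contributing leaves, e.g. the `strings[1]` entry and the hook-installing API call, with each one's numeric share of the score. The max rule for bags means the explanation points at the single instance that decided each bag, which mirrors how a trained multi-instance aggregation attributes a positive bag; swapping in a mean or attention-weighted aggregation would spread credit across several instances, and the same bookkeeping would still produce a ranked subset.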
With respect to claim 2 Brown teaches the method of generating a malware classification for an input data set with a human-readable explanation of claim 1, further comprising constructing the hierarchical multi-instance-learning neural network using a hierarchy of the input data set (see Brown paragraph 180 i.e. Various examples using operations 1116 and 1118 provide finer-grained analysis of malware. For example, malware module 714 may include library code provided by parties other than the malware author. Such library code can include, e.g., standard libraries; C++ template libraries; or statically-linked modules used by both malicious and non-malicious code. Operations 1116 and 1118 permit excluding the non-malicious portions of malware module 714 from analysis, which can permit more effectively mitigating the effects of malware module 714. In some examples, the malicious region 1120 is used as a known-malicious training sample for a supervised learning process that trains a neural network to distinguish malicious code from non-malicious code and Pevny paragraph 0038).
With respect to claim 5 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 1, wherein the input data set having a hierarchical structure comprises JavaScript Object Notation (JSON) data or an Extensible Markup Language (XML) data (See Brown paragraph 0079 i.e. For example, event record 120 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees, associative arrays, or other forms of tagged or key-value storage).
With respect to claim 6 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 1. Pevny further teaches wherein the input data set is derived from at least one of sandbox execution of a file, static Portable Executable (PE) file analysis, or disassembly of executable code (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 7 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 1, wherein the malware classification comprises at least one of types of malware and families of malware (see Brown Paragraph 0089 i.e. The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”)).
With respect to claim 8 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 1, wherein the explanation comprises one or more logical rules that cause the subset of the input data set to produce the output malware classification via the hierarchical multi-instance-learning neural network (see Brown Paragraph 0089 i.e. In some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”) and Pevny paragraph 0038).
With respect to claim 9 Brown teaches a method of generating a malware classification for an input data set with a human-readable explanation, comprising:
receiving a plurality of input data sets having a hierarchical structure (see Brown 0035 i.e. In illustrated example 114, computing devices 104 perform execution 116 of sample(s) 118, e.g., executables to be tested for the presence of malware. Computing devices 104 can record event records 120 during execution 116 and transmit the event records 120 via network 110 to computing devices 102. Computing devices 102 can analyze the event records 120 to determine suspicious events);
wherein the input data set comprises observed characteristics of files to be analyzed (see Brown paragraph 0078-0079 i.e. In some examples, detection module 226 produces a sequence of E events, represented by the plate marked “E” in FIG. 3. Each event e has a respective event record 120, and each event record 120 has a respective event type 304. The E events form a sequence 306 of events e.sub.1 . . . e.sub.E. The events are ordered in sequence 306 in substantially the order they occurred or were detected…an event record 120, or any other record described herein, can include one or more fields, each of which can have a name or other identifier, and each of which can include or be associated with one or more values. For example, event record 120 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees);
processing the received plurality of input data sets in a neural network configured to process the hierarchical input data (see Brown paragraph 0024 i.e. for example, behavior patterns represented as distributions 314, determinations that modules are malicious or not, or other analysis results herein can be used as input to supervised training processes for neural networks. Classifications can include, e.g., malware vs. non-malware, type of malware (e.g., virus vs. Trojan), or family of malware (WannaCry, Cryptolocker, PoisonIvy, etc.). Some examples permit more effectively detecting or classifying malware samples, e.g., without requiring retraining of a computational model and paragraph 0064 i.e. Analyzing module 228 can determine whether sequences of events are associated with malware, or locate malware modules);
training the neural network using the received plurality of input data sets to classify the received input data sets into one or more of a plurality of malware classes (see Brown paragraph 180 i.e. Various examples using operations 1116 and 1118 provide finer-grained analysis of malware. For example, malware module 714 may include library code provided by parties other than the malware author. Such library code can include, e.g., standard libraries; C++ template libraries; or statically-linked modules used by both malicious and non-malicious code. Operations 1116 and 1118 permit excluding the non-malicious portions of malware module 714 from analysis, which can permit more effectively mitigating the effects of malware module 714. In some examples, the malicious region 1120 is used as a known-malicious training sample for a supervised learning process that trains a neural network to distinguish malicious code from non-malicious code);
providing a human-readable explanation wherein the human-readable explanation comprises an explanation of why a file was assigned a particular malware classification, and further comprises a subset of the input data set that is determined most responsible or statistically deterministic in the data’s classification, wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data (see Brown Paragraph 0089 i.e. in some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”). In some examples, result records 122 and data therein can be used by a security analyst in triaging or analyzing events; also see paragraph 0033 and paragraph 0105 i.e. In some examples, at operation 408, analyzing module 228 can determine that the sequence of events, or the execution set that generated it, is associated with malware based at least in part on the distribution of event types 304 within the loop).
Brown does not teach wherein the neural network is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data and configured to classify the input data sets into one or more malware classes; wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data that identifies features of the input data set determined, using evaluation metrics or statistical weights, to have contributed most significantly to the classification decision, wherein the subset and the identified features correspond to specific elements of the hierarchical input data whose respective learned feature representations or contributions during classification were statistically weighted as most influential.
McLarnon teaches wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data that identifies features of the input data set determined, using evaluation metrics or statistical weights, to have contributed most significantly to the classification decision, wherein the subset and the identified features correspond to specific elements of the hierarchical input data whose respective learned feature representations or contributions during classification were statistically weighted as most influential (see figure 5-2, 5-3 and paragraphs 0044-0045 i.e. FIG. 5-3 depicts an exemplary analytic summary 501 in accordance with one or more embodiments. Analytic summary 501 may include several examples of the actionable data or one or more analyzed samples. For example, analytic summary 501 includes the actionable data "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.). (70%)." From this actionable data, a user may gain an understanding of the behavior of the sample, and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. Actionable data may include a percentage which indicates the system's confidence level and paragraph 0089 i.e. in some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”). In some examples, result records 122 and data therein can be used by a security analyst in triaging or analyzing events. Paragraph 0105 i.e. In some examples, at operation 408, analyzing module 228 can determine that the sequence of events, or the execution set that generated it, is associated with malware based at least in part on the distribution of event types 304 within the loop).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of McLarnon to have the result record of Brown include an explanation as to why the actionable data is malware, such as "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.)", as a way for the user to gain an understanding of the behavior of the sample and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. (see McLarnon paragraph 0044). Therefore one would have been motivated to have included an explanation as to why the actionable data is malware.
Brown in view of McLarnon does not disclose wherein the neural network is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data and configured to classify the input data sets into one or more malware classes.
Pevny teaches wherein the neural network is a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data and configured to classify the input data sets into one or more malware classes (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 10 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 9, wherein the input data set having a hierarchical structure comprises JavaScript Object Notation (JSON) data or an Extensible Markup Language (XML) data (See Brown paragraph 0079 i.e. For example, event record 120 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees, associative arrays, or other forms of tagged or key-value storage).
With respect to claim 11 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 9. Pevny further teaches wherein the neural network comprises a hierarchical multiple-instance-learning neural network (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower-level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 12 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 9. Pevny further teaches wherein the neural network comprises a hierarchical multiple-instance-learning neural network (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower-level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 13 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 9, wherein the malware classification comprises at least one of types of malware and families of malware (see Brown paragraph 0089 i.e. The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”)).
With respect to claim 14 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 9, wherein the explanation comprises one or more logical rules that cause the subset of the input data set to produce the output malware classification via the hierarchical multi-instance-learning neural network (see Brown paragraph 0089 i.e. In some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”) and Pevny paragraph 0038).
With respect to claim 15 Brown teaches a method of generating a malware classification for an input data set with a human-readable explanation, comprising:
receiving an input data set having a hierarchical structure (see Brown paragraph 0035 i.e. In illustrated example 114, computing devices 104 perform execution 116 of sample(s) 118, e.g., executables to be tested for the presence of malware. Computing devices 104 can record event records 120 during execution 116 and transmit the event records 120 via network 110 to computing devices 102. Computing devices 102 can analyze the event records 120 to determine suspicious events);
wherein the input data set comprises observed characteristics of files to be analyzed (see Brown paragraphs 0078-0079 i.e. In some examples, detection module 226 produces a sequence of E events, represented by the plate marked “E” in FIG. 3. Each event e has a respective event record 120, and each event record 120 has a respective event type 304. The E events form a sequence 306 of events e.sub.1 . . . e.sub.E. The events are ordered in sequence 306 in substantially the order they occurred or were detected…an event record 120, or any other record described herein, can include one or more fields, each of which can have a name or other identifier, and each of which can include or be associated with one or more values. For example, event record 120 or other records herein can be represented as ASN.1-defined data structures, GOOGLE protobufs, JSON records, XML documents or subtrees);
processing the received input data set in a neural network, the neural network having an architecture based on a schema determined from a plurality of second input data sets and trained to classify received input data sets into one or more of a plurality of classes (see Brown paragraph 0024 i.e. for example, behavior patterns represented as distributions 314, determinations that modules are malicious or not, or other analysis results herein can be used as input to supervised training processes for neural networks. Classifications can include, e.g., malware vs. non-malware, type of malware (e.g., virus vs. Trojan), or family of malware (WannaCry, Cryptolocker, PoisonIvy, etc.). Some examples permit more effectively detecting or classifying malware samples, e.g., without requiring retraining of a computational model and paragraph 0064 i.e. Analyzing module 228 can determine whether sequences of events are associated with malware, or locate malware modules); and
providing a human-readable explanation regarding the malware classification, wherein the human-readable explanation comprises an explanation of why a file was assigned a particular malware classification, and further comprises a subset of the input data set that is determined most responsible or statistically deterministic in the data’s classification, wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data, and wherein the human-readable explanation further identifies which features of the input data set contributed to the classification result and describes their influence in a form understandable to a human analyst (see Brown paragraph 0089 i.e. In some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”). In some examples, result records 122 and data therein can be used by a security analyst in triaging or analyzing events; also see paragraph 0033 and paragraph 0105 i.e. In some examples, at operation 408, analyzing module 228 can determine that the sequence of events, or the execution set that generated it, is associated with malware based at least in part on the distribution of event types 304 within the loop).
Brown does not teach the neural network comprising a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data; wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data, and wherein the human-readable explanation further identifies elements of the hierarchical input data corresponding to learned feature representations that, based on evaluation metrics or statistical weights, contributed most significantly to the classification result and describes their influence in a form understandable to a human analyst.
McLarnon teaches wherein the human-readable explanation comprises data encoded in a human-readable form comprising a plurality of human-readable words and a structural relationship or organization of data, and wherein the human-readable explanation further identifies elements of the hierarchical input data corresponding to learned feature representations that, based on evaluation metrics or statistical weights, contributed most significantly to the classification result and describes their influence in a form understandable to a human analyst (see figures 5-2 and 5-3 and paragraphs 0044-0045 i.e. FIG. 5-3 depicts an exemplary analytic summary 501 in accordance with one or more embodiments. Analytic summary 501 may include several examples of the actionable data or one or more analyzed samples. For example, analytic summary 501 includes the actionable data "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.). (70%)." From this actionable data, a user may gain an understanding of the behavior of the sample, and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. Actionable data may include a percentage which indicates the system's confidence level).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of McLarnon to have the result record of Brown include an explanation as to why the actionable data is malware, such as "The target was observed installing a function hook for all desktop programs to interrupt all graphical actions (e.g. mouse clicks, menu options, new windows, etc.)", as a way for the user to gain an understanding of the behavior of the sample and determine whether or not to pursue further action, e.g. removing the malware, alerting someone about the malware, etc. (see McLarnon paragraph 0044). Therefore one would have been motivated to have included an explanation as to why the actionable data is malware.
Brown in view of McLarnon does not disclose the neural network comprising a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data.
Pevny teaches the neural network comprising a hierarchical multi-instance-learning neural network configured to process the hierarchical input data using feature representations corresponding to the hierarchical organization of the input data (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower-level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 16 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 15, further comprising constructing the neural network using a hierarchy of the input data set (see Brown paragraph 0180 i.e. Various examples using operations 1116 and 1118 provide finer-grained analysis of malware. For example, malware module 714 may include library code provided by parties other than the malware author. Such library code can include, e.g., standard libraries; C++ template libraries; or statically-linked modules used by both malicious and non-malicious code. Operations 1116 and 1118 permit excluding the non-malicious portions of malware module 714 from analysis, which can permit more effectively mitigating the effects of malware module 714. In some examples, the malicious region 1120 is used as a known-malicious training sample for a supervised learning process that trains a neural network to distinguish malicious code from non-malicious code).
With respect to claim 18 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 15. Pevny teaches wherein the input data set is derived from at least one of sandbox execution of a file, static Portable Executable (PE) file analysis, or disassembly of executable code (see Pevny paragraph 0038 i.e. detecting malware that relies on the hierarchical modeling of an executable or other file under scrutiny. In some aspects, a hierarchical neural network model is introduced that is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure. To do so, each executable may be treated as groups/bags of data, where each bag may comprise lower level bags, thus creating a hierarchy. This can be applied at different levels, from individual instructions of an executable to a higher function level. The approach itself learns which patterns in the file structure signify maliciousness).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown in view of Pevny to have used a hierarchical neural network model, since a hierarchical neural network model is capable of detecting malicious executables on the basis of patterns automatically learned in their inner structure, where each executable may be treated as groups/bags of data and each bag may comprise lower-level bags, thus creating a hierarchy, and since this approach learns which patterns in the file structure signify maliciousness. Therefore one would have been motivated to have used a hierarchical neural network model.
With respect to claim 19 Brown, McLarnon and Pevny teach the method of generating a malware classification for an input data set with a human-readable explanation of claim 15, wherein the explanation comprises one or more logical rules that cause the subset of the input data set to produce the output malware classification via the neural network (see Brown paragraph 0089 i.e. In some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”)).
With respect to claim 20 Brown teaches the method of generating a malware classification for an input data set with a human-readable explanation of claim 19, wherein the explanation is derived from the statistical contribution of one or more features of the input data set that caused the at least one input data set to be classified into a certain class (see Brown paragraph 0089 i.e. In some examples, at least one result record 122 can include a classification. The classification can include, e.g., a bitmask, attribute list, or other representation of categories to which a particular event or related system component belongs, or tags with which the particular event or system component is associated. For example, a classification can include a Boolean value indicating whether or not the event or system component is suspicious (e.g., associated with malware), or an enumerated value indicating with which of several categories the event or system component is associated (e.g., “benign,” “virus,” or “spyware”). The classification can additionally or alternatively include one or more confidence values or other values indicating the likelihood of a classification, e.g., a “spyware” value of 0.42 indicating a 42% likelihood that a particular newly-created proc is spyware. In an example, the classification can include multiple confidence values for respective categories of malware or other fields (e.g., “spyware=0.42; worm=0.05”)).
Prior Art
Ferrara et al (US 2017/0154182) titled “SYSTEM, METHOD AND APPARATUS FOR USABLE CODE-LEVEL STATISTICAL ANALYSIS WITH APPLICATIONS IN MALWARE DETECTION”.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018. The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492