Detailed Action
This Office Action is in response to the remarks entered on 04/07/2026. Claims 1-2, 4-9, 11-16 and 18-20 are currently pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Interpretation
Amended claims were received on 04/07/2026. Claim interpretation has been withdrawn.
Claim Rejections - 35 USC § 112
Amended claims were received on 04/07/2026. 35 U.S.C. 112 rejections have been withdrawn.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-2, 4-9, 11-16, and 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding claim 1,
Step 1: Claim 1 recites a method. Therefore, it is directed to the statutory category of processes.
2A Prong 1: A method comprising: extracting a labeled feature from executable file samples of a malware family dataset for each malware family therein by seeded pseudo-random sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executables and Linkable Format, linked object code, and linked library, wherein executable file samples of each malware family of the malware family dataset are discriminated from executable files of each other malware family of the malware family dataset by a respective labeled feature, and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family; and (a mental process of evaluation as the limitation merely recites selecting features from executable file which encompasses evaluation/selection process based on the differences between different malware families which can be done in human mind without a computer component. “excluding an executable section of object code” is a mental process as the limitation appears to recite mere sample selection from a set of samples which can be done in human mind and does not require a computer component)
2A Prong 2:
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function.)
loading the weight set into dedicated memory of the processor. (insignificant extra-solution activity MPEP 2106.05(g)(iii) of gathering statistics)
The additional elements as disclosed above alone or in combination do not integrate the judicial exception into practical application as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
2B:
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function.)
loading the weight set into dedicated memory of the processor. (indicated as an insignificant extra-solution activity MPEP 2106.05(g) in Step 2A Prong 2. Therefore, it is re-evaluated in Step 2B as well understood, routine and conventional activity MPEP 2106.05(d)(II)(i) of transmitting and receiving data over a network)
The additional elements as disclosed above in combination of the abstract idea are not sufficient to amount to significantly more than the judicial exception as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
Regarding claim 2,
Step 1: Processes, as above.
2A Prong 1: Incorporates the rejection of claim 1.
2A Prong 2: wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
2B: wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
Regarding claim 4,
Step 1: Processes, as above.
2A Prong 1: Incorporates the rejection of claim 1.
2A Prong 2: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes the type of the loss function.)
2B: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes the type of the loss function.)
Regarding claim 5,
Step 1: Processes, as above.
2A Prong 1: Incorporates the rejection of claim 4.
2A Prong 2: wherein training the embedding learning model on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely describes the components of the triplet loss function.)
2B: wherein training the embedding learning model on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely describes the components of the triplet loss function.)
Regarding claim 6,
Step 1: Processes, as above.
2A Prong 1: Incorporates the rejection of claim 5.
2A Prong 2: wherein training the embedding learning model further comprises at least a first training phase wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
2B: wherein training the embedding learning model further comprises at least a first training phase wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
Regarding claim 7,
Step 1: Processes, as above.
2A Prong 1: Incorporates the rejection of claim 6.
2A Prong 2: wherein training the embedding learning model further comprises a subsequent training phase wherein hardest-positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely defines the hardest-positive data points and hardest-negative data points that are used to train the machine learning model.)
2B: wherein training the embedding learning model further comprises a subsequent training phase wherein hardest-positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely defines the hardest-positive data points and hardest-negative data points that are used to train the machine learning model.)
Regarding claim 8,
Step 1: Claim 8 recites a system comprising: one or more processors and memory. Therefore, it is directed to the statutory category of a machine.
2A Prong 1:
excluding each executable section of compiled object code, linked object code, and linked library, wherein executable file samples of each malware family of the malware family dataset are discriminated from executable files of each other malware family of the malware family dataset by a respective labeled feature and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family; (a mental process of evaluation as the limitation merely recites selecting features from executable file which encompasses evaluation/selection process based on the differences between different malware families which can be done in human mind without a computer component. “excluding an executable section of object code” is a mental process as the limitation appears to recite mere sample selection from a set of samples which can be done in human mind and does not require a computer component)
The additional elements as disclosed above alone or in combination do not integrate the judicial exception into practical application as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
2A Prong 2:
A system comprising: one or more processors hosted at a data center; and memory communicatively coupled to the one or more processors, the memory storing computer-executable modules executable by the one or more processors that, when executed by the one or more processors, perform associated operations comprising: (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites performing machine learning operations using processors and memories.)
extracting (mere instructions to apply an exception using a computer MPEP 2106.05(f).)
training an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function)
loading the weight set into dedicated memory of the processor. (insignificant extra-solution activity MPEP 2106.05(g)(iii) of gathering statistics)
The additional elements as disclosed above alone or in combination do not integrate the judicial exception into practical application as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
2B:
A system comprising: one or more processors hosted at a data center; and memory communicatively coupled to the one or more processors, the memory storing computer-executable modules executable by the one or more processors that, when executed by the one or more processors, perform associated operations comprising: (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites performing machine learning operations using processors and memories.)
extracting (mere instructions to apply an exception using a computer MPEP 2106.05(f).)
training an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function)
loading the weight set into dedicated memory of the processor. (indicated as an insignificant extra-solution activity MPEP 2106.05(g) in Step 2A Prong 2. Therefore, it is re-evaluated in Step 2B as well understood, routine and conventional activity MPEP 2106.05(d)(II)(i) of transmitting and receiving data over a network)
The additional elements as disclosed above in combination of the abstract idea are not sufficient to amount to significantly more than the judicial exception as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
Regarding claim 9,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 8.
2A Prong 2: wherein the operations further comprise extracting (mere instructions to apply an exception using a computer MPEP 2106.05(f) as it merely recites extracting features using a computer.), for each executable file sample of the executable file samples, a labeled feature comprising a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
2B: wherein the operations further comprise extracting (mere instructions to apply an exception using a computer MPEP 2106.05(f) as it merely recites extracting features using a computer.), for each executable file sample of the executable file samples, a labeled feature comprising a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
Regarding claim 11,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 8.
2A Prong 2: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the type of the loss function.)
2B: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the type of the loss function.)
Regarding claim 12,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 11.
2A Prong 2: wherein training the embedding learning model on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data and loss function.)
2B: wherein training the embedding learning model on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data and loss function.)
Regarding claim 13,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 12.
2A Prong 2: wherein training the embedding learning model comprises at least a first training phase wherein hardest- positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
2B: wherein training the embedding learning model comprises at least a first training phase wherein hardest- positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
Regarding claim 14,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 13.
2A Prong 2: wherein training the embedding learning model comprises a subsequent training phase wherein hardest- positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely defines the hardest-positive data points and hardest-negative data points that are used to train the machine learning model.)
2B: wherein training the embedding learning model comprises a subsequent training phase wherein hardest- positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point. (a field of use and technological environment MPEP 2106.05(h), it merely defines the hardest-positive data points and hardest-negative data points that are used to train the machine learning model.)
Regarding claim 15,
Step 1: Claim 15 recites a non-transitory computer-readable storage medium storing computer-readable instructions executable by one or more processors. Therefore, it is directed to the statutory category of a machine.
2A Prong 1:
extracting a labeled feature from executable file samples of a malware family dataset for each malware family therein by seeded pseudo-random sampling excluding each executable section of compiled object code, linked object code, and linked library, wherein executable file samples of each malware family of the malware family dataset are discriminated from executable files of each other malware family of the malware family dataset by a respective labeled features, and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family; (a mental process of evaluation as the limitation merely recites selecting features from executable file which encompasses evaluation/selection process based on the differences between different malware families which can be done in human mind without a computer component. “excluding an executable section of object code” is a mental process as the limitation appears to recite mere sample selection from a set of samples which can be done in human mind and does not require a computer component)
2A Prong 2: This judicial exception is not integrated into a practical application.
A non-transitory computer-readable storage medium storing computer-readable instructions executable by one or more processors, that when executed by the one or more processors, cause the one or more processors to perform operations comprising: (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites performing machine learning operations using processors and memories.)
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function)
loading the weight set into dedicated memory of the processor. (insignificant extra-solution activity MPEP 2106.05(g)(iii) of gathering statistics)
The additional elements as disclosed above alone or in combination do not integrate the judicial exception into practical application as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
A non-transitory computer-readable storage medium storing computer-readable instructions executable by one or more processors, that when executed by the one or more processors, cause the one or more processors to perform operations comprising: (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites performing machine learning operations using processors and memories.)
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites standard training process of a learning model using training data and a loss function.)
loading the weight set into dedicated memory of the processor. (indicated as an insignificant extra-solution activity MPEP 2106.05(g) in Step 2A Prong 2. Therefore, it is re-evaluated in Step 2B as well understood, routine and conventional activity MPEP 2106.05(d)(II)(i) of transmitting and receiving data over a network)
The additional elements as disclosed above in combination of the abstract idea are not sufficient to amount to significantly more than the judicial exception as they are generic computer functions that are implemented to perform the disclosed abstract idea above.
Regarding claim 16,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 15.
2A Prong 2: wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
2B: wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the labeled feature.)
Regarding claim 18,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 15.
2A Prong 2: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the type of the loss function.)
2B: wherein the loss function is a triplet loss function. (a field of use and technological environment MPEP 2106.05(h), it merely describes and defines the type of the loss function.)
Regarding claim 19,
Step 1: A machine, as above.
2A Prong 1: The computer-readable storage medium of claim 18,
2A Prong 2: wherein the operations further comprise training the embedding learning model on the triplet loss function by embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data and loss function.)
2B: wherein the operations further comprise training the embedding learning model on the triplet loss function by embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data and loss function.)
Regarding claim 20,
Step 1: A machine, as above.
2A Prong 1: Incorporates the rejection of claim 19.
2A Prong 2: wherein the operations further comprise training the embedding learning model during least a first training phase wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
2B: wherein the operations further comprise training the embedding learning model during least a first training phase wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point. (mere instructions to apply an exception using a computer MPEP 2106.05(f), as it merely recites training a machine learning model using training data which does not contain specific types of data.)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 8-9, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Ducau (Ducau et al, “SMART: Semantic Malware Attribute Relevance Tagging”, 2019, hereinafter ‘Ducau’) in view of Stennett (US 20200004751 A1, hereinafter ‘Stennet’) in view of Bai et al. (“A Malware Detection Scheme Based on Mining Format Information”, 2014, hereinafter ‘Bai’) and further in view of Bhandarkar (US 20190266070 A1, hereinafter ‘Bhandarkar’).
Regarding claim 1, Ducau teaches:
a method comprising: extracting a labeled feature from executable file samples of a malware family dataset for each malware family [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. (executable file sample of a malware) [Ducau, page 5, left col, 3.1.2 Token to Tag Mapping] Tags (labels) are extracted from the tokens (feature). Based on the extracted Tags, Token to Tag Mapping is performed (extracting the labeled feature). The paragraph discloses that there may be a plurality of features extracted, a plurality of distillation processes and labels or tags, each of the distillation processes corresponds to the extracting a labeled feature from each labeled family. Each of distilled dataset contains different tags (labels) which indicates that the tokens (features) mapped to the label discriminates the file sample from another family); and
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; and ([Ducau, page 7, left col, Figure 1] discloses training two neural network architectures to predict malware tags. [page 7, right col, las para - page 8, left col, first para] discloses optimizing (training) parameters of both embedding functions by calculating loss function. [Ducau, page 9, left col, 5.2 Training Details, line 1 – right col, line 18] discloses that each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training. [Ducau, page 3, left col, lines 26-33] indicates that the detection technology can be used for cloud (data center) look-ups)
loading the weight set into dedicated memory of the processor. ([Ducau, page 9, left col, 5.2 Training Details, line 1 – right col, line 18] discloses training two models based on the training dataset by adjusting learnable parameters with size T x 32. It is inherent that the weights are loaded (stored) in a memory of the processor as the method is implemented using a computer [page 8, right col, 5 EXPERIMENTS, lines 1-10] “Windows Portable Executables (PE) files”)
Ducau does not specifically disclose:
extracting a feature from executable file by seeded pseudo-random sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library, and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family.
Stennett teaches:
extracting a feature from executable file by seeded pseudo-random sampling [Stennett, 0054-0055] The pseudo-random sample of records are selected based on the random seed)
wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each [Stennett, 0054-0055] The pseudo-random sample of records are selected based on the random seed. All records have the same probability of being selected and the sampling model function selects the records for every Nth record which means that the methodology is consistent for each data)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau and Stennett to use the seeded pseudo-random sampling methodology of Stennett to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy and efficiency of the algorithm, as seeded pseudo-random sampling provides a computationally efficient way to generate a seemingly random sequence of data within a computer program and provides approach for generating strong predictive models [Stennett, 0054-0055] and [Stennett, 0059].
Ducau in view of Stennett does not specifically disclose:
extracting a feature from executable file by … excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library.
Bai teaches:
extracting a feature from executable file by excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, [Bai, page 4, right col, 5.2. Feature Extraction, line 1-19] and [Bai, page 5, Table 2: List of features extracted from PE files] collectively discloses extracting features from PE files by excluding DLLs and APIs (executable sections) appeared less than 100 times from the Portable Executable (PE) format and [page 5, left col, 5.2.3. PE File Header, lines 1-9] disclose excluding useless executables from PE format)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett and Bai to use the method of extracting a feature from executable file by sampling excluding an executable section of object code of Bai to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing any features that are not helpful in distinguishing malware and benign software [Bai, page 4, right col, 5.2. Feature Extraction].
However, Bai does not specifically disclose:
extracting a feature from executable file by excluding each executable section of
Bhandarkar teaches:
extracting a feature from executable file by excluding each executable section of [Bhandarkar, 0055] discloses that software components that are not modifiable by a developer, or which do not reflect potential bugs or issue are excluded. For example, components of an operating system, library (linked library), or repository provided by a third party (linked object code) are excluded)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai and Bhandarkar to use the method of extracting a feature from executable file by excluding an executable section of linked object code and linked library of Bhandarkar to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing undesired information that do not reflect any issue and that are not modifiable by a developer [Bhandarkar, 0055].
Regarding claim 2, Ducau teaches:
wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample ([Ducau, page 8, right col, 5.1 Data Description, 2nd paragraph] The first training set Dtrain contains 7,330,971 unique binary files, and the second dataset Dtest contains 1,608,265 unique entries. The unique entries are the header as entries of file describes files and directory, and the unique binary files are the resource section, as the binary files contains readable sections.).
Regarding claim 8, Ducau teaches:
A system comprising: one or more processors hosted at a data center; and memory communicatively coupled to the one or more processors, the memory storing computer-executable modules executable by the one or more processors that, when executed by the one or more processors, perform associated operations comprising: ([Ducau, page 9, left col, 2nd paragraph] Binary files in the three datasets are used to extract feature vectors. This indicates that the operation is performed in a generic computer which contains one or more processors and memories. [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. which is a file from generic computer)
extracting a labeled feature from executable file samples of a malware family dataset for each malware family ([Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. (executable file sample of a malware) [Ducau, page 5, left col, 3.1.2 Token to Tag Mapping] Tags (labels) are extracted from the tokens (feature). Based on the extracted Tags, Token to Tag Mapping is performed (extracting the labeled feature). The paragraph discloses that there may be a plurality of features extracted, a plurality of distillation processes and labels or tags, each of the distillation processes corresponds to the extracting a labeled feature from each labeled family. Each of distilled dataset contains different tags (labels) which indicates that the tokens (features) mapped to the label discriminates the file sample from another family); and
training an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; and ([Ducau, page 8, right col, 5.1 Data Description, 4th paragraph, line 1-7] indicates that a set of tokens and mappings, which are the labeled features, are used to derive Dtrain and Dtest. [Ducau, page 9, right col, 2nd paragraph] Each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training)
loading the weight set into dedicated memory of the processor. ([Ducau, page 9, left col, 5.2 Training Details, line 1 – right col, line 18] discloses training two models based on the training dataset by adjusting learnable parameters with size T x 32. It is inherent that the weights are loaded (stored) in a memory of the processor as the method is implemented using a computer [page 8, right col, 5 EXPERIMENTS, lines 1-10] “Windows Portable Executables (PE) files”)
Ducau does not specifically disclose:
extracting a feature from executable file by seeded pseudo-random sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library, and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family.
Stennett teaches:
extracting a feature from executable file by seeded pseudo-random sampling [Stennett, 0054] The pseudo-random sample of records are selected based on the random seed)
wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each [Stennett, 0054-0055] The pseudo-random sample of records are selected based on the random seed. Every records have the same probability of being selected and the sampling model function selects the records for every Nth record which means that the methodology is consistent for each data)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau and Stennett to use the seeded pseudo-random sampling methodology of Stennett to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy and efficiency of the algorithm, as seeded pseudo-random sampling provides a computationally efficient way to generate a seemingly random sequence of data within a computer program and provides approach for generating strong predictive models [Stennett, 0054-0055] and [Stennett, 0059].
Ducau and Stennett does not specifically disclose:
extracting a feature from executable file by sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library.
Bai teaches:
extracting a feature from executable file by sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, [Bai, page 4, right col, 5.2. Feature Extraction, line 1-19] discloses excluding DLLs and APIs (executable sections) appeared less than 100 times from the Portable Executable (PE) format and [page 5, left col, 5.2.3. PE File Header, lines 1-9] disclose excluding useless executables from PE format)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett and Bai to use the method of extracting a feature from executable file by sampling excluding an executable section of object code of Bai to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing any features that are not helpful in distinguishing malware and benign software [Bai, page 4, right col, 5.2. Feature Extraction].
However, Ducan in view of Stennett and further in view of Bai does not specifically disclose:
extracting a feature from executable file by sampling excluding each executable section of
Bhandarkar teaches:
extracting a feature from executable file by sampling excluding each executable section of [Bhandarkar, 0055] discloses that software components that are not modifiable by a developer, or which do not reflect potential bugs or issue are excluded. For example, components of an operating system, library (linked library), or repository provided by a third party (linked object code) are excluded)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai and Bhandarkar to use the method of extracting a feature from executable file by excluding an executable section of linked object code and linked library of Bhandarkar to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing undesired information that do not reflect any issue and that are not modifiable by a developer [Bhandarkar, 0055].
Regarding claim 9, Ducau teaches:
wherein the operations further comprise extracting, for each executable file sample of the executable file samples, a labeled feature comprising a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample ([Ducau, page 8, right col, 5.1 Data Description, 2nd paragraph] The first training set Dtrain contains 7,330,971 unique binary files, and the second dataset Dtest contains 1,608,265 unique entries. The unique entries are the header as entries of file describes files and directory, and the unique binary files are the resource section, as the binary files contains readable sections.).
Regarding claim 15, Ducau teaches:
A non-transitory computer-readable storage medium storing computer-readable instructions executable by one or more processors, that when executed by the one or more processors, cause the one or more processors to perform operations comprising ([Ducau, page 9, left col, 2nd paragraph] Binary files in the three datasets are used to extract feature vectors. This indicates that the operation is performed in a generic computer which contains one or more processors and memories. [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. which is a file from generic computer):
extracting a labeled feature from executable file samples of a malware family dataset for each malware family [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. (executable file sample of a malware) [Ducau, page 5, left col, 3.1.2 Token to Tag Mapping] Tags (labels) are extracted from the tokens (feature). Based on the extracted Tags, Token to Tag Mapping is performed (extracting the labeled feature). The paragraph discloses that there may be a plurality of features extracted, a plurality of distillation processes and labels or tags, each of the distillation processes corresponds to the extracting a labeled feature from each labeled family. Each of distilled dataset contains different tags (labels) which indicates that the tokens (features) mapped to the label discriminates the file sample from another family); and
training, by a processor hosted at a data center, an embedding learning model on a designated loss function for embedding each labeled feature of the malware family dataset in a feature space to update a weight set of the embedding learning model; and ([Ducau, page 8, right col, 5.1 Data Description, 4th paragraph, line 1-7] indicates that a set of tokens and mappings, which are the labeled features, are used to derive Dtrain and Dtest. [Ducau, page 9, right col, 2nd paragraph] Each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training)
loading the weight set into dedicated memory of the processor. ([Ducau, page 9, left col, 5.2 Training Details, line 1 – right col, line 18] discloses training two models based on the training dataset by adjusting learnable parameters with size T x 32. It is inherent that the weights are loaded (stored) in a memory of the processor as the method is implemented using a computer [page 8, right col, 5 EXPERIMENTS, lines 1-10] “Windows Portable Executables (PE) files”)
Ducau does not specifically disclose:
extracting a feature from executable file by seeded pseudo-random sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library, and wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each malware family.
Stennett teaches:
extracting a feature from executable file by seeded pseudo-random sampling [Stennett, 0054-0055] The pseudo-random sample of records are selected based on the random seed)
wherein a respective pseudo-random sampling methodology is consistent for executable file samples of each [Stennett, 0054-0055] The pseudo-random sample of records are selected based on the random seed. Every records have the same probability of being selected and the sampling model function selects the records for every Nth record which means that the methodology is consistent for each data)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau and Stennett to use the seeded pseudo-random sampling methodology of Stennett to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy and efficiency of the algorithm, as seeded pseudo-random sampling provides a computationally efficient way to generate a seemingly random sequence of data within a computer program and provides approach for generating strong predictive models [Stennett, 0054-0055] and [Stennett, 0059].
Ducau in view of Stennett does not specifically disclose:
extracting a feature from executable file by sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library.
Bai teaches:
extracting a feature from executable file by sampling excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, [Bai, page 4, right col, 5.2. Feature Extraction, line 1-19] discloses excluding DLLs and APIs (executable sections) appeared less than 100 times from the Portable Executable (PE) format and [page 5, left col, 5.2.3. PE File Header, lines 1-9] disclose excluding useless executables from PE format)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett and Bai to use the method of extracting a feature from executable file by sampling excluding an executable section of object code of Bai to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing any features that are not helpful in distinguishing malware and benign software [Bai, page 4, right col, 5.2. Feature Extraction].
However, Ducau in view of Stennett and further in view of Bai does not specifically disclose:
extracting a feature from executable file by sampling excluding each executable section of
Bhandarkar teaches:
extracting a feature from executable file by sampling excluding each executable section of [Bhandarkar, 0055] discloses that software components that are not modifiable by a developer, or which do not reflect potential bugs or issue are excluded. For example, components of an operating system, library (linked library), or repository provided by a third party (linked object code) are excluded)
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai and Bhandarkar to use the method of extracting a feature from executable file by excluding an executable section of linked object code and linked library of Bhandarkar to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the efficiency and accuracy of the machine learning method by removing undesired information that do not reflect any issue and that are not modifiable by a developer [Bhandarkar, 0055].
Regarding claim 16, Ducau teaches:
wherein for each executable file sample of the executable file samples, the labeled feature comprises a plurality of bytes sampled from at least one of a header, an executable section, a resource section, and an import table of the executable file sample ([Ducau, page 8, right col, 5.1 Data Description, 2nd paragraph] The first training set Dtrain contains 7,330,971 unique binary files, and the second dataset Dtest contains 1,608,265 unique entries. The unique entries are the header as entries of file describes files and directory, and the unique binary files are the resource section, as the binary files contains readable sections.).
Claims 4-5, 11-12, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu (Yu et al, “Hard-Aware Point-to-Set Deep Metric for Person Re-identification”, 2018, hereinafter ‘Yu’).
Regarding claim 4, Ducau in view of Stennett in view of Bai and further in view of Bhandarkar teaches:
The method of claim 1.
Ducau in view of Stennett in view of Bai in view of Bhandarker does not specifically disclose:
wherein the loss function is a triplet loss function.
Yu teaches wherein the loss function is a triplet loss function ([Yu, page 5, 3.2 Revisit Triplet Loss] The machine learning model in Yu reference is trained using a triplet loss function.).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar and Yu to use the triplet loss function of Yu to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the noise robustness of the machine learning system, as Triplet Loss does not have a side effect of urging to encode anchor and positive samples into the same point in the vector space as in cross entropy loss that is used on Ducau. This lets Triplet Loss tolerate some intra-class variance, unlike Contrastive Loss, as the latter forces the distance between an anchor and any positive essentially to 0.
Regarding claim 5, Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu teaches:
wherein training the embedding learning model ([Ducau, page 9, right col, 2nd paragraph] Each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training.) on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point ([Yu, page 5, 3.2 Revisit Triplet Loss – page 6, paragraph right above and under Equation (3)] The mini-batch which is selected to create the anchor-positive and the anchor-negative triplets contains labels. When calculating the triplet loss, the hardest positive and hardest negative for each anchor in a mini-batch (Batch Hard) are selected to constitute a triplet. ).
Regarding claim 11, Ducau in view of Stennett in view of Bai and further in view of Bhandarkar teaches:
The system of claim 8.
Ducau in view of Stennett in view of Bai and further in view of Bhandarkar does not specifically disclose:
wherein the loss function is a triplet loss function.
Yu teaches:
wherein the loss function is a triplet loss function ([Yu, page 5, 3.2 Revisit Triplet Loss] The machine learning model in Yu reference is trained using a triplet loss function.).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar and Yu to use the triplet loss function of Yu to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the noise robustness of the machine learning system, as Triplet Loss does not have a side effect of urging to encode anchor and positive samples into the same point in the vector space as in cross entropy loss that is used on Ducau. This lets Triplet Loss tolerate some intra-class variance, unlike Contrastive Loss, as the latter forces the distance between an anchor and any positive essentially to 0.
Regarding claim 12, Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu teaches:
wherein training the embedding learning model ([Ducau, page 9, right col, 2nd paragraph] Each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training.) on the triplet loss function comprises embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point ([Yu, page 5, 3.2 Revisit Triplet Loss – page 6, paragraph right above and under Equation (3)] The mini-batch which is selected to create the anchor-positive and the anchor-negative triplets contains labels. When calculating the triplet loss, the hardest positive and hardest negative for each anchor in a mini-batch (Batch Hard) are selected to constitute a triplet.).
Regarding claim 18, Ducau in view of Stennett in view of Bai and further in view of Bhandarkar teaches:
The non-transitory computer-readable storage medium of claim 15.
Ducau in view of Stennett in view of Bai and further in view of Bhandarkar does not specifically disclose:
wherein the loss function is a triplet loss function.
Yu teaches:
wherein the loss function is a triplet loss function ([Yu, page 5, 3.2 Revisit Triplet Loss] The machine learning model in Yu reference is trained using a triplet loss function.).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar and Yu to use the triplet loss function of Yu to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the noise robustness of the machine learning system, as Triplet Loss does not have a side effect of urging to encode anchor and positive samples into the same point in the vector space as in cross entropy loss that is used on Ducau. This lets Triplet Loss tolerate some intra-class variance, unlike Contrastive Loss, as the latter forces the distance between an anchor and any positive essentially to 0.
Regarding claim 19, Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu teaches:
wherein the operations further comprise training the embedding learning model ([Ducau, page 9, right col, 2nd paragraph] Each of the plurality of the file features and the tags for a plurality of detection names (family) are provided to a learning algorithm a Joint Embedding architecture. The sum of the per-tag binary cross-entropy losses are used as the mini-batch loss during model training.) on the triplet loss function by embedding, for an anchor data point of the labeled features, pairs of anchor-positive data points and anchor-negative data points with respect to the anchor data point ([Yu, page 5, 3.2 Revisit Triplet Loss – page 6, paragraph right above and under Equation (3)] The mini-batch which is selected to create the anchor-positive and the anchor-negative triplets contains labels. When calculating the triplet loss, the hardest positive and hardest negative for each anchor in a mini-batch (Batch Hard) are selected to constitute a triplet.).
Claims 6-7, 13-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ducau in view of Stennett in view of Bai in view of Bhandarkar in view of Yu and further in view of Tian (Tian et al, 2019, “OUTLIER-SUPPRESSED TRIPLET LOSS WITH ADAPTIVE CLASS-AWARE MARGINS FOR FACIAL EXPRESSION RECOGNITION”, hereinafter ‘Tian’).
Regarding claim 6, Ducau teaches:
wherein training the embedding learning model further comprises at least a first training phase (According to the paragraph 0073 in the specification, the first training phase is merely the first step of the training process. [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. The extraction process is interpreted as the first training phase. ).
Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu does not specifically disclose:
wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point.
Tian teaches:
wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point (According to the specification paragraph 0064, the term ‘hardest’ means that the point is further from the anchor point. [Tian, page 48, left col, paragraph right above and under the equation (8)] The triplets are withdrawn if the distance between x_a and x_n is bigger than
2
γ
+
γ
√
2
n
F
-
1
(
τ
n
)
, which means that the point x_a is further from the anchor x_n. ).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar, Yu, and Tian to exclude hardest-positive data points and hardest-negative data points of Tian to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy of the machine learning system, as removing the extremes (hardest-positive and hardest-negative points) from the samples (data points) reduces the influence of samples that are abnormally far from the normal data points [Tian, page 49, right col, 4. CONCLUSION].
Regarding claim 7, Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu teaches:
wherein training the embedding learning model further comprises a subsequent training phase wherein hardest-positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point ([Yu, page 5, 3.2 Revisit Triplet Loss – page 6, paragraph right above and under Equation (3)] The mini-batch which is selected to create the anchor-positive and the anchor-negative triplets contains labels. When calculating the triplet loss, the hardest positive and hardest negative for each anchor in a mini-batch (Batch Hard) are selected to constitute a triplet. ).
Regarding claim 13, Ducau teaches:
wherein training the embedding learning model comprises at least a first training phase (According to the paragraph 0073 in the specification, the first training phase is merely the first step of the training process. [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. The extraction process is interpreted as the first training phase.).
Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu does not specifically disclose:
wherein hardest- positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point.
Tian teaches:
wherein hardest- positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point (According to the specification paragraph 0064, the term ‘hardest’ means that the point is further from the anchor point. [Tian, page 48, left col, paragraph right above and under the equation (8)] The triplets are withdrawn if the distance between x_a and x_n is bigger than
2
γ
+
γ
√
2
n
F
-
1
(
τ
n
)
, which means that the point x_a is further from the anchor x_n.).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar, Yu, and Tian to exclude hardest-positive data points and hardest-negative data points of Tian to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy of the machine learning system, as removing the extremes (hardest-positive and hardest-negative points) from the samples (data points) reduces the influence of samples that are abnormally far from the normal data points [Tian, page 49, right col, 4. CONCLUSION].
Regarding claim 14, Ducau in view of Stennett in view of Bai in view of Bhandarkar and further in view of Yu teaches:
wherein training the embedding learning model comprises a subsequent training phase wherein hardest- positive data points and hardest-negative data points are embedded pairwise with respect to the anchor data point ([Yu, page 5, 3.2 Revisit Triplet Loss – page 6, paragraph right above and under Equation (3)] The mini-batch which is selected to create the anchor-positive and the anchor-negative triplets contains labels. When calculating the triplet loss, the hardest positive and hardest negative for each anchor in a mini-batch (Batch Hard) are selected to constitute a triplet.).
Regarding claim 20, Ducau teaches:
wherein the operations further comprise training the embedding learning model during least a first training phase (According to the paragraph 0073 in the specification, the first training phase is merely the first step of the training process. [Ducau, page 5, left col, 3.1.1 Token Extraction] Tokens are extracted from the file Win32.PolyRansom.k. The extraction process is interpreted as the first training phase).
Ducau, Stennett, Bai, Bhandarkar and Yu does not specifically disclose:
wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point.
Tian teaches wherein hardest-positive data points and hardest-negative data points are excluded from embedding with respect to the anchor data point (According to the specification paragraph 0064, the term ‘hardest’ means that the point is further from the anchor point. [Tian, page 48, left col, paragraph right above and under the equation (8)] The triplets are withdrawn if the distance between x_a and x_n is bigger than
2
γ
+
γ
√
2
n
F
-
1
(
τ
n
)
, which means that the point x_a is further from the anchor x_n).
Before the effective filing date of the invention to a person of ordinary skill in the art, it would have been obvious, having the teachings of Ducau, Stennett, Bai, Bhandarkar, Yu, and Tian to exclude hardest-positive data points and hardest-negative data points of Tian to implement the malware family information extraction method of Ducau. The suggestion and/or motivation for doing so is to improve the accuracy of the machine learning system, as removing the extremes (hardest-positive and hardest-negative points) from the samples (data points) reduces the influence of samples that are abnormally far from the normal data points [Tian, page 49, right col, 4. CONCLUSION].
Response to Arguments
112(f) Claim Interpretations
Amended claims were received on 04/07/2026. 112(f) Claim Interpretation has been withdrawn.
112(a) and 112(b)
Amended claims were received on 04/07/2026. 35 U.S.C. 112 rejections have been withdrawn.
Response to Arguments under 35 U.S.C. 101
Arguments: Applicant argues that Claim 1 is not directed to an abstract idea according to Finjan and Step 2A analysis as Claim 1 has been amended to recite “excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library” and “training, by a processor hosted at a data center, an embedding learning model … to update a weight set of the embedding learning model; and loading the weight set into dedicated memory of the processor” [Remarks, page 15]
Examiner’s Response: Examiner respectfully disagrees. First, the examiner notes that the limitation of “excluding each executable section of compiled object code comprising Portable Executable format, Mach object format, or the Executable and Linkable Format, linked object code, and linked library” as a whole, can be performed with the aid of pen and paper by copying the source code on a piece of paper and then erasing each executable section. Merely specifying the format of the excluded source code does not favor eligibility.
Second, Finjan and the present application are distinguishable. The court concluded that Finjan, Inc. v. Blue Coat Systems, Inc., is eligible because “Claim 1 of the '844 patent scans a downloadable and attaches the virus scan results to the downloadable in the form of a newly generated file: a "security profile that identifies suspicious code in the received Downloadable." … This operation is distinguished from traditional, "code-matching" virus scans that are limited to recognizing the presence of previously-identified viruses, typically by comparing the code in a downloadable to a database of known suspicious code” and claim 1 specifically reflects the improvement by reciting “generating by the inspector a first Downloadable security profile … and linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.”
In contrast, the present application merely discloses removing some portions from a source code and training a generic machine learning model based on the source code, which is not distinguished from traditional machine learning model training process of “Preprocessing – Training – Storing the trained weight into a memory”. Even though removing PE format, Mach object format, or Executable and Linkable Format object code is “a new kind of file that enables a computer security system to do things it could not do before” the limitation itself fails to disclose any technical details or structures that is specialized in executing the new kind of file or specialized in detecting malware.
Additionally, the limitation of “training, by a processor hosted at a data center’ and ‘loading the weight set into dedicated memory of the processor’ are additional elements and recited at a high-level of generality, as shown in 35 U.S.C. 101 rejections above.
Accordingly, the arguments to claim 1 are not persuasive and similarly the arguments to claims 8 and 15 are not persuasive. Similarly, the arguments to their respective dependent claims 2, 4-7, 9, 11-14, 16, and 18-20 are not persuasive.
Response to Arguments under 35 U.S.C. 103
Arguments: Applicant asserts that the cited references fail to teach or suggest “extracting a labeled feature from executable file samples of a malware family dataset for each malware family therein by seeded pseudo-random sampling excluding an executable section of object code” and Clemens, to the contrary of the Office’s allegations, teaches sampling executable sections of compiled object code rather than excluding executable sections of compiled object code [Remarks, pages 18-19].
Examiner’s Response: Applicant’s arguments with respect to claims 1, 8, and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for matter specifically challenged in the argument. Accordingly, the arguments to their respective dependent claims 2, 4-7, 9, 11-14, 16, and 18-20 are moot.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUN KWON whose telephone number is (571)272-2072. The examiner can normally be reached Monday – Friday 7:30AM – 4:30PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Abdullah Kawsar can be reached at (571)270-3169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JUN KWON/Examiner, Art Unit 2127
/ABDULLAH AL KAWSAR/Supervisory Patent Examiner, Art Unit 2127