Prosecution Insights
Last updated: April 18, 2026
Application No. 18/109,815

SYSTEM FOR DETECTING MALWARES IN A RESOURCES CONSTRAINED DEVICE

Non-Final OA §103
Filed: Feb 14, 2023
Examiner: JOHNSON, CARLTON
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: Institut Polytechnique De Grenoble
OA Round: 3 (Non-Final)
Grant Probability: 58% (Moderate)
OA Rounds: 3-4
To Grant: 4y 11m
With Interview: 90%

Examiner Intelligence

Career Allow Rate: 58% (205 granted / 352 resolved), at TC average
Interview Lift: +32.1% (strong; resolved cases with interview)
Avg Prosecution: 4y 11m (26 currently pending)
Total Applications: 378 (across all art units)

Statute-Specific Performance

§101: 12.4% (-27.6% vs TC avg)
§103: 59.7% (+19.7% vs TC avg)
§102: 12.2% (-27.8% vs TC avg)
§112: 8.6% (-31.4% vs TC avg)
Based on career data from 352 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 2-12-2026 has been entered.

2. Claims 1 - 3, 5 - 13 are pending. Claims 1, 5, 12, 13 are amended. Claims 4, 14 are canceled. Claims 1, 12, 13 are independent. This application was filed on 2-14-2023.

Response to Arguments

3. Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 2-12-2026, with respect to the rejection(s) in view of Hunt in view of Chang and further in view of Suzuki and Chen have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri.

A. The 101 Rejection for Claims 1 - 11 is withdrawn due to addition of a hardware component (a memory) to the claimed invention.

B. Applicant argues on page 8 of Remarks: ... "transmitting the stored monitored data, at a predefined transmission rate to a remote server.". The Examiner respectfully disagrees. Chen discloses transmitting data between network connected entities at a predefined transmission rate. (see Chen pages 13-14: In the embodiment of the present invention, for any TCP data stream, the transmission rate of the TCP data stream may be the transmission rate of the TCP data stream or the receiving rate of the TCP data stream.
The rate characterization value of the TCP data stream may be the transmission rate itself of the TCP data stream, for example, may be the reception rate or transmission rate of the TCP data stream. For any TCP data stream, the rate representation value of the TCP data stream may also be the amount of data of the IP data packet belonging to the TCP data stream received or transmitted within a preset duration.; (transmission and reception rate for network connected device stream communications))

C. Applicant argues on page 8 of Remarks: ... "the local machine learning module being configured to send the monitored data stored in the data memory to the remote machine learning module at the predefined transmission rate.". The Examiner respectfully disagrees. Chen discloses transmitting data between network connected entities at a predefined transmission rate. (see Chen pages 13-14: In the embodiment of the present invention, for any TCP data stream, the transmission rate of the TCP data stream may be the transmission rate of the TCP data stream or the receiving rate of the TCP data stream. The rate characterization value of the TCP data stream may be the transmission rate itself of the TCP data stream, for example, may be the reception rate or transmission rate of the TCP data stream. For any TCP data stream, the rate representation value of the TCP data stream may also be the amount of data of the IP data packet belonging to the TCP data stream received or transmitted within a preset duration.; (transmission and reception rate for network connected device stream communications))

D. Applicant argues on page 9 of Remarks: ... "the local machine learning module implements a first machine learning algorithm and the remote machine learning module implements a second machine learning algorithm being different from the first machine learning algorithm and having a detection accuracy higher than the first machine learning algorithm.". The Examiner respectfully disagrees.
Elango discloses a first machine learning model is different from the second machine learning model. (see Elango paragraph [0110]: The second machine-learning model may be implemented as a multiple linear regression. Thus, the second machine-learning model is a different machine-learning model type than the first machine-learning model, such that each machine-learning model is specifically tailored and structured to address the data to be provided as input thereto.)

E. Applicant argues on page 9 of Remarks: ... "the remote machine learning module is configured to generate a notification for appropriate local action if the received data corresponds to malware.". The Examiner respectfully disagrees. Hunt discloses generation of a notification if malware data is received. (see Hunt paragraph [0048]: User event monitor 180 may receive alerts from other components in the malware detection system.; paragraph [0036]: The scans using the modules of data monitoring program may be scheduled (predefined transmission rate) to ensure the least trade-off impact on real-time application performance versus detection. In an embodiment, scans by data monitoring program may be performed at Boot-up, during software updates, and daily full scan of memory (e.g., cache, ROM, firmware-Bios, flash memory, SRAM, DRAM).; (transmissions at a scheduled or pre-defined rate); paragraph [0044]: Spectral analysis 132 is able to detect code anomalies that may fit signatures of malware in situations where a score based on the attributes and behavior of the code anomaly is above a threshold level for the given malware threat (e.g., suspicious, malicious).)

F. Applicant argues on page 9 of Remarks: ... does not disclose if the confidence score is lower than first predefined alert threshold and higher than a second predefined suspicious threshold, do not store monitored data. The Examiner respectfully disagrees.
Suzuki discloses to output data to a memory when priority (confidence score) is less than a first threshold value and higher than a second threshold value. (see Suzuki page 2: outputs log data (first log data) to the first area 13 of the memory 12 when the importance of the log data is higher than a predetermined first threshold, (current value greater than threshold value, store data memory; first threshold greater than second threshold))

G. Applicant argues on page 10 of Remarks: ... Suzuki only discloses comparing data to one threshold and outputting data in different memory areas when higher or lower than the threshold. In contrast, the independent claims require storing monitored data in a data memory if the confidence score is between two different thresholds (i.e., the first predefined alert threshold and the second predefined suspicious threshold). The Examiner respectfully disagrees. Suzuki discloses to output data to a memory when priority (confidence score) less than a first threshold value and higher than a second threshold value (two threshold values are compared to determine whether to output data). (see Suzuki page 2: outputs log data (first log data) to the first area 13 of the memory 12 when the importance of the log data is higher than a predetermined first threshold, (first value greater than threshold value, store data memory; first threshold greater than second threshold))

H. Applicant argues on page 10 of Remarks: ... does not disclose to store the IP packet in a memory when the packet loss rate is between the first and the second packet loss threshold. The Examiner respectfully disagrees. Chen discloses processing data based upon a first threshold and a second threshold. (see Chen page 25: the IP data packet is discarded. If the packet loss rate is greater than the second packet loss threshold and is less than the first packet loss threshold, the IP packet is randomly generated.
If the random number is not less than the pre-configured packet threshold, the IP packet is discarded. If the packet rate is not greater than the second packet loss threshold, the IP packet is not discarded (between two thresholds, packet not discarded or is stored).; (packet discarded or not stored due to values of first and second threshold parameters))

Claim Rejections - 35 USC § 103

4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5. Claims 1, 5, 10, 12, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Hunt et al. (US PGPUB No. 20210110037) in view of Chang et al. (US PGPUB No. 20170316284) and further in view of Suzuki (Patent No. JP 5496377 B1) and Chen et al. (Patent No. WO 2019153931 A1) and Elango et al. (US PGPUB No. 20230102179) and Bonageri et al. (US Patent No. 11,526,953).

Regarding Claims 1, 12, 13, Hunt discloses a system for detecting malwares in a resources constrained device and a computer implemented method for detecting malwares in a resources constrained device and a computer program product for detecting malwares in a resources constrained device, the system, computer implemented method, and computer program product, comprising:

a) a monitoring module, embedded on the device, for measuring, at a predefined adaptable monitoring period, internal hardware events related data, (see Hunt paragraph [0048]: User event monitor 180 may receive alerts from other components in the malware detection system. These alerts include detection of malicious and/or suspicious code confirmed by the spectral analysis module 132 as well as any quarantine responses from the Quarantine Process 190. The contents of the alerts will be logged, conveyed to a user through an interface, or sent to another system for analysis.; paragraph [0036]: The scans using the modules of data monitoring program may be scheduled to ensure the least trade-off impact on real-time application performance versus detection. In an embodiment, scans by data monitoring program may be performed at Boot-up, during software updates, and daily full scan of memory (e.g., cache, ROM, firmware-Bios, flash memory, SRAM, DRAM).)

b) a data memory for storing monitored data, (see Hunt paragraph [0045]: Data Store 150 may act as a repository of all data coming from data monitoring program 110 and data analysis module 120. Data Store 150 may contain results about benign, malicious, or suspicious samples from the other components in the system such as data analysis module 120, malware tracker 170, and model training module 160.)

c) a machine learning module for providing a confidence score that each monitored data is a malware; (see Hunt paragraph [0042]: calculations to extract entropy transition and value coefficients features for machine and deep learning models. ...
enables the spectral analysis module 132 to ingest the extracted and formatted features and perform the classification and scoring analysis (benign, malicious, suspicious) based on the respective detector class.; paragraph [0044]: Spectral analysis 132 is able to detect code anomalies that may fit signatures of malware in situations where a score based on the attributes and behavior of the code anomaly is above a threshold level for the given malware threat (e.g., suspicious, malicious).) and

d) a machine learning module, for receiving the stored monitored data at a predefined transmission rate and process the received data to detect if it corresponds to malware. (see Hunt paragraph [0036]: The scans using the modules of data monitoring program may be scheduled to ensure the least trade-off impact on real-time application performance versus detection. In an embodiment, scans by data monitoring program may be performed at Boot-up, during software updates, and daily full scan of memory (e.g., cache, ROM, firmware-Bios, flash memory, SRAM, DRAM).; (transmissions at a scheduled or pre-defined rate); paragraph [0044]: Spectral analysis 132 is able to detect code anomalies that may fit signatures of malware in situations where a score based on the attributes and behavior of the code anomaly is above a threshold level for the given malware threat (e.g., suspicious, malicious).)

Furthermore, Hunt discloses wherein the remote machine learning module is configured to generate a notification for appropriate local action if the received data corresponds to malware (see Hunt paragraph [0048]: User event monitor 180 may receive alerts from other components in the malware detection system.; paragraph [0036]: The scans using the modules of data monitoring program may be scheduled (predefined transmission rate) to ensure the least trade-off impact on real-time application performance versus detection.
In an embodiment, scans by data monitoring program may be performed at Boot-up, during software updates, and daily full scan of memory (e.g., cache, ROM, firmware-Bios, flash memory, SRAM, DRAM).; (transmissions at a scheduled or pre-defined rate); paragraph [0044]: Spectral analysis 132 is able to detect code anomalies that may fit signatures of malware in situations where a score based on the attributes and behavior of the code anomaly is above a threshold level for the given malware threat (e.g., suspicious, malicious).)

Hunt does not specifically disclose local machine learning module, embedded on the device, and remote machine learning module, embedded on a remote server. However, Chang discloses wherein a local machine learning module, embedded on the device, and a remote machine learning module, embedded on a remote server. (see Chang paragraph [0032]: the machine learning unit 3 may be disposed in the vehicle 9, or may be disposed in a remote server.; paragraph [0043]: providing the detection unit 2 in a vehicle embedded system (local embedded machine learning system) of the vehicle 9, and by providing the machine learning unit 3 in a server that is wirelessly connected to the detection unit 2 (remote embedded machine learning system))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for local machine learning module, embedded on the device, and remote machine learning module, embedded on a remote server as taught by Chang. One of ordinary skill in the art would have been motivated to employ the teachings of Chang for the benefits achieved from the flexibility of a system enabling the processing of data by locally embedded and remotely embedded systems. (see Chang paragraph [0032]; paragraph [0043])

Furthermore, Hunt discloses wherein to raise an alert.
(see Hunt paragraph [0048]: User event monitor 180 may receive alerts from other components in the malware detection system.)

Hunt does not specifically disclose local machine learning module configured wherein if the confidence score is higher than a first predefined alert threshold and to locally store monitored data in memory. However, Suzuki discloses wherein the local machine learning module being configured wherein if the confidence score is higher than a first predefined alert threshold and to locally store the monitored data in a memory. (see Suzuki page 2: outputs log data (first log data) to the first area 13 of the memory 12 when the importance of the log data is higher than a predetermined first threshold, (first threshold greater than baseline value, store data memory))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for local machine learning module configured to if the confidence score is higher than a first predefined alert threshold and to locally store monitored data in memory as taught by Suzuki. One of ordinary skill in the art would have been motivated to employ the teachings of Suzuki for the flexibility achieved from a system that enables predetermined threshold parameters to manage data processing states of a processing environment. (see Suzuki page 2)

Hunt does not specifically disclose if the confidence score is lower than first predefined alert threshold and higher than a second predefined suspicious threshold, do not store monitored data. However, Chen discloses wherein if the confidence score is lower than the first predefined alert threshold and higher than a second predefined suspicious threshold and do not store the monitored data. (see Chen page 25: the IP data packet is discarded. If the packet loss rate is greater than the second packet loss threshold and is less than the first packet loss threshold, the IP packet is randomly generated.
If the random number is not less than the pre-configured packet threshold, the IP packet is discarded.; (packet discarded or not stored due to values of first and second threshold parameters))

Furthermore, Hunt does not specifically disclose local machine learning module configured to send monitored data to remote machine learning module at predefined transmission rate (network communications). However, Chen discloses wherein the local machine learning module being configured to send the monitored data stored in the data memory to the remote machine learning module at the predefined transmission rate. (see Chen pages 13-14: In the embodiment of the present invention, for any TCP data stream, the transmission rate of the TCP data stream may be the transmission rate of the TCP data stream or the receiving rate of the TCP data stream. The rate characterization value of the TCP data stream may be the transmission rate itself of the TCP data stream, for example, may be the reception rate or transmission rate of the TCP data stream. For any TCP data stream, the rate representation value of the TCP data stream may also be the amount of data of the IP data packet belonging to the TCP data stream received or transmitted within a preset duration.; (transmission and reception rate for network connected device stream communications))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for if the confidence score is lower than first predefined alert threshold and higher than a second predefined suspicious threshold, do not store monitored data and local machine learning module configured to send monitored data to remote machine learning module at predefined transmission rate (network communications) as taught by Chen.
One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that enables network communication utilizing a predefined transmission rate. (see Chen pages 13-14)

Furthermore, Hunt does specifically disclose local machine learning module implements a first machine learning algorithm and remote machine learning module implements a second machine learning algorithm being different from first machine learning algorithm. However, Elango discloses wherein the local machine learning module implements a first machine learning algorithm and the remote machine learning module implements a second machine learning algorithm being different from the first machine learning algorithm. (see Elango paragraph [0110]: The second machine-learning model may be implemented as a multiple linear regression. Thus, the second machine-learning model is a different machine-learning model type than the first machine-learning model, such that each machine-learning model is specifically tailored and structured to address the data to be provided as input thereto.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for local machine learning module implements a first machine learning algorithm and remote machine learning module implements a second machine learning algorithm being different from first machine learning algorithm as taught by Elango. One of ordinary skill in the art would have been motivated to employ the teachings of Elango for the flexibility of a system that enables multiple processing parameters such as multiple machine learning modes. (see Elango paragraph [0110])

Hunt does not specifically disclose a second machine learning algorithm having a detection accuracy higher than the first machine learning algorithm.
However, Bonageri discloses wherein a second machine learning algorithm having a detection accuracy higher than the first machine learning algorithm. (see Bonageri col 2: determining that output provided by the first model is likely to have higher accuracy than output provided by the second model. Additionally, based on determining that the output provided by the first model is likely to have higher accuracy than the output provided by the second model, the method also includes: assigning a first weight to the first score, and assigning a second weight to the second score, where a value of the first weight exceeds a value of the second score.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for a second machine learning algorithm having a detection accuracy higher than the first machine learning algorithm as taught by Bonageri. One of ordinary skill in the art would have been motivated to employ the teachings of Bonageri for the flexibility of a system that enables a first machine learning model to have higher accuracy than a second machine learning model. (see Bonageri col 2)

Furthermore, Hunt discloses wherein the device comprising a first processor and a first instructions memory having computer executable instructions embodied therewith, the computer executable instructions being executable by the first processor to cause the first processor to perform steps from the monitoring module and the local machine learning module, the remote server comprising a second processor and a second instructions memory having computer executable instructions embodied therewith, the computer executable instructions being executable by the second processor to cause the second processor to perform steps from the remote machine learning module.
(see Hunt paragraph [0067]: The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).; (computer executable instruction for monitoring module can operate as a local executable program or as a remote executable program))

Furthermore, for Claim 13, Hunt discloses wherein a computer program product, the computer program product comprising a memory having computer executable instructions embodied therewith, the computer executable instructions being executable by a processor to cause the processor to perform operations. (see Hunt paragraph [0069]: These computer readable program instructions may be provided to a processor of a computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.)

Regarding Claim 5, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 4, including the second machine learning algorithm is a time-series machine learning algorithm having a history table for storing a predefined number n of samples, and store the monitored data and at most n consecutive previous monitored data. (see Hunt paragraph [0045]: Data Store 150 may act as a repository of all data coming from data monitoring program 110 and data analysis module 120.
Data Store 150 may contain results about benign, malicious, or suspicious samples from the other components in the system such as data analysis module 120, malware tracker 170, and model training module 160. Data store 150 may contain histories of activity of specific programs, specific states of the computing device, or any other relevant activity logs that can be referred to, or used by model training module 160, to improve spectral detector 132.; paragraph [0048]: User event monitor 180 may receive alerts from other components in the malware detection system. These alerts include detection of malicious and/or suspicious code confirmed by the spectral analysis module 132 as well as any quarantine responses from the Quarantine Process 190. The contents of the alerts will be logged, conveyed to a user through an interface, or sent to another system for analysis.; paragraph [0036]: The scans using the modules of data monitoring program may be scheduled to ensure the least trade-off impact on real-time application performance versus detection. In an embodiment, scans by data monitoring program may be performed at Boot-up, during software updates, and daily full scan of memory (e.g., cache, ROM, firmware-Bios, flash memory, SRAM, DRAM).; paragraph [0032]: techniques may reduce (e.g., minimize) an amount of intermediate data stored locally in store(s) of a database ... ))

Hunt does not specifically disclose when the confidence score is lower than first predefined alert threshold and higher than second predefined suspicious threshold, store monitored data. However, Chen discloses wherein the local machine learning module is furthermore configured to, when the confidence score is lower than the first predefined alert threshold and higher than the second predefined suspicious threshold, store the monitored data and at most n consecutive previous monitored data having a confidence score lower than the second predefined suspicious threshold.
(see Chen page 25: If the second packet loss rate threshold is greater than the first packet loss rate threshold, a random number Y is generated for the IP data packet, and if Y is not less than X, the IP data packet is determined to be discarded, ... , Since 50 (Y) is smaller than the packet loss threshold 60 (X), the IP data packet is not discarded (IP data packet is stored).)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for when the confidence score is lower than first predefined alert threshold and higher than second predefined suspicious threshold, store monitored data as taught by Chen. One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that enables multiple machine learning models including local and remote machine learning models to be utilized in the processing of data within a network environment. (see Chen page 25)

Regarding Claim 10, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 1, comprising a data limiter module configured for scaling monitored data to a normalized range. (see Hunt paragraph [0050]: This captured information will be sent to module 120 for extraction and data normalization. Module 120 will then store the ID tags in the Data Store 150 and send the extracted features to the spectral analysis module 132 for analysis and scoring.; (normalization of captured data, normalization range))

6. Claims 2, 3 are rejected under 35 U.S.C. 103 as being unpatentable over Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri and Tamir et al. (US Patent No. 9,842,209).

Regarding Claim 2, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares of claim 1. Hunt does not specifically disclose hardware events related data are hardware events counters.
However, Tamir discloses wherein internal hardware events related data are hardware events counters. (see Tamir col 4, lines 6-17: the hardware event counters utilized by the techniques described herein can never be reset, and are either invisible or ‘read-only’ to the OS software. Second, the dynamic analysis of trusted hardware counters and the tracking of accessed instruction memory addresses over time; (events counters))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for hardware events related data are hardware events counters as taught by Tamir. One of ordinary skill in the art would have been motivated to employ the teachings of Tamir for the benefits achieved from a system that enables a more resilient system due to the utilization of hardware event counters. (see Tamir col 4, lines 6-17; col 4, lines 40-43)

Regarding Claim 3, Hunt-Chang-Suzuki-Chen discloses the system for detecting malwares of claim 2. Hunt does not specifically disclose dedicated hardware performance counters configured to store hardware events counters and being inaccessible by operating system. However, Tamir discloses wherein furthermore comprising dedicated hardware performance counters configured to store hardware events counters and being inaccessible by the operating system of the device. (see Tamir col 4, lines 6-17: the hardware event counters utilized by the techniques described herein can never be reset, and are either invisible or ‘read-only’ to the OS software (inaccessible to OS).
Second, the dynamic analysis of trusted hardware counters and the tracking of accessed instruction memory addresses over time; (invisible, counters inaccessible by OS))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for dedicated hardware performance counters configured to store hardware events counters and being inaccessible by operating system as taught by Tamir. One of ordinary skill in the art would have been motivated to employ the teachings of Tamir for the benefits achieved from a system that enables a more resilient system due to the utilization of hardware event counters. (see Tamir col 4, lines 6-17; col 4, lines 40-43)

7. Claims 6, 7 are rejected under 35 U.S.C. 103 as being unpatentable over Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri and Roundy et al. (US PGPUB No. 20170093902).

Regarding Claim 6, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 1. Hunt does not specifically disclose first predefined alert threshold is determined in such a way that monitored data for which an alert is raised has a predetermined amount of false positives. However, Roundy discloses wherein the first predefined alert threshold is determined in such a way that the monitored data for which an alert is raised by the local machine learning module has a predetermined amount of false positives. (see Roundy paragraph [0050]: thresholds that can be used to separate known incidents from false positive alert identifications)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for first predefined alert threshold is determined in such a way that monitored data for which an alert is raised has a predetermined amount of false positives as taught by Roundy.
One of ordinary skill in the art would have been motivated to employ the teachings of Roundy for the enhance data processing enabling the system to better distinguish false positives. (see Roundy paragraph [0050]) Regarding Claim 7, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 6. Hunt does not specifically disclose that an amount, equal to said predetermined amount of false positives, of confidence scores corresponding to normal applications are above the first predefined alert threshold. However, Roundy discloses wherein the first predefined alert threshold is determined after the local machine learning module is trained in such a way that an amount, equal to said predetermined amount of false positives, of confidence scores of training data corresponding to normal applications are above the first predefined alert threshold. (see Roundy paragraph [0050]: thresholds that can be used to separate known incidents from false positive alert identifications) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for that an amount, equal to said predetermined amount of false positives, of confidence scores corresponding to normal applications are above the first predefined alert threshold as taught by Roundy. One of ordinary skill in the art would have been motivated to employ the teachings of Roundy for the enhance data processing enabling the system to better distinguish false positives. (see Roundy paragraph [0050]) 8. Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri and Zhu et al. (US PGPUB No. 20220092067). Regarding Claim 8, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 1, wherein data stored that is not malware. 
(see Hunt paragraph [0042]: calculations to extract entropy transition and value coefficients features for machine and deep learning models. ... enables the spectral analysis module 132 to ingest the extracted and formatted features (non-malware processed data) and perform the classification and scoring analysis (benign, malicious, suspicious) based on the respective detector class.; paragraph [0044]: Spectral analysis 132 is able to detect code anomalies that may fit signatures of malware in situations where a score based on the attributes and behavior of the code anomaly is above a threshold level for the given malware threat (e.g., suspicious, malicious).) Hunt discloses minimize amount of data storage to minimize the amount of data locally stored to a predefined amount. However, Zhu discloses wherein the second predefined suspicious threshold is determined in such a way to minimize the amount of data locally stored to a predefined amount. (see Zhu paragraph [0032]: techniques may reduce (e.g., minimize) an amount of intermediate data stored locally in store(s) of a database ... ) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for to minimize the amount of data locally stored to a predefined amount as taught by Zhu. One of ordinary skill in the art would have been motivated to employ the teachings of Zhu for the efficient usage of data storage by minimizing the amount of data stored locally. (see Zhu paragraph [0032]) 9. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri and Saville, III (US Patent No. 9,507,637). Regarding Claim 9, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 1. Hunt does not specifically disclose each process must run on the device before being preempted by operating system. 
However, Saville wherein the predetermined monitoring period is equal to at most half a minimum amount of time each process must run on the device before being preempted by the operating system of the device. (see Saville col 4, lines 30-42: The thread can be put to sleep before completing its task by the operating system, typically because some other thread, application, or process preempted execution of the thread. Preemption can occur for a number of reasons—some examples include a priority of the other thread, application, or process can be higher than a priority of the thread, the other thread, application, or process can require resources uses by the thread, the thread may have been scheduled to run for a fixed period of time (e.g., a fixed time slice) and the time has expired.; (process preempted by OS due to time slice expiration)) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for each process must run on the device before being preempted by operating system as taught by Saville. One of ordinary skill in the art would have been motivated to employ the teachings of Saville for enhanced process management protocols such as execution time slice expiration when a currently executing process has utilized its execution time slice and a next process is given execution control. (see Saville col 4, lines 30-42) 10. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Hunt in view of Chang and further in view of Suzuki and Chen and Elango and Bonageri and Kueny (US PGPUB No. 20040185582) and Horie (US PGPUB No. 20100020964). Regarding Claim 11, Hunt-Chang-Suzuki-Chen-Elango-Bonageri discloses the system for detecting malwares according to claim 10. Hunt does not specifically disclose wherein maximum value of the monitored data, minimum value of the monitored data, calculate scaled data. 
However, Kueny discloses wherein the data limiter module is configured to: determine integer values a and b such that a is at least equal to the maximum value of the monitored data, b is at most equal to the minimum value of the monitored data and a-b is equal to a power of two, calculate the scaled data. (see Kueny paragraph [0040]: the vertical range of the data, whether calculated or observed, is scaled according to the maximum and minimum values contained within it.; paragraph [0073]: Every spectrum, whether a calculated spectrum or an observed spectrum, is scaled according to the maximum and minimum R.sub.ivalues contained within it.; (minimum value, maximum data, scaled data)) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for maximum value of the monitored data, minimum value of the monitored data, calculate scaled data as taught by Kueny. One of ordinary skill in the art would have been motivated to employ the teachings of Kueny for the flexibility of a system that enables the utilization of multiple types of data included within data processing. (see Kueny paragraph [0040]; paragraph [0073]) Hunt does not specifically disclose wherein calculate the data y as y=(x-b).2®°, where x is the monitored data and a-b=2°. However, Horie discloses wherein calculate the data y as y=(x-b).2®°, where x is the monitored data and a-b=2°. (see Horie paragraph [0026]: In the key generation method according to the second aspect of the present invention, said quadratic-hyperbolic function may be given by the following expression: y=(x-b)/(x.sup.2+cx-a),) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hunt for wherein calculate the data y as y=(x-b).2®°, where x is the monitored data and a-b=2° as taught by Horie. 
One of ordinary skill in the art would have been motivated to employ the teachings of Horie for the flexibility of a system that enables the processing of monitoring data and the generation of scaled data. (see Horie paragraph [0026]) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CJ/ March 9, 2026 /KHOI V LE/Primary Examiner, Art Unit 2436

Prosecution Timeline

Feb 14, 2023
Application Filed
Mar 17, 2025
Non-Final Rejection — §103
Jun 25, 2025
Response Filed
Oct 10, 2025
Final Rejection — §103
Jan 20, 2026
Response after Non-Final Action
Feb 12, 2026
Request for Continued Examination
Feb 24, 2026
Response after Non-Final Action
Mar 21, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604197
METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA
2y 5m to grant Granted Apr 14, 2026
Patent 12526638
METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA
2y 5m to grant Granted Jan 13, 2026
Patent 12515614
ELECTRONIC CONTROL UNIT AND COMMUNICATION SYSTEM
2y 5m to grant Granted Jan 06, 2026
Patent 12518656
SECRET SIGMOID FUNCTION CALCULATION SYSTEM, SECRET LOGISTIC REGRESSION CALCULATION SYSTEM, SECRET SIGMOID FUNCTION CALCULATION APPARATUS, SECRET LOGISTIC REGRESSION CALCULATION APPARATUS, SECRET SIGMOID FUNCTION CALCULATION METHOD, SECRET LOGISTIC REGRESSION CALCULATION METHOD AND PROGRAM
2y 5m to grant Granted Jan 06, 2026
Patent 12452239
METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA
2y 5m to grant Granted Oct 21, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
58%
Grant Probability
90%
With Interview (+32.1%)
4y 11m
Median Time to Grant
High
PTA Risk
Based on 352 resolved cases by this examiner. Grant probability derived from career allow rate.
