Prosecution Insights
Last updated: April 19, 2026
Application No. 18/235,780

APPARATUS FOR PROVIDING CYBER THREAT INTELLIGENCE INFORMATION AND METHOD THEREOF

Non-Final OA §103
Filed: Aug 18, 2023
Examiner: HOLLISTER, JAMES ROSS
Art Unit: 2499
Tech Center: 2400 — Computer Networks
Assignee: Sands Lab Inc.
OA Round: 3 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 2y 8m
With Interview: 99%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (162 granted / 215 resolved), +17.3% vs TC avg
Strong +26% interview lift
Interview Lift: +25.6% (resolved cases with interview)
Typical timeline: 2y 8m Avg Prosecution, 18 currently pending
Career history: 233 Total Applications across all art units

Statute-Specific Performance

§101: 15.2% (-24.8% vs TC avg)
§103: 55.8% (+15.8% vs TC avg)
§102: 10.1% (-29.9% vs TC avg)
§112: 11.0% (-29.0% vs TC avg)
Based on career data from 215 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Summary

This action is responsive to the request for continued examination filed on 1/26/2026. Claims 1-12 are pending and have been examined. Claims 1-12 are rejected.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/26/26 has been entered.

Response to Arguments

Objection to the Drawings

Applicant’s Response: The drawings are objected to for the reasons set forth on page 6 of the office action. Applicant has amended the drawings, rendering this objection moot.

Examiner’s Response: Some of the newly submitted drawings are still unclear. Drawings 21, 22, 39 are accepted. Drawings 23, 63, 65, 67 are objected to. The text in the drawings is unreadable.

Rejection of Claims under 35 USC 103

Applicant’s Response: Claims 1-12 are rejected as allegedly being unpatentable over Koo et al. (US 2023/0161879 A1, hereinafter "Koo") and further in view of Kumar et al. (US 2018/0137401 A1, hereinafter "Kumar") as set forth on pages 7-30 of the office action. Without acquiescing to the merits of this rejection, Applicant has amended independent claims 1, 3, and 5, on which the remaining claims depend, to better capture the commercial embodiments.
Applicant submits that none of the cited references teach or suggest a feature "wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code" as recited in the claims. The office action relies on Koo for teaching the CTI query. See Page 9 of the office action. Koo, however, simply suggests generating instruction code sequence as an input of assembly language model. There is no description in Koo that the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code. The office action does not rely on Kumar for this feature, and Kumar merely teaches or suggests a natural language dialogue between the security analyst and the security bot server. Thus, Kumar does not cure the deficiency of Koo. Since a supplementary query is generated based on a hash value obtained from a function of the assembly code, the supplementary query can include the feature information of the cyber threat of the assembly code, and a natural language description based on keywords can be obtained, thereby acquiring natural language information regarding the technical connection between the assembly code and the cyber threat. At least for the reasons set forth above, Applicant respectfully requests reconsideration and withdrawal of the above rejections.

Examiner’s Response: Applicant’s arguments with respect to claims 1-6 have been considered but are moot because the arguments are directed to amended subject matter properly addressed with the newly cited references of KIM et al. (KR102411383B1). The combination of KOO et al. (US 20230161879 A1) and KUMAR et al. (US 20180137401 A1) and KIM et al. (KR102411383B1) teaches the language of the independent claims. All remaining arguments are now moot in regards to the new rejection.
Drawings

New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because FIGs. 23, 63, 65, 67 are unclear. In particular, the text in the drawings is unreadable. Corrected drawings are required in reply to the Office action to avoid abandonment of the application. Accordingly, replacement drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to this Office action. The replacement sheet(s) should be labeled "Replacement Sheet" in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any portion of the drawing figures. If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The requirement for corrected drawings will not be held in abeyance.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors.
In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-12 are rejected under 35 U.S.C. 103 as being unpatentable over KOO et al. (US 20230161879 A1) and further in view of KUMAR et al. (US 20180137401 A1) and KIM et al. (KR102411383B1).

As to claim 1, KOO et al. teaches a method of providing cyber threat information (CTI), the method comprising:

receiving a CTI analysis request for assembly code from a client (See ¶ [0099], Teaches that Step S310, which is a process of generating an instruction code sequence of an input file for detecting a malicious code of a format to be input into an assembly language model, may include a process of generating an indexed instruction code sequence corresponding to an instruction code sequence by using an instruction code dictionary for indexing an instruction code by an integer and by indexing an instruction code in an instruction code sequence by an integer.);

analyzing the assembly code to obtain analysis information of the CTI for the assembly code (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the
assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.); generating a CTI query related to the assembly code based on the analysis information of the CTI and delivering the CTI query to a natural language model (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.). 
However, it does not expressly teach the details of acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code; providing the natural language description information as visualization information based on a web service, wherein the natural language description information includes a malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action. KUMAR et al., from analogous art, teaches providing the natural language description information as visualization information based on a web service, wherein the natural language description information includes a malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action (See ¶¶ [0065]-[0066], [0042], Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. 
The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into KOO et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). However, it does not expressly teach the details of acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code. KIM et al., from analogous art, teaches acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code (See ¶¶ [0014], [0034]-[0035], [0023]-[0024], Teaches that The disclosed embodiment includes the steps of: converting an input executable file into a code block of a predetermined format; determining a similarity to malicious code based on the converted code block and classifying an attack technique of the malicious code; registering a combination of a plurality of natural languages selected based on the characteristic information of the malicious code as an identifier of the malicious code; and providing the characteristic information of the classified malicious code and the combination word to the user in response to a user's search request. 
If the file is not already known, analysis information for identifying the file type can be obtained by inquiring the hash value and file information on pre-stored information or, if necessary, on an external reference website. For example, information according to file type can be obtained from sites such as C-TAS (Cyber Threats Analysis System) operated by Korea Internet & Security Agency, CTA (Cyber Threat Alliance) operating system, and VirusTotal as external reference websites. For example, you can search for a file in the site by using the hash value of a hash function such as MD5 (Message-Digest algorithm 5), SHA1 (Secure Hash Algorithm 1), and SHA 256 of the file. And the file can be identified using the search result. When searching for a malicious code, the user can obtain a natural language combination identifier or combined natural language related to the malicious code as identification information in addition to the technical characteristic information of the malicious code. According to the embodiment, in addition to detailed technical information about the malicious code, a natural language-based identifier that can be understood by the general public is provided so that the malicious code can be easily identified. Users can easily remember the malicious code using natural language combination information and use it for re-search later).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KIM et al. into the combination of KOO et al. and KUMAR et al. in order to provide the user with the characteristic information of the classified malicious code and the combination word in response to the user's search request (See KIM et al. ¶ [0017]).

As to claim 2, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the method according to claim 1 above.
However, it does not expressly teach the details of wherein the visualization information comprises at least one of a path according to a process by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag. KUMAR et al., from analogous art, teaches wherein the visualization information comprises at least one of a path according to a process by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. 
and KUMAR et al. and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). As to claim 7, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the method according to claim 1 above. KOO et al. further teaches further comprising: providing a candidate group when answering the CTI query with data stored in a database as evidence for the candidate group (See ¶¶ [0115]-[0116], Teaches that The detector 1540 detects a malicious code by using a prelearned malicious code classification model with an input of embedding result. In addition, although not illustrated in FIG. 15 , the malicious code detection apparatus 1500 may include a learning unit for prelearning an assembly language model and a malicious code detection model that are installed in the malicious code detection apparatus. Of course, the learning unit is a configuration means for learning an assembly language model and a malicious code detection model that are installed, and after the assembly language model and the malicious code detection model are learned, a configuration for the learning unit is not used to detect a malicious code.). As to claim 8, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the method according to claim 1 above. However, it does not expressly teach the details of wherein the visualization information further includes summary information of the CTI, wherein the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques. 
KUMAR et al., from analogous art, teaches wherein the visualization information further includes summary information of the CTI, wherein the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. and KUMAR et al. and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). As to claim 3, KOO et al. 
teaches An apparatus for providing CTI, the apparatus comprising: a database configured to store data (See ¶¶ [0056]-[0059], Teaches that the assembly language model is learned by performing a masked language model (MLM) task and a next sentence prediction (NSP) task of the assembly language model by using the indexed instruction code sequence. Herein, at step S120, the assembly language model may be learned by treating the indexed instruction code sequence as a sentence and each instruction code as a token. Furthermore, at step S120, the assembly language model may be learned using a vector that adds token embedding for an indexed instruction code sequence, position embedding for a position of an instruction code, and segment embedding for distinguishing two indexed instruction code sequences.); and a processor (See ¶ [0119], Teaches that a processor 1603), wherein the processor performs operations comprising: an operation of receiving a CTI analysis request for assembly code from a client (See ¶ [0099], Teaches that Step S310, which is a process of generating an instruction code sequence of an input file for detecting a malicious code of a format to be input into an assembly language model, may include a process of generating an indexed instruction code sequence corresponding to an instruction code sequence by using an instruction code dictionary for indexing an instruction code by an integer and by indexing an instruction code in an instruction code sequence by an integer.); an operation of analyzing the assembly code to obtain analysis information of the CTI for the assembly code (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by 
inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.); an operation of generating a CTI query related to the assembly code based on the analysis information of the CTI and delivering the CTI query to a natural language model (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. 
Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.). However, it does not expressly teach the details of an operation of acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code; an operation of providing the natural language description information as visualization information based on a web service wherein the natural language description information includes a malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action. KUMAR et al., from analogous art, teaches an operation of providing the natural language description information as visualization information based on a web service wherein the natural language description information includes a malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action (See ¶¶ [0065]-[0066], [0042], Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. 
Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into KOO et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). However, it does not expressly teach the details of an operation of acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code. 
KIM et al., from analogous art, teaches an operation of acquiring natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code (See ¶¶ [0014], [0034]-[0035], [0023]-[0024], Teaches that The disclosed embodiment includes the steps of: converting an input executable file into a code block of a predetermined format; determining a similarity to malicious code based on the converted code block and classifying an attack technique of the malicious code; registering a combination of a plurality of natural languages selected based on the characteristic information of the malicious code as an identifier of the malicious code; and providing the characteristic information of the classified malicious code and the combination word to the user in response to a user's search request. If the file is not already known, analysis information for identifying the file type can be obtained by inquiring the hash value and file information on pre-stored information or, if necessary, on an external reference website. For example, information according to file type can be obtained from sites such as C-TAS (Cyber Threats Analysis System) operated by Korea Internet & Security Agency, CTA (Cyber Threat Alliance) operating system, and VirusTotal as external reference websites. For example, you can search for a file in the site by using the hash value of a hash function such as MD5 (Message-Digest algorithm 5), SHA1 (Secure Hash Algorithm 1), and SHA 256 of the file. And the file can be identified using the search result. When searching for a malicious code, the user can obtain a natural language combination identifier or combined natural language related to the malicious code as identification information in addition to the technical characteristic information of the malicious code.
According to the embodiment, in addition to detailed technical information about the malicious code, a natural language-based identifier that can be understood by the general public is provided so that the malicious code can be easily identified. Users can easily remember the malicious code using natural language combination information and use it for re-search later). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KIM et al. into the combination of KOO et al. and KUMAR et al. in order to provide the user with the characteristic information of the classified malicious code and the combination word in response to the user's search request (See KIM et al. ¶ [0017]). As to claim 4, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the apparatus according to claim 3 above. However, it does not expressly teach the details of wherein the visualization information comprises at least one of a path of processes by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag. KUMAR et al., from analogous art, teaches wherein the visualization information comprises at least one of a path of processes by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. 
The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. and KUMAR et al. and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]).

As to claim 9, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the apparatus according to claim 3 above. KOO et al. further teaches further wherein the processor performs operations further comprising: an operation of providing a candidate group when answering the CTI query with data stored in a database as evidence for the candidate group (See ¶¶ [0115]-[0116], Teaches that The detector 1540 detects a malicious code by using a prelearned malicious code classification model with an input of embedding result. In addition, although not illustrated in FIG. 15, the malicious code detection apparatus 1500 may include a learning unit for prelearning an assembly language model and a malicious code detection model that are installed in the malicious code detection apparatus. 
Of course, the learning unit is a configuration means for learning an assembly language model and a malicious code detection model that are installed, and after the assembly language model and the malicious code detection model are learned, a configuration for the learning unit is not used to detect a malicious code.).

As to claim 10, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the apparatus according to claim 3 above. However, it does not expressly teach the details of wherein the visualization information further includes summary information of the CTI, the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques. KUMAR et al., from analogous art, teaches wherein the visualization information further includes summary information of the CTI, the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. 
It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. and KUMAR et al. and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]).

As to claim 5, KOO et al. teaches a non-transitory computer-readable storage medium for storing a program for providing CTI executable by a computer, the program comprising instructions configured to: receive a CTI analysis request for assembly code from a client (See ¶ [0099], Teaches that Step S310, which is a process of generating an instruction code sequence of an input file for detecting a malicious code of a format to be input into an assembly language model, may include a process of generating an indexed instruction code sequence corresponding to an instruction code sequence by using an instruction code dictionary for indexing an instruction code by an integer and by indexing an instruction code in an instruction code sequence by an integer.); analyze the assembly code to obtain analysis information of the CTI for the assembly code (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly 
language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.); generate a CTI query related to the assembly code based on the analysis information of the CTI and deliver the CTI query to a natural language model (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. 
Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.); acquire natural language description information according to the CTI query describing a malicious action that occurs when the assembly code is provided based on the natural language model (See ¶ [0105], Teaches that When the instruction collector 410 generates a segmented instruction code sequence file of an instruction for an unknown file, after the instruction code tokenizer 420 tokenizes (indexes) an instruction code sequence by using an instruction code dictionary that is used for prelearning of an assembly language model, an instruction code sequence is embedded by inputting an indexed instruction code sequence into the assembly language model 430 that is completely learned, and then an embedding result of the instruction code sequence is output. The malicious code classification model 440 checks whether an input unknown file is a malicious code or a benign code, by using the embedding result output from the assembly language model 430 as an input. Thus, in a method according to embodiments of the present disclosure, a technology of detecting an unknown malicious code based on an artificial intelligence may be used to generate an assembly language model through instruction information utilized for a static/dynamic malicious code analysis and to detect an unknown malicious code based on the model.). 
However, it does not expressly teach the details of acquire natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code; provide the natural language description information as visualization information based on a web service wherein the natural language description information includes the malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action. KUMAR et al., from analogous art, teaches provide the natural language description information as visualization information based on a web service wherein the natural language description information includes the malicious action generated by the assembly code, a process executed by the assembly code, and a measure to respond to the malicious action (See ¶¶ [0065]-[0066], [0042], Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. 
The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into KOO et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). However, it does not expressly teach the details of acquire natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code. KIM et al., from analogous art, teaches acquire natural language description information according to the CTI query wherein the CTI query includes a supplementary query generated using a keyword for the analyzed assembly code and a hash value obtained from a function of the assembly code (See ¶¶ [0014], [0034]-[0035], [0023]-[0024], Teaches that The disclosed embodiment includes the steps of: converting an input executable file into a code block of a predetermined format; determining a similarity to malicious code based on the converted code block and classifying an attack technique of the malicious code; registering a combination of a plurality of natural languages selected based on the characteristic information of the malicious code as an identifier of the malicious code; and providing the characteristic information of the classified malicious code and the combination word to the user in response to a user's search request. 
If the file is not already known, analysis information for identifying the file type can be obtained by inquiring the hash value and file information on pre-stored information or, if necessary, on an external reference website. For example, information according to file type can be obtained from sites such as C-TAS (Cyber Threats Analysis System) operated by Korea Internet & Security Agency, CTA (Cyber Threat Alliance) operating system, and VirusTotal as external reference websites. For example, you can search for a file in the site by using the hash value of a hash function such as MD5 (Message-Digest algorithm 5), SHA1 (Secure Hash Algorithm 1), and SHA 256 of the file. And the file can be identified using the search result. When searching for a malicious code, the user can obtain a natural language combination identifier or combined natural language related to the malicious code as identification information in addition to the technical characteristic information of the malicious code. According to the embodiment, in addition to detailed technical information about the malicious code, a natural language-based identifier that can be understood by the general public is provided so that the malicious code can be easily identified. Users can easily remember the malicious code using natural language combination information and use it for re-search later). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KIM et al. into the combination of KOO et al. and KUMAR et al. in order to provide the user with the characteristic information of the classified malicious code and the combination word in response to the user's search request (See KIM et al. ¶ [0017]).

As to claim 6, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the non-transitory computer-readable storage medium according to claim 5 above. 
However, it does not expressly teach the details of wherein the visualization information comprises at least one of a path of processes by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag. KUMAR et al., from analogous art, teaches wherein the visualization information comprises at least one of a path of processes by the assembly code, a degree of maliciousness or maliciousness as a probabilistic value, a hash value of a file for the assembly code, or a related tag (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. and KUMAR et al. 
and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]).

As to claim 11, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the non-transitory computer-readable storage medium according to claim 5 above. KOO et al. further teaches the program comprising instructions further configured to: provide a candidate group when answering the CTI query with data stored in a database as evidence for the candidate group (See ¶¶ [0115]-[0116], Teaches that The detector 1540 detects a malicious code by using a prelearned malicious code classification model with an input of embedding result. In addition, although not illustrated in FIG. 15, the malicious code detection apparatus 1500 may include a learning unit for prelearning an assembly language model and a malicious code detection model that are installed in the malicious code detection apparatus. Of course, the learning unit is a configuration means for learning an assembly language model and a malicious code detection model that are installed, and after the assembly language model and the malicious code detection model are learned, a configuration for the learning unit is not used to detect a malicious code.).

As to claim 12, the combination of KOO et al. and KUMAR et al. and KIM et al. teaches the non-transitory computer-readable storage medium according to claim 5 above. However, it does not expressly teach the details of wherein the visualization information further includes summary information of the CTI, the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques. 
KUMAR et al., from analogous art, teaches wherein the visualization information further includes summary information of the CTI, the summary information includes at least one of attack group information, attack target nation information, attack target industry information, or information on related attack techniques (See ¶¶ [0065]-[0066], [0042], Fig. 11, Teaches that Referring now to FIG. 11, an example of a natural language dialogue between the security analyst and the security bot server is shown. As can be appreciated, the security bot server provides responses and performs tasks that allow resolution of security alerts with improved response times to reduce cost. The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure. The network security server 64 also receives or has access to data relating to attacks occurring on other networks and/or remediation strategies that have been used for particular files or types of malware). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of KUMAR et al. into the combination of KOO et al. and KUMAR et al. and KIM et al. in order to security systems and methods using an automated bot with a natural language interface for improving response times for security alert response, and mediation (See KUMAR et al. ¶ [0001]). 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to James R Hollister whose telephone number is (571)270-3152. The examiner can normally be reached Mon - Fri 7:30 am - 4:00 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

James Hollister
/J.R.H./
Examiner, Art Unit 2499
3/6/26

/PHILIP J CHEA/
Supervisory Patent Examiner, Art Unit 2499

Prosecution Timeline

Aug 18, 2023
Application Filed
Apr 05, 2025
Non-Final Rejection — §103
Jul 10, 2025
Response Filed
Oct 24, 2025
Final Rejection — §103
Jan 26, 2026
Request for Continued Examination
Feb 12, 2026
Response after Non-Final Action
Mar 06, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602472
BLINDING COUNTERMEASURE TO SECURE MULTIPLICATION OPERATIONS AGAINST SIDE CHANNEL ATTACKS
2y 5m to grant Granted Apr 14, 2026
Patent 12603892
Global mapping to internal applications
2y 5m to grant Granted Apr 14, 2026
Patent 12598170
REVERSE AUTHENTICATOR OF VIRTUAL OBJECTS AND ENTITIES IN VIRTUAL REALITY COMPUTING ENVIRONMENTS
2y 5m to grant Granted Apr 07, 2026
Patent 12580940
SECURITY ASSESSMENT OF SERVICES BEING MIGRATED TO A CLOUD PLATFORM
2y 5m to grant Granted Mar 17, 2026
Patent 12563252
Low Latency Adaptive Bitrate Linear Video Delivery System
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+25.6%)
2y 8m
Median Time to Grant
High
PTA Risk
Based on 215 resolved cases by this examiner. Grant probability derived from career allow rate.
