Prosecution Insights
Last updated: May 29, 2026
Application No. 18/338,112

Rules-Based Malware Resolution Suggestions

Status: Non-Final OA §103
Filed: Jun 20, 2023
Examiner: REVAK, CHRISTOPHER A
Art Unit: 2407
Tech Center: 2400 — Computer Networks
Assignee: Crowdstrike Inc.
OA Round: 3 (Non-Final)
Grant Probability: 89% (Favorable)
OA Rounds: 3-4
Est. Remaining: 0m
With Interview: 98%

Examiner Intelligence

Career Allowance Rate: 89% (991 granted / 1110 resolved; +31.3% vs TC avg; grants above average)
Interview Lift: +8.6% across resolved cases with interview (moderate +9% lift)
Typical timeline: 2y 7m average prosecution; 16 currently pending
Career history: 1124 total applications across all art units

Statute-Specific Performance (rejection rate by statute; based on career data from 1110 resolved cases)

§101: 5.2% (-34.8% vs TC avg)
§103: 31.9% (-8.1% vs TC avg)
§102: 42.2% (+2.2% vs TC avg)
§112: 2.0% (-38.0% vs TC avg)

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on March 27, 2026 has been entered.

Response to Arguments

Applicant's amendments and arguments filed with respect to the grounds of the rejection of claims 8-20 under 35 U.S.C. 112(a) as failing to comply with the written description requirement have been fully considered and are persuasive. The previous grounds of the rejection have been withdrawn.

Applicant's arguments filed have been fully considered but they are not persuasive.

With respect to the argument: "The Advisory Action legally errs. As the Applicant below shows, Ogle with Katz teaches away. In the Advisory Action dated April 13, 2026, Examiner Revak contends that the below textual evidence "are not cited by the Examiner" and thus not persuasive. This is legal error. "A prior art reference must be considered in its entirety, i.e., as a whole, including portions that would lead away from the claimed invention." See M.P.E.P. at § 2141.02(VI). See also W.L. Gore & Assoc., Inc. v. Garlock, Inc., 220 U.S.P.Q. (BNA) 303 (Fed. Cir. 1983), cert. denied, 469 U.S. 851 (1984) (finding the district court erred "in considering the references in less than their entireties, i.e., in disregarding disclosures in the references that diverge from and teach away from the invention at hand"). The Advisory Action shows that Examiner Revak wants to "cherry pick" only certain teachings of Ogle with Katz and to ignore teachings that are unfavorable. Simply put, the Examiner wants to exclude unfavorable evidence that diverges from and teaches away from the pending claims. The Examiner has legally erred. Ogle with Katz, though, teaches away. A proposed combination is improper when the "suggested combination of references would require a substantial reconstruction and redesign of the elements as well as a change in the basic principles under which the [reference] was designed to operate." See In re Ratti, 270 F.2d 810, 813 (CCPA 1959). See also M.P.E.P. § 2145 (X)(D)(2) and § 2143.01. "What the prior art teaches, whether a person of ordinary skill in the art would have been motivated to combine references, and whether a reference teaches away from the claimed invention are questions of fact." Apple Inc. v. Samsung Elecs. Co., 839 F.3d 1034, 1047 (Fed. Cir. 2016) (en banc). See also In re Mouttet, 686 F.3d 1322, 1330 (Fed. Cir. 2012). Obviousness may be defeated if the prior art indicates that the invention would not have worked for its intended purpose or otherwise teaches away from the invention. See DePuy Spine, Inc. v. Medtronic Sofamor Danek, Inc., 567 F.3d 1314, 1326 (Fed. Cir. 2009). A reference teaches away "when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken" in the claim. See Galderma Labs., L.P. v. Tolmar, Inc., 737 F.3d 731, 738 (Fed. Cir. 2013)."

The Examiner acknowledges the Applicant's application of case law.

In response to applicant's argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Katz et al discloses preemptive event management by preventing the processing of events by an operating system based on kernel level analysis of real time events in a computing device, col. 2, line 66 through col. 3, line 2, and further preemptively blocks processes at detection before dispatching the detected event, col. 3, lines 18-21. Although the teachings of Ogle et al fail to disclose detection of kernel-level events, Katz et al offers an extension to Ogle et al by detection of kernel level events that would enable a malicious actor to obtain high-level privileged access to the operating system.

The Applicant argues: "Ogle, for example, succinctly describes its principle of operation. Ogle's principle of operation detects malicious events by analyzing "attach requests" and other communications to a radio access network (or RAN), as Ogle's column 5 explains: When communication devices communicate attach requests (e.g., initial attach request; or an update attach request, such as an authentication update request) or other types of communications to the RAN to request connection to the RAN, requests updates in connection with a connection to the RAN, or for other reasons, the SMC can receive information comprising or relating to such attach requests or other types of communications. The SMC, employing a parser component and a filter component, can analyze the information comprising or relating to such attach requests or other types of communications. Based at least in part on the analysis, the parser component can parse the information and, from the parsed information, the filter component can determine which items of information are relevant. The filter component can filter (e.g., intelligently filter) the parsed information to generate filtered information, comprising the relevant information, and can purge the undesired information (e.g., information determined to not be sufficiently relevant). The filtered information (e.g., filtered information comprising or relating to such attach requests or other types of communications) can be provided to the detector component. See U.S. Patent 11,588,850 to Ogle, et al. at column 5, lines 18-55 (emphasis added). Ogle's principle of operation, in particular, parses and filters "attach requests" to determine "characteristics associated with communications devices," as Ogle's column 6 explains: The detector component can analyze the filtered information. Based at least in part on the results of analyzing the filtered information, the detector component can determine respective characteristics associated with respective communication devices, respective groups of communication devices, or respective messages associated with the respective communication devices. The respective characteristics associated with the respective devices, respective groups of communication devices, or the respective messages can comprise, for example, a type of communication device, a device identifier associated with the communication device, a location of a communication device, a number of communication devices located within a defined area and/or located in relative proximity (e.g., within a defined distance) of each other, a type of request or communication, a priority level associated with a communication device or associated communication (e.g., message), a time (e.g., time of day, day of week, or time of year, ….) associated with the attach request or other communication received from a communication device, or other desired characteristics. See id. at column 6, lines 1-20 (emphasis added). Ogle's principle of operation then compares these "characteristics" to baseline values that indicate a "malicious event against the RAN." See id. at column 6, lines 21-40. Indeed, numerous times Ogle repeats how its principle of operation determines malware events by analyzing "attach requests" and other communications to a radio access network (or RAN). See, e.g., id. at column 11, line 10 through column 13, line 15 (again explaining "attach requests" and analyzing device type, deviceID, time, location and priority of the communications device)."

The Examiner respectfully disagrees. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. The sections relied upon by the Applicant with respect to Ogle are not cited by the Examiner in the Final Office Action.
Applying the broadest reasonable interpretation to the claim language, Ogle also assesses malware events and is in the same field of invention as what is claimed by the Applicant. Ogle has been shown to disclose: "comparing, by the computer, the malware event to a malware assessment rule associated with a malware (a SMC (Security Management Component) determines if the received relevant information (i.e., data indicative of a potential malware event) obtained by parsing operations and comparison with defined network security criteria (i.e., malware assessment rules) is indicative of a malware event, col. 19, lines 51-58, col. 19, line 60 through col. 20, line 1; and col. 23, lines 15-27)". The sections cited by the Applicant are different from the portions relied upon by the Examiner in the Non-final Office Action and also in the Final Office Action. The Examiner finds the Applicant's argument to be non-persuasive, and hereby maintains the current grounds of the rejection.

With respect to the argument: "Katz destroys Ogle's principle of operation. Katz detects malware by monitoring kernel level events, as Katz Abstract expressly explains: A computerized method of preemptive event handling. The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS. See U.S. Patent 9,942,246 to Katz, et al. at Abstract (emphasis added). Indeed, Katz is replete with many paragraphs that describe kernel monitoring. See, e.g., id. at column 1, lines 44-55; at column 3, lines 10-24; at column 5, lines 10-55; and at column 6, lines 15-25 (all explaining kernel level and kernel driver). As Examiner Revak must now understand, Ogle with Katz teaches away. If Ogle is combined with Katz, as Examiner Revak proposes, then Ogle's principle of operation must be impermissibly changed. Ogle's principle of operation, for example, must be changed to detect malware by monitoring kernel level events, as taught by Katz. Indeed, Ogle's entire scheme for analyzing "attach requests" and other communications to a radio access network (or RAN) must be eliminated. Ogle's entire scheme for parsing and filtering "attach requests" must be eliminated. Ogle's entire scheme for determining the "characteristics associated with communications devices," such as device type, deviceID, time, location and priority, must be eliminated. Ogle's entire scheme for comparing the "characteristics" to baseline values must be eliminated. Simply put, these changes would require eliminating nearly all of Ogle's disclosure, thus rendering Ogle unsatisfactory for its intended purposes of analyzing "attach requests" and other communications to a radio access network (or RAN). Because the patent caselaw forbids changing a principle of operation to support a prima facie case, the Office is required to remove the § 103 rejections of the pending claims."

The Examiner again respectfully disagrees. In response to applicant's argument that Katz is non-analogous art, it has been held that a prior art reference must either be in the field of the inventor's endeavor or, if not, then be reasonably pertinent to the particular problem with which the inventor was concerned, in order to be relied upon as a basis for rejection of the claimed invention. See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992). In this case, Katz et al discloses preemptive event management by preventing the processing of events by an operating system based on kernel level analysis of real time events in a computing device, col. 2, line 66 through col. 3, line 2, and further preemptively blocks processes at detection before dispatching the detected event, col. 3, lines 18-21. Although the teachings of Ogle et al fail to disclose detection of kernel-level events, Katz et al offers an extension to Ogle et al by detection of kernel level events that would enable a malicious actor to obtain high-level privileged access to the operating system.

With respect to the Applicant's comments on "Katz is replete with many paragraphs that describe kernel monitoring", the Examiner notes how the Applicant's own specification provides little to no guidance on how the kernel monitoring process is different from Katz. It is only suggestive of applying "kernel-level activity" monitoring. Since the standard set forth by the Applicant is that the disclosure is capable of monitoring "kernel-level activity", Katz is a teaching that meets the standard set forth by the Applicant's own disclosure. According to the Applicant's specification, the only mention of "kernel-level activity" from the specification occurs in paragraph 0028: "The malware sensory agent 90 monitors the client device 30. The malware sensory agent 90 interfaces with an operating system executed by the client device 30. The malware sensory agent 90 is a software application or program code stored in a memory device of the client device 30 and executed by a hardware processor operating within the client device 30. The malware sensory agent 90 may thus have permissions to monitor any kernel-level activity and/or any user-mode activity conducted by the client device 30 (such as any smartphone, laptop, tablet, server, switch, or other computer). Should the malware sensory agent 90 detect any suspicious activity, the malware sensory agent 90 cooperates with the operating system to generate and send the malware event 28 to the cloud-computing environment 22." Katz et al meets the claim requirement of monitoring kernel-level activity, using the guidelines set forth in the Applicant's specification when viewed in light of the claims. The Applicant has a different interpretation of the combination of Ogle in view of Katz, contrary to the Examiner's position. The broadest reasonable interpretation of Ogle in view of Katz has been properly applied to the claims by the Examiner. The arguments are found to be non-persuasive, and the Examiner hereby maintains the current grounds of the rejection.

With respect to independent claim 16, the amendments to the claim have overcome the previous grounds of the rejection under 35 U.S.C. 103 as being unpatentable over Ogle et al in view of Katz et al. Claims 17-20 are also in condition for allowance by virtue of their dependency upon allowable claim 16.

Applicant's arguments with respect to the rejection of claims 3, 5, 10, and 12 under 35 U.S.C. 103 as being unpatentable over Ogle in view of Katz in further view of Colquhoun fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments with respect to the rejection of claims 6-7 and 14-15 under 35 U.S.C. 103 as being unpatentable over Ogle in view of Katz in further view of Zorlular fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C.
103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 8, 9, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ogle et al, U.S. Patent 11,588,850 in view of Katz et al, U.S. Patent 9,942,246.

As per claim 1, it is taught by Ogle et al of a method executed by a computer that assesses a malware event, comprising: comparing, by the computer, the malware event to a malware assessment rule associated with a malware (a SMC (Security Management Component) determines if the received relevant information (i.e., data indicative of a potential malware event) obtained by parsing operations and comparison with defined network security criteria (i.e., malware assessment rules) is indicative of a malware event, col. 19, lines 51-58, col. 19, line 60 through col. 20, line 1; and col. 23, lines 15-27); determining, by the computer, that the malware event satisfies the malware assessment rule associated with the malware (defined network security criteria (i.e., malware assessment rules) indicate what types of information can be relevant to determining malicious events against the RAN, col. 19, line 60 through col. 20, line 1 and the comparison of the respective parameters of the respective characteristics determines if there is sufficient evidence of a malicious event occurring against the RAN in accordance with network security criteria (i.e., malware assessment rules), col. 23, lines 15-27); determining, by the computer, a historical malware assessment (an initial or continuous baseline is based upon results of analysis of parsed information and/or other parsing and/or filtering related information of historical information related to malicious event determinations, col. 21, lines 21-31) associated with the malware assessment rule (the comparison of the respective parameters of the respective characteristics determines if there is sufficient evidence of a malicious event occurring against the RAN in accordance with network security criteria (i.e., malware assessment rules), col. 23, lines 15-27); and generating, by the computer, a malware resolution suggestion that historically assesses the malware event based on the historical malware assessment (historical information related to malicious event determinations, col. 21, lines 21-31 and the SMC can mitigate (i.e., malware resolution suggestion) malicious events by certain communication devices in accordance with defined network security criteria (i.e., malware assessment rules) and to further make modifications based upon post process analytics, col. 18, lines 51-63 and col. 30, line 64 through col. 31, line 15).

Ogle et al fails to disclose a computer comparing a malware event detected by a malware sensory agent monitoring an operating system kernel-level activity to a malware assessment rule associated with a malware. Katz et al discloses wherein a computer compares a malware event detected by a malware sensory agent monitoring an operating system kernel-level activity to a malware assessment rule associated with a malware (a threat monitoring module (i.e., malware sensory agent) monitors events in run time at a kernel-level of an operating system running on a computer device, and classifies (i.e. comparing detected malware events against malware assessment rules associated with the malware), col. 2, lines 20-31, wherein it is further disclosed of classifying malware with risk scores, when the score is above a threshold (i.e., malware assessment rule), action is taken against the malware, col. 6, lines 33-39). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to detect kernel-level events operating at the highest level of an operating system since they can be most destructive by performing malicious operations without restrictions. Katz et al discloses preemptive event management by preventing the processing of events by an operating system based on kernel level analysis of real time events in a computing device, col. 2, line 66 through col. 3, line 2, and further preemptively blocks processes at detection before dispatching the detected event, col. 3, lines 18-21. Although the teachings of Ogle et al fail to disclose detection of kernel-level events, Katz et al offers an extension to Ogle et al by detection of kernel level events that would enable a malicious actor to obtain high-level privileged access to the operating system.

As per claim 2, it is disclosed by Ogle et al of further comprising associating the malware assessment rule to a false positive report (determination is made whether there exists a false positive and to communicate the malicious event detection as stored in the data store (i.e., report), col. 32, lines 16-25 and col. 44, lines 53-64, wherein malicious events by certain communication devices are detected in accordance with defined network security criteria (i.e., malware assessment rules), col. 18, lines 51-63).

As per claim 4, it is disclosed by Ogle et al of further comprising associating the malware assessment rule to a true positive report (determination is made whether there exists a false positive or not (i.e., true positive) and to communicate the malicious event detection as stored in the data store (i.e., report), col. 32, lines 16-25 and col. 44, lines 53-64).

As per claim 8, it is disclosed by Ogle et al of a computer that assesses a malware event, comprising: a central processing unit (col. 31, lines 54-63); and a memory device storing instructions that, when executed by the central processing unit, perform operations (col. 52, lines 33-40), the operations comprising: monitoring malware events reported via a cloud-computing environment (a cloud radio access network is used, col. 33, lines 25-28) by malware sensory agents (communication devices (i.e., endpoint client devices) comprise sensors (malware sensory agents) that monitor or sense conditions, col. 8, lines 48-56, col. 9, lines 3-4, wherein the communication devices (i.e., endpoint client devices) can provide a SMC (Security Management Component) with additional information that can or may be pertinent to making malicious event determinations, col. 17, lines 19-24); comparing the malware events to malware assessment rules specifying historical malware events previously reported (an initial or continuous baseline is based upon results of analysis of parsed information and/or other parsing and/or filtering related information of historical information related to malicious event determinations, col. 21, lines 21-31) via the cloud-computing environment by the malware sensory agents (the SMC (Security Management Component) determines if the received relevant information (i.e., data indicative of a potential malware event) obtained by parsing operations and comparison with defined network security criteria (i.e., malware assessment rules) is indicative of a malware event, col. 19, lines 51-58, col. 19, line 60 through col. 20, line 1; and col. 23, lines 15-27); determining that a malware event of the malware events satisfies a malware assessment rule of the malware assessment rules (defined network security criteria (i.e., malware assessment rules) indicate what types of information can be relevant to determining malicious events against the RAN, col. 19, line 60 through col. 20, line 1 and the comparison of the respective parameters of the respective characteristics determines if there is sufficient evidence of a malicious event occurring against the RAN in accordance with network security criteria (i.e., malware assessment rules), col. 23, lines 15-27); identifying a historical malware assessment by querying an electronic database (historical information related to malicious event determinations, col. 21, lines 21-31, wherein the SMC has an associated data store (i.e., electronic database) that stores the historical information for use by the system, col. 31, lines 54-59 and col. 32, lines 16-34) having entries that associate the malware assessment rule to the historical malware assessment (the comparison of the respective parameters of the respective characteristics determines if there is sufficient evidence of a malicious event occurring against the RAN in accordance with network security criteria (i.e., malware assessment rules), col. 23, lines 15-27); and generating a malware resolution suggestion based on the historical malware assessment associated with the malware assessment rule (historical information related to malicious event determinations, col. 21, lines 21-31 and the SMC can mitigate (i.e., malware resolution suggestion) malicious events by certain communication devices in accordance with defined network security criteria (i.e., malware assessment rules) and to further make modifications based upon post process analytics, col. 18, lines 51-63 and col. 30, line 64 through col. 31, line 15).

Ogle et al fails to disclose a computer monitoring, comparing, and determining that a malware event detected by a malware sensory agent monitoring an operating system kernel-level activity satisfies a malware assessment rule associated with a malware. Katz et al discloses wherein a computer compares a malware event detected by a malware sensory agent monitoring an operating system kernel-level activity to a malware assessment rule associated with a malware (a threat monitoring module (i.e., kernel level malware sensory agent) monitors events in run time at a kernel-level of an operating system running on a computer device, and classifies (i.e. comparing detected kernel level malware events against kernel level malware assessment rules associated with the kernel level malware), col. 2, lines 20-31, wherein it is further disclosed of classifying kernel level malware with risk scores, when the score is above a threshold (i.e., kernel level malware assessment rule), action is taken against the malware, col. 6, lines 33-39). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to detect kernel-level events operating at the highest level of an operating system since they can be most destructive by performing malicious operations without restrictions. Katz et al discloses preemptive event management by preventing the processing of events by an operating system based on kernel level analysis of real time events in a computing device, col. 2, line 66 through col. 3, line 2, and further preemptively blocks processes at detection before dispatching the detected event, col. 3, lines 18-21. Although the teachings of Ogle et al fail to disclose detection of kernel-level events, Katz et al offers an extension to Ogle et al by detection of kernel level events that would enable a malicious actor to obtain high-level privileged access to the operating system.

As per claim 9, it is taught by Ogle et al wherein the operations further comprise identifying an entry of the entries in the electronic database that associates the historical malware assessment to a false positive report (determination is made whether there exists a false positive and to communicate the malicious event detection as stored in the data store (i.e., report), col. 32, lines 16-25 and col. 44, lines 53-64, wherein malicious events by certain communication devices are detected in accordance with defined network security criteria (i.e., malware assessment rules), col. 18, lines 51-63).

As per claim 11, it is taught by Ogle et al wherein the operations further comprise identifying an entry of the entries in the electronic database that associates the historical malware assessment to a true positive report (historical information related to malicious event determinations, col. 21, lines 21-31 and determination is made whether there exists a false positive or not (i.e., true positive) and to communicate the malicious event detection as stored in the data store (i.e., report), col. 32, lines 16-25 and col. 44, lines 53-64).

As per claim 13, it is taught by Ogle et al wherein the operations further comprise storing an entry of the entries in the electronic database that associates the malware event to the historical malware assessment (determination is made whether there exists a false positive and to communicate the malicious event detection as stored in the data store, col. 32, lines 16-25 and col. 44, lines 53-64). Katz et al is relied upon for disclosing kernel-level malware events (col. 2, lines 20-31). Please refer above for the motivational reasons for applying the teachings of Katz et al with Ogle et al.

Claims 3, 5, 10, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ogle et al, U.S. Patent 11,588,850 in view of Katz et al, U.S. Patent 9,942,246, in further view of Colquhoun et al, US 2021/0097172.
As per claim 3, Ogle et al discloses of malware resolution suggestions (SMC can mitigate (i.e., malware resolution suggestion) malicious events by certain communication devices in accordance with defined network security criteria (i.e., malware assessment rules) and to further make modifications based upon post process analytics, col. 18, lines 51-63), but the combined teachings of Ogle and Katz fail to disclose of generating a webpage that provides the false positive report. Colquhoun et al discloses of Colquhoun et al teaches of generating a webpage (graphical user interface (GUI) may be a web browser window, paragraph 0028, lines 12-14) that provides the true positive report (the GUI includes a true positives pane along with a false positive pane listing the properties of the system events (i.e., records), paragraph 0100, lines 1-11). It would have been obvious to a person of ordinary skill in the art before the effective filing data of the claimed invention to have been motivated to provide a detailed display in order to assist an analyst to properly analyze the collected event findings. The teachings of Colquhoun et disclose of the need to modify a cybersecurity event detector, paragraph 0058, lines 1-2. Colquhoun et al further discloses of fine tuning the cybersecurity event detector using rules to determine the desired modification to change the rules, paragraph 0059, lines 1-6, which is used to ultimately determine whether a respective system event is indicative of a potential cybersecurity event using the modified cybersecurity detector, paragraph 0063, lines 1-5. Although the combined teachings of Ogle et al and Katz et al disclose of detecting true positives and false positives, there are no means of making adjustments to the detection methods to enable for a more accurate reporting of detected cybersecurity events as is disclosed by Colquhoun et al. 
As per claim 5, Ogle et al discloses malware resolution suggestions (SMC can mitigate (i.e., malware resolution suggestion) malicious events by certain communication devices in accordance with defined network security criteria (i.e., malware assessment rules) and to further make modifications based upon post process analytics, col. 18, lines 51-63), but the combined teachings of Ogle and Katz fail to disclose generating a webpage that provides the true positive report as the malware resolution suggestion. Colquhoun et al teaches generating a webpage (graphical user interface (GUI) may be a web browser window, paragraph 0028, lines 12-14) that provides the true positive report (the GUI includes a true positives pane along with a false positive pane listing the properties of the system events (i.e., records), paragraph 0100, lines 1-11). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to provide a detailed display in order to assist an analyst to properly analyze the collected event findings. The teachings of Colquhoun et al disclose the need to modify a cybersecurity event detector, paragraph 0058, lines 1-2. Colquhoun et al further discloses fine tuning the cybersecurity event detector using rules to determine the desired modification to change the rules, paragraph 0059, lines 1-6, which is used to ultimately determine whether a respective system event is indicative of a potential cybersecurity event using the modified cybersecurity detector, paragraph 0063, lines 1-5. Although the combined teachings of Ogle et al and Katz et al disclose detecting true positives and false positives, there are no means of making adjustments to the detection methods to enable more accurate reporting of detected cybersecurity events as is disclosed by Colquhoun et al.
As per claim 10, the combination of Ogle et al and Katz et al fails to teach generating a malware graphical control that prompts for the false positive report. Colquhoun et al discloses generating a malware graphical control that prompts for the false positive report (a graphical user interface (GUI) includes a true positives pane along with a false positive pane listing the properties of the system events (i.e., records), paragraph 0100, lines 1-11). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to provide a detailed display in order to assist an analyst to properly analyze the collected event findings. The teachings of Colquhoun et al disclose the need to modify a cybersecurity event detector, paragraph 0058, lines 1-2. Colquhoun et al further discloses fine tuning the cybersecurity event detector using rules to determine the desired modification to change the rules, paragraph 0059, lines 1-6, which is used to ultimately determine whether a respective system event is indicative of a potential cybersecurity event using the modified cybersecurity detector, paragraph 0063, lines 1-5. Although the combined teachings of Ogle et al and Katz et al disclose detecting true positives and false positives, there are no means of making adjustments to the detection methods to enable more accurate reporting of detected cybersecurity events as is disclosed by Colquhoun et al.

As per claim 12, the combined teachings of Ogle et al and Katz et al fail to disclose generating a malware graphical control that, when tactilely selected, presents the true positive report.
Colquhoun et al teaches generating a malware graphical control that, when tactilely selected (touch sensitive interface may be overlaid on the display to form a touch sensitive display, paragraph 0108, lines 1-8), presents the true positive report (a graphical user interface (GUI) includes a true positives pane along with a false positive pane listing the properties of the system events (i.e., records), paragraph 0100, lines 1-11). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to provide a detailed display in order to assist an analyst to properly analyze the collected event findings. The teachings of Colquhoun et al disclose the need to modify a cybersecurity event detector, paragraph 0058, lines 1-2. Colquhoun et al further discloses fine tuning the cybersecurity event detector using rules to determine the desired modification to change the rules, paragraph 0059, lines 1-6, which is used to ultimately determine whether a respective system event is indicative of a potential cybersecurity event using the modified cybersecurity detector, paragraph 0063, lines 1-5. Although the combined teachings of Ogle et al and Katz et al disclose detecting true positives and false positives, there are no means of making adjustments to the detection methods to enable more accurate reporting of detected cybersecurity events as is disclosed by Colquhoun et al.

Claims 6, 7, 14, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ogle et al, U.S. Patent 11,588,850 in view of Katz et al, U.S. Patent 9,942,246, in further view of Zorlular et al, U.S. Patent 10,721,262.

As per claim 6, Ogle et al and Katz et al fail to disclose determining an analyst identifier that is associated with the malware assessment rule.
Zorlular et al discloses determining an analyst identifier that is associated with the malware assessment rule (investigator name field (i.e., analyst identifier) is associated with an escalate alert (i.e., malware assessment rule), col. 24, lines 16-30). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to identify analysts who escalate alerts by adding information that is visible to an assignee and to other analysts who are reviewing the alerts to enable confirmation of the escalation of an alert for further scrutiny. If the analyst confirms escalation of the alert, a confirmation is provided and allows for comments to be added so that other users reviewing the alert can be provided with contextual information, which enables more effective sharing and collaboration between analysts, col. 24, lines 53-59 and col. 24, line 65 through col. 25, line 11. Although the combined teachings of Ogle and Katz disclose a system providing malware assessment rules, the teachings of Zorlular et al disclose enabling an analyst to additionally review the findings and associating their identifier, such as the investigator name field, in order to enable sharing and collaboration between analysts to allow for more accurate diagnosis of detected security events.

As per claim 7, Ogle et al and Katz et al fail to teach determining an analyst group identifier that is associated with the malware assessment rule. Zorlular et al teaches determining an analyst group identifier that is associated with the malware assessment rule (investigator name field (i.e., analyst identifier) is associated with an escalate alert (i.e., malware assessment rule), col. 24, lines 16-30). Additional analysts review the alerts, which is interpreted as an analyst group identifier since they are additionally recorded, col. 24, line 65 through col. 25, line 11.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to identify analysts who escalate alerts by adding information that is visible to an assignee and to other analysts who are reviewing the alerts to enable confirmation of the escalation of an alert for further scrutiny. If the analyst confirms escalation of the alert, a confirmation is provided and allows for comments to be added so that other users reviewing the alert can be provided with contextual information, which enables more effective sharing and collaboration between analysts, col. 24, lines 53-59 and col. 24, line 65 through col. 25, line 11. Although the combined teachings of Ogle and Katz disclose a system providing malware assessment rules, the teachings of Zorlular et al disclose enabling an analyst to additionally review the findings and associating their identifier, such as the investigator name field, in order to enable sharing and collaboration between analysts to allow for more accurate diagnosis of detected security events.

As per claim 14, it is disclosed by Ogle et al wherein the operations further comprise identifying an entry of the entries in the electronic database (historical information related to malicious event determinations, col. 21, lines 21-31 and malicious event detection as stored in the data store, col. 32, lines 16-25 and col. 44, lines 53-64); however, the combined teachings of Ogle et al and Katz et al fail to disclose associating an analyst identifier to the historical malware assessment. Zorlular et al teaches associating an analyst identifier to the historical malware assessment (investigator name field (i.e., analyst identifier) is associated with an escalate alert (i.e., malware assessment rule), col. 24, lines 16-30).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to identify analysts who escalate alerts by adding information that is visible to an assignee and to other analysts who are reviewing the alerts to enable confirmation of the escalation of an alert for further scrutiny. If the analyst confirms escalation of the alert, a confirmation is provided and allows for comments to be added so that other users reviewing the alert can be provided with contextual information, which enables more effective sharing and collaboration between analysts, col. 24, lines 53-59 and col. 24, line 65 through col. 25, line 11. Although the combined teachings of Ogle and Katz disclose a system providing malware assessment rules, the teachings of Zorlular et al disclose enabling an analyst to additionally review the findings and associating their identifier, such as the investigator name field, in order to enable sharing and collaboration between analysts to allow for more accurate diagnosis of detected security events.

As per claim 15, it is taught by Ogle et al wherein the operations further comprise identifying an entry of the entries in the electronic database (historical information related to malicious event determinations, col. 21, lines 21-31 and malicious event detection as stored in the data store, col. 32, lines 16-25 and col. 44, lines 53-64); however, the combined teachings of Ogle and Katz fail to disclose associating an analyst group identifier to the historical malware assessment. Zorlular et al teaches associating an analyst group identifier to the historical malware assessment (investigator name field (i.e., analyst identifier) is associated with an escalate alert (i.e., malware assessment rule), col. 24, lines 16-30). Additional analysts review the alerts, which is interpreted as an analyst group identifier since they are additionally recorded, col. 24, line 65 through col. 25, line 11. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated to identify analysts who escalate alerts by adding information that is visible to an assignee and to other analysts who are reviewing the alerts to enable confirmation of the escalation of an alert for further scrutiny. If the analyst confirms escalation of the alert, a confirmation is provided and allows for comments to be added so that other users reviewing the alert can be provided with contextual information, which enables more effective sharing and collaboration between analysts, col. 24, lines 53-59 and col. 24, line 65 through col. 25, line 11. Although the combined teachings of Ogle and Katz disclose a system providing malware assessment rules, the teachings of Zorlular et al disclose enabling an analyst to additionally review the findings and associating their identifier, such as the investigator name field, in order to enable sharing and collaboration between analysts to allow for more accurate diagnosis of detected security events.

Allowable Subject Matter

Claims 16-20 are allowed. The following is a statement of reasons for the indication of allowable subject matter: Claim 16 stands allowable over the prior art of record as argued by the Applicant in the responses dated May 2, 2026 and March 27, 2026.

Conclusion

The relevant art made of record and not relied upon is considered pertinent to applicant's disclosure.

Horie, US 2025/0217482 is relied upon for disclosing a kernel probe section that transmits the received kernel trace information to the management terminal. Note that, upon receiving kernel trace information, the management terminal displays this kernel trace information, allowing an administrator to check whether or not there is any kernel anomaly.
If the administrator determines that there is a kernel anomaly (kernel anomalies), he or she will operate the management terminal to transmit a stop command to the monitoring server apparatus, see paragraph 0082.

Philip, US 2024/0048567 is relied upon for disclosing that a threat analysis database engine may query the forward proxy on identified traffic, and validate the website with a vulnerability URL database. The threat analysis database engine may send an analyzed result output to a proxy content filtering engine for action and may update the vulnerability URL database, and/or cyber threat intelligence/open-source intelligence (CTI/OSINT) database, see paragraph 0019.

Edwards et al, US 2013/0312095 is relied upon for disclosing determining whether the process or file is known to be associated with malware, known to be safe, or is unknown as to malware status. In one embodiment, anti-malware server or anti-malware rules may be configured to provide analysis for the entity in which it is not definitively known whether or not the entity is associated with malware. If it is definitively known whether, for example, a hash of the entity is matched to malware, then anti-malware module may determine that the entity is malicious and take appropriate corrective action. Furthermore, if it is definitively known whether, for example, a hash of the entity is matched to a known safe program, such as a portion of the operating system kernel, then anti-malware module may determine that the entity is safe and allow the locking operation, see paragraph 0021.

Kim et al, US 2010/0169973 is relied upon for disclosing a malicious action database that has predetermined malicious action data stored therein. Here, malicious actions are defined by standardizing actions that various malicious code or viruses commonly undertake, and the malicious action data is written based on kernel-based system events which occur when malicious code or viruses are actually running.
Therefore, the malicious action data may have the same organization as the action data presented in Tables 1 to 5. Also, the malicious action data may be encoded so as to have a form which is not recognized by common users, see paragraph 0035.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2407

Prosecution Timeline

Oct 02, 2025
Response Filed
Feb 03, 2026
Final Rejection mailed — §103
Feb 10, 2026
Applicant Interview (Telephonic)
Feb 17, 2026
Examiner Interview Summary
Mar 27, 2026
Response after Non-Final Action
May 02, 2026
Request for Continued Examination
May 06, 2026
Response after Non-Final Action
May 18, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12619785
SYSTEMS AND METHODS FOR DOCUMENT HIERARCHY PERMISSIONING
3y 9m to grant Granted May 05, 2026
Patent 12619700
SYSTEM AND METHOD FOR HUMAN AUTHENTICATION USING GRAPHENE MEMBRANE FOR UNOBSTRUCTED OPTICAL, ULTRASOUND, AND CAPACITANCE SENSORY AND COMMUNICATION IN DISTRIBUTED COMPUTING CARD FORMAT
1y 8m to grant Granted May 05, 2026
Patent 12615236
HIGH-FIDELITY EVENT DATA FOR MULTI-CLOUD SERVICES
1y 11m to grant Granted Apr 28, 2026
Patent 12602477
DETECTING TARGETED INTRUSION ON MOBILE DEVICES
2y 11m to grant Granted Apr 14, 2026
Patent 12596798
PROBABILISTIC TRACKER MANAGEMENT FOR MEMORY ATTACK MITIGATION
2y 3m to grant Granted Apr 07, 2026


Prosecution Projections

3-4
Expected OA Rounds
89%
Grant Probability
98%
With Interview (+8.6%)
2y 7m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 1110 resolved cases by this examiner. Grant probability derived from career allowance rate.
