Prosecution Insights
Last updated: July 17, 2026
Application No. 18/926,119

DEFINING INDICATORS OF MALICIOUS ACTIVITY BY A MACHINE LEARNED MODEL

Non-Final OA §103
Filed
Oct 24, 2024
Examiner
SPOONER, LAMONT M
Art Unit
2657
Tech Center
2600 — Communications
Assignee
CrowdStrike Inc.
OA Round
5 (Non-Final)
74%
Grant Probability
Favorable
5-6
OA Rounds
1y 8m
Est. Remaining
86%
With Interview

Examiner Intelligence

Grants 74% — above average
74%
Career Allowance Rate
450 granted / 612 resolved
+11.5% vs TC avg
Moderate +12% lift
Without
With
+12.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
17 currently pending
Career history
629
Total Applications
across all art units

Statute-Specific Performance

§101
2.0%
-38.0% vs TC avg
§103
79.7%
+39.7% vs TC avg
§102
11.2%
-28.8% vs TC avg
§112
4.5%
-35.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 612 resolved cases

Office Action

§103
DETAILED ACTION Introduction This office action is in response to applicant’s request for continued examination filed 3/18/26. Claims 1, 3-20 are currently pending and have been examined. Applicant’s IDS have been considered. There is no claim to foreign priority. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/18/2026 has been entered. Response to Arguments Applicant’s arguments, see remarks, filed 3/18/2026, with respect to the rejection(s) of claim(s) 1, 3-20 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the at least the previously cited prior art, and further in view of Coulter et al. (Coulter, US 2025/0053587) and/or Mercado-Alcala et al. (Mercado, US 12,259,976). The Examiner notes Coulter explicitly teaches using a plurality of statistical features of labeled data entities, and the corresponding vector representation thereof, to detect malicious activity. The Examiner further notes, this enhances the argued Stokes discussed features, with an explicit “actual” length, and multiple other length and corresponding statistical features of the labeled data. Applicant further argues, regarding claim 12, “While Stokes describers a labeled data set containing command line strings, Stokes is silent regarding the labeled data set containing a process tree.” The Examiner notes, in the previous set of claims, claims 11 and 17, the applicant claims “a process tree or a command line”, wherein the data entity being analyzed presents absolutely no new or novel aspect to detecting malicious activity. Each aspect of the claim as applied to the command lines, are interpreted to be applied to process trees, given process trees are taught by the newly cited prior art, as data to be analyzed for malicious content. The Examiner notes Mercado-Alcala et al. (Mercado, US 12,259,976), explicitly details having a set of labeled process trees, thus being able to have a process identified as malicious, benign, etc. wherein the system monitors processes (process trees) and command lines for malicious activity. The Examiner notes that having labeled process trees, and determining malicious activities in the process trees is not novel, wherein the labeled data entities are taught to include command lines, process trees, and other types of data, to be analyzed for malicious activities. Furthermore, Mercado explicitly details the machine learning model is based on multiple categories of labeled records, which include command lines and process tree data (see the current rejection below). Applicant’s remaining arguments are based on the above arguments and are rejected accordingly. Claim Objections Claim 3 is objected to because of the following informalities: In claim 3, throughout multiple lines, “the least one labeled” should probably be - -the at least one- -. This issue is found in multiple lines, including at least line 4, 8, 10, 12, 13, 15, 17 and 18. Claim 12 is objected to because of the following informalities: In claim 12, lines 12 and 13, “for at least one labeled process tree of the set of process trees” should probably be - - for at least one labeled process tree of the set of labeled process trees- -, to maintain clarity, antecedent basis and congruency with respect to claim 18. Appropriate correction is required. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 3-4 and 6-11 is/are rejected 35 U.S.C. 103 as being unpatentable over Stokes, III et al. (Stokes, US 2023/0096895) and further in view of Gururajan et al. (Gururajan, US 2021/0312041), and further in view of Seward et al. (Seward, US 10,367,827), and further in view of Coulter et al. (Coulter, US 2025/0053587). As per claim 1, Stokes teaches a system comprising: one or more processors (paragraph [0086, 0087]-fig. 7, see his processor, computer-readable instruction discussion); a user interface coupled to the one or more processors (ibid-Fig. 7, paragraph [0089]); and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed, cause the one or more processors to perform operations comprising (ibid, paragraphs [0086-0089]): receiving a joint vocabulary and a set of labeled data entities, the joint vocabulary generated by (paragraphs [0036, 0037, 0032, 0058-0071]-his data set, from manually labeled, and machine learning labeled, as the joint vocabulary, the joint dataset being used in subsequent operations, Fig. 1 item 118, 104, 102): determining at least one first data token based at least in part on user data entered by way of the user interface, the at least one first data token being one or more human-interpretable characters (see paragraph [0042, 0011, 0079], and this processing is deemed, having one first data token determined based on the user input, which is entered via the user interface, the at least one first data token being one or more human-interpretable characters, see his token discussion, the words, strings, as human-interpretable characters, Figs. 1, 2A, paragraphs [0014, 0031, 0035]-his manually entered text strings, and human security expert adding a sample of data/terms, as the token, and his “labeled data”, such as “malicious” or “benign”, his data entered manually, via a user interface), determining at least one second data token [by a tokenizer trained using unlabeled training data] (Figs. 1, 2A, paragraphs [0036, 0037]-his machine learned terms and data as classified, as the tokens, and his “labeled data”, such as “malicious” or “benign”, based on his data entered automatically, via and determined by a machine learned model); combining the at least one first data token and the at least one second data token into the joint vocabulary (ibid-paragraphs [0032, 0036, 0037, 0058-0071]-the aggregate model, thus the use of the first and second machine learning model, which comprises the datasets, as the joint vocabulary, Fig. 1 items 118, or 118 and 104, both sets of vocabulary or data sets, are joined together, and input into the aggregated representation module, which uses both vocabulary data sets, Figs. 5A, 5B); [receiving statistical features associated with at least one labeled data entity of the set of labeled data entities, the statistical features including a length of the at least one labeled data entity]; based at least in part on the joint vocabulary, determining, for the at least one labeled data entity, a vector representation of the at least one labeled data entity, the vector representation indicating presence or counts of data tokens of the joint vocabulary within the at least one labeled data entity [and numerical values corresponding to the values of the statistical features] (ibid-paragraphs [0043-0045, 0049]-Fig. 1-his term embedding model, and numerical representations, of the labeled data entity, Fig. 2B, his one-hot encoding, representing a count and presence of tokens of the vocabulary within the labeled data entity); and using the vector representation in detecting malicious activity in data transactions associated with the at least one labeled data entity (ibid, see also paragraphs [0039, 0040, 0002]-his detection of malicious activity based on the vector representation, see his file transmission, security and attack prevention discussion). Stokes lacks explicitly teaching that which Gururajan teaches, determining at least one second data token by a tokenizer trained using unlabeled training data (paragraphs [0028, 0026]-see his constructed vocabulary, based on unsupervised training, using a corpus that is tokenized, thus tokens are determined by a tokenizer, from the text corpus, the “unsupervised” training, defined as, “a machine learning technique that identified patterns and relationships within unlabeled data”). Thus, it would have been obvious to one of ordinary skill in the linguistics art, before the effective filing date of the invention, as all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (computer implemented techniques and algorithms combining processes and steps in natural language processing), in view of the teachings of Stokes and Gururajan and Seward to combine the prior art element of generating an aggregate vocabulary, of first and second data tokens, from labeled and unlabeled data as taught by Stokes with a tokenization process, to assist in generating a vocabulary, wherein the tokenizer is trained in an unsupervised manner, thus not requiring labeled data, as taught by Gururajan as each element performs the same function as it does separately, as the combination would yield predictable results, KSR International Co. v. Teleflex Inc., 550 US. -- 82 USPQ2nd 1385 (2007), wherein the predictable result would be generating a tokenized vocabulary dataset using unsupervised training for a tokenizer in order to detect malicious content, the vocabulary including a user generated list and automated list aggregated into a single vocabulary list, wherein a user can manipulate the vocabulary, enable disable, and aggregate into a single vocabulary, (ibid-Gururajan, paragraphs [0026] and abstract, Seward, C.13 lines 26-51-see his aggregated into a single list discussion). Stokes, Gururajan and Seward lack explicitly teaching that which Coulter teaches, receiving statistical features associated with at least one labeled data entity of the set of labeled data entities, the statistical features including a length of the at least one labeled data entity (paragraph [0050, 0050-0056]-his multiple “statistical features” for labeled data, including multiple length-based features, including length of a labeled data entity, such as his character count, word count, line count, word length, etc.); based at least in part on the joint vocabulary, determining, for the at least one labeled data entity, a vector representation of the at least one labeled data entity, the vector representation indicating presence or counts of data tokens of the joint vocabulary within the at least one labeled data entity and numerical values corresponding to the values of the statistical features (ibid-see his counts/lengths as corresponding to the statistical features). Thus, it would have been obvious to one of ordinary skill in the linguistics art, before the effective filing date of the invention, as all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (computer implemented techniques and algorithms combining processes and steps in natural language processing), in view of the teachings of Stokes and Gururajan and Seward and Coulter to combine the prior art element of generating an aggregate vocabulary, of first and second data tokens, from labeled and unlabeled data as taught by Stokes with a tokenization process, to assist in generating a vocabulary, wherein the tokenizer is trained in an unsupervised manner, thus not requiring labeled data, as taught by Gururajan with using statistical features for labeled data entities, and having a vector representation thereof as each element performs the same function as it does separately, as the combination would yield predictable results, KSR International Co. v. Teleflex Inc., 550 US. -- 82 USPQ2nd 1385 (2007), wherein the predictable result would be detecting malicious activity using the vector representation which encodes statistical features to match the pattern of malicious content, (ibid-Coulter, see also paragraph [0061, 0062]). As per claim 3, Stokes with Coulter further make obvious the system of claim 1, wherein the statistical features further include at least one of: a length of a part of the least one labeled data entity (ibid-see Coulter, which teaches the length variations, character counts, and the like, associated with a data entity, see claim 1); a number of alphanumeric character strings in a data entity or in a part of a data entity; an average length, a minimum length, a maximum length, or a standard deviation of length of substrings separated by whitespace in the least one labeled data entity or in a part of the least one labeled data entity; a ratio of digits to alphanumeric characters in the least one labeled data entity or in a part of the least one labeled data entity; a number of characters associated with the least one labeled data entity or a part of the least one labeled data entity; a ratio of digits and counts; a ratio of one type of character to all characters in the least one labeled data entity or in a part of the least one labeled data entity; or a ratio of alphanumeric characters to total length of characters in the least one labeled data entity or in the least one labeled part of a data entity. As per claim 4, Stokes further makes obvious the system of claim 1, wherein: the at least one second data token represents a set of human-interpretable characters, and the tokenizer is configured to output the at least one second data token based at least in part on an unsupervised algorithm (ibid-see claim 1, machine learned model tokens/terms discussion, paragraph [0014, 0036, 0037, 0079, 0058-0071]-his automatic collection of terms, from unlabeled data, by the machine learned model, and corresponding terms as output to the term embedding module). As per claim 6, Stokes further makes obvious the system of claim 1, wherein using the vector representation comprises providing the vector representation and one or more labels associated with the at least one labeled data entity to a machine learning model to train the machine learning model to detect the malicious activity (paragraphs [0036-0039]-see his continually ”train” and training discussion of the machine learning model discussion, based on the labels associated with the labeled data entity). As per claim 7, Stokes further makes obvious the system of claim 6, wherein using the vector representation further comprises providing at least one of the vector representation, the machine learning model, or the indicator or attack to a host device to detect malicious activity on the host device (ibid, Figs. 1-8, paragraph [0095]-his malware detection as a service, the service to include the vector representation, machine learned model, and indicator or attack, on his plurality of (host) device(s), via his service to the multiple devices). As per claim 8, Stokes further makes obvious the system of claim 6, wherein the one or more labels indicate one or more security statuses for the at least one labeled data entity and the vector representation is associated with the one or more security statuses (ibid, Fig. 6C items 514A-514D, Fig. 2B-see his labels, and claim 1, labeled data entity discussion, his malicious, benign, uncertain, anomalous, etc. as the security statuses). As per claim 9, Stokes further makes obvious the system of claim 8, wherein the one or more security statuses include at least one of a malicious status, a clean status, or an unwanted status (ibid-see claim 8, statuses discussion, to include malicious, clean, etc. statuses). As per claim 10, Stokes further makes obvious the system of claim 1, wherein using the vector representation in detecting the malicious activity in the data transactions comprises providing the vector representation to a supervised machine learning model or using the vector representation to learn new indicators of attack from the machine learning model (ibid-claim 1, see transaction discussion-paragraphs [0038, 0039]-as his supervised learning model, including learning new indicators of attack from the machine learning model, see Fig. 1). As per claim 11, Stokes further makes obvious the system of claim 1, further comprising: receiving a process tree or a command line as part of the data transaction (ibid-see Figs. 1, 2A, 2B, abstract, claim 1, detecting malicious activity in data transactions discussions, his command line discussion); analyzing the process tree or command line based at least in part on the vector representation or on a model or component trained with the vector representation (ibid-see Figs. 1-2B, above trained model discussion, as trained with the vector representation, paragraphs [0036-0038]); and applying one or more security statues to the process tree or command line based at least in part on the analyzing (ibid-see above, claim 1, detecting malicious activity discussion, as pertaining to the command line, and corresponding security statuses, classification as malicious, benign, etc. Figs. 1-8, abstract). Claim(s) 12-20 is/are rejected 35 U.S.C. 103 as being unpatentable over Stokes, III et al. (Stokes, US 2023/0096895) and further in view of Gururajan et al. (Gururajan, US 2021/0312041), and further in view of Seward et al. (Seward, US 10,367,827), and further in view of Mercado-Alcala et al. (Mercado, US 12,259,976). As per claim 12, claim 12 sets forth limitations similar to claim 1 and is thus rejected under similar reasons and rationale, wherein the system is deemed to embody the method, such that Stokes teaches a method comprising (paragraph [0026]): receiving, by one or more computing devices, a joint vocabulary and a set of labeled [process trees], the joint vocabulary generated by (paragraphs [0036, 0037, 0032, 0058-0071]-his data set, from manually labeled, and machine learning labeled, as the joint vocabulary, the joint dataset being used in subsequent operations, Fig. 1 item 118, 104, 102): determining at least one first data token based at least in part on user data entered by way of a user interface, the at least one first data token being one or more human-interpretable characters (see paragraph [0042, 0011, 0079], and this processing is deemed, having one first data token determined based on the user input, which is entered via the user interface, the at least one first data token being one or more human-interpretable characters, see his token discussion, the words, strings, as human-interpretable characters, Figs. 1, 2A, paragraphs [0014, 0031, 0035]-his manually entered text strings, and human security expert adding a sample of data/terms, as the token, and his "labeled data", such as "malicious" or "benign", his data entered manually, via a user interface), determining at least one second data token by a machine learned model (Figs. 1, 2A, paragraphs [0036, 0037]-his machine learned terms and data as classified, as the tokens, and his "labeled data", such as "malicious" or "benign", based on his data entered automatically, via and determined by a machine learned model), [the at least one second data token representing a hierarchy of characters included in an unlabeled data entity]; and combining the at least one first data token and the at least one second data token into the joint vocabulary (ibid-paragraphs [0032, 0036, 0037, 0058- 0071]-the aggregate model, thus the use of the first and second machine learning model, which comprises the datasets, as the joint vocabulary, Fig. 1 items 118, or 118 and 104, both sets of vocabulary or data sets, are joined together, and input into the aggregated representation module, which uses both vocabulary data sets, Figs. 5A, 5B); based at least in part on the joint vocabulary, determining for at least one labeled [process trees] of the set of labeled [process trees], by the one or more computing devices, a vector representation of the at least one labeled [process trees], the vector representation indicating presence or counts of data tokens of the joint vocabulary within the at least one labeled [process trees] (ibid-paragraphs [0043-0045]-Fig. 1-his term embedding model, and numerical representations, of the labeled data entity, Fig. 2B, his one-hot encoding, representing a count and presence of tokens of the vocabulary within the labeled data entity); and using, by the one or more computing devices, the vector representation for use in detecting malicious activity in data transactions associated with the at least one labeled [process tree] (ibid, see also paragraphs [0039, 0040, 0002]-his detection of malicious activity based on the vector representation, see his file transmission, security and attack prevention discussion). Stokes lacks explicitly teaching that which Gururajan teaches, the at least one second data token representing a hierarchy of characters included in an unlabeled data entity (paragraphs [0023, 0028, 0030, 0032, 0026, 0062]-see his constructed vocabulary, based on unsupervised training, using a corpus that is tokenized, thus tokens are determined by a tokenizer, from the text corpus, the “unsupervised” training, defined as, “a machine learning technique that identified patterns and relationships within unlabeled data”, his character level tokenization, based on the series, thus hierarchy of characters, and unsupervised training discussion). Thus, it would have been obvious to one of ordinary skill in the linguistics art, before the effective filing date of the invention, as all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (computer implemented techniques and algorithms combining processes and steps in natural language processing), in view of the teachings of Stokes and Gururajan to combine the prior art element of generating an aggregate vocabulary from labeled and unlabeled data as taught by Stokes with a tokenization process, to assist in generating a vocabulary, wherein the tokenizer is trained in an unsupervised manner, thus not requiring labeled data, using a hierarchy of characters, for character level encoding and training, as taught by Gururajan as each element performs the same function as it does separately, as the combination would yield predictable results, KSR International Co. v. Teleflex Inc., 550 US. -- 82 USPQ2nd 1385 (2007), wherein the predictable result would be generating a tokenized vocabulary dataset using unsupervised training for a tokenizer of characters, in order to detect malicious content (ibid-Gururajan, paragraphs [0026] and abstract). The above combination lacks teaching that which Mercado-Alcala teaches, a set of “labeled process trees”, wherein each labeled process trees as claimed above, are interpreted as a type of labeled data entity hereinafter (wherein the Examiner notes, the process trees as taught by Mercado teaches a set of labeled data entities comprising labeled process trees/hierarchies and command lines, and a plurality of other categories of data, Mercado C.2 lines 1-10-his labeled data set, C.16 lines 13-25, C.23-C.26-his labeled data set categories, and records including process trees comprising parent/child relationships of processes and command lines labeled as , C.17 and 18-his process trees). Thus, it would have been obvious to one of ordinary skill in the linguistics art, before the effective filing date of the invention, as all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (computer implemented techniques and algorithms combining processes and steps in natural language processing), in view of the teachings of Stokes and Gururajan and Mercado to combine the prior art element of generating an aggregate vocabulary from labeled and unlabeled data as taught by Stokes with a tokenization process, to assist in generating a vocabulary, wherein the tokenizer is trained in an unsupervised manner, thus not requiring labeled data, using a hierarchy of characters, for character level encoding and training, as taught by Gururajan with the labeled process trees (or other labeled data entities such as command lines, to be analyzed for malicious activities) as taught by Mercado as each element performs the same function as it does separately, as the combination would yield predictable results, KSR International Co. v. Teleflex Inc., 550 US. -- 82 USPQ2nd 1385 (2007), wherein the predictable result would be generating a tokenized vocabulary dataset using unsupervised training for a tokenizer of characters, in order to detect malicious content, the content from process trees and other data entities such as command lines, etc. (ibid-Gururajan, paragraphs [0026] and abstract, ibid-Mercado-Alcala). As per claim 13, Stokes with Mercado further makes obvious the method of claim 12, Stokes teaches, further comprising receiving statistical features associated with [the at least one process tree] and including with the vector representation, numerical values corresponding to values of the statistical features for the [at least one process tree] (ibid-Stokes, Fig. 2B-4, paragraph [0055]-his term count, frequency determination, and corresponding term representations vectors generated therefrom, based on the entities. Stokes lacks teaching that which Mercado teaches, the at least one process tree, as claimed above (see claim 12, Mercado process tree discussion, wherein the entities are taken as the process trees, as discussed in claim 12, as taught by Mercado, the Examiner notes, claim 13, is similarly motivated and combined, as taught in claim 12, such that the features extracted, are based on entities, the entities as process trees). As per claims 14 and 20, Stokes further makes obvious the method of claim 12, wherein: the at least one second data token represents a set of human-interpretable characters, and the machine learned model is configured to output the at least one second data token based at least in part on an unsupervised algorithm (ibid-see claim 1, machine learned model tokens/terms discussion, paragraph [0014, 0036, 0037, 0079, 0058-0071]-his automatic collection of terms, from unlabeled data, by the machine learned model, and corresponding terms as output to the term embedding module). As per claim 15, Stokes further makes obvious the method of claim 12, wherein using the vector representation comprises providing the vector representation and one or more labels associated with the [at least one process tree] to a machine learning model to train the machine learning model to detect the malicious activity (paragraphs [0036-0039]-see his continually ”train” and training discussion of the machine learning model discussion, based on the labels associated with the labeled data entity). Stokes lacks teaching that which Mercado teaches, the at least one process tree, as claimed above (see claim 12, Mercado process tree discussion, wherein the entities are taken as the process trees, as discussed in claim 12, as taught by Mercado, the Examiner notes, claim 13, is similarly motivated and combined, as taught in claim 12, such that the method is directed towards the process trees as the entities or labeled data entities). As per claim 16, Stokes with Mercado further makes obvious the method of claim 15, wherein using the vector representation comprises providing at least one of the vector representation, the machine learning model, or an indicator of attack obtained from the machine learned model to a host device to detect malicious activity on the host device (ibid-Stokes, Figs. 1-8, paragraph [0095]-his malware detection as a service, the service to include the vector representation, machine learned model, and indicator or attack, on his plurality of (host) device(s), via his service to the multiple devices). As per claim 17, Stokes further makes obvious the method of claim 12, further comprising: applying one or more security statues to the at least one labeled [process tree] based at least in part on the vector representation (ibid-see above, claim 1, detecting malicious activity discussion, as pertaining to the command line, and corresponding security statuses, classification as malicious, benign, etc. Figs. 1-8, abstract). Stokes lacks teaching that which Mercado teaches, the at least one process tree, as claimed above (see claim 12, Mercado process tree discussion, wherein the entities are taken as the process trees, as discussed in claim 12, as taught by Mercado, the Examiner notes, claim 13, is similarly motivated and combined, as taught in claim 12, such that the method is directed towards the process trees as the entities or labeled data entities). As per claim 18, claim 18 sets forth limitations similar to claim 12 and is thus rejected under similar reasons and rationale, wherein the non-transitory computer storage medium is deemed to embody the system, such that Stokes with Gururajan with Mercado make obvious a non-transitory computer storage medium having programming instructions stored thereon that, when executed by one or more processors of a system, cause the system to perform operations comprising (Stokes, paragraph [0007]-fig. 7, see his processor, computer-readable instruction discussion): receiving a joint vocabulary and a set of labeled process trees, the joint vocabulary generated by (ibid-see claim 12, corresponding and similar limitation): determining at least one first data token based at least in part on user data entered by way of a user interface, the at least one first data token being one or more human-interpretable characters (ibid-see claims 1, and 12, similar and corresponding limitation), determining at least one second data token by a machine learned model (ibid-see claim 12, corresponding and similar limitation), the at least one second data token representing a hierarchy of characters included in an unlabeled data entity (ibid), and combining the at least one first data token and the at least one second data token into the joint vocabulary (ibid); based at least in part on the joint vocabulary, determining, for at least one labeled process tree of the set of labeled process trees, a vector representation of the at least one labeled process tree, the vector representation indicating presence or counts of data tokens of the joint vocabulary within the at least one labeled process tree (ibid); and providing the vector representation in detecting malicious activity in data transactions (ibid). As per claim 19, Stokes further makes obvious the non-transitory computer storage medium of claim 18, wherein the operations further comprise receiving statistical features [associated with the at least one process tree] and including, with the vector representation, numerical values corresponding to values of the statistical features [for the at least one process tree] (ibid-see claim 2, corresponding and similar limitation), at least one of the statistical features being received as part of the user data associated with the user interface (ibid-paragraphs [0038, 0039-his user entered and accurately labeled, and scored terms, as statistical features, associated with user/analyst data and samples, the adjustments to the uncertain samples, improving the accuracy in detecting malicious command line strings). Stokes lacks teaching that which Mercado teaches, the at least one process tree, as claimed above (see claim 12, Mercado process tree discussion, wherein the entities are taken as the process trees, as discussed in claim 12, as taught by Mercado, the Examiner notes, claim 13, is similarly motivated and combined, as taught in claim 12, such that the method is directed towards the process trees as the entities or labeled data entities). Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stokes in view of Gururajan in view of Seward in view of Coulter as applied to claim 1 above, and further in view of Jia et al. (Jia, US 11,714,903). As per claim 5, Stokes further makes obvious the system of claim 1, but lacks that which Jia teaches, further comprising removing duplicate data tokens from the joint vocabulary (C.12 lines 6-25-his multiple sources for gathering the vocabulary data, C.15 lines 15-64-his machine generated tokens, C.16 lines 55-65, see his “tokenization” discussion, including “cleaned” up, and “duplicated” data only appear once). Thus, it would have been obvious to one of ordinary skill in the linguistics art, before the effective filing date of the invention, as all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (computer implemented techniques and algorithms combining processes and steps in natural language processing), in view of the teachings of Stokes and Jia to combine the prior art element of generating an aggregate vocabulary from labeled and unlabeled data as taught by Stokes with removing duplicate data during the tokenization process as taught by Jia as each element performs the same function as it does separately, as the combination would yield predictable results, KSR International Co. v. Teleflex Inc., 550 US. -- 82 USPQ2nd 1385 (2007), wherein the predictable result would be generating a cleaned tokenized dataset for conversing into an embedding layer for performing detection of command, and control malware (ibid-Jia, C.16 line 55-C.17 line 2). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (See PTO-892). Ackerman (US 2023/0336575) teaches process trees and command lines, evaluation for malicious activity. Bhosale et al. (US 2022/0318386) teaches process tree and command lines, with as labeled data entities. Churkin et al. (US 2025/0335580-process trees, command line as labeled data entities. Any inquiry concerning this communication or earlier communications from the examiner should be directed to LAMONT M SPOONER whose telephone number is (571)272-7613. The examiner can normally be reached 8:00 AM -5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Daniel Washburn can be reached on (571)272-5551. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /LAMONT M SPOONER/Primary Examiner, Art Unit 2657 5/29/2026
Read full office action

Prosecution Timeline

Show 6 earlier events
Jun 24, 2025
Request for Continued Examination
Jun 26, 2025
Response after Non-Final Action
Jul 28, 2025
Non-Final Rejection mailed — §103
Oct 23, 2025
Response Filed
Dec 23, 2025
Final Rejection mailed — §103
Mar 18, 2026
Request for Continued Examination
Mar 21, 2026
Response after Non-Final Action
Jun 03, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12675644
TASK-SPECIFIC LANGUAGE SETS FOR MULTILINGUAL LEARNING
4y 0m to grant Granted Jul 07, 2026
Patent 12670327
DETECTING HALLUCINATION IN A LANGUAGE MODEL
3y 0m to grant Granted Jun 30, 2026
Patent 12664377
TEXT STRING SUMMARIZATION
5y 11m to grant Granted Jun 23, 2026
Patent 12632671
CLINICAL CONTEXT CENTRIC NATURAL LANGUAGE PROCESSING SOLUTIONS
3y 2m to grant Granted May 19, 2026
Patent 12626050
Semi-Autoregressive Text Editing
3y 11m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
74%
Grant Probability
86%
With Interview (+12.3%)
3y 4m (~1y 8m remaining)
Median Time to Grant
High
PTA Risk
Based on 612 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month