CTNF 18/986,691 CTNF 82687 Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. DETAILED ACTION This Office Action is in response to the communication and claim amendment filed on 12/18/2024; claims 14-16 have been amended; Claims 1, 13, and 17 are independent claims. Claims 1-20 have been examined and are pending. This Action is made non-FINAL . Drawings 06-37 AIA The drawings were received on 12/18/2024] . These drawings are reviewed and accepted by the Examiner . Information Disclosure Statement The information disclosure statement (IDS), submitted on 02/14/2025 is being considered by the examiner. Claim Rejections - 35 USC § 103 07-20-aia AIA The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 07-21-aia AIA Claims 1-4, 6-8, 11-12, 13-15, an d 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mercado-Alcala et al. (“ Mercado-Alcala ,” US 12,259,976), in view of Levy (“ Levy ,” US 10,841,333), further in view of Dar et al. (“ Dar ,” US 2024/0370166). Regarding claim 1 , Mercado-Alcala teaches a computer implemented method for emulating malicious code, comprising: an emulator training classifier classifies activity as malicious (Mercado-Alcala: Col. 29, lines 59 to Col. 30, line 40, “actual ransomware executable examples are used to generate ransomware behavior data for supervised learning”; Col. 27, lines 36-59, classifier outputs a malicious/non-malicious classification); an emulator implementing configuration parameters (Mercado-Alcala: Col. 29 lines 34-52, “a ransomware behavior emulator ... deployed to one or more endpoints as an executable program” and “a configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted.) ; saving the configuration parameters for a malware type (Mercado-Alcala: Col. 29, lines 34-57, “A configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted.) ; deploying an instance of the emulator to operate with the saved configuration parameters in a system to generate operations to produce classifier training traces to train a malware classifier to recognize malicious activity in the system for the malware type (Mercado-Alcala: Col. 29, lines 34-52, “sent to the computing platform for updating one or more models for detecting simulated malicious activities”; Col. 29, lines 59 to Col. 30, line 40, ransomware behavior data for “bootstrap populating of training record datasets”; Col. 32, lines 24-51, train detection model.) ; and deploying the malware classifier in the system to detect and report malicious activity during production operations in the system (Mercado-Alcala: Col. 32, lines 52 to Col. 33, line 4, trained models transmitted to user devices that “execute a set of models to monitor ... for ransomware activity”; Col. 2, lines 11-20 ; Col. 9, lines 5-7, “detection of ransomware attack” Col. 4, lines 18-19 , "detect ... malicious activities of the ransomware."; Col. 10, lines 19-40, “an administrator may access the web UI 110 ….display information about ... whether any ransomware ... have been detected".). Mercado-Alcala teaches an emulator implementing configuration parameters, an emulator training classifier classifies activity as malicious, saving the configuration parameters for a malware type but does not explicitly teach “determining whether the emulator training classifier classifies the emulator training traces resulting from operations of the emulator” as a gating determination, nor "saving the configuration parameters ... in response to the malicious activity exceeding the threshold rate". However, Levy teaches the determining/gating step, in that Levy discloses evaluating generated output with a classifier and retaining output according to that classifier's result — “filtering ... to provide a filtered sample set containing one or more of the synthetic malware samples ... that are not detected by the first antimalware system ” (Levy: Col. 11, lines 60-65 — performed within an iterative loop that repeats “the generating, validating, filtering and creating a new antimalware system until a predetermined threshold is reached” (Levy: Col. 12, lines 45-48) . Levy further teaches saving the configuration in response to the threshold being reached, in that Levy retains the output satisfying the gating result and repeats “until a predetermined threshold is reached” (Levy: Col. 12, lines 45-48, carrying forward the configuration that satisfies the threshold.) as malicious activity that exceeds a threshold rate of malicious activity (Levy: iterating until “a receiver operating characteristic for the detection model achieves a predetermined threshold for true positive detection” (claim 20; see claim 19; Col. 12, lines 32-29: "measuring true positive detections against false positive detections"). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Levy with the method and system of Mercado-Alcala to include classifier-gated, iterate-until-threshold determination to Mercado's emulator because Levy teaches that an “iterative machine learning process may be created that continuously narrows the window of vulnerabilities” (Levy: Abstract), whereas Mercado's configuration file is otherwise set manually (Mercado: Col. 29, lines 59-63) ; applying Levy's classifier-gated determination automates and refines the configuration of Mercado's emulator, a predictable improvement. KSR (550 U.S. 398, 416–421). The combination of Mercado and Levy teaches determining whether an emulator training classifier classifies emulator training traces, resulting from operations of an emulator implementing configuration parameters, as malicious activity that exceeds a threshold of malicious activity as recited above, but does not explicitly disclose that the threshold is a “threshold rate”. However, Dar teaches a ratio of positive classifications (Dar: par. 0057, Table 2, suppose a machine learning model is configured for multi-class classification focusing on ransomware classes. Table 2 includes precision (i.e., the ratio of true positive classifications to total predicted positive classifications), recall (i.e., the ratio of true positive classifications to total actual positive classifications). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dar with the method and system of Mercado-Alcala and Levy to include a threshold as “threshold rate” because Dar teaches that precision and recall — the ratios of true positive classifications to totals — are the measures of a ransomware classifier's performance (Dar: [0057]); using such a ratio as the thresholded metric is the use of a known measure for its established purpose, yielding a predictable result. KSR (550 U.S. 398, 416–421) Regarding claim 2, the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala , Levy, and Dar further teaches, wherein the system comprises a user system, and wherein the emulator and the malware classifier are deployed at the user system (Mercado-Alcala: Col. 29, lines 34-57, deploys to endpoints / user devices; "deployed to one or more endpoints"; Col. 29, lines 34-36 , "ransomware behavior emulator ... deployed to one or more endpoints as an executable program."; Col. 32, lines 52-55, trained models "transmitted to ... user devices" that execute them) . Regarding claim 3, claim 3 depends from claim 1 and recites the iterative tuning loop of claim 1 expressed in index notation, with limitations directed to an nth and an (n-1)th iteration of that loop. The combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar further teaches wherein the emulator training traces comprise nth emulator training traces collected at an nth time (claim 1; Mercado: Col. 29, lines 34-57 , the emulator is “executed by the endpoints to generate ransomware behavior” [] “behavior data …may be sent to the computing platform for updating one or more models”. The behavior data the emulator generates each time it runs is the emulator train traces; a given run produces the “nth” traces at the “nth time”). wherein the configuration parameters comprise an nth set of configuration parameters (claim 1; Mercado: Col. 29, lines 34-57, “A configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted”. The modifiable configuration file is the set of configuration parameters; a given iteration’s configuration is the “nth” set., and Levy teaches that the process is performed iteratively — "iteratively repeating the generating, validating, filtering and creating a new antimalware system until a predetermined threshold is reached" (Levy: claim 11; Col. 12, lines 45-48,). Under broadest reasonable interpretation, a given iteration of this iterative process produces traces (the "nth emulator training traces") at a corresponding time (the "nth time") from a corresponding set of configuration parameters (the "nth set"); the index "n" is a standard iteration counter denoting which iteration of the loop is being performed.); determining whether the emulator training classifier classifies (n-1)th emulator training traces, resulting from operations of the emulator implementing an (n-1)th set of configuration parameters at an (n-1)th time, as malicious activity exceeding the threshold rate (The combination teaches determining whether the emulator training classifier classifies the emulator training traces as malicious activity exceeding the threshold rate as cite in claim 1; Levy: Col. 11, lines 61 to Col. 12, line 9, claim 11, claims 19–20; Dar: [0057]). Under broadest reasonable interpretation, applying this determination to a prior iteration's traces — the "(n-1)th emulator training traces" resulting from the "(n-1)th set of configuration parameters" at the "(n-1)th time" — is the same determination performed on the immediately preceding iteration of Levy's iterative loop) ; The combination does not explicitly recite the determination in terms of an (n-1)th iteration relative to an nth iteration. However, Levy's iterative loop inherently operates over successive iterations — each "creating a new antimalware system" and repeating "until a predetermined threshold is reached" (Levy: claim 11, Col. 12, lines 45-48, repeat until a threshold is reached) — such that any given iteration (n) is preceded by an immediately prior iteration (n-1). Expressing successive iterations of a known iterative loop using an index counter, where the nth iteration follows the (n-1)th iteration, is a standard and well-known manner of describing an iterative process and would have been understood by a POSITA. generating the nth set of configuration parameters in response to determining that the emulator training classifier classifies (n-1)th emulator training traces as malicious activity below the threshold rate (Levy teaches generating a new (next) set in response to the prior iteration not satisfying the threshold, in that Levy "iteratively repeat[s] the generating ... until a predetermined threshold is reached" (Levy: claim 11, Col. 12, lines 45-48 (55), repeat until a threshold is reached)). Under broadest reasonable interpretation, continuing to iterate — i.e., generating the next (nth) set of configuration parameters — occurs precisely while the threshold is not yet reached, that is, while the prior ((n-1)th) iteration's traces are classified as malicious activity below the threshold rate. Generating the nth set "in response to" the (n-1)th being below the threshold is therefore the same continue-while-below-threshold condition that is the necessary counterpart of Levy's iterate-until-threshold-reached loop.). A POSITA would have been motivated to perform Levy's iterative loop over successive indexed iterations — generating the nth set of configuration parameters in response to the (n-1)th iteration being below the threshold — because Levy teaches iteratively repeating the process until the threshold is reached ( Levy: claim 11, Col. 12, lines 45-48 ), and continuing to generate new configuration parameters while the threshold is not yet reached is the inherent operation of such an iterate-until-threshold loop. Expressing the loop with an index counter (the nth iteration following the (n-1)th) is a standard, well-known way to describe an iterative process, yielding no new or unexpected result. KSR (550 U.S. 398, 416–421). Regarding claim 4, the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar further teaches wherein the emulator training classifier is trained using malware traces gathered from executing real malware (Mercado: Col. 29, line 59 to Col. 30, lines 1- 39, “actual ransomware executable examples are used to generate ransomware behavior data for supervised learning) . Regarding claim 6 , the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar teaches further teaches wherein the configuration parameters used to configure the emulator are selected from the group consisting of: target directories to which the emulator reads and writes (Mercado: Col. 29, lines 42-46 A configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted "what files are targeted") ; file ordering operations to select files on which to operate; filtering options to filter files by file types on which to operate; encryption algorithm and encryption methods to use to encrypt data (Mercado: Col. 29, lines 42-46 ) A configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted, such as to emulate an encryption attack on those files via one or more encryption processes or services. emulates an "encryption attack" ; encryption content methods to select a subset of content in files to encrypt; encryption write method indicating one of overwriting original file, shredding the original file and writing to a new file, and copying the original file to a new file; delay mode indicating delays between file encryption operations; timeout to specify a time limit for the encryption operations; custom file extension for encrypted files; and indicating whether to use multiple threads for emulator operations. Regarding claim 7, combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar further teaches: generating new configuration parameters until the emulator (Levy: claim 11; Col. 12, lines 45-48: "iteratively repeating the generating, validating, filtering and creating a new antimalware system until a predetermined threshold is reached." → Levy has the explicit "iteratively ... until a threshold" loop.), using the new configuration parameters (Mercado: Col. 29, lines 42-57: emulator's "configuration file ... may be modified" and the emulator runs it. → emulator uses (modified/new) config) , produces operations resulting in emulator training traces that are classified by the emulator training classifier as malicious activity above the threshold rate (Levy: Col. 11, lines 60-65, “filtering ... to provide a filtered sample set containing one or more of the synthetic malware samples ... that are not detected by the first antimalware system ”; claim 11, Col. 12, lines 45-48, repeat until a threshold is reached; claims 19/20: threshold on true-positive; Dar: par. [0057]) Regarding claim 8, The combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1, and teaches that a plurality of malware types exists (Mercado-Alcala: Col 30, lines 31-34 "over 1000 families of ransomware and more than 5500 different ransomware executables"). The combination does not explicitly teach that a separate emulator training classifier and a separate malware classifier are provided, and the operations performed, for each of the plurality of malware types. However, claim 1 already performs the recited determining, saving, and deploying operations for a malware type by the combination of Mercado-Alcala, Levy, and Dar. It has been held that the mere duplication of parts has no patentable significance unless a new and unexpected result is produced. See MPEP § 2144.04(VI)(B); In re Harza , 274 F.2d 669 (CCPA 1960). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to duplicate the claim 1 process — providing a separate emulator training classifier and malware classifier for, and performing the operations for, each of the plurality of malware types — in order to detect each of the plurality of malware types that Mercado collects and addresses (Mercado-Alcala: Col 30, lines 31-34 "over 1000 families of ransomware and more than 5500 different ransomware executables") . Duplicating the per-type process to cover additional malware types yields the predictable result of detecting those additional types, with no new or unexpected result. KSR (550 U.S. 398, 416–421); MPEP § 2144.04(VI)(B). Regarding claim 11, the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar further teaches a plurality of malware types exists (Mercado-Alcala: Col. 30, lines 31-34 Mercado discloses collecting behavior data across "over 1000 families of ransomware and more than 5500 different ransomware executables"). wherein the configuration parameters are saved for a plurality of malware types to control the emulator to generate classifier training traces for the plurality of malware types (Mercado-Alcala: Col. 29, lines 42-44); A configuration file of the emulator may be modified to specify which ransomware behavior to execute and what files are targeted."; Col. 30, lines 31-33, over100 families of ransomware) , wherein the emulator generates operations to produce classifier training traces for the plurality of malware types to train the malware classifier to recognize malicious activity for the plurality of malware types (Mercado-Alcala: Col. 29, lines 42-44; Col. 30, lines 31-33, over100 families of ransomware.; Dar: par. 0057, “machine learning model is configured for multi-class classification focusing on ransomware classes) . Regarding claim 12, the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar further teaches wherein the operations resulting from the emulator emulates I/O operations generated from the group consisting of: a computational storage device; a storage device layer; an operating system layer ( Mercado-Alcala : Col.12 , lines 52-57, examples of which may include one or more of, but are not limited to, the file system 131, running processes 132, OS information 133, telemetry data 135 (e.g., processor, memory, disk I/O, network I/O etc. utilization), command line requests 136, running services134 information, and registry key 137 information; Col. 17, lines 14-16, activities. In some examples, the monitoring module 141 may monitor file system access and changes at a low operating system level on the endpoint 120: Col. 11, lines 38-41, within the OS …. Runtime environment”) ; a block level from the operating system layer; an object/file level from a user application layer; a memory subsystem; and a network layer. Regarding claim 13 , claim 13 is directed to a computer program product for emulating malicious code, comprising: one or more computer-readable storage media (Mercado-Alcala: Col. 34, lines 36-62) ; and program instructions stored on the one or more computer-readable storage media (Mercado-Alcala: Col. 34, lines 36-62) to perform operations associated with the method claimed in claim 1; claim 13 is similar in scope to claim 1, and is therefore rejected under similar rationale. Regarding claim 14 , claim 14 is similar in scope to claim 7, and is therefore rejected under similar rationale. Regarding claim 15 , claim 15 is similar in scope to claim 8, and is therefore rejected under similar rationale. Regarding claim 17 , claim 17 is directed to a system for emulating malicious code, comprising: a processor set (Mercado-Alcala: Col. 34, lines 36-62) ; one or more computer-readable storage media (Mercado-Alcala: Col. 34, lines 36-62) ; and program instructions (Mercado-Alcala: Col. 34, lines 36-62) stored on the one or more computer-readable storage media to cause the processor set to perform operations associated with the method claimed in claim 1; claim 17 is similar in scope to claim 1, and is therefore rejected under similar rationale. Regarding claim 18 , claim 18 is similar in scope to claim 7, and is therefore rejected under similar rationale. Regarding claim 19 , claim 19 is similar in scope to claim 8, and is therefore rejected under similar rationale . 07-21-aia AIA Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Mercado-Alcala et al. (“ Mercado-Alcala ,” US 12,259,976), in view of Levy (“ Levy ,” US 10,841,333), and Dar et al. (“ Dar ,” US 2024/0370166), further in view of Bello (“ Bello ,” US 11,876,693) . Regarding claim 5, the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar teaches wherein the emulator training traces and the classifier training traces generated by the emulator but does not explicitly disclose selected from the group consisting of: Shannon entropy of writes; variance of logical block address (LBA) reads and writes; read/write throughput; variance of LBA reads and writes to a master boot record; variance of LBA reads and writes to a boot partition; variance of LBA reads and writes to an operating system partition; variance of LBA reads and writes to a recovery partition; and variance of LBA reads and writes to a data partition. However, Bello teaches read/write throughput as a trace of emulated operations (Bello: Col. 43, lines 35-38, "may emulate the key dimensions of a workload," where "[t]he dimensions include CPU MHz, memory utilization in gigabytes, read/write IOPs, read/write throughputs, and network received/transmit in bytes per second"). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bello with the method and system of Mercado-Alcala, Levy, and Dar to include read/write throughput. One would have been motivated to do so because read/write throughput, as taught by Bello, among the traces generated by the emulator of the Mercado-Alcala, Levt, and Dar combination because Bello teaches that read/write throughput is a key dimension of a workload that may be emulated with high fidelity ( Bello: Col. 43, lines 35-36,33-35 ); including read/write throughput as a trace provides a standard, recognized measure of the emulated I/O workload, yielding the predictable result of characterizing the emulated operations. KSR (550 U.S. 398, 416–421) . 07-21-aia AIA Claim s 9, 10, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mercado-Alcala et al. (“ Mercado-Alcala ,” US 12,259,976), in view of Levy (“ Levy ,” US 10,841,333), and further in view of Dar et al. (“ Dar ,” US 2024/0370166), and further in view of Bhalotra et al. (“ Bhalotra ,” US 10,397,255) . Regarding claim 9 , the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. Mercado-Alcala further discloses performing the determining, saving, and deploying operations for a malware type (claim 1), and Mercado teaches that a plurality of malware types exists (Mercado-Alcala: Col 30, lines 31-34 "over 1000 families of ransomware and more than 5500 different ransomware executables") . Mercado-Alca, Levy, and Dar do not explicitly disclose (b) wherein the emulator training classifiers include an emulator training classifier for a benign activity type to identify the benign activity type, and (c) wherein the saved configuration parameters are used to control the emulator to generate operations for malware types and for a benign activity type; providing a separate emulator training classifier and a separate malware classifier for each of the plurality of malware types. However, in an analogous art, Bhalotra discloses: wherein the emulator training classifiers include an emulator training classifier for a benign activity type to identify the benign activity type (Bhalotra: Col. 7, lines 30-46, "may include a scanning technology that processes data to test all possible input spaces of an application to emulate benign operations, emulate malicious attacks, and test potential vulnerabilities. This allows the machine learning module 202 to generate data on application behavior with normal data and commands, application behavior during an attack, and behavior after (or resulting from) an attack []. “This allows the machine learning module 202 to learn the characteristics of benign and malicious behavior in the user's system"; abstract, “where operating signals are compared to models representing "observed benign operating signals and malicious operating signals"; Mercado-Alcala: Col. 27, lines 47-51, “behavioral data obtained from endpoint devices known to not be infected with ransomware or subjected subject to a ransomware attack may be classified as from devices not infected with ransomware as " non-malicious (e.g., normal or healthy) activity") , and wherein the saved configuration parameters are used to control the emulator to generate operations for malware types and for a benign activity type (Bhalotra: Col. 7, lines 30-46, in combination with Mercado-Alcala: Col. 29, lines 34-57). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bhalotra with the method and system of Mercado-Alcala, Levy, and Dar to include an emulator training classifier for a benign activity type. One would have been motivated to incorporate teachings of Bhalotra with the system/method of Mercado-Alcala, Levy, and Dar enabling the machine learning module to train classifier for a benign activity type (Bhalotra: Col. 7, lines 30-46). Regarding claim 10 , the combination of Mercado-Alcala, Levy, and Dar teaches the computer implemented method of claim 1. The combination of Mercado-Alcala, Levy, and Dar explicitly disclose (a)wherein there are configuration parameters to control the emulator to output operations (Mercado-Alcala: claim 1, Col. 29, lines 34-57) but does not explicitly teach configuration parameters controlling the emulator to output operations for benign activity. However, Bhalotra teaches controlling an emulator to output operations for benign activity (Bhalotra: Col. 7, lines 30-46, may include a scanning technology that processes data to test all possible input spaces of an application to emulate benign operations, emulate malicious attacks, and test potential vulnerabilities. This allows the machine learning module 202 to generate data on application behavior with normal data and commands, application behavior during an attack, and behavior after (or resulting from) an attack []. “This allows the machine learning module 202 to learn the characteristics of benign and malicious behavior in the user's system"; abstract, “where operating signals are compared to models representing "observed benign operating signals and malicious operating signals".). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bhalotra with the method and system of Mercado-Alcala, Levy, and Dar to include “configuration parameters controlling the emulator to output operations for benign activity.” One would have been motivated to incorporate teachings of Bhalotra with the system/method of Mercado-Alcala, Levy, and Dar enabling the machine learning module to train classifier for a benign activity type (Bhalotra: Col. 7, lines 30-46). The combination of Mercado-Alcala, Levy, Dar, and Bhalotra further discloses: wherein the generating operations to produce classifier training traces to train a malware classifier comprises: generating operations from the emulator implementing the configuration parameters for the malware type and a benign activity type (Mercado-Alcala: claim 1; Col. 29, lines 34-57; Bhalotra: Col. 7, lines 30-46, “emulate benign operations”; generating operations for a benign activity type) ; generating training entries indicating a false negative when the malware classifier outputs a negative classification from traces result from operations of the emulator implementing the configuration parameters for the benign activity type (Mercado-Alcala: claim 1; Col. 29, lines 34-57; Bhalotra: Col. 7, lines 30-46, “emulate benign operations”; generating operations for a benign activity type) ; generating training entries indicating a false positive when the malware classifier outputs a positive classification from traces result from operations of the emulator implementing configuration parameters for the benign activity type or another malware type (Mercado-Alcala: Col. 27, lines 60-66, teaches generating training entries indicating a false positive, in that Mercado-Alcala discloses that "if a detection event corresponds to a false positive detection of ransomware activity," the system may “obtain and label records comprising behavioral data corresponding to the false positive detection event as non-malicious”) ; and training the malware classifier to output a positive classification from training entries indicating a false negative (Mercado-Alcala: claim 1; Col. 29, lines 34-57; Bhalotra: Col. 7, lines 30-46, “emulate benign operations”; generating operations for a benign activity type) ; and training the malware classifier to output negative classification from training entries indicating a false positive (Mercado-Alcala teaches training the malware classifier to output a negative classification from training entries indicating a false positive, in that Mercado-Alcala discloses labeling the false-positive records "as non-malicious" and "iterate one or more training operations to retrain one or more machine learning models that caused or contributed to the false positive" (Mercado-Alcala: Col. 27, line 60 to Col. 28, line 6) . Regarding claim 16 , claim 16 is similar in scope to claim 10, and is therefore rejected under similar rationale. Regarding claim 20 , claim 20 is similar in scope to claim 10, and is therefore rejected under similar rationale. Conclusion 07-101 Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at telephone number 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form. /Canh Le/ Examiner, Art Unit 2439 June 11 th , 2026 /LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439 Application/Control Number: 18/986,691 Page 2 Art Unit: 2439 Application/Control Number: 18/986,691 Page 3 Art Unit: 2439 Application/Control Number: 18/986,691 Page 4 Art Unit: 2439 Application/Control Number: 18/986,691 Page 5 Art Unit: 2439 Application/Control Number: 18/986,691 Page 6 Art Unit: 2439 Application/Control Number: 18/986,691 Page 7 Art Unit: 2439 Application/Control Number: 18/986,691 Page 8 Art Unit: 2439 Application/Control Number: 18/986,691 Page 9 Art Unit: 2439 Application/Control Number: 18/986,691 Page 10 Art Unit: 2439 Application/Control Number: 18/986,691 Page 11 Art Unit: 2439 Application/Control Number: 18/986,691 Page 12 Art Unit: 2439 Application/Control Number: 18/986,691 Page 13 Art Unit: 2439 Application/Control Number: 18/986,691 Page 14 Art Unit: 2439 Application/Control Number: 18/986,691 Page 15 Art Unit: 2439 Application/Control Number: 18/986,691 Page 16 Art Unit: 2439 Application/Control Number: 18/986,691 Page 17 Art Unit: 2439 Application/Control Number: 18/986,691 Page 18 Art Unit: 2439 Application/Control Number: 18/986,691 Page 19 Art Unit: 2439 Application/Control Number: 18/986,691 Page 20 Art Unit: 2439 Application/Control Number: 18/986,691 Page 21 Art Unit: 2439