DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the RCE filed on 02/02/2021.
Claims 1-5, 7-12, 14-19 and 21 are currently pending in this application. Claims 1, 8 and 15 have been amended.
No new IDS has been filed.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/02/2021 has been entered.

Response to Arguments
The previous 112(a) rejections to claims 1-5, 7-12, 14-19 and 21 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 112(b) rejections to claims 1-5, 7-12, 14-19 and 21 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 102 rejections to claims 1-5, 7-12, 14-19 and 21 have been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 1-5, 7-12, 14-19 and 21 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

Regarding independent claims 1, 8 and 15,

Di Pietro et al. (US 2017/0099309 A1) teaches a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly - see figs. 4A-4H; abstract, paras. [0054] - [0057] of Di Pietro.

Barak (US 2017/0286683 A1) teaches a computerized method for identification of suspicious processes executing on an end-point device. One or more parameters associated with the process by the end-point device are identified. A first time pointer is identified corresponding to the identified one or more parameters. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified and whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution are determined – see abstract, figs. 1, 3; paras. [0007], [0012] and [0028] of Barak.

Carey et al. (US 2012/0144020 A1) teaches a dynamic administration of event pools for relevant event and alert analysis during event storms including receiving, by an events analyzer from an events queue, a plurality of events from one or more components of the distributed processing system, each event including an occurred time and a logged time. The processes include creating, by the event analyzer, an events pool; determining whether an arrival rate of the events from the components of the distributed processing system is greater than a predetermined threshold. If the arrival rate is not greater than the predetermined threshold, assigning, by the events analyzer, a plurality of events to the events pool in dependence upon their logged time – see abstract, figs. 36, 7 and paras. [0006], [0023] and [0024] of Carey.

However, the prior art of record does not teach or render obvious the limitations, specifically and in combination with other limitations, of claims 1, 8 and 15 in a method, a system or a product for:
identifying a network signature of an endpoint having an authorized application executing thereon, wherein the authorized application is associated with an identity of the endpoint inclusive of the network signature;
registering, in a database, the network signature, the identity of the endpoint, and information of the authorized application, 
wherein the information is inclusive of a current operational state of the authorized application, and 
wherein, when the authorized application lacks communication ability with the database, a helper agent is deployed on the endpoint to facilitate communication between the authorized application and the database;
detecting the security incident within the endpoint, wherein the detecting of the security incident includes determining an identity and a type of activity associated with the detected security incident; and 
when the detected security incident corresponds to the authorized anomalous behavior according to the comparison between the identity and the type of activity associated with the detected security incident to the identity and the type of activity associated with the authorized anomalous behavior, suppressing a presentation of a generated alert.

Dependent claims 2-5, 7, 9-12, 14, 16-19 and 21 are allowed as they depend from allowable independent claim 1, 8 or 15.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic 






/MAUNG T LWIN/Primary Examiner, Art Unit 2495