Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the amendment filed 11/30/2020. Claims 1, 2, 10 and 18 have been amended. Claims 3-5, 7-9, 11-17, 19 and 20 have been cancelled. Claims 21-35 have been added. Claims 1, 2, 10, 18 and 21-35 are pending and have been considered below.

Status of Claims
The following claims have been amended and/or cancelled via examiner amendments: Claims 1, 10, 18, 27, 28 and 30 have been amended. Claims 21-23, 25 and 26 have been cancelled. Claims 36-40 have been added.

Allowable Subject Matter
Claims 1, 2, 6, 10, 18, 24 and 27-40 are allowed. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. James T. Bergstrom, Reg. No. 57,021 on 02/28/2021. An agreement was made on 03/04/2021.   
PLEASE AMEND THE CLAIMS AS FOLLOWS: 
1.	(Currently Amended)  A computer-implemented method, comprising, at a computer system of a security management system:
deploying an agent to a cloud service platform of a cloud service provider, wherein the agent is configured to monitor an application deployed to the cloud service platform by a tenant of the cloud service platform, the cloud service platform provides the tenant with a tenant account,  the tenant account enables one or more users to access the cloud service platform to use the application, and the agent is configured to:
operate as a layer between the application and a library used by the application; and
modify byte code for the library by inserting instrumentation code into the byte code when a class loader fetches the library for loading into memory;
receiving, from the agent, application data that comprises a record of actions performed by the application during use of the application by one or more users associated with the tenant;

determining an action to perform in response to identifying the event; and
performing the action.  
2.	(Previously Presented)  The computer-implemented method of claim 1, wherein the cloud service platform maintains an activity log for the tenant, the activity log including actions performed by the one or more users in accessing the cloud service platform, and wherein the activity log does not include actions performed by the application.  
3-5.	(Canceled)  
6.	(Original)  The computer-implemented method of claim 1, wherein the event is identified using a model for the application, wherein the model describes usage patterns for the application.  
7-9.	(Canceled) 
10.	(Currently Amended)  A computing system, comprising:
one or more processors; and

deploying an agent to a cloud service platform of a cloud service provider, wherein the agent is configured to monitor an application deployed to the cloud service platform by a tenant of the cloud service platform, the cloud service platform provides the tenant with a tenant account,  the tenant account enables one or more users to access the cloud service platform to use the application, and the agent is configured to:
operate as a layer between the application and a library used by the application; and
modify byte code for the library by inserting instrumentation code into the byte code when a class loader fetches the library for loading into memory;
receiving, from the agent, application data that comprises a record of actions performed by the application during use of the application by one or more users associated with the tenant;
analyzing the application data to identify an event associated with a security risk, wherein the event is identified from one or more actions performed by the application;
determining an action to perform in response to identifying the event; and

11-17.	(Canceled)  
18.	(Currently Amended)  A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
deploying an agent to a cloud service platform of a cloud service provider, wherein the agent is configured to monitor an application deployed to the cloud service platform by a tenant of the cloud service platform, the cloud service platform provides the tenant with a tenant account,  the tenant account enables one or more users to access the cloud service platform to use the application, and the agent is configured to:
operate as a layer between the application and a library used by the application; and
modify byte code for the library by inserting instrumentation code into the byte code when a class loader fetches the library for loading into memory;
receiving, from the agent, application data that comprises a record of actions performed by the application during use of the application by one or more users associated with the tenant;
 analyzing the application data to identify an event associated with a security risk, wherein the event is identified from one or more actions performed by the application;
 determining an action to perform in response to identifying the event; and
 performing the action.  
19-23.	(Canceled)  
24.	(Previously Presented)  The computer-implemented method of claim 1, wherein the application comprises a custom application developed by the tenant and not natively provided by the cloud service platform.  
25-26.	(Canceled)  
27.	(Currently Amended)  The computer system of claim [[26]] 10, wherein the instrumentation code is configured to output function calls and parameters to an output file when functions are called from the library by the application.  
28.	(Currently Amended)  The computer system of claim [[25]] 10, wherein the library is selected from a plurality of libraries for monitoring by the agent based on security-sensitive operations performed by the library.  
29.	(Previously Presented)  The computer system of claim 28, wherein the library enables access to authentication information, enables access to databases, enables network access, or enables generation and deletion of users.  
[[26]] 10, wherein the instrumentation code does not require the application itself to be modified.  
31.	(Previously Presented)  The non-transitory computer-readable medium of claim 18, wherein the agent is configured to monitor the application and a plurality of other applications hosted by the cloud service platform.  
32.	(Previously Presented)  The non-transitory computer-readable medium of claim 18, wherein the operations further comprise maintaining and training a model specific to the application that describes usage patterns for the application by the one or more users of the tenant.  
33.	(Previously Presented)  The non-transitory computer-readable medium of claim 32, wherein the application data is compared to data provided by the model to identify anomalous activity that falls outside of expected behavior for the one or more users of the application.
34.	(Previously Presented)  The non-transitory computer-readable medium of claim 18, wherein the cloud service platform is not able to monitor or record internal actions performed by the application.  
35.	(Previously Presented)  The non-transitory computer-readable medium of claim 18, wherein a source code for the application comprises tags that indicate functions that should be monitored by the agent.  

37.	(New)  The computer-implemented method of claim 1, wherein the library is selected from a plurality of libraries for monitoring by the agent based on security-sensitive operations performed by the library.  
38.	(New)  The computer-implemented method of claim 1, wherein the instrumentation code does not require the application itself to be modified.  
39.	(New)  The non-transitory computer-readable medium of claim 18, wherein the agent is configured to monitor the application and a plurality of other applications hosted by the cloud service platform.  
40.	(New)  The non-transitory computer-readable medium of claim 18, wherein the operations further comprise maintaining and training a model specific to the application that describes usage patterns for the application by the one or more users of the tenant.  

Examiner's Statement of Reasons for Allowance
The following is a statement of reasons for the indication of allowable subject matter:  
Regarding Claims 1, 10 and 18:
The prior art references of record, either alone or in combination, do not describe or suggest all elements of the claimed invention as amended.  In particular, the cited references 
Regarding claims 2, 6, 24, 27-40, the claims are allowable based at least on their depending from an allowable claim.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





Thursday, March 4, 2021


/FATOUMATA TRAORE/
Primary Examiner, Art Unit 2436