DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification 
For the record, the Examiner acknowledges that the amendment to the Specification submitted on 03/10/2021 has been accepted. 

Response to Amendment
The Amendment filed on 03/10/2021 has been entered. 
The objection to the specification is withdrawn in view of the amendment.
The rejection of claims 1-19 under 35 U.S.C. 112(b) is withdrawn in view of the amendment.
The rejection of claim 19 under 35 U.S.C. 112(d) is withdrawn in view of the amendment.
Claims 1-5, 8-14 and 17-19 are amended.
Claims 1-19 are pending of which claims 1, 10 and 19 are independent claims.

Examiner's Amendment
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given in a telephone interview with John A. Garrity (Reg. No. 60,470) on 03/16/2021. The application has been amended as follows: 
In the claims: 
Please amend claims 1, 4, 10, 13 and 19 as follows:
--

Claim 1:
(Currently Amended) A method of detecting a threat against a computer system, the method comprising:
analysing the computer system to find any at least one of applications or services exhibiting common at least one of vulnerability types or misconfigurations known to exist;
monitoring installation and normal operation of such found at least one of applications or services of the analysed computer system that are detected to exhibit said at least one of vulnerability types or misconfigurations;
creating and storing representations of expected behaviors of monitored at least one of applications or services on the basis of the monitoring, comprising maintaining a respective behavior profile for each respective monitored at least one of applications or services, wherein the respective behavior profile identifies, for one or more procedures of the respective monitored at least one of application or services, a respective characteristic action and respective one or more expected actions for each of the respective monitored at least one of application or services;
monitoring the behavior of the computer system to detect the one or more procedures of the monitored at least one of applications or services that do not match the expected behaviors of the respective monitored at least one of applications or services defined in the respective behavior profile; and
upon detection of the one or more procedures not matching the expected behaviors of the monitored at least one of applications or services, identifying said at least one of applications or services as malicious or suspicious.

Claim 4:
4. (Currently Amended)	The method according to claim 1, upon detection of the one or more procedures not matching the expected behaviours, the method further comprises analysing whether the 

Claim 10:
10. (Currently Amended)	A computer system comprising:
	a memory configured to store computer program code, and 
	a processor configured to read and execute computer program code stored in the memory,
	wherein the processor is configured to cause the computer system to perform:
analysing the computer system to find any at least one of applications or services exhibiting common at least one of vulnerability types or misconfigurations known to exist;
monitoring installation and normal operation of such found at least one of applications or services of the analysed computer system that are detected to exhibit said common at least one of vulnerability types or misconfigurations;
creating and storing representations of expected behaviors of the monitored at least one of applications or services on the basis of the monitoring, comprising maintaining a respective behavior profile for each respective monitored at least one of applications or services, wherein the respective behavior profile identifies, for one or more procedures of the respective monitored at least one of applications or services, a respective characteristic action and respective one or more expected actions for each of the monitored at least one of applications or services;
monitoring the behavior of the computer system to detect the one or more procedures of the monitored at least one of applications or services that do not match the expected behaviors of the respective monitored at least one of applications or services defined in the respective behavior profile; and upon detection of the one or more procedures not matching the expected behaviors of the monitored at least one of applications or services, identifying said at least one of applications or services as malicious or suspicious.

Claim 13:
13. (Currently Amended) 	The system according to claim 10, upon detection of the one or more procedures not matching the expected behaviours, the processor is further configured to cause the system to perform analysing whether the 

Claim 19:
19. (Currently Amended)	A non-transitory computer storage medium of a computer system having stored thereon computer program code for implementing
analysing the computer system to find any at least one of applications or services exhibiting common at least one of vulnerability types or misconfigurations known to exist;
monitoring installation and normal operation of such found at least one of applications or services of the analysed computer system that are detected to exhibit said at least one of vulnerability types or misconfigurations;
creating and storing representations of expected behaviors of monitored at least one of applications or services on the basis of the monitoring, comprising maintaining a respective behavior profile for each respective monitored at least one of applications or services, wherein the respective behavior profile identifies, for one or more procedures of the respective monitored at least one of applications or services, a respective characteristic action and 
monitoring the behavior of the computer system to detect the one or more procedures of the monitored at least one of applications or services that do not match the expected behaviors of the respective monitored at least one of applications or services defined in the respective behavior profile; and
upon detection of the one or more procedures not matching the expected behaviors of the respective monitored at least one of applications or services, identifying said at least one of applications or services as malicious or suspicious.


--------------------------------------END OF EXAMINER’S AMENDMENT----------------------------

Allowable Subject Matter
Claims 1-19 are allowed.  
This communication warrants no examiner's reason for allowance, as applicant's reply makes evident the reason for allowance, satisfying the record as a whole as required by rule 37 CFR 1.104(e). In this case, the substance of applicant's remarks in the Amendment/Remarks filed on 03/10/2021 points out the reason the claims are patentable over the prior art of record (see pages 12-20). Further search does not find any better prior art that teaches the claimed limitation of the claims. Thus, the reason for allowance is in all probability evident from the record and no statement for examiner's reason for allowance is necessary.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MENG LI/Primary Examiner, Art Unit 2437