DETAILED ACTION
The Amendment filed on January 13th, 2021 has been entered and made of record.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. John P. Wagner on April 8th, 2021. During the telephone conference, Mr. Wagner has agreed and authorized the Examiner to amend claims 1-2 & 7-8.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Examiner’s Amendment
An Examiner’s Amendment to the record appears below. Should the changes and/or additions be unacceptable to the Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Claims
Replacing claims 1-2 & 7-8 as following:
Claim 1: (Currently Amended) A computer-implemented method, performed within an enterprise application operating in a virtualized environment, for collecting process data characterizing processes and connections of a virtual machine using an application-protector agent installed in said virtual machine, said computer-implemented method comprising:

extracting, by said application-protector agent, first feature vectors from the process data;
grouping, by said application-protector agent, the feature vectors to define or redefine non-anomalous clusters of feature vectors, wherein the non-anomalous clusters include respective centroids, each centroid associating with each of the plural process features a true value or a false value;
collecting, by said application-protector agent, next process data describing application processes;
extracting, by said application-protector agent, next feature vectors from the next process data;
determining, by said application-protector agent, whether or not a next feature vector is within at least one of the non-anomalous clusters; and
in response to a determination, by said application-protector agent, that the next feature vector is not within at least one of the non-anomalous clusters.

Claim 2: (Currently Amended) The method of claim 1 wherein: 
each feature represents a respective process instance, each feature vector associating with each of plural process features a true value or a false value, each true value 


Claim 7: (Currently Amended) A system including an enterprise application operating in a virtualized environment, for collecting process data characterizing processes and connections of a virtual machine using an application-protector agent installed in said virtual machine, said system further comprising non-transitory media encoded with code that, when executed by a processor, implements a method including:
collecting, by said application-protector agent, first said process data describing application processes of said virtual machine, said application-protector agent installed in said virtual machine;
extracting, by said application-protector agent, first feature vectors from the process data;
grouping, by said application-protector agent, the feature vectors to define or redefine non-anomalous clusters of feature vectors, wherein the non-anomalous clusters include respective centroids, each centroid associating with each of the plural process features a true value or a false value;
collecting, by said application-protector agent, next process data describing application processes;

determining, by said application-protector agent, whether or not a next feature vector is within at least one of the non-anomalous clusters; and
in response to a determination, by said application-protector agent, that the next feature vector is not within at least one of the non-anomalous clusters.

Claim 8: (Currently Amended) The system of claim 7 wherein:
each feature represents a respective process instance, each feature vector associating with each of plural process features a true value or a false value, each true value indicating that the respective process data indicates that the respective feature has been present in the respective process instance, each false value indicating that the respective process data indicates that the respective feature has not been present in the respective process instance


Examiner’s Statement of reason for Allowance
Claims 1-12 are allowed.
The following is an examiner’s statement of reasons for allowance:
“collecting, by said application-protector agent, first said process data describing application processes of said virtual machine, said application-protector agent installed in said virtual machine; extracting, by said application-protector agent, first feature vectors from the process data; grouping, by said application-protector agent, the feature vectors to define or redefine non-anomalous clusters of feature vectors, wherein the non-anomalous clusters include respective centroids, each centroid associating with each of the plural process features a true value or a false value; collecting, by said application-protector agent, next process data describing application processes; extracting, by said application-protector agent, next feature vectors from the next process data; determining, by said application-protector agent, whether or not a next feature vector is within at least one of the non-anomalous clusters; and issuing an alert in response to a determination, by said application-protector agent, that the next feature vector is not within at least one of the non-anomalous clusters.” Therefore, the claims are allowable over the cited prior arts.
Claims 2-6 & 8-12 are allowed because of their dependence from independent claims 1 & 7.

           
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087.  The examiner can normally be reached on 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 






/KHOI V LE/
Primary Examiner, Art Unit 2436