DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment and communication filed on 05/27/2021.
Claims 1-3, 5-10, 12-14, 16-21 and 23-27 have been examined and are pending in this application. Claims 1, 12 and 23 are independent.
Claims 1-3, 5-10, 12-14, 16-21 and 23-27 are allowed.

Examiner Amendments

An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
In an attempt to accelerate prosecution, the Examiner contacted the Applicant's representative, Mr. Andrei D. Popovici (Reg. No. 42401), and conducted a telephone interview on 09/02/2021. During the interview, the Examiner proposed an examiner's amendment to the claims with some minor amendments for better clarity of the claims' scope, and for putting the application in condition for allowance.
Authorization for this Examiner's Amendment was given in a telephone interview with Applicant's representative Mr. Andrei D. Popovici (Reg. No 42401) on 09/02/2021.


Claims

Please replace all claims as follows:

Claim 1. (currently amended) A server computer system comprising at least one hardware processor configured to:
in response to an occurrence of a target event on a target client system, the target event selected from a group consisting of a launch of a process and an attempt to access a file, determine according to the target event whether the target client system comprises malicious software; and 
in response to a determination that the target client system comprises malicious software, perform a security action to protect the target client system;
wherein determining whether the target client system comprises malicious software comprises: 
determining an event context of the target event, the event context comprising a set of events having occurred on the target client system prior to the target event and another set of events having occurred on the client system following the target event,
selecting a client profile from a plurality of pre-determined client profiles according to the target event, the selected client profile characterizing a baseline behavior of a selected cluster of client systems,
in response to selecting the client profile, employing a behavior model specific to the selected client profile to determine a plurality of prediction scores according to the event context, each score of the plurality of prediction scores determined for a distinct event type and indicative of a likelihood that an event of the distinct event type would occur in the event context for the selected client profile,
selecting, from the plurality of prediction scores, a score determined for an event type of the target event, and
comparing the selected score to a pre-determined threshold; and
wherein a composition of the selected cluster of client systems is determined by analyzing a collection of events having occurred on a plurality of client systems to determine which of the plurality of client systems show similar behavior.

Claim 2. (previously presented) The computer system of claim 1, wherein determining whether the target client system comprises malicious software comprises: 
when the selected score indicates that the target event is likely to occur in the event context, determining that the target client system does not comprise malicious software; and
when the selected score indicates that the target event is not likely to occur in the event context, determining that the target client system comprises malicious software.

Claim 3. (previously presented) The computer system of claim 1, wherein determining whether the target client system comprises malicious software comprises: 
determining a predicted event according to the plurality of prediction scores;
comparing the predicted event to the target event; and
in response, determining whether the target client system comprises malicious software according to a result of the comparison.

Claim 4. (cancelled).

Claim 5. (previously presented) The computer system of claim 1, wherein: 
the behavior model comprises an event encoder configured to determine a set of coordinates indicative of a position of the target event in an event embedding space; and 
the hardware processor is further configured to determine whether the target client system comprises malicious software according to the position.

Claim 6. (previously presented) The computer system of claim 1, wherein determining the composition of the selected cluster of client systems comprises: 
constructing a plurality of event categories according to whether a selected event of the collection of events occurs in a selected context of other events of the collection of events; 
in response to constructing the plurality of event categories, deciding whether each client system belongs to the selected cluster of client systems according to an event profile of the each client system, the event profile determined according to a count of events occurring on the each client system and belonging to a selected event category of the plurality of event categories.


Claim 7. (previously presented) The computer system of claim 1, wherein training the behavior model comprises:
assembling a training sequence of events having a training central event and a training event context, wherein each member of the training sequence is selected from the collection of events according to whether the each member has occurred on a member of the selected cluster of client systems;
employing the behavior model, in response to receiving the training event context of the training sequence, to produce a training prediction indicative of a likelihood that the training central event belongs to the training sequence; and
adjusting a set of parameter values of the behavior model according to the training prediction.

Claim 8. (previously presented) The computer system of claim 1, further configured to select the client profile according to whether the target client system is a member of the selected cluster.

Claim 9. (previously presented) The computer system of claim 1, wherein selecting the client profile comprises: 
determining a set of coordinates indicating a position of the target client system in a multidimensional embedding space; 
in response, selecting a target cluster of the plurality of clusters according to the set of coordinates; and 
selecting the client profile according to the target cluster.



Claim 11. (cancelled).

Claim 12. (currently amended) A computer-implemented method comprising: 
in response to an occurrence of a target event on a target client system, the target event selected from a group consisting of a launch of a process and an attempt to access a file, employing at least one hardware processor of a computer system in determining according to the target event, whether the target client system comprises malicious software; and 
in response to a determination that the target client system comprises malicious software, performing a security action to protect the target client system; 
wherein determining whether the target client system comprises malicious software comprises: 
determining an event context of the target event, the event context comprising a set of events having occurred on the target client system prior to the target event and another set of events having occurred on the client system following the target event,[[;]] 
selecting a client profile from a plurality of pre-determined client profiles according to the target event, the selected client profile characterizing a baseline behavior of a selected cluster of client systems,[[;]] 
employing a behavior model specific to the selected client profile to determine a plurality of prediction scores according to the event context, each score of the plurality of prediction scores determined for a distinct event type and indicative of a likelihood that an event of the distinct event type would occur in the event context for the selected client profile,[[;]] 
selecting, from the plurality of prediction scores, a score determined for an event type of the target event,[[;]] and 
comparing the selected score to a pre-determined threshold; and 
wherein a composition of the selected cluster of client systems is determined by analyzing a collection of events having occurred on a plurality of client systems to determine which of the plurality of client systems show similar behavior.

Claim 13. (previously presented) The method of claim 12, wherein determining whether the target client system comprises malicious software comprises: 
when the selected score indicates that the target event is likely to occur in the event context, determining that the target client system does not comprise malicious software; and 
when the selected score indicates that the target event is not likely to occur in the event context, determining that the target client system comprises malicious software.


Claim 14. (previously presented) The method of claim 12, wherein determining whether the target client system comprises malicious software comprises:
determining a predicted event according to the plurality of prediction scores;
comparing the predicted event to the target event; and
in response, determining whether the target client system comprises malicious software according to a result of the comparison.

Claim 15. (cancelled).

Claim 16. (previously presented) The method of claim 12, wherein: 
the behavior model comprises an event encoder configured to determine a set of coordinates indicative of a position of the target event in an event embedding space; and 
the at least one hardware processor is further configured to determine whether the target client system comprises malicious software according to the position.

Claim 17. (previously presented) The method of claim 12, wherein determining the composition of the selected cluster of client systems comprises: 
constructing a plurality of event categories according to whether a selected event of the collection of events occurs in a selected context of other events of the collection of events; 
in response to constructing the plurality of event categories, deciding whether each client system belongs to the selected cluster of client systems according to an event profile of the each client system, the event profile determined according to a count of events occurring on the each client system and belonging to a selected event category of the plurality of event categories.

Claim 18. (previously presented) The method of claim 12, wherein training the behavior model comprises: 
assembling a training sequence of events having a training central event and a training event context, wherein each member of the training sequence is selected from the collection of events according to whether the each member has occurred on a member of the selected cluster of client systems; 
employing the behavior model, in response to receiving the training event context of the training sequence, to produce a training prediction indicative of a likelihood that the training central event belongs to the training sequence; and 
adjusting a set of parameters of the behavior model according to the training prediction.

Claim 19. (previously presented) The method of claim 12, further comprising selecting the client profile according to whether the target client system is a member of the selected cluster.

Claim 20. (previously presented) The method of claim 12, wherein selecting the client profile comprises: 
determining a set of coordinates indicating a position of the target client system in a multidimensional embedding space; 
in response, selecting a target cluster of the plurality of clusters according to the set of coordinates; and 
selecting the client profile according to the target cluster.



Claim 22. (cancelled).

Claim 23. (currently amended) A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a computer system, cause the computer system to:
in response to an occurrence of a target event on a target client system, the target event selected from a group consisting of a launch of a process and an attempt to access a file, determine according to the target event whether the target client system comprises malicious software; and 
in response to a determination that the target client system comprises malicious software, perform a security action to protect the target client system; 
wherein determining whether the target client system comprises malicious software comprises: 
determining an event context of the target event, the event context comprising a set of events having occurred on the target client system prior to the target event and another set of events having occurred on the client system following the target event,
selecting a client profile from a plurality of pre-determined client profiles according to the target event, the selected client profile characterizing a baseline behavior of a selected cluster of client systems,
employing a behavior model specific to the client profile to determine a plurality of prediction scores according to the event context, each score of the plurality of prediction scores determined for a distinct event type and indicative of a likelihood that an event of the distinct event type would occur in the event context for the selected client profile,
selecting, from the plurality of prediction scores, a score determined for an event type of the target event, and
comparing the selected score to a predetermined threshold; and
wherein a composition of the selected cluster of client systems is determined by analyzing a collection of events having occurred on a plurality of client systems to determine which of the plurality of client systems show similar behavior.

Claim 24. (previously presented) The computer system of claim 1, wherein the at least one hardware processor is configured to select the client profile further according to a current user of the target client system.

Claim 25. (previously presented) The method of claim 12, wherein the at least one hardware processor is configured to select the client profile further according to a current user of the target client system.

Claim 26. (previously presented) The computer system of claim 1, wherein the event context of the target event comprises an attempt by the target client system to access a selected network location.



Response to Arguments/Remarks
Claims 1-3, 5-10, 12-14, 16-21 and 23-27 are allowed.

Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
The present invention is a behavioral computer security system that protects clients and networks against threats such as malicious software and intrusion. It selects a client profile, determines a prediction score, and compares the selected score to a pre-determined threshold. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior.
The closest prior art, as previously recited, are Zoldi (US 20170140384), Gil (US 20180004961), Hanis (US 20190340615) in which, Zoldi discloses based on an event sequence of the real-time transactions, the n-grams providing a probability based on a specific sequence of behavioral events and their likelihood, and in which high probability n-grams represent typical behaviors of customers in a same peer group, and low probability n-grams represent rare event sequences and increased risk. Gil discloses detecting and assessing security risks in an enterprise's computer network. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's 
However, none of Zoldi (US 20170140384), Gil (US 20180004961) and Hanis (US 20190340615) teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent Claim 1 and similarly Claim 12 and Claim 23. For example, none of the cited prior art teaches or suggests the steps of Claim 1 and similarly Claim 12 and Claim 23: in response to an occurrence of a target event on a target client system, the target event selected from a group consisting of a launch of a process and an attempt to access a file, determine according to the target event whether the target client system comprises malicious software; and in response to a determination that the target client system comprises malicious software, perform a security action to protect the target client system; wherein determining whether the target client system comprises malicious software comprises: determining an event context of the target event, the event context comprising a set of events having occurred on the target client system prior to the target event and another set of events having occurred on the client system following the target event, selecting a client profile from a plurality of pre-determined client profiles according to the target event, the selected client profile characterizing a baseline behavior of a selected cluster of client systems, in response to selecting the client profile, employing a behavior model specific to the selected client profile to determine a plurality of prediction scores according to the event context, each score of the plurality of prediction scores determined for a distinct event type and indicative of a likelihood that an event of the distinct event type would occur in the event context for the selected client profile, selecting, from the plurality of prediction scores, a score determined for an event type of the target event, and comparing the selected score to a pre-determined threshold; and wherein a composition of the selected cluster of client systems is determined by analyzing a collection of events having occurred on a plurality of client systems to determine which of the plurality of client systems show similar behavior.

Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	

	/C.W./Examiner, Art Unit 2439      


	/JAHANGIR KABIR/Primary Examiner, Art Unit 2439