Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are pending, and claims 1, 9 and 17 have been amended.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 09-09-2021 has been considered. Please see attached PTO-1449. 
EXAMINER’S AMENDMENT
1.	The application has been amended as follows: 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant’s attorney Lynne Wang (Reg. No. 74,876),  on 11-18-2021.

Claims are amended as follows:
1.	(Currently Amended) A computing system comprising:
one or more processors; and
one or more computer-readable storage media having thereon computer-executable instructions that are structured such that, when executed by the one or more processors, configure the computing system to:
access a set of one or more patterns of malicious behaviors associated with a first set of anomalies found in data collected from a plurality of data sources, the set of one or more patterns 
for each first entity associated with at least one anomaly in the first set of anomalies, 
determining if the at least one anomaly associated with the first entity is indicative of a pattern of malicious behavior; and 
in response to determining that the at least one anomaly associated with the first entity is indicative of a pattern of malicious behavior, determining that the entity is a malicious entity;
search data subsequently collected from the plurality of data sources to identify a second set of anomalies; and
for each second entity associated with at least one anomaly in the second set of anomalies, 
determine if the at least one anomaly associated with the second entity corresponds to a pattern of malicious behavior in the set of one or more patterns of malicious behaviors determined by the prior analysis; and
in response to determining that the at least one anomaly associated with the second entity corresponds to the pattern of malicious behavior in the set of one or more patterns of malicious behavior, determine that the second entity is a new malicious entity; and 
generate one or more alerts on any portion of the subsequently collected data that is associated with at least one malicious entity. 

9.	(Currently Amended) A method for using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data, the method comprising:

for each first entity associated with at least one anomaly in the first set of anomalies, 
determining if the at least one anomaly associated with the first entity is indicative of a pattern of malicious behavior; and 
in response to determining that the at least one anomaly associated with the entity is indicative of a pattern of malicious behavior, determining that the first entity is a malicious entity;
searching data subsequently collected from the plurality of data sources to identify a second set of anomalies; and
for each second entity associated with at least one anomaly in the second set of anomalies, 
determining if the at least one anomaly associated with the second entity corresponds to a pattern of malicious behavior in the set of one or more patterns of malicious behaviors determined by the prior analysis; and
in response to determining that the at least one anomaly associated with the second entity corresponds to the pattern of malicious behavior in the set of one or more patterns of malicious behavior, determining that the second entity is a new malicious entity; and 
generating one or more alerts on any portion of the subsequently collected data that is associated with at least one malicious entity.

17.	(Currently Amended) A computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause the computing system to perform at least:
access a set of one or more patterns of malicious behaviors associated with a first set of anomalies found in data collected from a plurality of data sources, the set of one or more patterns of malicious 
for each first entity associated with at least one anomaly in the first set of anomalies, 
determining if the at least one anomaly associated with the first entity is indicative of a pattern of malicious behavior; and 
in response to determining that the at least one anomaly associated with the first entity is indicative of a pattern of malicious behavior, determining that the entity is a malicious entity;
search data subsequently collected from the plurality of data sources to identity a second set of anomalies; and
for each second entity associated with at least one anomaly in the second set of anomalies, 
determine if the at least one anomaly associated with the second entity corresponds to a pattern of malicious behavior in the set of one or more patterns of malicious behaviors determined by the prior analysis; and
in response to determining that the at least one anomaly associated with the second entity corresponds to the pattern of malicious behavior in the set of one or more patterns of malicious behavior, determine that the second entity is a new malicious entity; and 
generating one or more alerts on any portion of the subsequently collected data that is associated with at least one malicious entity.
Allowable Subject Matter
Claims 1-20 are allowed. 
The following is an examiner’s statement of reasons for allowance:
This communication warrants No Examiner's Reason for Allowance, applicant's reply of 11-04-2021 makes evident the reasons for allowance, satisfying the "record as a whole" proviso of the rule 37 CFR 1.104(e). Specifically, applicant's arguments filed on 11-04-2021 are persuasive, as such the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437