DETAILED ACTION
In reply to applicant communications filed on March 07, 2019 and telephonic interview made on November 05, 2021, claims 1-4, 6-14 and 16-20 have been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 5 and 15 have been cancelled.
Claims 1-4, 6-14 and 16-20 are pending. 


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant representative, Mark K. Young (Reg. No. 38,666). 

Please replace the claim set filed on March 07, 2019 with the following claim set:

1. 	(Currently amended) A computing device configured to implement attack surface reduction (ASR) cluster adaptation for a group of machine endpoints utilized by users, each of the endpoints performing code execution that supports a plurality of different features, comprising:
	one or more processors; and
	at least one hardware-based non-transitory computer-readable memory having computer-executable instructions stored thereon which, when executed by the one or more processors, cause the computing device to

	track a history of exclusion events describing features that are excluded on one or more of the endpoints;
	receive user-initiated events describing requests from one or more of the users for exceptions to features that are excluded on one or more of the endpoints; and
	apply one or more ASR rules from the set based on the tracked history of exclusion events and user-initiated events to perform ASR clustering of the endpoints in which clustered endpoints share common characteristics,
	wherein the adaptation comprises endpoint to cluster adaptation in which an endpoint becomes a member of an existing cluster, cluster to cluster adaptation in which existing clusters are merged, and endpoint to new cluster adaptation in which an endpoint becomes a member of a new cluster.

2.	(Original) The computing device of claim 1 in which the exclusion events are associated with one or more ASR rules that are excluded at respective endpoints.

3.	(Original) The computing device of claim 1 in which the common characteristics comprise one of enabled feature, excluded feature, or excluded file. 

4.	(Original) The computing device of claim 1 in which the instructions further cause the computing device to dynamically perform adaptation of clusters in response to changes in characteristics of the endpoints.

5.	(Cancelled) 

6.	(Currently amended) The computing device of claim [[5]] 1 in which the instructions further cause the computing device to determine endpoint and cluster affinity and adaptation is performed in response to the determination.

7.	(Original) The computing device of claim 1 in which the ASR rules provide for a set of exclusions and the exclusions are normalized based on a size of the exclusion set.

8.	(Currently amended) A method for adaptation of attack surface reduction (ASR) clusters of endpoints in an organization that supports a computing environment, comprising:
	tracking events that occur in the computing environment including exclusion history events and user requested events;
	implementing an initial clustering of endpoints in which each endpoint is placed into a single ASR cluster;
	determining affinity of endpoints and ASR clusters;
	joining the single ASR clusters into a group of ASR clusters based on endpoint and cluster affinity;
	placing the grouped ASR clusters into a vertical hierarchy comprising layers, in which a bottom of the hierarchy comprises clusters each having a single endpoint, and a top of the hierarchy comprises a single ASR cluster having all the endpoints, in which the hierarchy identifies multiple sets of potential ASR clusters for adaptation;
	selecting ASR clusters from one of the layers in the hierarchy to form a working ASR cluster set; and
	dynamically adapting the ASR clusters in the working set according to exclusion history events and user requested events,
	wherein the hierarchy is configured so that the ASR cluster at the top of the hierarchy provides for minimized business impact on the organization and the ASR cluster at the bottom of the hierarchy provides for maximum security.

9.	(Original) The method of claim 8 in which endpoint and clustering affinity is determined using a clustering algorithm that identifies centroids each having a minimal set of distances between points of interest in a cluster.

10.	(Original) The method of claim 9 in which the clustering algorithm comprises one of hierarchical agglomerative clustering, K-Means, expectation-maximization (EM) clustering, affinity clustering, or penalty score determination that is based on differential ASR rule settings among endpoints.

11.	(Original) The method of claim 8 in which each of the endpoints represents one of machine or user.

12.	(Original) The method of claim 8 in which the exclusion history events are based on files or services that are permitted in endpoints in one cluster while blocked in endpoints in another cluster.

13.	(Original) The method of claim 8 in which the user requested events comprise requests from users for exclusions or exceptions.

14.	(Original) The method of claim 8 in which the adaptation is dynamically performed in response to changes in characteristics of an endpoint, the characteristics including one of user role change, application update, or new application release.

15. 	(Cancelled).	

16.	(Currently amended) One or more hardware-based non-transitory computer readable memory devices storing computer-executable instructions which, upon execution by one or more processors in a computing device, cause the computing device to:
	apply attack surface reduction (ASR) rules to manage membership of one or more endpoints in a group of ASR clusters in which endpoints in an ASR cluster share common characteristics;
	monitor changes in endpoint characteristics based on exclusion events for service and file usage occurring in the endpoints; 
	monitor changes in user requests for exclusions or exceptions to service and file usage at the endpoints; and
	in response to the monitored changes in endpoint characteristics and user requests, apply the ASR rules to perform adaptation of , 
	wherein the adaptation comprises endpoint to cluster adaptation in which an endpoint becomes a member of an existing cluster, cluster to cluster adaptation in which existing clusters are merged, and endpoint to new cluster adaptation in which an endpoint becomes a member of a new cluster.

17.	(Original) The one or more hardware-based non-transitory computer-readable memory devices of claim 16 in which the instructions further cause the computing device to queue the exclusion events and user requests for review by a human administrator. 

18.	(Original) The one or more hardware-based non-transitory computer-readable memory devices of claim 16 in which the instructions further cause the computing device to manage membership of the endpoints so that the group of ASR clusters does not exceed a predetermined number.

19.	(Original) The one or more hardware-based non-transitory computer-readable memory devices of claim 16 in which the instructions further cause the computing device to perform the adaptation in view of input parameters comprising user role changes, application updates, and introduction of new applications into an organization that supports the endpoints.

20.	(Original) The one or more hardware-based non-transitory computer-readable memory devices of claim 16 in which the instructions further cause the computing device to perform the adaptation in response to endpoint and cluster affinity that is determined using vector orthogonality in an n-dimensional binary space.
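
The layered clustering recited in claims 8, 18 and 20, sketched as an added example that is not part of the office action or the application. It assumes cosine similarity between binary exclusion vectors as the affinity measure (zero when the vectors are orthogonal), takes a cluster's exclusion set to be the union of its members' exclusions, and uses constructed endpoint names, rule labels and a 0.5 threshold.

```python
from itertools import combinations
from math import sqrt

# Constructed sample: endpoint -> set of ASR rule labels excluded on that endpoint.
ENDPOINTS = {
    "fin-01": {"block_office_macros", "block_child_procs"},
    "fin-02": {"block_office_macros"},
    "dev-01": {"block_script_exec", "block_unsigned_usb"},
    "dev-02": {"block_script_exec"},
    "kiosk-01": set(),
}

def affinity(a, b):
    """Cosine similarity of two binary exclusion vectors held as sets (assumed measure)."""
    if not a or not b:
        return 1.0 if a == b else 0.0
    return len(a & b) / sqrt(len(a) * len(b))

def build_hierarchy(endpoints):
    """Return layers from bottom (one endpoint per cluster) to top (one cluster)."""
    layer = [(frozenset([n]), frozenset(x)) for n, x in sorted(endpoints.items())]
    layers = [layer]
    while len(layer) > 1:
        # Merge the pair with the highest affinity; ties resolve to the first pair.
        i, j = max(combinations(range(len(layer)), 2),
                   key=lambda p: affinity(layer[p[0]][1], layer[p[1]][1]))
        merged = (layer[i][0] | layer[j][0], layer[i][1] | layer[j][1])
        layer = [c for k, c in enumerate(layer) if k not in (i, j)] + [merged]
        layers.append(layer)
    return layers

def select_layer(layers, max_clusters):
    """Pick the lowest (most restrictive) layer that fits the cluster budget."""
    return next(layer for layer in layers if len(layer) <= max_clusters)

def adapt(working, name, exclusions, threshold=0.5):
    """Place an endpoint in its best-matching cluster, or open a new cluster."""
    x = frozenset(exclusions)
    best = max(working, key=lambda c: affinity(c[1], x))
    if affinity(best[1], x) < threshold:
        return working + [(frozenset([name]), x)], "endpoint-to-new-cluster"
    joined = (best[0] | {name}, best[1] | x)
    return [joined if c is best else c for c in working], "endpoint-to-cluster"
```

Each merge widens the exclusion set applied to the merged members, which is why the single top cluster carries the most exclusions and the bottom layer the fewest.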

Allowable Subject Matter
Claims 1-4, 6-14 and 16-20 are allowed. The following is an examiner’s statement of reasons for allowance: 
	The primary reason for allowance of claim 1 is the combined limitations of providing a set of ASR rules that are applicable to the endpoints to perform clustering; tracking a history of exclusion events describing features that are excluded on one or more of the endpoints; receiving user-initiated events describing requests from one or more of the users for exceptions to features that are excluded on one or more of the endpoints; and applying one or more ASR rules from the set based on the tracked history of exclusion events and user-initiated events to perform ASR clustering of the endpoints in which clustered endpoints share common characteristics, wherein the adaptation comprises endpoint to cluster adaptation in which an endpoint becomes a member of an existing cluster, cluster to cluster adaptation in which existing clusters are merged, and endpoint to new cluster adaptation in which an endpoint becomes a member of a new cluster.
	The primary reason for allowance of claim 8 is the combined limitations of tracking events that occur in the computing environment including exclusion history events and user requested events; implementing an initial clustering of endpoints in which each endpoint is placed into a single ASR cluster; determining affinity of endpoints and ASR clusters; joining the single ASR clusters into a group of ASR clusters based on endpoint and cluster affinity; placing the grouped ASR clusters into a vertical hierarchy comprising layers, in which a bottom of the hierarchy comprises clusters each having a single endpoint, and a top of the hierarchy comprises a single ASR cluster having all the endpoints, in which the hierarchy identifies multiple sets of potential ASR clusters for adaptation; selecting ASR clusters from one of the layers in the hierarchy to form a working ASR cluster set; and dynamically adapting the ASR clusters in the working set according to exclusion history events and user requested events, wherein the hierarchy is configured so that the ASR cluster at the top of the hierarchy provides for minimized business impact on the organization and the ASR cluster at the bottom of the hierarchy provides for maximum security.
	The primary reason for allowance of claim 16 is the combined limitations of applying attack surface reduction (ASR) rules to manage membership of one or more endpoints in a group of ASR 
The prior art disclosed by Apparao (US Pub. No. 2011/0099602) is found to be the closest prior art to the claimed features of the invention. Apparao discloses a system and method for managing adaptive security zones in complex business operations comprising a rules engine adapted to receive events from a plurality of event sources. However, the cited art, alone or in combination with other art, fails to teach the limitations of the above independent claims. The dependent claims are allowable by virtue of their dependency on the allowed independent claims. Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/TESHOME HAILU/Primary Examiner, Art Unit 2434