Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/06/2021 has been entered.

Examiner’s Note
On December 8, Examiner contacted applicant's representative, Thomas Ham, Registration No. 43654, and received approval to correct claim 19 to depend from claim 16 instead of claim 17 which has been canceled, and also for claim 8, to change "for method" to "for a method". See Examiner's Amendment below.

Examiner’s Amendment
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given via telephone conversation from Attorney Thomas Ham (Reg. No. 43654) on December 8, 2021.

The application has been amended as follows:

Amendments to the Claims:
This listing of claims will replace prior versions, and listings, of claims in the application:
Listing of Claims: 

8. (currently amended) A non-transitory computer-readable storage medium containing program instructions for a method for protecting a host computer in a computer network from security threats, wherein execution of the program instructions by one or more processors of a computer system causes the one or more processors to perform steps comprising: 

collecting local security-relevant data of the host computer, wherein the local security-relevant data includes system events of applications running in the host computer and network traffic associated with the host computer; 

downloading global security-relevant data for other components in the computer network from a security information plane system to the host computer, wherein the global security-relevant data includes application related information from other host computers in the computer network;

analyzing the local security-relevant data, by an application behavior classifier running in the host computer, without using the global security-relevant data to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior and determine a security threat to the host computer when the local security-relevant data is categorized as being out of the bounds of expected application behavior;

in response to a determination that the local security-relevant data is categorized as being out of the bounds of expected application behavior, determining whether the security 
issuing a security alert when the security threat is determined to be a legitimate threat; and

initiating an action in response to the security alert of the security threat, wherein the action includes quarantining or shutting down an application at risk.


19. (currently amended) The system of claim 16


Response to Amendment
This communication is in response to the RCE and amendment filed on 10/06/2021. The Examiner acknowledges amended claims 1-3, 5-6, 8-10, 12-13, 15-16, and 18-19. Claims 4, 7, 11, 14, 17, and 20 have been canceled. Claims 1-3, 5-6, 8-10, 12-13, 15-16, and 18-19 are pending and claims 1-3, 5-6, 8-10, 12-13, 15-16, and 18-19 are allowed. Claims 1, 8, and 15 are independent.

The rejection(s) of claims under 35 U.S.C. § 101 are withdrawn in view of Applicant's amendments.
The objections to the claims have been withdrawn in view of Applicant’s amendments.

Claims 8 and 19 have been amended with this Examiner’s amendment.
Applicant's arguments/amendments have been fully considered and are persuasive.
	
		
Response to Arguments
Applicant's arguments filed 10/06/2021 have been fully considered and are persuasive. The rejections of claims 1-3, 5-6, 8-10, 12-13, 15-16, and 18-19 have been withdrawn in view of the applicant’s amendment and persuasive arguments.

Allowable Subject Matter
Claims 1-3, 5-6, 8-10, 12-13, 15-16, and 18-19 are allowed.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

The prior art of record (in particular, Wilhelm et al. U.S. Patent No. 8925088 (hereinafter “Wilhelm”) in view of Granstedt et al. U.S. Publication 20100319069 (hereinafter “Granstedt”), further in view of Canzanese et al. U.S. Publication 20150295945 (hereinafter “Canzanese”), Suarez et al. U.S. Patent No. 10782990 (hereinafter “Suarez”), and Gantman et al. U.S. Publication 20160285897 (hereinafter “Gantman”)) does not expressly disclose all the limitations recited in independent claim(s) and the combination of their features thereon. With respect to independent claim 1, the closest prior art does not disclose at least the following limitations in the recited context:

downloading global security-relevant data for other components in the computer network from a security information plane system to the host computer, wherein the global security-relevant data includes application related information from other host computers in the computer network;

analyzing the local security-relevant data, by an application behavior classifier running in the host computer, without using the global security-relevant data to categorize the local security-relevant data as being one of within bounds of expected application behavior and out of the bounds of expected application behavior and determine a security threat to the host computer when the local security-relevant data is categorized as being out of the bounds of expected application behavior;

in response to a determination that the local security-relevant data is categorized as being out of the bounds of expected application behavior, determining whether the security threat is a legitimate threat or a false-positive threat, by a resolution agent running in the host computer, using the global security-relevant data downloaded from the security information plane system;

Rather, Wilhelm discloses a server distributing global first appearance information to a client, comparing an appearance date for locally detected malware against a global first appearance date, and detecting a potential false positive [Wilhelm, 8:60-89, 8:56-9:1, 8:10-30]. 
However, Wilhelm does not disclose at least the features of claim 1 quoted above.  
To this, Granstedt adds disabling or otherwise neutralizing the device that is used to attack or infiltrate a network, or report information to authorities [Granstedt, para. 30]. Canzanese adds monitoring feature data to detect whether changes occurred, detecting malware with behavior similar to known malware, and reducing global false alarms by resuming normal operation if no global decision is made in a fixed time window after a local detector indicates positive detection [Canzanese, para. 15, 82, 91, 109, 110]. Suarez adds a software agent may be launched to execute in a container and container instances may be virtual machines [Suarez, 5:26-53, 4:43-47, 7:35-44]. Gantman adds determining whether a software application is non-benign in response to determining the observed behavior of the software application is not within the range of expected behavior [Gantman, para. 6].
However, the combination of Wilhelm, Granstedt, Canzanese, Suarez, and Gantman does not teach at least the features of claim 1 quoted above.
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.

For the reasons described above, the prior art of record does not disclose, with respect to independent claim 1, features corresponding to those of independent claim 1 in their respective contexts. Therefore, independent claim 1 is allowed. Claims 8 and 15 recite features analogous to the features of claim 1 and are also allowed for the reasons indicated with respect to claim 1.
Dependent claims 2-3, 5-6, 9-10, 12-13, 16, and 18-19 are allowed in view of their respective dependence from independent claim(s) 1, 8, and 15.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036. The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HOWARD H. LOUIE/Examiner, Art Unit 2494

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494