DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status
Claims 21-26, 28-33, and 35-40 are allowed in this Office action.

Terminal Disclaimer
The terminal disclaimer filed on December 3, 2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of Pat. No. US 10489375 has been reviewed and is accepted. The terminal disclaimer has been recorded.

Examiner’s Amendment
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to the Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this instant Examiner’s amendment was given in a telephonic communication (see attached Interview Summary) from Applicant’s representative Mr. Robert Kowert on December 3, 2021.
The claims are amended as presented below and will replace all previous versions of claims:
Claims 1-20. (Canceled)
Claim 21. (Currently Amended) A system, comprising: 
one or more processors and one or more memories to store computer-executable instructions that, when executed, cause the one or more processors to: 
generate a plurality of patterns to match respective ones of [[a]] the plurality of predefined data values that correspond to respective types of data to be detected, wherein the plurality of predefined data values were injected into a plurality of services; 
cause a plurality of service requests or responses to be generated among the plurality of services, wherein the plurality of services are configured to compare the plurality of service requests or responses to the plurality of patterns; 
receive, from the plurality of services, data indicative of one or more data flows of the one or more predefined data values between the plurality of services; 
receive, from the plurality of services, additional data indicative of one or more additional data flows of the one or more predefined data values between the plurality of services; 
detect one or more changes among the plurality of services based at least in part on a comparison of the one or more data flows to the one or more additional data flows; and
generate a notification or an alarm based on the detected one or more changes among the plurality of services.  
Claim 22. (Previously Presented) The system as recited in claim 21, wherein the one or more additional data flows represent a different time window than the one or more data flows.  
Claim 23. (Previously Presented) The system as recited in claim 21, wherein the one or more additional data flows represent a different execution environment than the one or more data flows.  
Claim 24. (Previously Presented) The system as recited in claim 21, wherein the one or more data flows are represented using a first call graph, and wherein the one or more additional data flows are represented using a second call graph.  
Claim 25. (Previously Presented) The system as recited in claim 24, wherein the one or more changes among the plurality of services are represented using a call graph delta between the first call graph and the second call graph.  
Claim 26. (Previously Presented) The system as recited in claim 24, wherein the one or more changes among the plurality of services correspond to one or more nodes in the first call graph or second call graph, and wherein the one or more nodes in the first call graph or second call graph are highlighted in a report.  
Claim 27. (Canceled)
Claim 28. (Currently Amended) A method, comprising: 
generating a plurality of patterns to match respective ones of [[a]] the plurality of predefined data values that correspond to respective types of data to be detected, wherein the plurality of predefined data values were injected into a plurality of services; 
causing a plurality of service requests or responses to be generated among the plurality of services, wherein the plurality of services are configured to compare the plurality of service requests or responses to the plurality of patterns; 
receiving, from the plurality of services, data indicative of one or more data flows of the one or more predefined data values between the plurality of services; 
receiving, from the plurality of services, additional data indicative of one or more additional data flows of the one or more predefined data values between the plurality of services; 
detecting one or more changes among the plurality of services based at least in part on a comparison of the one or more data flows to the one or more additional data flows; and
generating a notification or an alarm based on the detected one or more changes among the plurality of services.
Claim 29. (Previously Presented) The method as recited in claim 28, wherein the one or more additional data flows represent a different time window than the one or more data flows.  
Claim 30. (Previously Presented) The method as recited in claim 28, wherein the one or more additional data flows represent a different execution environment than the one or more data flows.  
Claim 31. (Previously Presented) The method as recited in claim 28, wherein the one or more data flows are represented using a first call graph, and wherein the one or more additional data flows are represented using a second call graph.  
Claim 32. (Previously Presented) The method as recited in claim 31, wherein the one or more changes among the plurality of services are represented using a call graph delta between the first call graph and the second call graph.  
Claim 33. (Previously Presented) The method as recited in claim 31, wherein the one or more changes among the plurality of services correspond to one or more nodes in the first call graph or second call graph, and wherein the one or more nodes in the first call graph or second call graph are highlighted in a report.  
Claim 34. (Canceled)
Claim 35. (Currently Amended) One or more non-transitory computer-readable storage media storing program instructions that, when executed on or across one or more processors, perform: 
generating a plurality of patterns to match respective ones of [[a]] the plurality of predefined data values that correspond to respective types of data to be detected, wherein the plurality of predefined data values were injected into a plurality of services; 
causing a plurality of service requests or responses to be generated among the plurality of services, wherein the plurality of services are configured to compare the plurality of service requests or responses to the plurality of patterns; 
receiving, from the plurality of services, data indicative of one or more data flows of the one or more predefined data values between the plurality of services; 
receiving, from the plurality of services, additional data indicative of one or more additional data flows of the one or more predefined data values between the plurality of services; 
detecting one or more changes among the plurality of services based at least in part on a comparison of the one or more data flows to the one or more additional data flows; and
generating a notification or an alarm based on to the detected one or more changes among the plurality of services.  
Claim 36. (Previously Presented) The one or more non-transitory computer-readable storage media as recited in claim 35, wherein the one or more additional data flows represent a different time window than the one or more data flows.  
Claim 37. (Previously Presented) The one or more non-transitory computer-readable storage media as recited in claim 35, wherein the one or more additional data flows represent a different execution environment than the one or more data flows.  
Claim 38. (Previously Presented) The one or more non-transitory computer-readable storage media as recited in claim 35, wherein the one or more data flows are represented using a first call graph, and wherein the one or more additional data flows are represented using a second call graph.  
Claim 39. (Previously Presented) The one or more non-transitory computer-readable storage media as recited in claim 38, wherein the one or more changes among the plurality of services are represented using a call graph delta between the first call graph and the second call graph.  
Claim 40. (Previously Presented) The one or more non-transitory computer-readable storage media as recited in claim 38, wherein the one or more changes among the plurality of services correspond to one or more nodes in the first call graph or second call graph, and wherein the one or more nodes in the first call graph or second call graph are highlighted in a report.

Summary of Related Prior Arts
The prior arts on record are summarized as follows:
i)	Andrade et al. (Pub. No. US 2011/0239048) teaches partial fault tolerant stream processing applications. A partial fault tolerance is implemented in a stream processing application comprising a plurality of stream operators includes: defining a quality score function that expresses how well the application is performing quantitatively, injecting a fault into at least one of the plurality of operators, assessing an impact of the fault on the quality score function, and selecting at least one partial fault-tolerant technique for implementation in the application based on the quantitative metric-driven assessment.
ii)	Parcel (Pub. No. US 2014/0259173) teaches assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device.
iii)	Blackwell (Pub. No. US 2012/0210428) teaches detecting possible security intrusions in a computer network. The security intrusion detection may be based on analyzing patterns of how transactions flow through one or more software applications. For example, patterns of transaction flows are determined for an initial time period to establish a baseline of normal flow patterns. These normal flow patterns may be compared with patterns for transaction flows for a later time period. Deviations in the patterns of transaction flow may indicate a possible security intrusion. 
iv)	Ding et al. (Pub. No. US 2010/0100774) teaches non-faulty application traces of a computer application with the runtime environment during fault-free activities to create non-faulty runtime signatures for the computer application. Once obtained, the method stores the non-faulty runtime signatures. A faulty application is detected trace of the computer application and compares the faulty application trace with the non-faulty runtime signatures by comparing a call graph of the faulty application trace with call graphs of non-faulty application traces of the application signatures to identify differences between the two (e.g., fault attributes). Then the invention outputs the fault attributes to allow the user to identify a fault cause.
v)	Kapoor et al. (Pub. No. US 2012/0240185) teaches a flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security.


vi)	Leavy et al. (Pat. No. US 7,185,232) teaches testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. A feedback is received from the target to determine fault occurrence. A target is tested in a network by fault injection, includes: a driver configured to generate patterns, where a pattern can generate a plurality of packets for transmission to the target, the pattern being represented by an expression with a literal string and a wild character class; and a network interface coupled to the driver and configured to transmit and receive network traffic.
vii)	Wechter et al. (Pub. No. US 2004/0172467) teaches a file finder module  can inject the corresponding device records or device list contents into a discovery data flow, for example a discovery data flow of the module, to initially guide or seed the network topology discovery operation. For example, a Layer 2 discovery add-on mechanism to the NNM can cause the NNM to provide a device list or file to the file finder module, which then injects the information into the discovery data flow. This information can be used as a starting point for the network topology discovery operation.





Reasons for Allowance
The following is an examiner's statement of reasons for allowance of Claims 21-26, 28-33, and 35-40:
In interpreting the claims discussed in the interview dated 3 December 2021, the prosecution histories of the instant application and all related applications associated with the Terminal Disclaimer above, and the available prior art, the Examiner finds the claimed invention to be patentably distinct from the prior art of records. Specifically, the prior art of records, individually or in combination, fail to explicitly teach, suggest or render obvious the claimed invention as recited in independent claims 21, 28, and 35.
Other dependent claims are also allowed based on their dependencies on claims 21, 28, and 35.
Any comments considered necessary by the Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

          /SON T HOANG/Primary Examiner, Art Unit 2169                                                                                                                                                                                                                 December 3, 2021