DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/14/2022 has been entered.
This Office action is in response to RCE filed on 01/14/2022.
As per the instant Examiner's Amendment, claims 1, 3-4, 6-7, 11, 13-14, 16-17 and 21 have been amended. Claims 2, 5, 8-9, 12, 15 and 18-19 have been cancelled without prejudice. Claims 22-23 have been added.
Claims 1, 11 and 21 are independent.  
Claims 1, 3-4, 6-7, 10-11, 13-14, 16-17 and 20-23 have been examined and are pending in this application. 
Claims 1, 3-4, 6-7, 10-11, 13-14, 16-17 and 20-23 are allowed.

Examiner Amendments


An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
In an attempt to accelerate the prosecution process, the Examiner contacted the Applicant's representative, Mr. Andrei D. Popovici (Reg. No. 42401), and conducted a telephone interview on 02/15/2022. During the interview, the Examiner proposed an examiner's amendment to the claims with minor amendments for better clarity of the claims' scope and to place the application in condition for allowance. Mr. Andrei D. Popovici (Reg. No. 42401) agreed to and authorized this Examiner's Amendment on 02/15/2022.


Amendments to the Claims:

Please replace claims 1, 6, 11, 16 and 21 as follows:

Claim 1. 	(currently amended) A computer system comprising at least one hardware processor configured to:
in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, select a client cluster from the plurality of client clusters, 
wherein the grouping is determined by analyzing a collection of events having occurred on members of the plurality of client systems to identify client systems having similar behavior;
in response to selecting the client cluster, train a behavior model to encode a baseline behavior collectively characterizing members of the selected client cluster, wherein:
the behavior model comprises an event encoder configured to determine an embedding vector of a selected event of a sequence of events according to a position of the selected event within the sequence of events and further according to at least another event of the sequence of events,
the sequence of events is composed exclusively of events having occurred on members of the selected client cluster and is ordered according to a time of occurrence of each event, and
wherein training the behavior model comprises predicting yet another event of the sequence of events according to the embedding vector and adjusting a parameter of the event encoder according to the prediction; and
in response to training the behavior model, transmit an adjusted value of the parameteremploy the trained behavior model to determine whether a target event occurring on a target client system is indicative of a computer security threat.

Claim 6. 	(currently amended) The computer system of claim 1, wherein:
theof events is divided into a plurality of event categories according to an event context of each of events; and
grouping the plurality of client systems into clusters comprises determining whether a selected client system belongs to the selected client cluster according to a count of events having occurred on the selected client system and belonging to a selected category of the plurality of event categories.

employing at least one hardware processor of a computer system, in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, to select a client cluster from the plurality of client clusters, 
wherein the grouping is determined by analyzing a collection of events having occurred on members of the plurality of client systems to identify client systems having similar behavior;
in response to selecting the client cluster, employing at least one hardware processor of the computer system to train a behavior model to encode a baseline behavior collectively characterizing members of the selected client cluster, wherein:
the behavior model comprises an event encoder configured to determine an embedding vector of a selected event of a sequence of events according to a position of the selected event within the sequence of events and further according to at least another event of the sequence of events,
the sequence of events is composed exclusively of events having occurred on members of the selected client cluster and is ordered according to a time of occurrence of each event, and
wherein training the behavior model comprises predicting yet another event of the sequence of events according to the embedding vector and adjusting a parameter of the event encoder according to the prediction; and
in response to training the behavior model, employing at least one hardware processor of the computer system to transmit an adjusted value of the parameteremploy the trained behavior model to determine whether a target event occurring on a target client system is indicative of a computer security threat.

the of events is divided into a plurality of event categories according to an event context of each event of the of events; and
grouping the plurality of client systems into clusters comprises determining whether a selected client system belongs to the selected client cluster according to a count of events having occurred on the selected client system and belonging to a selected category of the plurality of event categories.


Claim 21. 	(currently amended) A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a computer system, cause the computer system to:
in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, select a client cluster from the plurality of client clusters, 
wherein the grouping is determined by analyzing a collection of events having occurred on members of the plurality of client systems to identify client systems having similar behavior;
in response to selecting the client cluster, train a behavior model to encode a baseline behavior collectively characterizing members of the selected client cluster, wherein:
the behavior model comprises an event encoder configured to determine an embedding vector of a selected event of a sequence of events according to a position of the selected event within the sequence of events and further according to at least another event of the sequence of events,
the sequence of events is composed exclusively of events having occurred on members of the selected client cluster and is ordered according to a time of occurrence of each event, and
wherein training the behavior model comprises predicting yet another event of the sequence of events according to the embedding vector and adjusting a parameter of the event encoder according to the prediction; and
in response to training the behavior model, transmit an adjusted value of the parameteremploy the trained behavior model to determine whether a target event occurring on a target client system is indicative of a computer security threat.

Response to Arguments/Remarks
Claims 1, 3-4, 6-7, 10-11, 13-14, 16-17 and 20-23 are allowed.


Examiner's Statement of Reasons for Allowance
Claims 1, 3-4, 6-7, 10-11, 13-14, 16-17 and 20-23 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus; each client profile groups together clients having similar event statistics. Events detected on a client are selectively analyzed against the client profile associated with the respective client. The claimed system identifies client systems having similar behavior and transmits an adjusted value of the parameter to an anomaly detector configured to employ the trained behavior model to determine whether a target event occurring on a target client system is indicative of a computer security threat.

The closest prior art of record, as previously cited, is Krasser (US 20190026466), Wallace (US 2017037773), Hanis (US 20190340615), Gil (US 20180004961) and Reybok (US 20170171231). Krasser discloses receiving a trial feature vector representing a trial data stream; the control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. Wallace discloses a networked computing environment that initiates each of a plurality of different types of man-in-the-middle detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node; thereafter, it is determined by the first node that at least one of the tests indicates that the communications are likely to have been intercepted by a third node. Hanis discloses a state space representation generated based on a Petri-net model, with an event pattern layer established using event sequence vectors from the state space representation; an aggregator layer is also established. A pattern image is created from the event pattern layer and the aggregator layer while applying iterative clustering on the vectors to combine similarities into patterns, and a risk score is assigned using supervised or unsupervised learning. The same methodology is used to generate a current pattern image for the current events to be analyzed, and the cognitive system provides a current risk score based on the risk scores associated with likely (not necessarily exact) matches from the pattern library. Gil discloses detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network
However, none of Krasser (US 20190026466), Wallace (US 2017037773), Hanis (US 20190340615), Gil (US 20180004961) and Reybok (US 20170171231) teaches or suggests, alone or in combination, the particular combination of steps or elements recited in independent claims 1, 11 and 21. For example, none of the cited prior art teaches or suggests the following steps of claims 1, 11 and 21: in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, select a client cluster from the plurality of client clusters, wherein the grouping is determined by analyzing a collection of events having occurred on members of the plurality of client systems to identify client systems having similar behavior; in response to selecting the client cluster, train a behavior model to encode a baseline behavior collectively characterizing members of the selected client cluster, wherein: the behavior model comprises an event encoder configured to determine an embedding vector of a selected event of a sequence of events according to a position of the selected event within the sequence of events and further according to at least another event of the sequence of events, the sequence of events is composed exclusively of events having occurred on members of the selected client cluster and is ordered according to a time of occurrence of each event, and wherein training the behavior model comprises predicting yet another event of the sequence of events according to the embedding vector and adjusting a parameter of the event encoder according to the prediction; and in response to training the behavior model, transmit an adjusted value of the parameter to an anomaly detector configured to employ the trained behavior model to determine whether a target event occurring on a target client system is indicative of a computer security threat.
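As an added worked example (not code from the application, the applicant or the examiner), the following Python sketch carries the steps recited above through on constructed telemetry: clients are grouped into clusters by per-category event counts (a small k-means), a behavior model is trained on the time-ordered event stream of one cluster only, with an event encoder whose embedding of an event depends on its position and on the preceding event and whose parameters are adjusted by next-event prediction, and the trained model then scores a target event on a member client. The event types, the client patterns, the additive embedding tables, the linear softmax head and the threshold rule (largest surprise on the training stream) are all assumptions of this example; the application as reproduced here does not specify them.

```python
"""Cluster-baseline next-event model: an added illustration of the allowed claims'
steps, not the applicant's or examiner's code; telemetry and model are constructed."""
import math
import random
from collections import Counter

# Constructed event vocabulary, categories and per-role patterns (assumptions).
CATEGORY = {"net_accept": "net", "net_send": "net", "proc_spawn": "proc",
            "file_read": "file", "file_write": "file"}
SERVER_PATTERN = ["net_accept", "proc_spawn", "file_read", "proc_spawn", "net_send"]
WORKSTATION_PATTERN = ["proc_spawn", "file_write", "file_read", "file_write", "net_send"]

# Two servers and two workstations, six pattern cycles each, in separate time slots.
CORPUS = [(cl, t0 + i, pat[i % len(pat)]) for cl, pat, t0 in
          (("s1", SERVER_PATTERN, 0), ("s2", SERVER_PATTERN, 100),
           ("w1", WORKSTATION_PATTERN, 200), ("w2", WORKSTATION_PATTERN, 300)) for i in range(30)]


def cluster_clients(events, k=2, rounds=10):
    """Cluster membership indicator: k-means over per-category event counts per client."""
    cats = sorted(set(CATEGORY.values()))
    counts = {}
    for client, _, etype in events:
        counts.setdefault(client, Counter())[CATEGORY[etype]] += 1
    vecs = {c: [counts[c][cat] for cat in cats] for c in sorted(counts)}
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    centroids = [vecs[next(iter(vecs))]]
    while len(centroids) < k:  # farthest-point seeding keeps the grouping reproducible
        centroids.append(vecs[max(vecs, key=lambda c: min(dist(vecs[c], m) for m in centroids))])
    for _ in range(rounds):
        member = {c: min(range(k), key=lambda i: dist(vecs[c], centroids[i])) for c in vecs}
        for i in range(k):
            group = [vecs[c] for c in vecs if member[c] == i]
            if group:
                centroids[i] = [sum(col) / len(group) for col in zip(*group)]
    return member


class EventEncoder:
    """Embedding of event i = identity + position + previous-event tables (the claimed
    dependence on position and on another event); a linear softmax head predicts event i+1."""

    def __init__(self, vocab, dim=8, max_pos=16, seed=1):
        rng = random.Random(seed)
        self.idx = {e: i for i, e in enumerate(["<unk>"] + sorted(vocab))}
        table = lambda rows, cols: [[rng.uniform(-0.1, 0.1) for _ in range(cols)] for _ in range(rows)]
        self.E, self.C = table(len(self.idx), dim), table(len(self.idx), dim)
        self.P, self.V, self.dim = table(max_pos, dim), table(dim, len(self.idx)), dim

    def embed(self, seq, i):
        e = self.idx.get(seq[i], 0)                       # unseen event types map to <unk>
        c = self.idx.get(seq[i - 1], 0) if i > 0 else e  # context: the preceding event
        p = min(i, len(self.P) - 1)                       # position within the sequence
        return [self.E[e][k] + self.C[c][k] + self.P[p][k] for k in range(self.dim)], (e, c, p)

    def probs(self, emb):
        logits = [sum(emb[k] * self.V[k][v] for k in range(self.dim)) for v in range(len(self.idx))]
        z = [math.exp(l - max(logits)) for l in logits]
        return [x / sum(z) for x in z]

    def surprise(self, seq, i):
        # -log p(seq[i+1] | embedding of seq[i]), in nats
        return -math.log(self.probs(self.embed(seq, i)[0])[self.idx.get(seq[i + 1], 0)])

    def train(self, seq, epochs=200, lr=0.1):
        for _ in range(epochs):
            for i in range(len(seq) - 1):
                emb, (e, c, p) = self.embed(seq, i)
                grad = self.probs(emb)
                grad[self.idx.get(seq[i + 1], 0)] -= 1.0  # softmax cross-entropy: d loss / d logits
                demb = [sum(self.V[k][v] * grad[v] for v in range(len(grad))) for k in range(self.dim)]
                for k in range(self.dim):
                    for v in range(len(grad)):
                        self.V[k][v] -= lr * emb[k] * grad[v]
                    for tbl, row in ((self.E, e), (self.C, c), (self.P, p)):
                        tbl[row][k] -= lr * demb[k]  # adjust the encoder parameters per the prediction


def train_cluster_model(events, membership, cluster_id):
    """Train on the time-ordered events of the selected cluster only; the threshold is
    the largest surprise the model shows on its own training stream."""
    stream = [et for cl, _, et in sorted(events, key=lambda r: r[1]) if membership[cl] == cluster_id]
    model = EventEncoder({et for _, _, et in events})
    model.train(stream)
    return model, max(model.surprise(stream, i) for i in range(len(stream) - 1))


def is_threat(model, threshold, window):
    # window: recent events on the target client, ending with the target event
    return model.surprise(window, len(window) - 2) > threshold


def demo():
    membership = cluster_clients(CORPUS)
    model, threshold = train_cluster_model(CORPUS, membership, membership["s1"])
    recent = SERVER_PATTERN * 2  # constructed: the last ten events seen on server s1
    return {"membership": membership,
            "normal": is_threat(model, threshold, recent + ["net_accept"]),
            "peer_only_event": is_threat(model, threshold, recent + ["file_write"]),
            "unknown_event": is_threat(model, threshold, recent + ["kernel_module_load"])}


if __name__ == "__main__":
    print(demo())
```

Running demo() groups the two servers apart from the two workstations, accepts the next in-pattern server event, and flags both a workstation-only event type and an event type never seen anywhere as above threshold. Two caveats a practitioner would check before relying on such a baseline: the threshold here is the maximum training surprise, so a contaminated training stream raises the bar and hides threats of the same kind, and the single <unk> token makes every unseen event type look alike, so the detector should log the raw event type beside the score.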

Therefore, the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  



/C.W./
Examiner, Art Unit 2439 


/JAHANGIR KABIR/Primary Examiner, Art Unit 2439