DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the RCE filed on 02/03/2022.
Claims 1-4, 6-12 and 14-18 are currently pending in this application. Claims 1-3, 6, 9-11, 14 and 16-18 have been amended.
No new IDS has been filed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/03/2022 has been entered.

Allowable Subject Matter
Claims 1-4, 6-12 and 14-18 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Regarding independent claims 1, 9 and 17,

Turgeman et al. (US 2015/0213246 A1) teaches a method and system for detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device interacts and communicates with a server of a computerized service (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. User Interface (UI) interferences are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user to the interferences. The system determines whether the user is a legitimate human user, or a cyber attacker posing as the legitimate human user. The system displays gauges indicating cyber fraud scores or cyber-attack threat-levels. The system extrapolates from observed fraud incidents and utilizes a rules engine to automatically search for similar fraud events and to automatically detect fraud events or cyber-attackers – see figures 1, 2; the abstract; paras. [0014], [0034], [0035]-[0043], [0049]-[0057] of Turgeman.

Monastyrsky et al. (US 2018/0365419 A1) teaches a system and method for detecting anomalous events occurring in an operating system of a computing device. The method includes detecting an event that occurs in the operating system of the computing device during execution of a software process, and determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. The method further includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event – see abstract, figs. 2, 4; paras. [0008]-[0012] and [0015] of Monastyrsky.

Thorley et al. (US 2012/0216278 A1) teaches a method and system using a designated known secure computer for real time classification of change events in a computer integrity system. The known secure computer, having only inbound connection, is dedicated for providing permissible change events, which are compared with change events generated on client operational computers. An alert is generated when the change event at the client operational computer and the respective permissible change event provided by the known secure computer mismatch - see figs. 2a, 8c, 9; abstract, paras. [0014]-[0017] and [0023]-[0032] of Thorley.

However, the prior art of record does not teach or render obvious the limitations, specifically and in combination with the other limitations, of claims 1, 9 or 17 in a method, server or medium for:
collecting a plurality of events from applications or processes executed by a first endpoint, wherein the collected plurality of events identify attributes of procedures comprising:
establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations; and process/threat creation; and
the collected plurality of events comprise:
creating and modifying system files and settings, installing, updating and removing system components, modifying other applications, registering application automatic start launch points, requesting user elevation (UAC), creating system files, creating and modifying user files, running other processes, loading of specific modules by application, receiving data from specific remote host computers, downloading files, and opening a local server,
wherein the attributes identify characteristic actions and expected actions of the procedures;
detecting a security threat of the collected plurality of events; and searching matching events of the collected plurality of events from one or more further endpoints, wherein a matching event comprises at least one attribute of the attributes.

Dependent claims 2-4, 6-8, 10-12, 14-16 and 18 are allowed as they depend from allowable independent claim 1 or 9.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic 






/MAUNG T LWIN/Primary Examiner, Art Unit 2495