DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This action is responsive to an amendment filed on 2/14/2022.

3.	The IDS submitted on 2/14/2022 has been considered. 

Examiner’s Amendment
4.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in a telephonic interview with Applicants' representative, Eric Sophir (Reg. No. 48,499) on 5/10/2022.

5.	The following listing of claims replaces all prior versions and listings of claims in the application:
1.	(Currently Amended) A computer-implemented method, comprising:
generating, by a server, kernel level feature vectors of system call hierarchy during testing phase of a computing system;
training, by the server, a machine-learning model based upon the kernel level feature vectors for the machine-learning model to learn a normal behavior of the computing system;
retrieving, by the server, a first set of system calls of a first sub-system of the computing system during runtime of the computing system;
retrieving, by the server, a second set of system calls of a second sub-system of the computing system during runtime of the computing system;
executing, by the server, the machine-learning model on the first and the second sets of system calls to compare the runtime behavior of the computing system with the normal behavior; and
in response to the server determining that the runtime behavior deviates from the normal behavior over a predetermined threshold, instructing, by the server, the computing system to execute one or more mitigation instructions,
wherein the one or more mitigation instructions comprises 
2.	(Currently Amended) The computer-implemented method of claim 1, wherein the kernel level feature vectors [[comprises]] comprise normal behavior features of both software and hardware components of the computing system.
3.	(Original) The computer-implemented method of claim 1, further comprising:
retrieving, by the server, the first and the second sets of system calls based on system call interception using dynamic kernel trace points.
4.	(Original) The computer-implemented method of claim 1, further comprising:
combining, by the server, the first and the second sets of system calls across sub-systems to generate an entire system call hierarchy.
5.	(Original) The computer-implemented method of claim 1, further comprising:
training, by the server, the machine-learning model based on a convolutional neural network.
6.	(Canceled)
7.	(Original) The computer-implemented method of claim 1, further comprising:
automatically evaluating, by the server, a risk for each system call within the first and the second sets of system calls; and
determining, by the server, a weight value for each system call based on the corresponding risk.
8.	(Original) The computer-implemented method of claim 1, further comprising:
determining, by the server, the one or more mitigation instructions for anomalous system behavior based on a weight value of the system call associated with the anomalous system behavior.
9.	(Original) The computer-implemented method of claim 1, further comprising:
applying, by the server, a hybrid approach of rules combined with machine-learning model on the first and the second sets of system calls.
10.	(Original) The computer-implemented method of claim 1, further comprising:
determining, by the server, that the runtime behavior deviates from the normal behavior based on a hierarchical risk model comprising an attack tree.
11.	(Currently Amended) A computer system comprising:
a computing system comprising a first sub-system and a second sub-system;
a server in communication with the computing system and having a processor comprising instructions that when executed by the processor are configured to:
	generate kernel level feature vectors of system call hierarchy during testing phase of the computing system;
	train a machine-learning model based upon the kernel level feature vectors for the machine-learning model to learn a normal behavior of the computing system;
	retrieve a first set of system calls of the first sub-system of the computing system during runtime of the computing system;
	retrieve a second set of system calls of the second sub-system of the computing system during runtime of the computing system;
	execute the machine-learning model on the first and the second sets of system calls to compare the runtime behavior of the computing system with the normal behavior; and
	in response to determining that the runtime behavior deviates from the normal behavior over a predetermined threshold, instruct the computing system to execute one or more mitigation instructions,
wherein the one or more mitigation instructions comprises 
12.	(Currently Amended) The computer system of claim 11, wherein the kernel level feature vectors [[comprises]] comprise normal behavior features of both software and hardware components of the computing system.
13.	(Original) The computer system of claim 11, wherein the server is further configured to:
retrieve the first and the second sets of system calls based on system call interception using dynamic kernel trace points.
14.	(Original) The computer system of claim 11, wherein the server is further configured to:
combine the first and the second sets of system calls across sub-systems to generate an entire system call hierarchy.
15.	(Original) The computer system of claim 11, wherein the server is further configured to:
train the machine-learning model based on a convolutional neural network.
16.	(Canceled)
17.	(Original) The computer system of claim 11, wherein the server is further configured to:
automatically evaluate a risk for each system call within the first and the second sets of system calls; and
determine a weight value for each system call based on the corresponding risk.
18.	(Original) The computer system of claim 11, wherein the server is further configured to:
determine the one or more mitigation instructions for anomalous system behavior based on a weight value of the system call associated with the anomalous system behavior.
19.	(Original) The computer system of claim 11, wherein the server is further configured to:
apply a hybrid approach of rules combined with machine-learning model on the first and the second sets of system calls.
20.	(Original) The computer system of claim 11, wherein the server is further configured to:
determine that the runtime behavior deviates from the normal behavior based on a hierarchical risk model comprising an attack tree.
Allowable Subject Matter

6.	Claims 1-5, 7-15 and 17-20 are allowed. No reason for allowance is needed as the record is clear in light of applicant's arguments and specification.

7.	According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”

8.	As allowable subject matter has been indicated, applicant’s reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433