DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see applicant’s remarks, filed 05/19/2022, with respect to claims 1-4 and 6-20 have been fully considered and are persuasive. The rejection of previous office action has been withdrawn.
Allowable Subject Matter
Claims 1-4 and 6-20 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:  
Regarding claims 1 and 11 and their respective dependents, the art of record either alone or in combination fails to particularly disclose or suggest the claim limitation “acquiring a first plurality of snapshots for the a first instance group that comprises a plurality of host instances that share one or more security behaviors, wherein each snapshot represents a current operational state of a different host instance included in the plurality of host instances; performing one or more clustering operations based on the first plurality of snapshots to generate a first plurality of clusters; and determining that a first host instance included in the first instance group is operating in an anomalous fashion based on a first cluster included in the first plurality of clusters that is associated with fewer host instances than at least a second cluster included in the first plurality of clusters.”
As to the art of record, Park et al. reference discloses the concept of a system to monitor and detect unauthorized control commands for control devices. However, Park et al. does not teach with respect to the entire or combination claim limitation of “acquiring a first plurality of snapshots for the a first instance group that comprises a plurality of host instances that share one or more security behaviors, wherein each snapshot represents a current operational state of a different host instance included in the plurality of host instances; performing one or more clustering operations based on the first plurality of snapshots to generate a first plurality of clusters; and determining that a first host instance included in the first instance group is operating in an anomalous fashion based on a first cluster included in the first plurality of clusters that is associated with fewer host instances than at least a second cluster included in the first plurality of clusters.”
As to the art of record, Sridhara et al. reference discloses the concept of identifying malicious behavior attack in a network. However, Sridhara et al. does not teach with respect to the entire or combination claim limitation “acquiring a first plurality of snapshots for the a first instance group that comprises a plurality of host instances that share one or more security behaviors, wherein each snapshot represents a current operational state of a different host instance included in the plurality of host instances; performing one or more clustering operations based on the first plurality of snapshots to generate a first plurality of clusters; and determining that a first host instance included in the first instance group is operating in an anomalous fashion based on a first cluster included in the first plurality of clusters that is associated with fewer host instances than at least a second cluster included in the first plurality of clusters.”
As to the art of record, Bhogal et al. reference discloses the concept of monitoring virus infection in the social groups in the network. However, Bhogal et al. does not teach with respect to the entire or combination claim limitation “acquiring a first plurality of snapshots for the a first instance group that comprises a plurality of host instances that share one or more security behaviors, wherein each snapshot represents a current operational state of a different host instance included in the plurality of host instances; performing one or more clustering operations based on the first plurality of snapshots to generate a first plurality of clusters; and determining that a first host instance included in the first instance group is operating in an anomalous fashion based on a first cluster included in the first plurality of clusters that is associated with fewer host instances than at least a second cluster included in the first plurality of clusters.”
As to the art of record, Ayyagari et al. reference discloses the concept of classifying user’s computer security behaviors in the network. However, Ayyagari et al. does not teach with respect to the entire or combination claim limitation “performing one or more clustering operations based on the first plurality of snapshots to generate a first plurality of clusters; and determining that a first host instance included in the first instance group is operating in an anomalous fashion based on a first cluster included in the first plurality of clusters that is associated with fewer host instances than at least a second cluster included in the first plurality of clusters.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CAI Y CHEN whose telephone number is (571)270-5679. The examiner can normally be reached 8:30 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Pendleton can be reached on 571-272-7527. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CAI Y CHEN/ Primary Examiner, Art Unit 2425