Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Mohammad Zaryab on July 21, 2022.

The application has been amended as follows: 
Claims

Claim 1. “A method for detecting a behavioral anomaly in an application, the method comprising: retrieving historical usage information for an application on a computing device; identifying at least one key metric from the historical usage information; generating a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving usage information in real-time for the application; predicting, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting the behavioral anomaly; and generating, for output on the computing device, an alert indicative of the behavioral anomaly.” 
	Should be:
	“A method for detecting a behavioral anomaly in an application, the method comprising: retrieving, by a security application, historical usage information for an application on a computing device; identifying, by the security application, at least one key metric from the historical usage information; generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving, by the security application, usage information in real-time for the application; predicting, using the regression model of the security application, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model of the security application whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting, by the security application, the behavioral anomaly; and generating, by the security application for output on the computing device, an alert indicative of the behavioral anomaly.”

Claim 9. “A system for detecting a behavioral anomaly in an application, the system comprising: a hardware processor configured to: retrieve historical usage information for an application on a computing device; identify at least one key metric from the historical usage information; generate a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generate a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receive usage information in real-time for the application; predict, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determine via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detect the behavioral anomaly; and generate, for output on the computing device, an alert indicative of the behavioral anomaly.”
	Should be:
“A system for detecting a behavioral anomaly in an application, the system comprising: a hardware processor configured to execute a security application, wherein the security application is configured to: retrieve historical usage information for an application on a computing device; identify at least one key metric from the historical usage information; generate a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generate a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receive usage information in real-time for the application; predict, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determine via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detect the behavioral anomaly; and generate, for output on the computing device,  an alert indicative of the behavioral anomaly.”

Claim 17. “A non-transitory computer readable storage medium storing thereon computer executable instructions for detecting a behavioral anomaly in an application, including instructions for: retrieving historical usage information for an application on a computing device; identifying at least one key metric from the historical usage information; generating a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving usage information in real-time for the application; predicting, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting the behavioral anomaly; and generating, for output on the computing device, an alert indicative of the behavioral anomaly.”
	Should be:
	“A non-transitory computer readable storage medium storing thereon computer executable instructions for detecting a behavioral anomaly in an application, including instructions for: retrieving, by a security application, historical usage information for an application on a computing device; identifying, by the security application, at least one key metric from the historical usage information; generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving, by the security application, usage information in real-time for the application; predicting, using the regression model of the security application, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model of the security application whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting, by the security application, the behavioral anomaly; and generating, by the security application for output on the computing device, an alert indicative of the behavioral anomaly.”

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of claims 1-8 is the inclusion of the following limitations: ‘generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving, by the security application, usage information in real-time for the application; predicting, using the regression model of the security application, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model of the security application whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting, by the security application, the behavioral anomaly’.
The primary reason for the allowance of claims 9-16 is the inclusion of the following limitations: ‘generate a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generate a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receive usage information in real-time for the application; predict, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determine via the statistical model whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detect the behavioral anomaly’.
The primary reason for the allowance of claims 17-20 is the inclusion of the following limitations: ‘generating, by the security application, a regression model configured to predict usage behavior associated with the application based on data associated with the at least one key metric; generating, by the security application, a statistical model configured to identify outliers in the data associated with the at least one key metric; subsequent to generating the regression model and the statistical model, receiving, by the security application, usage information in real-time for the application; predicting, using the regression model of the security application, a usage pattern for the application indicating expected values of the at least one key metric; in response to determining that the usage information received in real-time does not correspond to the predicted usage pattern, determining via the statistical model of the security application whether the usage information comprises a known outlier; in response to determining that the usage information does not comprise the known outlier, detecting, by the security application, the behavioral anomaly’.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Yolanda L Wilson whose telephone number is (571)272-3653. The examiner can normally be reached M-F (7:30 am - 4 pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on 571-272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Yolanda L Wilson/Primary Examiner, Art Unit 2113