DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. 15/484,830, filed on April 11, 2017.

Information Disclosure Statement
	The information disclosure statements filed January 7, 2021, March 18, 2021,
June 29, 2021 and March 11, 2022 have been placed in the application file and the
information referred to therein has been considered as to the merits.

Allowable Subject Matter
Claims 1-20 are allowed.

EXAMINER’S STATEMENT OF REASONS FOR ALLOWANCE
	Regarding the claimed terms, the Examiner notes that a “general term must be understood in the context in which the inventor presents it.” In re Glaug, 263 F.3d 1335, 1340, 62 USPQ2d 1151, 1154 (Fed. Cir. 2002). Therefore the Examiner must interpret the claimed terms as found in the specification of the instant application. Clearly almost all the general terms in the claims may have multiple meanings. So where a claim term “is susceptible to various meanings, ... the inventor's lexicography must prevail ...” Id. Using these definitions for the claims, the claimed invention was not reasonably found in the prior art.
	Prior art US 20780046800 (Aoki et al.) taught a detection device that generates an
event sequence from events that are acquired for each of identifiers that distinguish
among terminals in a monitoring target network or pieces of malware, by taking into
account an order of occurrence of the events. The detection device retrieves events that
commonly occur in event sequences belonging to a same cluster among clusters
including event sequences with similarities at a predetermined level or higher, and
extracts, as a detection event sequence, a representative event sequence based on a
relationship between events that have high occurrence rates in similar common event
sequences. The detection device detects a malware infected terminal in the monitoring
target network based on whether the event sequence generated based on a
communication in the monitoring target network and the extracted detection event
sequence match each other.
	Prior art US 20140283067 (Call et al.) taught a computer-implemented method
for identifying abnormal computer behavior data that characterizes subsets of particular
document object models for web pages rendered by particular client computers;
identifying clusters from the data that characterize the subsets of the particular
document object models; and using the clusters to identify alien content on the
particular client computers.
	Prior art US 20780075038 (Azvine et al.) taught a method for partitioning a
plurality of entities each associated with a plurality of ordered sequences of events
received by a computer system, the method including: defining a minimal directed
acyclic graph data structure representing the sequences of events to define a plurality of
categories of behavior of the entities; defining a threshold degree of similarity; defining a
relation for each entity including a degree of association of the entity with each of the
categories; defining a cluster of entities as a set of entities comprising a first entity;
comparing a relation for the first entity with a relation for a second entity to define a
Jaccard similarity coefficient for the first and second entities; and responsive to the
coefficient meeting the threshold degree of similarity, adding the second entity to the
cluster.
	Prior art US 8,949,931 (Ermagan et al.) taught a method for obtaining network
traces from a distributed application, analyzing the network traces to extract the
application role, detecting security breaches and determining anomalies in traffic based
thereon.
	For independent claim 1,
	Since no prior art was found to teach: “recording a sequence of events causally relating the number of computing objects at the set of logical locations, wherein the sequence of events spans multiple devices including at least the first endpoint and the second endpoint; creating an event graph spanning multiple devices based on the sequence of events; applying a malware detection rule for tracking malicious software movement through a network to the event graph; evaluating a security state of the first endpoint based on the event graph and the malware detection rule; and initiating remediation of the first endpoint in response to a change in the security state indicating a presence of malware on the first endpoint” as it pertains to the other portions of the claim as a whole, in a manner that would motivate a person of ordinary skill in the art before the effective filing date of the invention to combine it as an obvious inclusion, the examiner found the invention as claimed to be allowable and allowed it to be patented.
	For independent claims 4 and 19, the claims recite essentially similar
limitations as in claim 1.
	For dependent claims 2-3, 5-18, and 20, the claims are allowed due to their
dependency on allowable independent claims 1, 4, and 19.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW B SMITHERS whose telephone number is (571)272-3876. The examiner can normally be reached 8:00-4:00 (Teleworking).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MATTHEW SMITHERS/
Primary Examiner
Art Unit 2437