DETAILED ACTION
In reply to applicant's communications filed on August 12, 2022 and the telephonic interview held on August 26, 2022, claims 1-2, 4-13, and 15-20 have been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 3 and 14 have been cancelled.
Claims 1-2, 4-13, and 15-20 are pending.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant representative, Sangki Park (Reg. No. 77,261). 

Please amend the following to the claim set filed on August 12, 2022:


1. (Currently Amended) A method for analyzing a security threat, the method comprising: 
	storing a plurality of candidate security packages in a central server; 
	identifying a network host being affected by a potential security threat; 
	based on the identification, transmitting to the identified network host a request for host information about the identified network host, and receiving from the identified network host the host information;
selecting, based on the host information, a security package from the candidate security packages, the security package configured for the identified network host and formatted to be executable on the identified network host; 
transmitting the security package from the central server to the network host, the security package executed on the network host and configured to cause the network host to collect forensic information from a plurality of forensic data sources of the network host while permitting for the network host to run tasks thereon, wherein the collected forensic information is usable by a security computing device to determine whether the potential security threat is an actual security threat, the security computing device being remote from the central server and the identified network host; 
retrieving the forensic information from the network host; and
outputting the forensic information to the security computing device, wherein the forensic information is usable to mitigate the actual security threat on the network host,
wherein the plurality of candidate security packages is designed to mitigate security threats on affected network hosts, and isolate the affected network hosts from other network hosts in a network. 

2. (Original)	The method of claim 1, further comprising:
	updating, using the central server, the plurality of candidate security packages in the central server. 

3. (Cancelled)	 

4. (Original)	The method of claim 1, further comprising: 
	processing, using the central server, the forensic information to generate formatted data, the formatted data being used for security analysis. 

5. (Original)	The method of claim 4, wherein the formatted data include a tabular data format. 

6. (Original)	The method of claim 1, wherein the security package is configured as a self-contained, single executable file. 

7. (Original)	The method of claim 1, wherein the security package is configured to create a log file based on the forensic information. 

8. (Original)	The method of claim 1, wherein at least some of the plurality of forensic data sources provide redundant forensic information. 

9. (Original)	The method of claim 1, wherein the forensic information includes one or more of system logs, window events, firewall logs, SEP logs, driver logs, memory logs, and registry on the network host. 

10. (Original)	The method of claim 1, wherein the security package is configured to cause the network host to be isolated from other network resources. 

11. (Original)	The method of claim 1, wherein the security package is configured to dissolve after the forensic information is collected from the plurality of forensic data sources of the network host. 

12. (Original)	The method of claim 1, wherein the security package is configured to perform at least one of collecting a file, hashing a file, deleting a file, and creating a memory dump. 

13. (Currently Amended) A method of identifying a security threat, the method comprising: 
	running a plurality of processes using a network host; 
based on a potential security threat being identified at the network host, receiving, at the network host, a request for host information about the network host and sending, from the network host to a central server, the host information; 
	receiving, using the network host and based on the host information, a security package from a central server, the security package configured for the network host and formatted to be executable on the network host; and
	executing, using the network host, the security package to cause the network host to perform:	
	 	stopping one or more of the running processes on the network host, the one or more of the running processes being determined based on a security rule; 
		permitting for the other running processes to continue to run on the network host; 
		collecting forensic data from a plurality of forensic data sources associated with the other running processes, the plurality of forensic data providing data that are at least partially redundant, wherein the collected forensic data is usable to determine whether the potential security threat is an actual security threat; 
		creating a log file from the forensic data; and
		transmitting the log file to the central server,
wherein the security package further causes the network host to perform: 
	collecting a file from the network host and sending the file to the central server; 
	hashing a file on the network host; and
	deleting a file from the network host. 

14. (Cancelled)	 

15. (Original)	The method of claim 13, wherein the security package further causes the network host to perform: 
	creating a memory dump on the network host. 

16. (Original)	The method of claim 13, wherein the forensic data sources include running processes, files being used, incoming and outgoing network traffics, and open ports. 

17. (Original) 	The method of claim 13, wherein the security package further causes the network host to perform: 
	dissolving the security package from the network host. 

18. (Original)	The method of claim 13, wherein the security package is configured as a self-contained, single executable file. 

19. (Original)	The method of claim 13, wherein the security package is stored and managed in the central server before deployed to the network host. 

20. (Currently Amended) A non-transitory computer-readable medium having stored therein a program for causing a network host to execute a process of identifying a security threat on the network host, the process comprising:
based on a potential security threat being identified at the network host, receiving a request for host information about the network host and sending, to a central server, the host information; 
receiving, based on the host information, a security package from a central server, the security package configured for the network host and formatted to be executable on the network host;
stopping one or more of running processes on the network host, the one or more of running processes being determined based on a security rule; 
	permitting for the other running processes to continue to run on the network host; 
	collecting forensic data from a plurality of forensic data sources associated with the other running processes, the plurality of forensic data providing data that are at least partially redundant, wherein the collected forensic data is usable to determine whether the potential security threat is an actual security threat; 
	creating a log file from the forensic data; and 
transmitting the log file to a central server,
wherein the security package further causes the network host to perform: 
	collecting a file from the network host and sending the file to the central server; 
	hashing a file on the network host; and
	deleting a file from the network host.
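The workflow recited in claims 1, 13 and 20 (host information sent to a central server, a host-specific package selected from a catalogue of candidates, processes stopped under a security rule while the others keep running, forensic data collected from partly redundant sources into a log file, a collected file hashed, and the log returned to the server) is modelled below as a small Python example added here for illustration. It is not the applicant's implementation; the package names, the stop rule, the port data and the host details are all constructed for the example.

```python
"""Toy model of the claimed server/host exchange. Example code written for
this page; not the applicant's software. All data below is constructed."""
import hashlib
import json
from dataclasses import dataclass

# Constructed catalogue: (os_family, arch) -> package filename.
# The names are placeholders, not the applicant's packages.
CANDIDATE_PACKAGES = {
    ("windows", "x86_64"): "collect_win64.exe",
    ("windows", "arm64"): "collect_winarm64.exe",
    ("linux", "x86_64"): "collect_linux64.bin",
}

# Constructed security rule: process names the package stops; all others keep running.
STOP_RULE = frozenset({"suspicious.exe", "dropper.exe"})


@dataclass
class HostInfo:
    """Host information the server requests before choosing a package."""
    hostname: str
    os_family: str
    arch: str
    processes: dict  # pid -> process name, as reported by the host (constructed)


def select_package(host: HostInfo) -> str:
    """Server side: choose the candidate package formatted for this host."""
    key = (host.os_family, host.arch)
    if key not in CANDIDATE_PACKAGES:
        raise LookupError(f"no candidate package for {key}")
    return CANDIDATE_PACKAGES[key]


def apply_security_rule(processes: dict) -> tuple:
    """Host side: split processes into those stopped by the rule and those kept running."""
    stopped = {pid: name for pid, name in processes.items() if name in STOP_RULE}
    kept = {pid: name for pid, name in processes.items() if name not in STOP_RULE}
    return stopped, kept


def collect_forensic_data(kept: dict) -> dict:
    """Host side: gather data from several sources. Two sources deliberately
    overlap (listening ports) so the analyst can cross-check them."""
    return {
        "process_list": sorted(kept.values()),
        "open_ports": [22, 443],                                # constructed sample
        "netstat": {"listening": [443, 22], "established": 1},  # constructed, overlaps open_ports
    }


def ports_corroborated(data: dict) -> bool:
    """Use the redundancy: both sources must agree on the listening ports."""
    return sorted(data["open_ports"]) == sorted(data["netstat"]["listening"])


def hash_file_bytes(content: bytes) -> str:
    """Hash a collected file so the server can verify it arrived intact."""
    return hashlib.sha256(content).hexdigest()


def run_package(host: HostInfo, collected_file: bytes) -> str:
    """Simulate the whole exchange and return the log file (JSON text) sent to the server."""
    package = select_package(host)
    stopped, kept = apply_security_rule(host.processes)
    data = collect_forensic_data(kept)
    log = {
        "host": host.hostname,
        "package": package,
        "stopped_processes": sorted(stopped.values()),
        "forensic_data": data,
        "ports_corroborated": ports_corroborated(data),
        "collected_file_sha256": hash_file_bytes(collected_file),
        "package_dissolved": True,  # the package removes itself after collection
    }
    return json.dumps(log, sort_keys=True)


def parse_log(log_text: str) -> dict:
    """Server side: read the returned log back into a dict for analysis."""
    return json.loads(log_text)


if __name__ == "__main__":
    sample_host = HostInfo("ws-01", "windows", "x86_64",
                           {100: "explorer.exe", 200: "suspicious.exe", 300: "svchost.exe"})
    print(run_package(sample_host, b"hello"))
```

The point of `ports_corroborated` is why redundant sources matter in a collection package: if two independent views of the same host state disagree, that disagreement is itself evidence worth flagging in the log rather than silently picking one source.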

Allowable Subject Matter
Claims 1-2, 4-13, and 15-20 are allowed. No reason for allowance is needed as the record is clear in light of applicant's argument and amendment filed August 12, 2022 and the examiner's amendment above. See MPEP 1302.14(I).

According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434