REASONS FOR ALLOWANCE
[1]	The following is an examiner’s statement of reasons for allowance: The instant invention is related to detecting abnormal application behavior.

[2]	Prior art was found for the claims as follows:
Schmidt et al. (Schmidt) [US 2019/0213099 A1] discloses the following claim limitations:
A system for detecting abnormal application behavior ([0016], anomalous application behavior is detected), comprising:
a hardware processor ([0042], a CPU);
a memory, configured to store a computer program that, when executed by the hardware processor ([0024], a program stored on a computer readable medium), is configured to implement a graph vector model that determines a vector representation of a first syscall graph that is generated by a first application ([0036], syscalls are represented as vectors), the vector representation including a representation of a distribution of subgraphs of the first syscall graph ([0039], cv=zero-filled vector of size(number of syscall types)); ie. The number of vectors corresponds to an amount of syscall types).

Shu et al. (Shu) [US 2020/0120109 A1] discloses the following claim limitations:
Graph matching for determining threats ([0008], abstract graph pattern matching is an important operation in behavior-based threat detection and cyber hunting. Given an abstract pattern, e.g., a process creates a thread into another process, graph pattern matching algorithms search the monitored host for such activities. Matched activities are returned can then be returned for further inspection, e.g., by security analysts or threat hunters


[3]	Applicant uniquely claimed a distinct feature in the instant invention, which are not found in the prior art, either singularly or in combination. The feature is “a security console, configured to compare the vector representation of the first syscall graph to one or more second syscall graphs that are generated by respective second applications to determine respective similarity scores, to determine that the first application is behaving abnormally based on the similarity scores, and to perform a security action responsive to the determination that the first application is behaving abnormally”.  This feature is not found or suggested in the prior art.

[4]	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

[5]	Claims 1-18 are allowed.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY A WILLIAMS whose telephone number is (571)270-7579. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sath Perungavoor can be reached on 571-272-7455. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEFFERY A WILLIAMS/Primary Examiner, Art Unit 2488