Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/24/2020 has been entered.
 
This action is in response to the amendment filed 7/24/2020.  Claims 1-10, 12-20 are pending.  Claims 1, 12-15, and 18-20 are amended.  Claims 1 (a method) and 12 (a machine) are independent.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 12 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.  See also Advisory Action mailed 7/23/2020.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 12-15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., US 2017/0063910 (filed 2015-10), in view of Xu, US 2016/0330206 (filed 2016-05), and Byrd et al., US 2014/0280625 (published 2014-09).
	As to claims 1 and 12, Muddu discloses the method/system of:
	(Regarding the processor and CRM of claim 12, see Muddu Figure 85 and ¶¶ 740-741)
collecting, by a first computing device, timestamped data (“for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, an event identifier (ID), a process ID, a type of the event, a type of machine that generates the event, and so forth.” Muddu ¶ 206) from a plurality of different software products comprising at least two of an end point product (“(3) Security Products: e.g., endpoint security,” Muddu ¶ 198), a Server Based Computing ("SBC") (“Software as a Service (SaaS) or Mobile: e.g., AWS™ CloudTrail™, SaaS applications such as Box™ or Dropbox™” Muddu ¶ 199. SaaS cloud services are server based computing services that perform virtualization.), a content collaboration product (“SaaS 
analyzing, by the first computing device, the collected timestamped data to determine if an observed user behavior matches a learned normal user behavior (“The security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices, and then comparing activities of those entities to their behavior baselines to determine whether the activities are anomalous” Muddu ¶ 182) of an authorized user associated with a user account; (“session layer data may be used to identify (e.g., via techniques disclosed here) which user is attempting to log in with what credential and using which particular session” Muddu ¶ 191.  See also ¶¶ 210, 258, 263)
determining a risk classification level (“Process 2500 continues at step 2508 with outputting an indicator of a particular anomaly if the anomaly score satisfies a specified criterion (e.g., exceeds a threshold). Continuing with the given example, the specified criterion may be set such that an anomaly is detected if the anomaly score is 6 or 
causing at least one security related action to be performed (“The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like.” Muddu ¶ 151) by the first computing device or the second computing device when the risk classification level is greater than a threshold level (“if the anomaly score satisfies a specified criterion (e.g., exceeds a threshold). Continuing with the given example, the specified criterion may be set such that an anomaly is detected if the anomaly score is 6 or above” Muddu ¶ 360.) or the risk classification level is one of a top N highest risk classification levels. (“The filter section 4020 also enables the user to filter out threats based on their scores by clicking the “Scores” tab 4022. (For example, if the user is only interested in evaluating high risk threats, the user might filter out any threats with a score less than 5). The user can also click on the “Time” tab 4023 to filter out threats based on a date range” Muddu ¶ 455.  
wherein the risk classification level is determined based on a risk value resulting from raising a given risk value (“For example, the resulting threat indicator score may be a value between 0 and 10, with 0 being the least threating and 10 being the most threatening.” Muddu ¶ 363 and 628) (i) by a first amount when the observed user behavior is of a first type and (ii) by a second different amount when the observed user behavior is of a second type. (Different events, user behaviors, result in different scores: “the security platform has the ability to attribute an event that happens on a device to a user, and to detect behavioral anomalies and threats based on that attribution.” Muddu ¶ 239 “an anomaly model includes at least model processing logic defining a process for assigning an anomaly score to the event data 2302” Muddu ¶ 358. “different types of anomalies are detected based a different models.” Muddu ¶ 387.)
Muddu discloses a “collaboration product,” e.g. Dropbox and Box, where the examiner interprets the term “product” in accordance with the Merriam-Webster online dictionary definition: “something (such as a service) that is marketed or sold as a commodity.”  In other words, a software or service that is sold and marketed by some entity.

Muddu does not disclose:
a unified end point management product
an App and Desktop Virtualization ("ADV") product
an application delivery controller product
wide area network product;

wherein the at least one security related action comprises terminating access to the user account from the second computing device while another use of the credential to remain logged into the user account via a third computing device is unaffected by the at least one security related action;

Xu discloses: 
wherein the at least one security related action comprises (“In step 402, the active login sessions in the login session queue are managed based on the user's login permission settings.” Xu ¶ 57) terminating access to the user account (“each login session created by logging in using a legitimate user's user identifier (UID) can be effectively managed using a login session queue.” Xu ¶ 4) from the second computing device (“When Han Mei's UID is detected to have been used to log in from a different IP address, the login session is deleted, forcing the illegitimate user offline” Xu ¶ 57) while another use of the credential to remain logged into the user account via a third computing device is unaffected by the at least one security related action; (“each currently active login session in the login session queue is identified. In step 412, each currently active login session that is permitted by the user's login permission settings is kept” Xu ¶ 59. See also Xu ¶ 60 describing simultaneous logins from plural devices.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Muddu with Xu by providing for simultaneous logins and 

Muddu in view of Xu does not disclose the particular application types of: 
a unified end point management product
an App and Desktop Virtualization ("ADV") product
an application delivery controller product
and a software defined wide area network product;

Byrd discloses: (“initiating a monitoring client to monitor user activity in an application and detecting, by the monitoring client, a user action taken in the application.” Byrd ¶ 5)
an App and Desktop Virtualization ("ADV") product (See Applicant’s ¶ 50 for definition of SBC/ADV: “In step 415, the user may select the applications and/or type of applications that the user uses (e.g., is using, plans to user, and/or desires assistance for). Example applications include, but are not limited to, XENCENTER, XENDESKTOP, XENAPP,… PEACHTREE ACCOUNTING etc.” Byrd ¶ 80. See also Byrd ¶ 96)
 
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Muddu in view of Xu with Byrd by obtaining events related to users from various applications suggested by Byrd ¶ 80.  It would have been 


As to claims 2 and 13, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:
wherein the timestamped data specifies (“for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, an event identifier (ID), a process ID, a type of the event, a type of machine that generates the event, and so forth.” Muddu ¶ 206) at least one of a newly observed user behavior (“the batch event processing engine can perform a behavioral analysis of the entity to detect a behavioral anomaly using the same version of machine learning model that has been trained by the real-time event processing engine to compute a degree of behavioral deviation, as compared to the behavioral baseline specific to the entity.” Muddu ¶ 344.  The anomaly being a newly observed pattern in the user behavior.  As discussed in Applicant’s ¶ 48, newly observed behavior is just a new event.), the second computing device's location (“event decorators 814 can include a geographical decorator, which can be configured to decorate the received events (e.g., by adding a field in the event data that represents the events) so all events with an IP 

As to claims 3 and 14, Muddu in view of Xu and Byrd discloses the method/system of claims 2 and 13 and further discloses:
wherein the newly observed user behavior is defined by at least one of a type of network the second computing device is connecting from (“after the entities are identified in the tokens, the relationship graph generator 810 is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities.” Muddu ¶ 213.  Figure 9B shows multiple network segments as determined by the relationship graph, a type of network.), a type of input device being used by a user of the second computing device (“a type of machine that generates the event, and so forth.” Muddu ¶ 206), a type of user-software interaction (“an action” Muddu ¶ 206), and a type of action caused by the user-software interaction. (“a type of the event” Muddu ¶ 206).

As to claims 4 and 15, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:
wherein the analyzing comprises increasing a numerical risk value (“Process 2500 continues at step 2506 with assigning an anomaly score based on the processing of the event data 2302 through the anomaly model.” Muddu ¶ 359) when the second computing device's unique identifier is a black listed (“The blacklist anomaly indicates 

As to claims 6 and 17, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:
wherein the analyzing comprises increasing a numerical risk value (“Process 2500 continues at step 2506 with assigning an anomaly score based on the processing of the event data 2302 through the anomaly model.” Muddu ¶ 359. Anomalous activity increases score. See e.g. Muddu ¶ 360.) when the credential is being used again from a different geographic location within a given time period from a last use of the credential (“For example, “Land Speed Violation” 4087, the first listed anomaly type, is associated with three “Participants,” user “Mark Pittman” and devices “1.94.32.234” and “66.39.90.214.” The listing summaries that the anomaly is “From Pittsburg, US to Beijing, CN,”” Muddu ¶ 471.  A land speed violation is a determination that different logins at different locations occur such that the user could not have travelled to the other location.), and the risk classification level is determined based on the numerical risk value. (“(For example, if the user is only interested in evaluating high risk threats, the 


Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., US 2017/0063910 (filed 2015-10), in view of Xu, US 2016/0330206 (filed 2016-05), Byrd et al., US 2014/0280625 (published 2014-09), and Zimmermann et al., 2018/0027006, (filed 2016-02).

As to claims 5 and 16, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:
wherein the analyzing comprises increasing a numerical risk value (“Process 2500 continues at step 2506 with assigning an anomaly score based on the processing of the event data 2302 through the anomaly model.” Muddu ¶ 359. Anomalous activity increases score. See e.g. Muddu ¶ 360.) when the credential is being used from two distant geographic locations (“For example, “Land Speed Violation” 4087, the first listed anomaly type, is associated with three “Participants,” user “Mark Pittman” and devices “1.94.32.234” and “66.39.90.214.” The listing summaries that the anomaly is “From Pittsburg, US to Beijing, CN,”” Muddu ¶ 471), and the risk classification level is determined based on the numerical risk value. (“(For example, if the user is only interested in evaluating high risk threats, the user might filter out any threats with a score less than 5).” Muddu ¶ 455. See also Muddu ¶ 360.)


at the same time.

Zimmermann discloses said features: “Behavioral indicators of potential account compromise may include activity at night and on weekends, simultaneous login from distant locations, and access patterns that suggest bot/crawler behavior, rather than real human behavior.” Zimmermann ¶ 132.
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Muddu in view of Xu and Byrd with Zimmermann by including a behavioral indicator of simultaneous logins from distant locations in addition to the impossible travel condition of Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the behavioral condition of Zimmermann with Muddu in view of Xu and Byrd because Zimmermann discloses additional use conditions that are indicative of account compromise, which are useful in detecting a compromised account, Muddu ¶ 136 (discussing compromised accounts/systems).

Claims 7-8 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., US 2017/0063910 (filed 2015-10), in view of Xu, US 2016/0330206 (filed 2016-05), Byrd et al., US 2014/0280625 (published 2014-09), and Srivastava et al., 2016/0065594, (published 2016-03).


wherein the analyzing comprises increasing a numerical risk value (“Process 2500 continues at step 2506 with assigning an anomaly score based on the processing of the event data 2302 through the anomaly model.” Muddu ¶ 359. Anomalous activity increases score. See e.g. Muddu ¶ 360.) when the second computing device is, and the risk classification level is determined based on the numerical risk value. (“(For example, if the user is only interested in evaluating high risk threats, the user might filter out any threats with a score less than 5).” Muddu ¶ 455. See also Muddu ¶ 360.)

Muddu in view of Xu and Byrd does not disclose: 
a rooted or jail-broken device.

Srivastava discloses: 
a rooted or jail-broken device.  (“intrusion detection platform 220 may determine BYOD threats to network 230 based on the user profiles. BYOD may refer companies permitting employees to bring personally owned devices (e.g., notebooks, smart phones, tablets, or the like) into the workplace and to connect to the companies' networks…. rooting or jailbreaking a BYOD device (e.g., procedures that undo security features placed on the BYOD device by the manufacturer); or the like.” Srivastava ¶ 51. See also Srivastava ¶ 52 discussing detecting user anomalies from a typical/baseline profile)


 
As to claims 8 and 19, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:
wherein the analyzing comprises increasing a numerical risk value (“Process 2500 continues at step 2506 with assigning an anomaly score based on the processing of the event data 2302 through the anomaly model.” Muddu ¶ 359. Anomalous activity increases score. See e.g. Muddu ¶ 360.), and the risk classification level is determined based on the numerical risk value. (“(For example, if the user is only interested in evaluating high risk threats, the user might filter out any threats with a score less than 5).” Muddu ¶ 455. See also Muddu ¶ 360.)

Muddu in view of Xu and Byrd does not disclose: 
when the second computing device is a non-enterprise issued device 

Srivastava discloses: 


A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Muddu in view of Xu and Byrd with Srivastava by including, in the baseline comparison of Muddu ¶ 182, the profile information that would indicate BYOD threats, Srivastava ¶ 51.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Muddu in view of Xu and Byrd with Srivastava in order to quantify the risks posed by BYOD threats, Srivastava ¶ 51, while allowing users to utilize their own devices (BYOD).


Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., US 2017/0063910 (filed 2015-10), in view of Xu, US 2016/0330206 (filed 2016-05), Byrd et al., US 2014/0280625 (published 2014-09), and Barile, 2010/0162347, (filed 2008-12).
As to claims 9 and 20, Muddu in view of Xu and Byrd discloses the method/system of claims 1 and 12 and further discloses:


Muddu in view of Xu and Byrd does not disclose: 
when data is being provided to a peripheral device of the second computing device.

Barile discloses: 
data is being provided to a peripheral device of the second computing device (“the order in which previous policy violations have occurred can influence what actions are performed in response to a current policy violation. For example, a different action may be taken if a user previously attempted to email data to a workmate and then copy the data to a USB drive than if the user first attempted to copy the data to a USB drive and then attempted to email the data to a workmate.” Barile ¶ 29.)

A person of ordinary skill in the art would have combined Muddu in view of Xu and Byrd with the teachings of Barile by utilizing the contingent violations of Barile and including the various types of data exfiltration in the violations, e.g. the copy by email.


Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., US 2017/0063910 (filed 2015-10), in view of Xu, US 2016/0330206 (filed 2016-05), Byrd et al., US 2014/0280625 (published 2014-09), and Chang et al., 2014/0208419, (published 2014-07).
As to claim 10, Muddu in view of Xu and Byrd discloses the method of claim 1 but does not disclose: 
wherein the at least one security related action comprises at least one of presenting a multi-factor challenge to the user of the second computing device, activating session recording for the second computing device, and remotely causing data to be deleted from the second computing device.

Chang discloses: 
wherein the at least one security related action (“In step 315 it is not only checked if the risk profile of the user has changed, but it is additionally checked if this change has led to a change in the risk profile level.” Chang ¶ 55. Also ¶¶ 46 and 57) comprises at least one of presenting a multi-factor challenge (“The user may be activating session recording for the second computing device, and remotely causing data to be deleted from the second computing device. (alternatives)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Muddu in view of Xu and Byrd with Chang by incorporating the user’s risk profile and re-authentication requirements of Chang in the anomaly score system of Muddu in view of Byrd, i.e. by associating the anomaly score to a risk profile to determine if additional user authentication should be required (Chang ¶ 50).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Muddu in view of Byrd with Chang in order to trigger actions to lockout users (Muddu ¶ 151) in response to changes in the user’s risk profile (Chang ¶ 3); thereby preventing an active login from completely compromising the user’s account.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:

Lerner et al., US 2014/0282978, discloses a system for displaying multiple login sessions of a user and allowing the user to manage the sessions separately.
Chaturvedi et al., US 2011/0238862, discloses a system for devices which are both simultaneously logged on to indicate to each other to disconnect and store the session information.
Newcombe et al., US 7,243,226, discloses a system that cancels authorization tickets in response to detecting simultaneous logins by the user. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 






/MICHAEL W CHAO/Examiner, Art Unit 2492