DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the amendment filed on 12/18/2020.
Claims 1-4, 6-12 and 14-17 are currently pending in this application. Claims 1-4, 6-12 and 14-17 have been amended. Claims 5 and 13 are cancelled.
No new IDS has been filed.  

Examiner’s Note
It is suggested that the applicants include a part of the information from pages 6-8 of the specification (e.g., steps for attributes with possible events) in the claims in order to improve the claim limitations with regard to the allowability of the application.

Response to Arguments
The previous objections to the claims 2-8 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 112(d) rejection to the claim 17 has been withdrawn in response to the applicants’ amendments/remarks.
 
In regard to the previous 112(b) rejections, the applicants have amended the claims to overcome the rejections; however, parts of the currently amended limitations are unclear and give rise to new rejections - see the 112(b) rejections section below for detail.
In regard to the 102 rejections, the applicants amended to include limitations from currently cancelled claim 5, and have, in pages 9-12 of the remarks, argued that “… a) collecting one or more events from a first endpoint, each event identifying one or more attributes associated to the event … b) detecting a security threat related to one or more of the collected event … with regards to items “a” and “b” stated above … Turgeman discloses that an end-user may utilize a computing device … however, Turgeman as cited does not disclose that the “silent key logger” is somehow used to detect a security threat related to one or more of the collected one or more events. According to Turgeman … paragraph [0033] … does not disclose that this visualization module is somehow disclosing at least where claim 1 related to …”. (Examiner’s note: Turgeman’s visualization module is not used in the rejection of claim 1 – see the rejections section below for more detail.)
This argument of the applicants is not persuasive.
First of all, Turgeman’s silent key logger is software code of the end-user device used to monitor and track and log all the user interaction via keyboard, mouse, touch-screen and other input units as well as their timing, and to provide this information (e.g., the user interaction data) to the user interactions monitoring/sampling module 102 (of the system 100) – see fig. 1 and par. 0036. Moreover, the user interaction data enables a user-specific feature extraction module 101 to extract or determine user-specific features that characterize the interaction – see par. 0037. In other words, one or more events (e.g., the user interaction and timing with input units) is collected/logged from a first endpoint (e.g., the end-user device with the code), each event identifying one or more attributes (e.g., the user-associated to the event (e.g., the user interaction and timing with input units).
Secondly, Turgeman, in figs. 1, 2, paras. 0045, 0047, 0050, clearly taught that the mouse dynamics analyzer module 211 (of the fraud detection module 111 of the system 100) detects the rate or speed of mouse-clicks indicating a highly-experienced hacker or the lack of manual correction of mouse-movement, … indicates an automated script or a cyber-attack … rather than an authorized human user. In other words, the security threat (e.g., experienced hacker or lack of manual action, etc.) related to one or more of the collected events (e.g., collected information of the user interaction and timing with input units) is detected.
Therefore, it is obvious that Turgeman teaches the claimed/argued limitations, “… a) collecting one or more events from a first endpoint, each event identifying one or more attributes associated to the event … b) detecting a security threat related to one or more of the collected event … “.

The applicants, in pages 12-13 of the remarks, also argued that “… regarding items “c” and “d” stated above … Turgeman discloses that the comparator/matching module 104 is comparing or matching values from a user session and not from an endpoint as claimed …”.
Examiner respectfully disagrees with the argument.
As the applicants noted for the teaching of Turgeman, in par. 0039, the comparator/matching module 104 (of the system 100) compares/matches between values of user-specific features that are extracted in a current user session or user interaction and values of respective previously-captured or previously-extracted user-specific features of the current user, and/or of other users, and/or of pre-defined sets of values that correspond to known automated scripts or bots. Moreover, as described above, the silent key logger is software code of the end-user device used to monitor and track and log all the user interaction to provide to the user interactions monitoring/sampling module 102 (of the system 100) – see fig. 1 and par. 0036. Therefore, it is obvious that the comparator/matching module 104 compares/matches values from user interactions of the endpoint (e.g., end-user device) as claimed and Turgeman teaches the claimed/argued limitation of item “c”. See the rejections section below for detail.

The applicants, in pages 13-15 of the remarks, further argued that “… the rejection of claim 5, now similarly incorporated into claim 1 … Turgeman discloses that an access time analyzer module 214 may analyze time-related … user interactions to detect or determine user interactions that may indicate that the current user is a cyber-attacker … there cannot be found in Turgeman where it is discloses that the access time analyzer module 214 of Turgeman is somehow, based on collecting one or more events from applications or processes by an endpoint … events relate to one or more procedures of … network operations …”.
These arguments of the applicants are not persuasive.
As the applicants indicated, the access time analyzer module 214 (of the system 100) detects/determines user interactions related to the network operations (e.g., the cyber-attack) – see par. 0053. As described above, Turgeman, in par. 0036, teaches that the end-user device is used to monitor and track and log all the user interaction (e.g., collecting events or user interactions from processes of the endpoint or end-user device) to provide to the user interactions monitoring/sampling module 102 (of the system 100) – see fig. 1 and par. 0036. Therefore, it is obvious that Turgeman teaches the claimed/argued limitations, “… collecting one or more events from applications or processes by an endpoint … events relate to one or more procedures of … network operations …”.
  
Finally, the applicants, in page 15 of the remarks, also argued that “… further, it is submitted that … would not find it obvious that Turgeman somehow discloses at least where the claimed invention relates to detecting endpoints that are suffering … by processing malicious files or executing malicious applications/processes …”.
This argument of the applicants is not persuasive.
It is noted that the features upon which applicants argue (e.g., detecting endpoints that are suffering … processing malicious files or executing malicious applications/process) are NOT recited in the claims. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). See the 102 rejections section below for the rejections of the claimed limitations.
 
The applicants’ arguments, for the claims 1, 9, 17 and the dependent claims 2-4, 6-8, 10-12 and 14-16 regarding similar limitations of above responded limitations of the 
 
Thus, the applicants’ arguments are not persuasive. Please see amended rejections below for amended claims. This action is final.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
 

Claims 1-4, 6-12 and 14-17 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claim 1 (claims 9 and 17 have similar limitations) recites “…collecting one or more events from … by a first endpoint, … searching matching events from one or more further endpoints, wherein a matching event comprises … attributes associated with the collected one or more events (of the first endpoint) … based on finding the matching event (of the further endpoint)… identifying an associated endpoint as being related to a security threat …”; however, it is not clear (1) whether matching event of the second endpoint (e.g., the further endpoint) is associated with the first endpoint (e.g., the first endpoint) or not; (2) how to identify the third endpoint (e.g., the associated endpoint) using matching event of the second endpoint (e.g., the further endpoint) with information 
Claims 2-4, 6-8, 10-12 and 14-16 depend from the claim 1 or 9, and are analyzed and rejected accordingly.

Claims 2, 3, 10 and 11 (the dependent claims of the claim 1 or 9) recite “at least part of the attributes”; however, their independent claims 1 and 9 have been amended to change from “at least part of the same attributes” to “at least one attribute”. It is not clear whether “at least part of the attributes” is related to the “at least one attribute” because they are associated with the same collected event.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6-12 and 14-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Turgeman et al. (US 2015/0213246 A1).

As per claim 1, Turgeman teaches a method of threat control (e.g., the fraud mitigation) on a computer system [see abstract; figs. 1, 4 and par. 0088], the method comprising:
a) collecting one or more events from applications or processes executed by a first endpoint, each event of the collected one or more events identifying one or more attributes associated to the collected one or more events [fig. 1; par. 0036, lines 1-20; par. 0037, lines 1-5; par. 0045, lines 1-8 of Turgeman teaches collecting one or more events (e.g., the user interactions) from application or processes executed by a first endpoint (e.g., processes performed by the end-user device with codes to the Web-browser), each event of the collected one or more events identifying one or more attributes (e.g., the user-specific feature that characterize the interaction) associated to the collected one or more events], (note: one or more events/attributes can be interpreted either one event/attribute or more than one events/attributes),
wherein the one or more attributes associated to the collected one or more events relate to one or more procedures of: establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations; network operations; process/threat creation; application start/exit [paras. 0036, 0053 of Turgeman teaches wherein the attributes (e.g., the values or the user-specific feature that relate to one or more procedures of: establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations; network operations (e.g., the speed or time spent on filling the online form); process/threat creation; application start/exit];
b) detecting a security threat related to one or more of the collected one or more events [par. 0036, lines 13-31; paras. 0050-0053 of Turgeman teaches detecting a security threat (e.g., experienced hacker or lack of manual action, etc.) related to one or more of the collected events (e.g., the collected user interactions)];
c) searching matching events from one or more further endpoints, wherein a matching event comprises at least one attribute of the one or more attributes associated with the collected one or more events related to the detected security threat [par. 0039, lines 1-7; par. 0045, lines 1-8 of Turgeman teaches searching matching events from one or more further endpoints (e.g., values of previously-extracted user-specific features of other users/devices), wherein a matching event comprises at least one attribute of the one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) associated with the collected one or more events related to the detected security threat (e.g., experienced hacker or lack of manual action, etc.)]; and
d) based on finding the matching event with at least the one attribute of the one or more attributes associated to the collected one or more events related to the detected security threat, identifying an associated endpoint as being related to a security threat similar to what was detected in step b) [par. 0039, lines 1-7; par. 0040, lines 1-7; par. 0041, lines 1-8 of Turgeman teaches based on finding the matching event (e.g., the matching user interactions) with at least the one attribute of the one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) associated to the collected one or more events related to the detected security threat – see the rejections above, identifying an associated endpoint as being related to a security threat (e.g., experienced hacker or lack of manual action, etc.) similar to what was detected in step b].

As per claim 2, Turgeman teaches the method according to claim 1. 
Turgeman further teaches generating a list of at least part of the attributes of the collected one or more events related to the detected security threat and searching matching events comprising one or more attributes as in the generated list from the one or more further endpoints [par. 0036, lines 13-20; par. 0037, lines 5-8; par. 0038, lines 1-8; par. 0039, lines 1-7 of Turgeman teaches generating a list of at least part of the attributes of the collected one or more events (e.g., information of the user profile) related to the detected security threat (e.g., experienced hacker or lack of manual action, etc.) and searching matching events comprising one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) as in the generated list (e.g., the information of the user profile) from the one or more further endpoints (e.g., the other users/endpoints)] – see also rejections of the claim 1.

As per claim 3, Turgeman teaches the method according to claim 2. 
Turgeman further teaches collecting one or more sequences of the collected one or more events from the first endpoint; detecting that the detected security threat is related to a specific sequence of events of the collected one or more events or a subset of the specific sequence of events; and generating the list based on at least part of the attributes of the specific sequence of events or the subset of the specific sequence of events [fig. 2; par. 0049, lines 1-18; paras. 0050-0054 of Turgeman teaches collecting one or more sequences of the collected one or more events (e.g., the sequences of the user interactions) from the first endpoint (e.g., the end-user device with codes to the Web-browser); detecting that the detected security threat is related to a specific sequence of events of the collected one or more events or a subset of the specific sequence of events (e.g., filling multiple complicated fields in an online form, etc.); and generating the list based on at least part of the attributes of the specific sequence of events or the subset of the specific sequence of events (e.g., the sequences of the user interactions)] – see also rejections to the claims 1 and 2.

As per claim 4, Turgeman teaches the method according to claim 1. 
Turgeman further teaches generating a security alert corresponding to the detected security threat detected in step b [paras. 0106-0108 of Turgeman teaches generating a security alert corresponding to the detected security threat detected in step 

As per claim 6, Turgeman teaches the method according to claim 2. 
Turgeman further teaches providing the generated list of at least one of the attributes of the collected one or more events related to the detected security threat to one or more client computer devices for enabling the one or more client computer devices to identify the detected security threat and to take further action based on the identified detected security threat [fig. 1; par. 0037, lines 5-12; paras. 0039-0040; par. 0045, lines 1-8 of Turgeman teaches providing the generated list of at least one of the attributes of the collected one or more events (e.g., information of the user profile) related to the detected security threat to one or more client computer devices (e.g., one or more devices of the system 100) for enabling the one or more client computer devices (e.g., the device with the comparator/matching module, etc.) to identify the detected security threat and to take further action (e.g., generating and sending a possible-fraud signal) based on the identified security threat (e.g., experienced hacker or lack of manual action, etc.)].

As per claim 7, Turgeman teaches the method according to claim 6. 
Turgeman further teaches based on the identified detected security threat by one or more of: blocking, terminating or preventing one or more events of the collected one or more events or applications related to the identified detected security threat installed on one or more client computer devices; warning a user of an end point related to the identified detected security threat; providing a software update to one or more of the end points [par. 0040, lines 1-7; par. 0088, lines 1-8; par. 0089, lines 1-3 of Turgeman teaches based on the identified detected security threat by one or more of: blocking, terminating or preventing one or more events (e.g., holding or freezing the transactions) of the collected one or more events or applications related to the identified detected security threat installed on one or more client computer devices; warning a user of an end point (e.g., sending notification) related to the identified detected security threat; providing a software update to one or more of the end points].

As per claim 8, Turgeman teaches the method according to claim 1. 
Turgeman further teaches wherein a matching event is determined based on a relevant distance criteria associated with different domains of the one or more attributes associated to the event, wherein the distance criteria includes at least one of: an exact match of attributes, a partial match of attributes, heuristic or probabilistic matching and domain specific matching techniques [paras. 0103-0109 of Turgeman teaches a matching event is determined based on a relevant distance criteria (e.g., number of percent points) associated with different domains (e.g., a particular type of data entry method) of the one or more attributes (e.g., the user-specific feature that characterize the interaction) associated to the event, wherein the distance criteria includes at least one of: an exact match of attributes, a partial match of attributes (e.g., the percent points, threshold value, etc.), heuristic or probabilistic matching and domain specific matching techniques].

Claims 9-12 and 14-16 are server claims that correspond to the method claims 1-4 and 6-8, and are analyzed and rejected accordingly. See paras. 0095 and 0136 of Turgeman for components (e.g., memory, processor, etc.) of the server.
Claim 17 is a medium claim that corresponds to the method claim 1, and is analyzed and rejected accordingly.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MAUNG T LWIN/Primary Examiner, Art Unit 2495