DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Responsive to communication filed on 9/24/2019.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ganesan (US 2019/0004845) and further in view of El-Moussa (US 2019/0188392).

Regarding claim 1, Ganesan teaches: A method of enabling select virtual session capabilities on a user device configured to access virtual sessions, the method comprising: 
receiving, at a gateway server (¶ 23, “virtualized computing environment 100 may include a management server 104 communicative with host computing systems 102A-N”), a virtual session launch request from the user device (¶ 20, “a device profile manager may assist in finding a suitable host computing system that can support/honor the attached first device profile”); 
obtaining, by the gateway server and based on the virtual session launch request, a compliance profile determined from operational data for the user device (¶ 21, “Examples described herein may provide device profiles that can ensure the requested virtual devices are complaint and supported by the host computing systems in the data center inventory and be available in the management application (e.g., vSphere virtual center that is offered by VMware)”); and
permitting the user device to access a virtual session hosted on a virtual machine ("VM") server based on determining, at the gateway server, that the compliance profile satisfies a minimum access policy (¶ 29, “device profile manager 106 may check for compliance of device profile A during initial placements, high availability and fault tolerance conditions of VM1”).
Ganesan does not teach, however, El-Moussa teaches: configuring the virtual session, at the VM server, based on the compliance profile and requirements for a full capability scheme, the full capability scheme being configured to provide access to all virtual session capabilities available through the VM server to a standard virtual session configured for the user device (¶ 62, “it is possible to determine configurations of VM that are indicated to be less susceptible to particular classes of attack. Accordingly, on the basis of the reduced set of features determined by learning of the latent factor extractor 130 an indication of susceptibility of a VM configuration can be evaluated, and further a configuration or modifications to a configuration of a VM can be determined”), 
wherein configuring the virtual session includes allowing the user device to access a portion of the virtual session capabilities for the full capability scheme (¶ 63, “Given a particular uninfected VM with a set of configuration parameters, denoted as features set [X'], the classification process will make use of the outcome from an earlier training phase (i.e. trained algorithms defining a reduced set of features [Y]) in conjunction with a set of detected attack features [A] in order to assess whether or not there will be an attack at the VM”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of configuring the virtual session, at the VM server, based on the compliance profile and requirements for a full capability scheme, the full capability scheme being configured to provide access to all virtual session capabilities available through the VM server to a standard virtual session configured for the user device, wherein configuring the virtual session includes allowing the user device to access a portion of the virtual session capabilities for the full capability scheme, as taught by El-Moussa, in the same way to device profiles for VM placement, as taught by Ganesan. Both inventions are in the field of allocating virtual instances, and combining them would have predictably resulted in a method, applied to a virtualized computer system vulnerable to attacks, to “protect such virtualized computer systems from such attacks”, as indicated by El-Moussa (¶ 4).

Regarding claim 2, Ganesan teaches: comparing requirements for each of a plurality of session capability schemes to the compliance profile (¶ 18, “VMs may need to be powered on or migrated to a suitable host computing system that can support the VM specifications/requirements”);
selecting, for the portion of the virtual session capabilities, one of the plurality of session capability schemes based on the comparing (¶ 43, “At step 802, device profiles with required hardware details may be created for each device profile”); and 
implementing a selected session capability scheme to control use of the user device, wherein each of the plurality of session capability schemes incorporates a respective combination of capabilities from the full capability scheme (¶ 43, “Further at 802, a corresponding host computing system which satisfy each device profile may be selected by a device profile manager, and mapping between device profiles and host computing systems may be performed by the device profile manager”).

Regarding claim 3, El-Moussa teaches: obtaining, from a security service (¶ 51, “In each VCE a service provider manages configuration information 110 and security information 112”), a security assessment based on a compliance sub-profile of the compliance profile (¶ 52, “the security information includes information sufficient to determine characteristics of any attack(s) that have occurred in a VM in the VCE”);
configuring a security sub-profile of the compliance profile based on the security assessment (¶ 52, “In some embodiments the security information 112 is specific to each of one or more VMs 104, 106 and can be obtained, stored, handled and/or managed by such VMs individually”); and 
determining the portion of the virtual session capabilities at least based on the security sub-profile and one of a standard and a scale corresponding to an overall security rating for user devices (¶ 91, “The susceptibility determiner 184 thus uses the VM configuration for the target VM to identify attack characteristics identified in the feature classification 142 to which the target VM is susceptible. In this way attack characteristic susceptibility of the target VM can be determined and remediation or protective measures can be employed.”).

Regarding claim 4, El-Moussa teaches: selecting, by a policy server, the plurality of virtual session capability schemes from a store of session capability schemes (¶ 61, “a matrix 142 mapping VM configuration features 152 against attack features 150 in an exemplary embodiment of the present disclosure”); and 
transmitting, by the policy server, the plurality of session capability schemes to a policy engine for the VM server based on a scheme request transmitted to the policy server by the policy engine, the policy engine having generated the scheme request based on access to the virtual session being permitted (¶ 62, “Equally, it is possible to determine configurations of VM that are indicated to be less susceptible to particular classes of attack. Accordingly, on the basis of the reduced set of features determined by learning of the latent factor extractor 130 an indication of susceptibility of a VM configuration can be evaluated, and further a configuration or modifications to a configuration of a VM can be determined”).

modifying at least one of plurality of the capability schemes before the transmitting, according to a modification specified through a user interface (¶ 62, “a configuration or modifications to a configuration of a VM can be determined”).

Regarding claim 6, El-Moussa teaches: establishing, by a VM client on the user device, a communication channel with the VM server based on the gateway server permitting the access (¶ 64, “A restricted Boltzmann Machine (RBM) is a stochastic neural network, i.e. a network of neurons where each neuron has some random behavior when activated”); and after the access is permitted, receiving additional compliance profile information at the VM server from the VM client (¶ 64, “The bias unit 156 is used to allow other units to learn an appropriate threshold”).

Regarding claim 7, El-Moussa teaches: the compliance profile specifies that the user device is connected to a network through an unsecure connection (¶ 48, “There is also a lack of security knowledge among many users which can lead to non-optimal configuration of security software (e.g. firewall) or unsafe access to materials via a network (e.g. unsafe browsing, not being aware of unsecure network connections such as non-HTTPS connections, etc.)”), and wherein allowing the user device to access the portion of the virtual session capabilities includes selecting a session capability scheme that incorporates a capability to: 
allow the user device access to the VM server through a first logical network segment (¶ 66, “a set of features [X] for VM configuration features can include , and restrict access to the VM server through a second logical network segment that serves devices having a secure connection to the network, and wherein the first logical network segment is isolated from the second logical network segment (¶ 62, “modify a VM configuration to mitigate or reduce susceptibility to one or more classes of attack; and/or generate a VM configuration for mitigating or reducing susceptibility to one or more classes of attack”).

Claim(s) 8-20 correspond(s) to claim(s) 1-7, and differ(s) only in statutory category. Therefore, it/they is/are rejected for the same reasons. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB D DASCOMB whose telephone number is (571)272-9993.  The examiner can normally be reached on M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 5712723759.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/JACOB D DASCOMB/Primary Examiner, Art Unit 2199