Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/28/2020 was filed after the mailing date of the Non-Final office action on 08/31/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This office action is in response to an amendment application received on 11/30/2020. In the amendment, applicant has amended claims 1, 3-7 and 17. Claims 2, 12 and 18-41 remain cancelled. Claims 8-11 and 13-16 remain original. No new claim has been added. 
For this office action, claims 1, 3-11 and 13-17 have been received for consideration and have been examined. 
Response to Arguments
Claim rejection under 35 U.S.C. § 103
Applicant’s arguments, filed 11/30/2020, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of the new amendments to the claims.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1, 3-11 and 13-17 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
The examiner did not find support for the language “in response to the potential security risk” in the instant specification, and applicant did not mention any supporting paragraphs with respect to the new amendments in the submitted remarks.
Dependent claims inherit the rejection. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6-11, 13-14 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley, (US9154520B1) in view of Dandliker et al., (US20080082662A1) and further in view of Yu, (US20150249641A1).
Regarding claims 1, 7 and 17, Cooley discloses:
A computer program product for monitoring network security based on endpoint user presence, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway (i.e. networking device 208) in an enterprise network, performs the steps of:
connecting an endpoint (i.e. endpoint Device 202) to a data network through the gateway (i.e. networking device 208) (See FIG. 2 for Endpoints connected through the networking device);
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col.1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
(i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. networking device intercept the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits, as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley does not disclose:
	wherein the network request includes a request to download an executable file; wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
(See FIG. 3B; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus, which is construed as the gateway).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley reference and include an apparatus which is able to prevent automatic download of executable files from external networks, as disclosed by Dandliker.
The motivation to include an appliance which is able to prevent automatic download of executable files from external networks is to protect the internal network from maliciously downloaded executable files from external networks.
Cooley as modified by Dandliker fails to disclose:
wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Yu discloses:		
 wherein determining whether the network request is suspicious or not comprises: determining whether the network request (i.e. a network access) was an automatically generated network request (i.e. automatic process) or a network request initiated by a human user (i.e. initiated or authorized by a human user) (See [0017-0018] Systems and methods are described for verifying a high-risk network access has been initiated by or is otherwise authorized by a human user … intermediary network security device sending a verification message to the user to receive user input from the user; Also see FIG. 5; Steps 502-505; And see Abstract & paragraphs [0053-0054]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by an automated malicious process.
Claims 7 and 17 recite the same concept as claim 1 and are therefore rejected on the same grounds.
Regarding claims 3 and 13, the combination of Cooley, Dandliker and Yu discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes transmitting a request to the endpoint for a user input (Yu: [0053-0054]).
Claim 13 recites the same concept as claim 3 and is therefore rejected on the same grounds.
Regarding claims 4 and 14, the combination of Cooley, Dandliker and Yu discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a user is logged in to the endpoint (Yu: [0053-0054]).
Claim 14 recites the same concept as claim 4 
Regarding claims 6 and 16, the combination of Cooley, Dandliker and Yu discloses:
	The computer program product of claim 1 wherein the determining whether the network request was an automatically generated network request or a network request initiated by a human user status includes analyzing a record of keyboard or mouse activity within a predetermined time window (Yu: [0054-0055]).
Claim 16 recites the same concept as claim 6 and is therefore rejected on the same grounds.
Regarding claim 8, the combination of Cooley, Dandliker and Yu discloses:
The method of claim 7 wherein the network request includes a request for a download of an executable from the data network (Dandliker: [0107]).
Regarding claim 9, the combination of Cooley, Dandliker and Yu discloses:
The method of claim 7 wherein the network request includes a request directed to an unknown address (Cooley: Col. 4, Line # 59-67).
Regarding claim 10, the combination of Cooley, Dandliker and Yu discloses:
The method of claim 7 wherein the network request includes a request directed to a known source of malware (Cooley: Col. 4, Line # 59-67).
Regarding claim 11, the combination of Cooley, Dandliker and Yu discloses:
The method of claim 7 wherein evaluating the status of the endpoint includes querying the endpoint about whether the user is present (Yu: [0053-0054]).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley, (US9154520B1) in view of Dandliker et al., (US20080082662A1) and further in view of Yu, (US20150249641A1) and further in view of Gear et al., (US20160117911A1). 

Regarding claims 5 and 15, the combination of Cooley, Dandliker and Yu discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a human is present at the endpoint (Yu:  [0053]-[0054]).  
The combination of Cooley, Dandliker, and Yu fails to disclose:
wherein determining whether a human is present at the endpoint comprises: determining whether a display of the endpoint is locked.
However, Gear discloses:
wherein determining whether a human is present at the endpoint comprises: determining whether a display of the endpoint is locked (i.e. determination if workstation/computing device is locked) (abstract; Fig 3, item 312 into 318; [0035]-[0036] [0036]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Yu references and use multiple different factors and sensors to determine whether a human user is present, such as whether the workstation is locked, as disclosed by Gear.
	The motivation would be to provide the most accurate estimation as to whether a human was present at the device at the time the request was made and thus influence the probability of whether the request was machine generated or human generated.


Claim 15 is a method claim and recites the same concept as claim 5 and is therefore rejected on the same grounds.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018.  The examiner can normally be reached on 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/S.M.A./Patent Examiner, Art Unit 2432            

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432