DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/12/2021 has been entered.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 112(b):
	The amendment is considered to have overcome the rejection. Accordingly, the rejection has been withdrawn.

Regarding claims rejected under 35 USC 103:
Applicant’s arguments have been fully considered and are persuasive.  The rejection has been withdrawn. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claims 1-3, 5, 8, 10-13, 15-18, 20, and 24-26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dotan (US 8,677,472 B1) in view of Lang (US 8,650,303 B1) and Kaminsky (US 2016/0191554 A1).

Regarding claim 1, Dotan discloses: A method comprising: 
running virtual sessions on a virtualization server for a plurality of client devices associated with respective users, the client devices having user input devices associated therewith, and the virtual sessions being responsive to user input device traffic from […] client devices over a plurality of respective channels; 
Refer to at least FIG. 1 and 2 of Dotan with respect to a VM server running plural virtual instances for plural users as per at least Col. 1, Ll. 40-49 of Dotan.
Refer to at least Col. 5, Ll. 32-37 of Dotan with respect to the VM server communicating with clients via any appropriate remote protocol.
Refer to at least Col. 4, Ll. 26-45 of Dotan with respect to users interacting via mouse and keyboard actions.
determining baseline user input traffic patterns for the users at the virtualization server based upon the [user input device traffic]; 
Refer to at least Col. 9, Ll. 55-67 of Dotan with respect to modifying and/or adding to historical behavior patterns for users. 
monitoring traffic […] at the virtualization server during a new virtual session for a given client device and detecting an anomaly therein relative to the baseline user input traffic patterns […]; and 
Refer to at least Col. 7, Ll. 1-Col. 8, Ll. 21 and Col. 9, Ll. 1-12 and 29-55 of Dotan with respect to collecting behavior data and associated analysis.
generating an anomaly alert based upon detecting the anomaly.
Refer to at least Col. 9, Ll. 1-7 and Col. 10, Ll. 1-14 of Dotan with respect to remedial actions such as adding to an audit log for an administrator. 
Dotan does not disclose: [user input device traffic] from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; generating a heat map of user input device behavior based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels; [based upon] the heat map; [monitoring traffic] over the virtual channels; [baseline user input traffic patterns] for different users. However, Dotan in view of Lang discloses: [user input device traffic] from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; [monitoring traffic] over the virtual channels;
Refer to at least the abstract and FIG. 14 of Lang with respect to monitoring.
Refer to at least FIG. 6, Col. 17, Ll. 29-Col. 18, Ll. 57, and Col. 27, Ll. 29-61 of Lang with respect to HDX/ICA functionality associated with the monitoring. 
Further, Dotan-Lang in view of Kaminsky discloses: generating a heat map of user input device behavior based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels; [based upon] the heat map;
Refer to at least [0060]-[0061] of Kaminsky with respect to generating heatmap signatures for users based upon mouse and keyboard usage patterns. The signatures represent typical human user behavior.
[baseline user input traffic patterns] for different users.
Refer to at least [0022] and [0031] of Kaminsky with respect to modeling users’ behaviors as typical for humans; creating a control group for such.
The teachings of Dotan readily discuss combination with any remote protocol, and further, the teachings of both Dotan and Lang concern monitoring virtual sessions. As such, they are 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Dotan to include support for HDX/ICA because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art. It further would have been obvious to implement heatmap signatures for at least the reasons discussed in [0061] of Kaminsky (i.e., a novel method of determining whether behavior is typical of a human or a bot).

Regarding claim 2, Dotan-Lang-Kaminsky discloses: The method of Claim 1 wherein the user input devices comprise keyboards; and wherein generating the baseline user input traffic patterns comprises generating the user input baseline traffic patterns based upon traffic from the keyboards to the client devices during the virtual sessions.
Refer to at least Col. 7, Ll. 50-64 of Dotan with respect to collecting and analyzing keystroke data; typing speed. 

Regarding claim 3, it is rejected for substantially the same reasons as claim 2 above.

Regarding claim 5, Dotan-Lang-Kaminsky discloses: The method of Claim 1 wherein the client devices further have input/output (I/O) ports associated therewith; and wherein generating the baseline traffic patterns comprises generating the baseline traffic patterns also based upon traffic associated with the I/O ports.
Refer to at least Col. 6, Ll. 32-36 of Dotan with respect to collecting and analyzing I/O data. 



Regarding claim 10, it is rejected for substantially the same reasons as claim 1 above.

Regarding independent claim 11, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially similar reasons (i.e., the citations and obviousness rationale).

Regarding claims 12-13 and 15, they are substantially similar to claims 2-3 and 5, and are therefore likewise rejected.

Regarding independent claim 16, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially similar reasons (i.e., the citations and obviousness rationale).

Regarding claims 17-18 and 20, they are substantially similar to claims 2-3 and 5, and are therefore likewise rejected.

Regarding claim 24, Dotan-Lang-Kaminsky discloses: The method of claim 1 wherein the user input devices comprise a respective mouse associated with each client device; and wherein generating the heat map comprises generating the heat map based upon user mouse click behavior.
Refer to at least [0060]-[0061] of Kaminsky with respect to generating heatmap signatures based on mouse click behavior. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claims 25-26, they are substantially similar to claim 24 above, and are therefore likewise rejected.

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dotan-Lang-Kaminsky as applied to claims 1-3, 5, 8, 10-13, 15-18, 20, and 24-26 above, and further in view of Brew (US 2016/0142430 A1).

Regarding claim 9, Dotan-Lang-Kaminsky does not specify: wherein detecting comprises detecting the anomaly based upon a multi-variant Gaussian distribution. However, Dotan-Lang-Kaminsky in view of Bailey discloses: wherein detecting comprises detecting the anomaly based upon a multi-variant Gaussian distribution.
Refer to at least [0023] of Brew with respect to use of a multivariate Gaussian distribution in determining anomalies. 
The teachings of Dotan-Lang-Kaminsky concern detecting anomalies based on models of user data, and are considered to be combinable with the teachings of Brew concerning anomaly detection.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Dotan-Lang-Kaminsky to include support for using a multivariate Gaussian distribution for anomaly detection because the substitution of one known element for another (an analysis program for user data) would have yielded predictable results to one of ordinary skill in the art at the time (i.e., refer to the cited portion of Brew, where a multivariate Gaussian is one of many possible options).

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432