DETAILED ACTION
1.	Claims 1-20 are pending in this examination.
Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Continued Examination Under 37 CFR 1.114
4.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission has been entered. 
Response to Arguments
5.	Applicant's arguments have been considered but are moot in view of the new ground(s) of rejection.  
Claim Rejections - 35 USC § 103
6.1.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

6.2.	Claims 1, 8-13, 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20200226298 to Appleboum et al (“Appleboum”), in view of US Patent Application No. 20120110217 to Christiansen et al (“Christiansen”), and in view of US Patent No. 9245147 issued to Williams et al (“Williams”), and further in view of US Patent Application No. 20090292924 to Johnson et al (“Johnson”).
 	As per claim 1, Appleboum discloses a system for the detection and inhibition of insider threats to a computing environment to which the system is connected, the system comprising: a hardware bus having instructions stored thereon that, when executed, perform the following steps: classify the external device as benign or malicious based on the extracted information ([0136], [0138], peripheral identifies itself to the operating system of the workstation as a mouse (requiring a mouse interface), then later (e.g. responsive to an external event or a timer) identifies itself (also) as a keyboard requiring a keyboard interface (e.g. which receives from the peripheral keystrokes rather than (just) movements), this typically constitutes a trigger because it is likely that the peripheral is operating in this manner in order to run a malicious script. Or, if an input device (e.g. keyboard) which does not have remote capabilities, requests from the operating system a remote interface, this may constitute a trigger because this may be a rogue input device attempting to pave the way for a rogue user to input rogue commands into the system, from afar. It is appreciated that wireless keyboards may include an integrally formed radio transmitter and a separate radio receiver which plugs into the USB port; however non-wireless keyboards lack this hardware hence lack 
if the external device is classified as malicious, prevent the external device from transmitting the incoming signals to the computing environment [0182], a malicious USB device is detected, an alert may be sent e.g. to the SIEM via REST API or to the EPS/EDR. An example structure of this API is detailed below, with reference to FIGS. 12a-18b); and	
if the external device is classified as benign, allow the external device to transmit the incoming signals to the computing environment ([0184], determines inter alia whether each agent will operate in free mode (corresponding to a soft policy), or in armed mode (corresponding to a hard enforcement policy, for that endpoint). For example, the system may provide a administrator's GUI in which all endpoints are displayed, and, for each, the administrator may use a checkbox or other input option to determine whether armed mode or free mode is suitable. Typically, the default mode is free, in which case if a USB device connected to that endpoint triggers the system, a 
Appleboum does not explicitly disclose, however, in the same field of endeavor, Christiansen discloses transform the data from the incoming signals into Macrocell Interface (UTMI) or UTMI+ Low Pin Interface (ULPI) data packages ([0030]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the teaching Christiansen by including the feature of Interface by including the feature of a timestamp, in order for Appleboum’s system for monitoring high speed interchip (HSIC) universal serial bus (USB) signals in a device comprising a USB controller configured to output first USB transceiver macro-cell (UTMI+) signals, an HSIC PHY transceiver configured to receive first UTMI+ signals from the USB controller and to convert and transmit received first UTMI+ signals as first HSIC signals, and to receive second HSIC signals and transmit them as second UTMI+ signals to the USB controller, a UTMI+ conversion block configured to receive first and second UTMI+ signals and to transform the received first and second UTMI+ signals to corresponding first and second ULPI signals, and transmit first and second ULPI signals, the first and second ULPI signals being equivalent to the first and second HSIC signals, and a ULPI PHY transceiver configured to receive the first and second ULPI signals and transmit corresponding first and second USB signals. A UTMI+ interface uses between 50 and 60 pins depending on which level of Plus-functionality is needed. As a result, UTMI+ is not very useful for external transceivers, as pin-count must be minimized for size, cost, and power reasons in the digital SoC. To connect to an external ULPI transceiver, a ULPI wrapper on the 
Appleboum does not explicitly disclose however in the same field of endeavor, Williams discloses collect data from incoming signals from an external device connected to the hardware bus ( 2:55-55, also see 5: 5-10 collecting and analyzing data collected one or more systems (and/or subsystems) and then using a finite state machine to determine whether the one or more systems (and/or subsystems) has been compromised. One or more embodiments of the invention provides the ability to perform real time analysis of collected data (including communications, commands, etc.)); 
perform pre-processing on the data package to recreate protocol data packets of the external device (7:15-35, also see the exact configuration of the logic trees used within the method may determine the extent and type of preprocessing necessary. Some protocols and communication types may require several layers of preprocessing);
the performing of the pre-processing comprising utilizing finite state machines with the data packages (7:40-60, also see 9:53-65 the State Machine Reference Monitor's preprocessor would assign each of the command portions of the observed messages a unique identification. This way, multiple similar commands from dissimilar systems that have different syntax or values in the communication protocols would be mapped to the same command code within the State Machine Reference Monitor.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the teaching of Williams by including the feature of a pre-processing , in order for 
Furthermore, Williams discloses observed timestamp and other information (fig. 2c). Appleboum/Williams does not explicitly disclose, however, in the same field of endeavor, Johnson discloses to obtain timestamp information and human interface device (HID) information about the data from the incoming signals; extract feature information about the external device from the recreated protocol data packets ([0021]-[0022], timestamp and/or keystroke … particular string of characters was typed by a human user, also see [0017], keyboard/mouse event to Manageability Engine 124. In some embodiments, ME 124 records the time at which the event notification was received, creating a timestamp).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the 

As per claim 8, the combination of Appleboum, Christiansen, Williams and Johnson discloses the system according to claim 1, the external device being a universal serial bus (USB) device (Johnson, [0017]). The motivation regarding the obviousness of claim 1 is also applied to claim 8.
As per claim 9, the combination of Appleboum, Christiansen, Williams and Johnson discloses the system according to claim 8, the external device being a USB keyboard, USB mouse, USB storage device, or USB adapter (Johnson, [0017]). The motivation regarding the obviousness of claim 1 is also applied to claim 9.

As per claim 11, the combination of Appleboum, Christiansen, Williams and Johnson discloses the system according to claim 10, the using of machine learning comprising using a decision tree, a random forest, Naive Bayes, k-nearest neighbors, or a support vector machine on the extracted information (AAPA, and also please see US patent application no: 20190347518 to Shrestha).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum/Johnson with the well known in the including the feature of machine learning, in order for Appleboum’s system to  using the combined machine learning model, the one or more embodiments of the present application may function to process many aspects of video input, in parallel or synchronously, to achieve comprehensive detection results in real-time. In this way, the feature outputs of the combined machine learning model core may be composited in such a manner to extract mutual information (e.g., where information of feature outputs overlap) existing between distinct feature outputs from each of the distinct video analysis models within the combined model core.
As per claim 12, the combination of Appleboum, Christiansen, Williams and Johnson discloses the system according to claim 10, the using of machine learning comprising using a decision tree on the extracted information (AAPA,  and also Please 
Claims 13, 18-19 are rejected for similar reasons as stated above.

6.3.	Claims 2-7, 14-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Appleboum, Christiansen, Williams and Johnson as applied to claim above, and in view of US Patent Application No. 20170116399 to Samzelius et al (“Samzelius”).

	As per claim 2, the combination of Appleboum, Christiansen and Johnson discloses the invention as described above. Appleboum, Christiansen and Johnson do not explicitly disclose however in the same field of endeavor, Samzelius discloses the system according to claim 1, the information comprising information about at least one feature of keystroke-like actions of the external device, and the at least one feature comprising at least one of key transition time (KTT), duration held, normalized KTT, and normalized duration held ([0017], [0038]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the teaching of Samzelius by including the feature of keystroke-like actions, in order for Appleboum’s system to  measuring particular attributes about a user's typing cadence, sending such measures to a component (that may be part of the same computer that has the keyboard or another remote authentication component/system) where those current measures are compared to an already established profile of this user's typing 
As per claim 3, the combination of Appleboum, Christiansen, Williams, Johnson and Samzelius discloses the system according to claim 1, the information comprising information about at least one feature of keystroke-like actions of the external device, the at least one feature comprising key transition time (KTT), and the external device being classified as malicious if the KTT of any keystroke-like action of the external device is less than a first minimum threshold time (Samzelius, [0046]-[0050]). The motivation regarding the obviousness of claim 2 is also applied to claim 3.
As per claim 4, the combination of Appleboum, Christiansen, Williams, Johnson and Samzelius discloses the system according to claim 3, the first minimum threshold 

As per claim 5, the combination of Appleboum, Christiansen, Williams, Johnson discloses the system according to claim 1, the instructions of the hardware bus, when executed, further creating a whitelist of known benign devices a key activities of less than a first minimum threshold, the information comprising information about at least one feature of keystroke-like actions of the external device, the at least one feature comprising key activities, and the external device being classified as malicious if the key activities of any keystroke-like action of the external device is less than the first minimum threshold time and the external device is not on the whitelist (Appleboum, [0093]-[0095]).    
Appleboum, Christiansen, Johnson do not explicitly disclose however in the same field of endeavor, Samzelius discloses one of key transition time (KTT) (Samzelius, [0017], [0038]). The motivation regarding the obviousness of claim 2 is also applied to claim 5.
As per claim 6, the combination of Appleboum, Christiansen, Williams, Johnson and Samzelius discloses the system according to claim 1, the information comprising information about at least one feature of keystroke-like actions of the external device, the at least one feature comprising duration held, and the external device being classified as malicious if the duration held of any keystroke-like action of the external device is less 
As per claim 7, the combination of Appleboum, Christiansen, Williams, Johnson and Samzelius discloses the system according to claim 1, the information comprising information about at least one feature of keystroke-like actions of the external device, the at least one feature comprising key transition time (KTT) and duration held, and the external device being classified as benign if the KTT of all keystroke-like actions of the external device is greater than or equal to a first minimum threshold time and the duration held of all keystroke-like actions of the external device is greater than or equal to a second minimum threshold time ([0017], [0038], also see [0023]). The motivation regarding the obviousness of claim 2 is also applied to claim 5.
Claims 14-17 are rejected for similar reasons as stated above.
As per claim 20, Appleboum discloses a method for the detection and inhibition of insider threats to a computing environment to which a hardware bus is connected, the method comprising:
classifying, by the hardware bus, the external device as benign or malicious based on the extracted feature information ([0136], [0138]);
if the external device is classified as malicious, preventing, by the hardware bus, the external device from transmitting the incoming signals to the computing environment ([0182]); and

the external device being classified as malicious if the activities of any keystroke-like action of the external device is less than the first minimum threshold time and the external device is not on the whitelist (Appleboum [0093]-[0095]).
Appleboum does not explicitly disclose, however, in the same field of endeavor, Christiansen discloses transform the data from the incoming signals into Macrocell Interface (UTMI) or UTMI+ Low Pin Interface (ULPI) data packages ([0030]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the teaching Christiansen by including the feature of Interface by including the feature of a timestamp, in order for Appleboum’s system for monitoring high speed interchip (HSIC) universal serial bus (USB) signals in a device comprising a USB controller configured to output first USB transceiver macro-cell (UTMI+) signals, an HSIC PHY transceiver configured to receive first UTMI+ signals from the USB controller and to convert and transmit received first UTMI+ signals as first HSIC signals, and to receive second HSIC signals and transmit them as second UTMI+ signals to the USB controller, a UTMI+ conversion block configured to receive first and second UTMI+ signals and to transform the received first and second UTMI+ signals to corresponding first and second ULPI signals, and transmit first and second ULPI signals, the first and second ULPI signals being equivalent to the first and second HSIC signals, and a ULPI PHY transceiver configured to receive the first and second ULPI signals and transmit corresponding first and second USB signals. A UTMI+ interface uses between 50 and 60 pins depending 
Appleboum does not explicitly disclose however in the same field of endeavor, Williams discloses collect data from incoming signals from an external device connected to the hardware bus ( 2:55-55, also see 5: 5-10 collecting and analyzing data collected one or more systems (and/or subsystems) and then using a finite state machine to determine whether the one or more systems (and/or subsystems) has been compromised. One or more embodiments of the invention provides the ability to perform real time analysis of collected data (including communications, commands, etc.)); 
perform pre-processing on the data package to recreate protocol data packets of the external device (7:15-35, also see the exact configuration of the logic trees used within the method may determine the extent and type of preprocessing necessary. Some protocols and communication types may require several layers of preprocessing);
the performing of the pre-processing comprising utilizing finite state machines with the data packages (7:40-60, also see 9:53-65 the State Machine Reference Monitor's preprocessor would assign each of the command portions of the observed messages a unique identification. This way, multiple similar commands from dissimilar systems that have different syntax or values in the communication protocols would be mapped to the same command code within the State Machine Reference Monitor.
pre-processing , in order for Appleboum’s system to  providing protection against one or more of the following: (i) sophisticated, advanced malware not detected by anti-virus software, (ii) targeted attacks directed by adversaries at a particular target, and (iii) "Insider attacks" made by knowledgeable employees or personnel, in particular privileged network administrators possessing full administrative access to parts or all of the network. Specifically, one or more embodiments of the invention improve protection of systems (and subsystems) by one or more of the following mechanisms: (a) locating the state reference monitor off the network, not on it, making it immune to targeted attacks and circumvention; (b) tracking and analyzing expected versus actual data application and equipment states across multiple dissimilar systems and network segments, and/or (c) tracking and analyzing network communication states across multiple dissimilar systems and network segments (Williams, 13:20-35).
Furthermore, Williams discloses observed timestamp and other information (fig. 2c). Appleboum/Williams does not explicitly disclose, however, in the same field of endeavor, Johnson discloses to obtain timestamp information and human interface device (HID) information about the data from the incoming signals; extract feature information about the external device from the recreated protocol data packets ([0021]-[0022], timestamp and/or keystroke … particular string of characters was typed by a human user, also see [0017], keyboard/mouse event to Manageability Engine 124. In 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum with the teaching of Johnson by including the feature of a timestamp, in order for Appleboum’s system to authenticating the service transaction based at least in part on the attestation 240. For example, if a service provider desires to detect presence of an actual human user and receives an anonymously signed timestamp, the timestamp can be compared to a threshold to determine if the timestamp is temporally correlated to the initiation of the service request. If there is a correlation, then presence of a human user is determined to be authentic. Otherwise, the service transaction is determined to be fraudulent. If the service provider desires to know if a particular string of characters was typed by a human user, a received signature from the manageability engine verifies that the string of characters was typed. When the service provider receives a signature in response, then the service provider determines if the signature corresponds to a positive ("matched") or negative ("not matched") response and can take appropriate action based on that result (Johnson, [0021]).

Appleboum does not explicitly disclose however in the same field of endeavor, Samzelius discloses creating a whitelist of known benign devices having a key transition time (KTT) of less than a first minimum threshold ([0017], [0038]);
the information comprising information about at least one feature of keystroke-like actions of the external device, the at least one feature comprising KTT and duration held ([0017], [0038]),

the first minimum threshold time being 80 milliseconds (Samzelius, [0038], specific number is a design choice),
the classifying of the external device as benign or malicious based on the extracted information comprising using machine learning on the extracted information, and the using of machine learning comprising using a decision tree on the extracted information (please see rejection above claims 11-12).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Appleboum/ Johnson and with the well known in the including the feature of machine learning, in order for Appleboum’s system to  using the combined machine learning model, the one or more embodiments of the present application may function to process many aspects of video input, in parallel or synchronously, to achieve comprehensive detection results in real-time. In this way, the feature outputs of the combined machine learning model core may be composited in such a manner to extract mutual information (e.g., where information of feature outputs overlap) existing between distinct feature outputs from each of the distinct video analysis models within the combined model core.
as the prior art discloses many of the claim features (See PTO-form 892).

Conclusion
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195.  The examiner can normally be reached on 9 AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 


HARUNUR RASHID
Primary Examiner
Art Unit 2497


