DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the RCE filed on 05/21/2021.
Claims 1-4, 6-12 and 14-18 are currently pending in this application. Claims 1-3, 6, 7, 9-11, 14, 15 and 17 have been amended. Claim 18 is new.
No new IDS has been filed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/21/2021 has been entered.

Examiner’s Note
It is suggested that applicants include part of the information from pages 6-8 of the specification (e.g., steps for attributes with possible events) in the claims in order to improve the claim limitations with regard to the allowability of the application.

Response to Arguments
In regard to the previous 112(b) rejections, the applicants have amended the claims to overcome the rejections; however, the currently amended limitations are unclear and give rise to new rejections (some of them are compatibility or antecedent basis issues) - see the 112(b) rejections section below for detail.

In regard to the 102 rejections, the applicants have, in pages 11-13 of the remarks, argued that “… a) collecting one or more events from a first endpoint, each event identifying one or more attributes associated to the event … b) detecting a security threat related to one or more of the collected event … with regards to items “a” and “b” stated above … Turgeman discloses that an end-user may utilize a computing device … however, Turgeman as cited does not disclose that the “silent key logger” is somehow used to detect a security threat related to one or more of the collected plurality of events. According to Turgeman … paragraph [0033] … does not disclose that this visualization module is somehow disclosing at least where claim 1 related to …”. (Examiner’s note: Turgeman’s visualization module is not used in the rejection of claim 1 – see the rejections section below for more detail.)
This argument of the applicants is not persuasive.
First of all, as responded in the previous office action, Turgeman’s silent key logger is software code of the end-user device used to monitor, track and log all the user interaction via keyboard, mouse, touch-screen and other input units as well as their timing, and to provide this information (e.g., the user interaction data) to the user interactions monitoring/sampling module 102 (of the system 100) – see fig. 1; the user interaction data enables a user-specific feature extraction module 101 to extract or determine user-specific features that characterize the interaction – see par. 0037. In other words, one or more events (e.g., the user interaction and timing with input units) is collected/logged from a first endpoint (e.g., the end-user device with the code), each event identifying one or more attributes (e.g., the user-specific feature that characterize the interaction) associated to the event (e.g., the user interaction and timing with input units).
Secondly, Turgeman, in figs. 1, 2, paras. 0045, 0047, 0050, clearly taught that the mouse dynamics analyzer module 211 (of the fraud detection module 111 of the system 100) detects the rate or speed of mouse-clicks indicating a highly-experienced hacker or the lack of manual correction of mouse-movement, … indicates an automated script or a cyber-attack … rather than an authorized human user. In other words, the security threat (e.g., experienced hacker or lack of manual action, etc.) related to one or more of the collected events (e.g., collected information of the user interaction and timing with input units) is detected.
Therefore, it is obvious that Turgeman teaches the claimed/argued limitations, “… a) collecting a plurality of events from a first endpoint, each event of the collected plurality of events identifying one or more attributes associated to the … b) detecting a security threat related to one or more of the collected plurality of events … “. See the 102 rejections section below for detail.

The applicants, in pages 12-13 of the remarks, also argued that “… Turgeman as cited discloses … par. 0053 … however, there cannot be found in Turgeman where it is discloses that access time analyzer module 214 of Turgeman is somehow, based on collecting a plurality of events from applications or process … expected actions of the procedure …”.
The applicants’ arguments are not persuasive.
As the applicants noted, the processes of the access time analyzer module 214 are a part of the fraud detection module of the system 100 (see figs. 1, 2; and par. 0047) and the claimed method, “collecting a plurality of events … one or more expected actions of the procedure …” is taught by processes of the components (NOT the module 214 alone) of the system 100 (e.g., “the user interactions sampling/monitoring 102” – see par. 0036; “the user interactions analyzer 203” – see par. 0049; “the mouse dynamics analyzer module 211” – see par. 0050; “the keyboard dynamics analyzer module 212” – see par. 0051; “the typing patterns analyzer module 213” – see par. 0052; including “the access time analyzer module 214” – see par. 0053). See the 102 rejections section below for detail.

The applicants, in pages 13-15 of the remarks, also argued that “… regarding items “c” and “d” stated above … Turgeman discloses that the comparator/matching module 104 is comparing or matching values from a user session and not from an endpoint as claimed … for at least these reasons Turgeman as cited does not disclose …c) searching matching events … and d) based on finding … detected in step b)”.
Examiner respectfully disagrees with the argument.
As responded in the previous office action, Turgeman, in par. 0039, clearly discloses that the comparator/matching module 104 (of the system 100) compares/matches between values of user specific features that are extracted in a current user session or user interaction and values of respective previously-captured or previously extracted user-specific features of the current user, and/or of other users, and/or of pre-defined sets of values that correspond to known automated scripts or bots. Moreover, as described above, the silent key logger is software code of the end-user device used to monitor, track and log all the user interaction to provide to the user interactions monitoring/sampling module 102 (of the system 100) – see fig. 1 and par. 0036. Therefore, it is obvious that the comparator/matching module 104 compares/matches values from user interactions of the endpoint (e.g., end-user device) as claimed and Turgeman teaches the claimed/argued limitation of items “c” and “d”. See the rejections section below for detail.

Furthermore, the applicants, in page 15 of the remarks, have argued that “… regards to identifying attributes, Turgeman only mentions the term “network attributes” one time in par. 0091, where Turgeman discloses a detailed report … for at least these reasons … the office action appears to have little or no support in Turgeman”.
This argument of the applicants is not persuasive.
The claimed term “attribute” of the claim is interpreted as “a specific value or metadata that define a property of an event, for example, a name, a value, a type or a class, etc.”. Any specific value or metadata (e.g., the values or the user-specific feature that characterize the interaction) that define a property of an event (and any information of a name, a value, a type or a class, etc.) included/mentioned/supported by Turgeman 
  
Finally, the applicants, in page 15 of the remarks, also argued that “… further, it is submitted that … would not find it obvious that Turgeman somehow discloses at least where the claimed invention relates to detecting endpoints that are suffering … by processing malicious files or executing malicious applications/processes …”.
This argument of the applicants is not persuasive.
As responded in the previous office action, it is noted that the features upon which applicants argue (e.g., detecting endpoints that are suffering … processing malicious files or executing malicious applications/process) are NOT recited in the claims. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). See the 102 rejections section below for the rejections of the claimed limitations.
 
The applicants’ arguments, for the claims 1, 9, 17, the dependent claims 2-4, 6-8, 10-12, 14-16 and the new claim 18, regarding limitations similar to the limitations of the claim 1 responded to above, are not persuasive, and the responses to these arguments are similar to the response for the claim 1 above.
Thus, the applicants’ arguments are not persuasive. Please see amended rejections below for amended claims.

Claim Objections
Claim 18 is objected to because of the following informalities:  the claim recites “… the method according to claim 11, wherein …”, however, the claim 11 is a server claim.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
 

Claims 1-4, 6-12 and 14-18 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claim 1 (claims 9 and 17 have similar limitations) recites “… identifying one (or more) attribute(s) associated to the collected plurality of events … wherein the one (or more) attribute(s) identify, for each procedure, a characteristic action and one or more expected actions of the procedure …”; however, it is not clear (1) whether the collected plurality of events are associated to a single attribute or not; (2) whether the single attribute identifies both characteristic action and the expected action or not – note: “one or more attributes” is interpreted as “one attribute”, but the applicants are suggested to use “a plurality of attributes” if they would like it interpreted as more than one attribute; and (3) whether “the procedure” is the same as “one or more procedures” or each procedure, the each procedure, etc.) if they are the same.
Claims 2-4, 6-8, 10-12, 14-16 and 18 depend from the claim 1 or 9, and are analyzed and rejected accordingly.

Claims 2, 3, 6, 10 and 11 (the dependent claims of the claim 1 or 9) recite “at least part of the attributes … comprising one or more attributes as in the …”, however, it is not clear whether “the attributes” and “one or more attributes” are the same as “one or more attributes” included in the independent claim 1/9 or not. Note: the applicants are suggested to review the terms related to the attributes (e.g., “one or more attributes”, “the one or more attributes”, “the attributes”, “attributes”, etc.) for grammatical, compatibility or antecedent basis issue. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




Claims 1-4, 6-12 and 14-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Turgeman et al. (US 2015/0213246 A1).

As per claim 1, Turgeman teaches a method of threat control (e.g., the fraud mitigation) on a computer system [see abstract; figs. 1, 4 and par. 0088], the method comprising:
a) collecting a plurality events from applications or processes executed by a first endpoint, each event of the collected plurality of events identifying one or more attributes associated to the collected plurality of events [fig. 1; par. 0036, lines 1-37; par. 0037, lines 1-5; par. 0045, lines 1-8 of Turgeman teaches collecting one or more events (e.g., the user interactions) from applications or processes executed by a first endpoint (e.g., processes performed by the end-user device with codes to the Web-browser), each event of the collected one or more events identifying one or more attributes (e.g., the user-specific feature that characterize the interaction) associated to the collected one or more events], (note: one or more attributes can be interpreted as either one attribute or more than one attribute),
wherein the one or more attributes associated to the collected plurality of events relate to one or more procedures of: establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations; network operations; process/threat creation; application start/exit [fig. 2; par. 0036, lines 1-37; par. 0053, lines 1-24 of Turgeman teaches wherein the one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) associated to the collected one or more events relate to one or more procedures of: establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations; network operations (e.g., filling the online form regarding the speed or time spent on); process/threat creation; application start/exit (e.g., log-in attempts during a time in which the user is expected to be sleeping)];
wherein the one or more attributes identify, for each procedure, a characteristic action and one or more expected actions of the procedure [fig. 2; par. 0036, lines 25-31; paras. 0050-0053 of Turgeman teaches wherein the one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) identify, for each procedure (e.g., filling the online form, or log-in attempts during a time in which the user is expected to be sleeping), a characteristic action (e.g., the data-entry or log-in attempts) and one or more expected actions (e.g., rate of speed of the data entry, such as mouse-click speed, keyboard data entry rate, typing patterns, field filling time, log-in attempts or service time, etc. indicating actions performed by an experienced hacker or bot) of the procedure];
b) detecting a security threat related to one or more of the collected plurality of events [figs. 1, 2; par. 0036, lines 13-31; paras. 0050-0053 of Turgeman teaches detecting a security threat (e.g., experienced hacker’s action 
c) searching matching events of the collected plurality of events from one or more further endpoints, wherein a matching event comprises at least one attribute of the one or more attributes associated with the collected plurality of events related to the detected security threat [par. 0039, lines 1-11; par. 0045, lines 1-8; par. 0048, lines 1-10 of Turgeman teaches searching matching events of the collected plurality of events (e.g., the collected user interactions) from one or more further endpoints (e.g., values of previously-extracted user-specific features of other users/devices), wherein a matching event comprises at least one attribute of the one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) associated with the collected plurality of events related to the detected security threat (e.g., experienced hacker or lack of manual action, etc.)]; and
d) based on finding at an associated endpoint the matching event with at least the one attribute of the one or more attributes associated to the collected plurality of events related to the detected security threat, identifying the associated endpoint as being related to a security threat similar to what was detected in step b) [par. 0039, lines 1-7; par. 0040, lines 1-7; par. 0041, lines 1-8 of Turgeman teaches based on finding at an associated endpoint (e.g., the device of a user, whose extracted user-specific features are compared), the matching event (e.g., the matching user interactions) with at least the one attribute of the one or more attributes (e.g., the values or the user-

As per claim 2, Turgeman teaches the method according to claim 1. 
Turgeman further teaches generating a list of at least part of the attributes of the collected plurality of events related to the detected security threat and searching matching events of the collected plurality of events comprising one or more attributes as in the generated list from the one or more further endpoints [par. 0036, lines 13-20; par. 0037, lines 5-8; par. 0038, lines 1-8; par. 0039, lines 1-7 of Turgeman teaches generating a list of at least part of the attributes of the collected plurality of events (e.g., information of the user profile) related to the detected security threat (e.g., experienced hacker or lack of manual action, etc.) and searching matching events of the collected plurality of events comprising one or more attributes (e.g., the values or the user-specific feature that characterize the interaction) as in the generated list (e.g., the information of the user profile) from the one or more further endpoints (e.g., the other users/endpoints)] – see also rejections of the claim 1.

As per claim 3
Turgeman further teaches collecting one or more sequences of the collected plurality of events from the first endpoint; detecting that the detected security threat is related to a specific sequence of events of the collected plurality of events or a subset of the specific sequence of events; and generating the list based on at least part of the attributes of the specific sequence of events or the subset of the specific sequence of events [fig. 2; par. 0049, lines 1-18; paras. 0050-0054 of Turgeman teaches collecting one or more sequences of the collected plurality of events (e.g., the sequences of the user interactions) from the first endpoint (e.g., the end-user device with codes to the Web-browser); detecting that the detected security threat is related to a specific sequence of events of the collected plurality of events or a subset of the specific sequence of events (e.g., filling multiple complicated fields in an online form, etc.); and generating the list based on at least part of the attributes of the specific sequence of events or the subset of the specific sequence of events (e.g., the sequences of the user interactions)] – see also rejections to the claims 1 and 2.

As per claim 4, Turgeman teaches the method according to claim 1. 
Turgeman further teaches generating a security alert corresponding to the detected security threat detected in step b [paras. 0106-0108 of Turgeman teaches generating a security alert corresponding to the detected security threat detected in step b (e.g., experienced hacker or lack of manual action, a particular type of data entry method, etc.)] – see also rejections to the claim 1.

As per claim 6
Turgeman further teaches providing the generated list of at least one of the attributes of the collected plurality of events related to the detected security threat to one or more client computer devices for enabling the one or more client computer devices to identify the detected security threat and to take further action based on the identified detected security threat [fig. 1; par. 0037, lines 5-12; paras. 0039-0040; par. 0045, lines 1-8 of Turgeman teaches providing the generated list of at least one of the attributes of the collected plurality of events (e.g., information of the user profile) related to the detected security threat to one or more client computer devices (e.g., one or more devices of the system 100) for enabling the one or more client computer devices (e.g., the device with the comparator/matching module, etc.) to identify the detected security threat and to take further action (e.g., generating and sending a possible-fraud signal) based on the identified security threat (e.g., experienced hacker or lack of manual action, etc.)].

As per claim 7, Turgeman teaches the method according to claim 6. 
Turgeman further teaches based on the identified detected security threat by one or more of: blocking, terminating or preventing one or more events of the collected plurality of events or applications related to the identified detected security threat installed on one or more client computer devices; warning a user of an end point related to the identified detected security threat; providing a software update to one or more of the end points [par. 0040, lines 1-7; par. 0088, lines 1-8; par. 0089, lines 1-3 of Turgeman teaches based on the identified detected security threat by one or more of: blocking, terminating or preventing one or more 

As per claim 8, Turgeman teaches the method according to claim 1. 
Turgeman further teaches wherein a matching event is determined based on a relevant distance criteria associated with different domains of the one or more attributes associated to the event, wherein the distance criteria includes at least one of: an exact match of attributes, a partial match of attributes, heuristic or probabilistic matching and domain specific matching techniques [paras. 0103-0109 of Turgeman teaches a matching event is determined based on a relevant distance criteria (e.g., number of percent points) associated with different domains (e.g., a particular type of data entry method) of the one or more attributes (e.g., the user-specific feature that characterize the interaction) associated to the event, wherein the distance criteria includes at least one of: an exact match of attributes, a partial match of attributes (e.g., the percent points, threshold value, etc.), heuristic or probabilistic matching and domain specific matching techniques].

Claims 9-12 and 14-16
Claim 17 is a medium claim that corresponds to the method claim 1, and is analyzed and rejected accordingly.

As per claim 18, Turgeman teaches the method according to claim 11. 
Turgeman further teaches wherein the matching event comprises a subset or at least part of one or more attributes of the collected plurality of events related to the detected security threat [paras. 0039, 0042, 0043, 0048 of Turgeman, see also rejections of the claim 1].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/MAUNG T LWIN/Primary Examiner, Art Unit 2495