DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the currently amended claims, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made as per the cited prior art below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8, 10-13, 15-18, 20, and 24-27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dotan (US 8,677,472 B1) in view of Lang (US 8,650,303 B1), Kaminsky (US 2016/0191554 A1), and “Traffic Classification Using Visual Motifs: An Empirical Evaluation,” hereinafter “Lian.”

Regarding claim 1, Dotan discloses: A method comprising: 
running virtual sessions on a virtualization server for a plurality of client devices associated with respective users, the client devices having user input devices associated therewith, and the virtual sessions being responsive to user input device traffic from […] client devices over a plurality of respective channels; 
Refer to at least FIG. 1 and 2 of Dotan with respect to a VM server running plural virtual instances for plural users as per at least Col. 1, Ll. 40-49 of Dotan.
Refer to at least Col. 5, Ll. 32-37 of Dotan with respect to the VM server communicating with clients via any appropriate remote protocol.
Refer to at least Col. 4, Ll. 26-45 of Dotan with respect to users interacting via mouse and keyboard actions.
determining baseline user input traffic patterns for the users at the virtualization server based upon the [user input device traffic]; 
Refer to at least Col. 9, Ll. 55-67 of Dotan with respect to modifying and/or adding to historical behavior patterns for users. 
monitoring traffic […] at the virtualization server during a new virtual session for a given client device and detecting an anomaly therein relative to the baseline user input traffic patterns […]; and 
Refer to at least Col. 7, Ll. 1-Col. 8, Ll. 21 and Col. 9, Ll. 1-12 and 29-55 of Dotan with respect to collecting behavior data and associated analysis.
generating an anomaly alert based upon detecting the anomaly.
Refer to at least Col. 9, Ll. 1-7 and Col. 10, Ll. 1-14 of Dotan with respect to remedial actions such as adding to an audit log for an administrator. 
Dotan does not disclose: [user input device traffic] from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; generating a heat map of user input device behavior based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels; [based upon] the heat map; [monitoring traffic] over the virtual channels; [baseline user input traffic patterns] for different users; including printing traffic and universal serial bus (USB) traffic. However, Dotan in view of Lang discloses: [user input device traffic] from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; [monitoring traffic] over the virtual channels;
Refer to at least the abstract and FIG. 14 of Lang with respect to monitoring.
Refer to at least FIG. 6, Col. 17, Ll. 29-Col. 18, Ll. 57, and Col. 27, Ll. 29-61 of Lang with respect to HDX/ICA functionality associated with the monitoring. 
including universal serial bus (USB) traffic;
Refer to at least Col. 8, Ll. 66-Col. 9, Ll. 8 of Lang with respect to USB devices. 
Further, Dotan-Lang in view of Kaminsky discloses: generating a heat map of user input device behavior based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels; [based upon] the heat map;
Refer to at least [0060]-[0061] of Kaminsky with respect to generating heatmap signatures for users based upon mouse and keyboard usage patterns. The signatures represent typical human user behavior.
[baseline user input traffic patterns] for different users.
Refer to at least [0022] and [0031] of Kaminsky with respect to modeling users’ behaviors as typical for humans; creating a control group for such.
Finally, Dotan-Lang-Kaminsky in view of Lian discloses: including printing traffic.
Refer to the last paragraph on page 71 of Lian with respect to the Line Printer Daemon traffic heat map. 
The teachings of Dotan readily discuss combination with any remote protocol, and further, the teachings of both Dotan and Lang concern monitoring virtual sessions. As such, they are considered to be combinable. The teachings of Kaminsky are further considered to be combinable with those of Dotan-Lang as they both concern keyboard/mouse behavior analysis 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Dotan to include support for HDX/ICA because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art. It further would have been obvious to implement heatmap signatures for at least the reasons discussed in [0061] of Kaminsky (i.e., a novel method of determining whether behavior is typical of a human or a bot). Finally, it would have been obvious to implement additional metrics (e.g., printer and USB traffic) for at least the purpose of strengthening the model.

Regarding claim 2, Dotan-Lang-Kaminsky-Lian discloses: The method of Claim 1 wherein the user input devices comprise keyboards; and wherein generating the baseline user input traffic patterns comprises generating the user input baseline traffic patterns based upon traffic from the keyboards to the client devices during the virtual sessions.
Refer to at least Col. 7, Ll. 50-64 of Dotan with respect to collecting and analyzing keystroke data; typing speed. 

Regarding claim 3, it is rejected for substantially the same reasons as claim 2 above.

Regarding claim 5, Dotan-Lang-Kaminsky-Lian discloses: The method of Claim 1 wherein the client devices further have input/output (I/O) ports associated therewith; and wherein generating the baseline traffic patterns comprises generating the baseline traffic patterns also based upon traffic associated with the I/O ports.
Refer to at least Col. 6, Ll. 32-36 of Dotan with respect to collecting and analyzing I/O data. 

Regarding claim 8, it is rejected for substantially the same reasons as claim 1 above (i.e., Col. 9, Ll. 64-67 concerning machine learning).

Regarding claim 10, it is rejected for substantially the same reasons as claim 1 above.

Regarding independent claim 11, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially similar reasons (i.e., the citations and obviousness rationale).

Regarding claims 12-13 and 15, they are substantially similar to claims 2-3 and 5, and are therefore likewise rejected.

Regarding independent claim 16, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially similar reasons (i.e., the citations and obviousness rationale).

Regarding claims 17-18 and 20, they are substantially similar to claims 2-3 and 5, and are therefore likewise rejected.

Regarding claim 24, Dotan-Lang-Kaminsky-Lian discloses: The method of claim 1 wherein the user input devices comprise a respective mouse associated with each client device; and wherein generating the heat map comprises generating the heat map based upon user mouse click behavior.
Refer to at least [0060]-[0061] of Kaminsky with respect to generating heatmap signatures based on mouse click behavior. 


Regarding claims 25-26, they are substantially similar to claim 24 above, and are therefore likewise rejected.

Regarding claim 27, Dotan-Lang-Kaminsky-Lian discloses: The method of claim 1 wherein the USB traffic relates to file copying.
Refer to at least [0022] of Kaminsky with respect to copy/paste.
Refer to at least Col. 19, Ll. 37-40 of Lang with respect to local data transfer.
This claim would have been obvious for substantially the same reasons as claim 1 above.


Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dotan-Lang-Kaminsky-Lian as applied to claims 1-3, 5, 8, 10-13, 15-18, 20, and 24-27 above, and further in view of Brew (US 2016/0142430 A1).

Regarding claim 9, Dotan-Lang-Kaminsky-Lian does not specify: wherein detecting comprises detecting the anomaly based upon a multi-variant Gaussian distribution. However, Dotan-Lang-Kaminsky in view of Bailey discloses: wherein detecting comprises detecting the anomaly based upon a multi-variant Gaussian distribution.
Refer to at least [0023] of Brew with respect to use of a multivariate Gaussian distribution in determining anomalies. 
The teachings of Dotan-Lang-Kaminsky-Lian concern detecting anomalies based on models of user data, and are considered to be combinable with the teachings of Brew concerning anomaly detection.
.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/V.S/Examiner, Art Unit 2432