DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 10/06/2021. 

Response to Amendment
Claims 1, 9 and 17 have been amended. 
Applicant’s arguments with respect to claim(s) 1, 9 and 17 regarding the new limitations: “in response to the request for resources from the web content that requires isolation, rendering the web content associated with the request in a cloud based secure environment that is isolated from the user device and providing image content based on the web content rendered, image content based on the web content rendered being graphics files including passive, safe pixels; and in response to the request for resources being the cloud application that requires isolation, isolating the cloud application in the cloud based secure environment and providing image content to the user device based on data from the cloud application, the content based on the data from the cloud application being graphics files including passive, safe pixels”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6-9, 14-17 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by prior art of record US 20180159896 to Soman et al (hereinafter Soman).
As per claims 1, 9 and 17, Soman teaches:
A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform the steps of: 
receiving a request for resources that are one of web content and a cloud application from a user device (Soman: [0022] As depicted in FIG. 2, secure browsing service 120 receives (201) a request for an internet browser from end user device 110. Once a request by the end user corresponds to an untrusted web destination (URL or IP address) that requires the use of secure browsing service 120, a request may be transferred to the secure browsing service 120 to accommodate the secure browsing requirement); 
determining the request requires isolation based on any of policy, category of the web content, type of the user device, and location of the user device (Soman: [0022]: Once a request by the end user corresponds to an untrusted web destination (URL or IP address) that requires the use of secure browsing service 120, a request may be transferred to the secure browsing service 120 to accommodate the secure browsing requirement. [0023] After receiving the request from end user device 110, operation 200 further directs secure browsing service 120 to allocate (202) a virtual machine with an instance of the internet browser executing thereon to the end user device); 
in response to the request for resources from the web content that requires isolation, rendering the web content associated with the request in a cloud based secure environment that is isolated from the user device and providing image content based on the web content rendered, image content based on the web content rendered being graphics files including passive, safe pixels (Soman: [0022]: Once a request by the end user corresponds to an untrusted web destination (URL or IP address) that requires the use of secure browsing service 120, a request may be transferred to the secure browsing service 120 to accommodate the secure browsing requirement. [0027] When the end user device is accessing the browser on the virtual machine using a remote desktop protocol, the graphical user interface (GUI) of the desktop is generated on the server hosting the virtual machine and the GUI image data is then encoded and transmitted over the network to the client device, where it is decoded and displayed to the user. For example, the framebuffer pixel data produced by the browser operating on the virtual machine may be encoded using a codec, such as H264, and transmitted over an Internet connection to the end user device, where the data is decoded and rendered in the secure browser window displayed on the screen of the end user device. [0068]: In some examples, secure browsing service 120 may operate as a cloud service or in a data center); and 
in response to the request for resources being the cloud application that requires isolation, isolating the cloud application in the cloud based secure environment and providing image content to the user device based on data from the cloud application, the content based on the data from the cloud application being graphics files including passive, safe pixels (Soman: [0022] As depicted in FIG. 2, secure browsing service 120 receives (201) a request for an internet browser (application) from end user device 110. [0027] When the end user device is accessing the browser (application) on the virtual machine using a remote desktop protocol, the graphical user interface (GUI) of the desktop is generated on the server hosting the virtual machine and the GUI image data is then encoded and transmitted over the network to the client device, where it is decoded and displayed to the user. For example, the framebuffer pixel data produced by the browser operating on the virtual machine may be encoded using a codec, such as H264, and transmitted over an Internet connection to the end user device, where the data is decoded and rendered in the secure browser window displayed on the screen of the end user device. [0068]: In some examples, secure browsing service 120 may operate as a cloud service or in a data center. Also, [0020]).

As per claims 6, 14 and 20, Soman teaches:
The non-transitory computer-readable medium of claim 1, wherein the instructions that, when executed, further cause the one or more processors to perform the steps of receiving a second request for resources that are one of web content and a cloud application from a user device, wherein the request is a first request (Soman: [0022]: In other implementations, browser request module 115 may monitor the operations of the user on a local browser installed at end user device 110. This monitoring may permit browser request module 115 to identify the websites and other online resource destinations of the end user); and 
determining the second request does not require isolation, wherein the first request is rendered in isolation in a first tab of a web browser and the second request is direct, not in isolation, in a second tab of the web browser (Soman: determine whether they should be handled via the local browser or through an external browser of secure browsing service 120. The determination may be made based on the uniform resource identifiers or locators (URIs/URLs) associated with requests, the IP addresses associated with requests, or some other similar determination based on the browsing operations of the end user. [0034]: Accordingly, if the user typed in a particular URI, browser request module 115 may compare the URI to blacklist or whitelist rules to determine whether the request should be processed locally via the local browser or externally via a browser executing on a virtual machine. It is inherent that if the URI is in the whitelist, the request will be processed via the local browser. [0049] In some implementations, browser instances 751 and 753 may appear as separate tabs within a browser window on the end user device).

As per claims 7 and 15, Soman teaches:
The non-transitory computer-readable medium of claim 1, wherein the instructions that, when executed, further cause the one or more processors to perform the steps of subsequent to a logout or exiting a web browser, for the request, destroying the secure environment (Soman: [0027]: Furthermore, once the user closes the secure browser window, the virtual machine on the remote server may be refreshed or deleted, thereby cleaning any possible malware that may have been introduced by the browser execution).

As per claims 8 and 16, Soman teaches:
The non-transitory computer-readable medium of claim 1, wherein the secure environment is a virtual browser in isolation that performs the request, and wherein the instructions that, when executed, further cause the one or more processors to perform the steps of receiving a response to the request in the virtual browser; and converting the response to the image content (Soman: [0022]: Once a request by the end user corresponds to an untrusted web destination (URL or IP address) that requires the use of secure browsing service 120, a request may be transferred to the secure browsing service 120 to accommodate the secure browsing requirement. [0027] When the end user device is accessing the browser on the virtual machine using a remote desktop protocol, the graphical user interface (GUI) of the desktop is generated on the server hosting the virtual machine and the GUI image data is then encoded and transmitted over the network to the client device, where it is decoded and displayed to the user. For example, the framebuffer pixel data produced by the browser operating on the virtual machine may be encoded using a codec, such as H264, and transmitted over an Internet connection to the end user device, where the data is decoded and rendered in the secure browser window displayed on the screen of the end user device).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 2, 5, 10, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Soman and prior art of record US 20190394255 to Kolesnikov (hereinafter Kolesnikov).
As per claims 2, 10 and 18, Soman does not teach the limitations of claims 2, 10 and 18. However, Kolesnikov teaches:
wherein the user device executes a web browser that loads the image content utilizing a JavaScript application and that interacts with the image content by sending keyboard and mouse inputs via a Web Socket channel (Kolesnikov: [0054]. [0056] The remote computing device 410 and the client computing devices 420.1-n may communicate using the WebSocket protocol. [0057] The helper application 440 may be a program executing on all or portions of the remote computing device 410 configured to receive all or portions of communications from the client computing devices 420.1-n and implement the communications with respect to the sessions 411.1-n. For example, each session may have a respective helper application with a respective WebSocket channel for receiving instructions. The helper application 440 may be configured to open a channel (e.g., a WebSocket channel) to receive instructions (e.g., instructions to open a new tab) from the client computing devices 420.1-n. [0063] In step 506, the remote computing device 410 may wait for input from a client computing device. The input may comprise commands associated with a displayed web page, such as clicking on a link, moving a mouse, sending voice data from a microphone, or the like. The input may be received from the input devices 422.1-n. Input may comprise commands received from a web page, such as a command to access a new web page prompted from a JavaScript application in a web page. Also, [0032]-[0033]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kolesnikov in the invention of Soman to include the above limitations. The motivation to do so would be to provide a method of receiving and handling multiple web browser tabs in a remote web browsing session (Kolesnikov: [0005]).

As per claims 5 and 13, Soman does not teach the limitations of claims 5 and 13. However, Kolesnikov teaches:
wherein the instructions that, when executed, further cause the one or more processors to perform the steps of persisting a state and session of the cloud application in the secure environment, for use after the user device logs out and logs back in (Kolesnikov: [0061]: A session corresponding to the request may exist if the request is associated with an existing session. For example, a user of a laptop computer may request to access a session they previously accessed on a desktop computer. As another example, the remote computing device 410 may maintain a number of permanent sessions, and the request may be associated with an application executing in a permanent session. It is inherent that a permanent session will persist for use even after the user logs in after logging out).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kolesnikov in the invention of Soman to include the above limitations. The motivation to do so would be to provide a method of receiving and handling multiple web browser tabs in a remote web browsing session (Kolesnikov: [0005]).

Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Soman and prior art of record US 20110113467 to Agarwal et al (hereinafter Agarwal).
As per claims 3, 11 and 19, Soman teaches: 
wherein the resources are the cloud application and the user device is one or more of i) located outside an enterprise's network and ii) a non-enterprise device (Soman: Fig. 1, [0018]: Secure browsing service 120 may be accessed by end user device 110 using the internet, the intranet, or some other similar communication network. [0067]: end user device 110 can be subscriber equipment, customer equipment (non-enterprise device). [0022] As depicted in FIG. 2, secure browsing service 120 receives (201) a request for an internet browser (application) from end user device 110), and 
Soman does not teach: the cloud application is provided in isolation to avoid data exfiltration on the user device. However, Agarwal teaches:
the cloud application is provided in isolation to avoid data exfiltration on the user device (Agarwal: [0014] A system for preventing data loss as outlined by FIG. 1 can resolve many of these issues. In accordance with one example implementation, an application is provided to encapsulate or wrap each application or suite of applications used in a network within a virtual machine. Access to and from each virtual machine can be controlled by an associated firewall (i.e., security) policy, or any other suitable security safeguard. Confidential data, as potentially defined by the associated firewall policy, may be contained within the virtual machine wrapped application such that copy and paste buffers and temporary files would not be accessible through the main operating system underlying the virtual machine. [0019]: In one example embodiment, a policy may be applied to firewall policy module 34a for human resources virtual machine 12, preventing an authorized user from transmitting (e.g., copying, pasting, moving, sending, exporting, emailing, etc.) confidential data, such as employee salary data, from human resources virtual machine 12 to another application or user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Agarwal in the invention of Soman to include the above limitations. The motivation to do so would be to protect data associated with the application from accidental and deliberate leakage (Agarwal: [0010]).

Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Soman and prior art of record US 20170070509 to Giura et al (hereinafter Giura).
As per claims 4 and 12, Soman does not teach: wherein the determining is performed by a secure web gateway. However, Giura teaches:
wherein the determining is performed by a secure web gateway (Giura: [0018]: the transparent network proxy 120 to determine if the URL or destination is unknown, suspicious, otherwise untrustworthy, or a combination thereof. [0023]: the enterprise network 115 may include the transparent network proxy 120 and one or more internal resource servers 112. In certain embodiments, the enterprise network 115 may be a private network, such as a virtual private network, utilized to connect each of the devices within the enterprise network 115 to one another in a secure fashion. [0027]: In certain embodiments, the transparent network proxy 120 may be a network proxy, …, a gateway).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Giura in the invention of Soman to include the above limitations. The motivation to do so would be to provide secure browsing via a transparent network proxy (Giura: [0005]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 9729515 to Anantharaju: A network server generates and allocates operating environments to trusted user agents executing on a client device. Each operating environment is generated responsive to a request to establish a secure communications session between a trusted user agent and a user-level application executing on a secure application server at a secure site, and comprises the software and/or hardware components that are necessary for maintaining that secure session. The network server monitors the secure communications session and deletes the operating environment upon detecting that the secure communications session has terminated.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


