DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
2. 	This communication is in response to the amendment filed on 11/08/2021. The Examiner has acknowledged the amended Claims 1 and 3-6. Claim 2 has been cancelled and new claims 9-16 have been added. Claims 1 and 3-16 are pending and Claims 1 and 3-16 are rejected.

Response to Arguments
3.	Applicant's Arguments (Remarks) filed 11/08/2021 have been fully considered but they are not persuasive and/or now moot in view of the new ground of rejection necessitated by Applicant's amendment. 

4.	The objection to Claim 4 has been withdrawn in view of the amended corrections.

5. 	Claim 2 has been cancelled and the rejection of Claims 1, 3-8 under 35 U.S.C. § l 12(b) has been withdrawn in view of applicant’s amendment.

6.	Claim 2 has been cancelled and the rejection of claims 1, 3-8 under 35 U.S.C 101 has been withdrawn in view of the applicant’s amendment.

considered but they are not persuasive and/or now moot in view of the new ground of rejection necessitated by Applicant's amendment.
Applicant argues [REMARKS, Pages 12-15] that “Specifically, Pitre does not expressly or inherently describe several steps of amended claim 1 including "identifying privileged accounts," "connecting remotely, by the robot program to machines within the domain," "retrieving activity log information of the machines," "filtering the privileged accounts," "calculating associations between the filtered privileged accounts and the machines responsive to the activity log information," supplying the secure connection proxy with the calculated associations," and "establishing a privileged session between one or more of the machines and a server responsive to at least one of the calculated associations," as recited in amended claim 1” and  “Wana appears to merely describe the generation and recording of activity data of a user. Wana does not expressly or inherently describe each and every element of claim 1, as amended.”.
Examiner respectfully disagrees. Pitre discloses identifying privileged accounts, i.e. Pitre discloses "identifying privileged accounts" – for example Pitre discloses account may be associated with an entitlement (e.g., an access privilege or a usage right) to a resource provided by a target system (Pitre: ¶ [0050]) and maintain access to those accounts based on roles 220 associated with a user  (Pitre: ¶ [0085]). Pitre further discloses "connecting remotely, by the robot program to machines within the domain" -- IDM system 112 may receive account data corresponding to several accounts from a target system. The account data may be received by IDM system 112…, account data corresponding to several accounts may be imported into IDM system (Pitre: ¶ [0062], ¶ [0009, 0174]). Pitre further discloses "filtering the privileged accounts," – for example, Pitre discloses one or more types of accounts may be provisioned for a target system…, account types may include, for example, various user 
Applicant further argues [REMARKS, Pages 14-15] that “Applicant respectfully submits that a person having ordinary skill in the art would not have been motivated to combine Pitre and Wana. Wana does not appear to describe any kind of secure connection or privileged sessions but instead merely describes "mak[ing] it easier to find the resources for which users are looking." Wana, ¶ [0002]. As such, Wana is not from the same field of endeavor and modifying Pitre to include teachings from Wana would not have been predictable.”
Examiner respectfully disagrees. Wana teaches that the activity data collected by the server activity collection system 108 to calculate activity scores and those activity score for a resource is based, at least in part, on the interactions between one or more users (see Fig. 1 -104 client system) and the resource (see Fig. 1 -102 server system) and is also based on a degree to which those users are related to the user (See Wana: ¶ [0028]). Further, collecting logs to analyze interactions between users (i.e. user accounts) and machines are known methods in the art, and Wana teaches that client machines connecting to servers in a network and collecting activity logs of user’s interactions with resources in resource servers. Therefore, Wana’s teachings are from the same field of endeavor and an ordinary skilled in the art would have combined Pitre and Wana to yield predictable results.
Applicant’s other arguments stated above are based on applicant’s amendment and moot in view of the new ground of rejection necessitated by the amendment (Please see the 103 rejection below). 

Claim Rejections - 35 USC § 112
8.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



9.	Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

10.	Claim 6 recites in a limitation “exploring activity logs of the at least two computers of the explored at least one domain for each of the identified privileged accounts…” (emphasis added). However, Claim 6 is dependent on Claim 5 and it is unclear whether the applicant is trying to refer to the same activity logs recited in Claim 5 or different activity logs. There is insufficient antecedent basis for this limitation in the claim.
Note: Applicant may overcome this rejection by changing the phrase “exploring activity logs…” to “exploring the activity logs….”

Claim Rejections - 35 USC § 103
11.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

13.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.


14.	Claims 1, 3, 5-7 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 Al, hereinafter Pitre) [As disclosed in IDS] in view of Wana et al. (US 2011/0270850 A1, hereinafter Wana), and further in view of  Shem Tov et al. (US 2016/0006765 A1, hereinafter Shem Tov).



Regarding Claim 1,
 Pitre discloses a method for automatically supplying a secure connection proxy with remote targets on the basis of privileged account data (Pitre: [Abstract] techniques for automatically associating one or more access policies with an account…, an identity management system (IDM) system may manage access policies for determining access to resources of target systems, ¶ [0040] IDM system 112 may provide a unified, integrated computing system for managing user identities, enable policy-based automated provisioning of resources to user identities with fine grained entitlements, and support governance and compliance across the target systems, ¶ [0049] Access to one or more resources types provided by a target system may be controlled using various types of accounts provided for that target system…, ¶ [0050] account may be associated with an entitlement (e.g., an access privilege or a usage right) to a resource provided by a target system, See also ¶ [0097-0098, 0121], Fig. 1 –102 (1), 102 (2), 112), the method comprising: 
a step of exploring, by a robot program (Pitre: ¶[0096] implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores)…, the process depicted by flowchart 400 may be performed by IDM system 112 of FIG. 1), at least one domain for identifying the privileged accounts (Pitre: ¶ [0009] IDM system may provide administration services to users of an organization include managing administration of identity information about users belonging to one or more organizations,  ¶ [0078] an enterprise may have any number of accounts, e.g., accounts 202(1 ), 202(2), .. . 202(n)..., ¶ [0050] account may be associated with an entitlement (e.g., an access privilege or a usage right) to a resource provided by a target system, ¶ [0062] IDM system 112 may receive account data corresponding to several accounts from a target system…, a "bulk-load" process by which account data corresponding to several accounts may be imported into IDM system, ¶¶ [0049, 0077, 0097, 0174]), 
the step of exploring comprising:
connecting remotely, by the robot program, to machines within the domain (Pitre: ¶ [0062] IDM system 112 may receive account data corresponding to several accounts from a target system. The account data may be received by IDM system 112…, a "bulk-load" process by which account data corresponding to several accounts may be imported into IDM system, ¶ [0174] Communications subsystem 824 provides an interface to other computer systems and networks…, IDM system 112 of FIG.1 may receive account data 104 from target systems 102 using communication subsystem 824, See also Fig. 1--112, 102 (1), 102 (2), ¶¶ [0009], [0049]); 
a step of filtering the privileged accounts on the basis of predetermined parameters that define a subset of privileged accounts (Pitre: ¶ [0049] One or more types of accounts may be provisioned for a target system…, account types may include, for example, various user accounts, administrative accounts…, each account type providing a particular level of access, ¶ [0054] an access policy controls the access to and use of a resource type, the access policies associated with an account type may control the access rights that a user, having an account of that type, ¶ [0080] associate one or more access policies 208 with each of accounts 206, ¶ [0085] maintain access to those accounts based on roles 220 associated with a user, ¶ [0090] group membership information 304…, group membership information 304 may indicate one or more users of the group organization and other information (e.g., group name) identifying the group organization), ¶¶ [0050, 0082, 0089, 0099-0102]);
steps of calculating associations between the filtered privileged accounts and the machines (Pitre: ¶ [0017] determining whether the policy profile data indicates an association between an identifier corresponding to the target system and an access policy that grants access to the resource of the target system by a role associated with the identity. The identifier corresponding to the target system may be based on information identifying the resource of the target system and an account identifier corresponding to the account associated with the identity, ¶ [0049] One or more types of accounts may be provisioned for a target system…, account types may include, for example, various user accounts, administrative accounts…, each account type providing a particular level of access, ¶ [0099] account data corresponding to an account may be processed to determine resource information (e.g., a resource identifier or resource name) in the account data identifying a resource of a target system, ¶ [0039] one or more target systems 102(1) . . . 102(N) (collectively, target systems 102)) responsive to the activity log information; 
a step of supplying the secure connection proxy with the calculated associations (Pitre: ¶[0082] IDM system 112 may perform access policy harvesting to associate each of accounts 206 with at least one of access policies…, a resource indicated by any of accounts…, set of access policies 222 may be identified from access policies 208 that match a resource indicated by accounts, ¶ [0083] identify access policies in set of access policies 222 applicable one or more role(s) 220 associated with user identity 204…, determine one or more roles associated with an identity of a user indicated by each of accounts, also see ¶¶ [0079, 0081, 0103]).
However, Pitre does not explicitly disclose:
retrieving activity log information of the machines; and 
steps of calculating associations between the filtered privileged accounts and the machines  responsive to the activity log information.
However, Wana et al. from the same field of endeavor as the claimed invention discloses computing system generates resource data that represents a resource (Wana: ¶ [0004]), generates
(Wana: ¶ [0022]),  client system 104 is also a system comprising one or more computing devices (Wana: ¶ [0015]), generates and records activity data that indicates how users interact with resources hosted by the resource server 110 (Wana: ¶ [0025]), the client activity collection system 112 stores the activity data in a log file (Wana: ¶ [0035]), the server activity collection system 108 receives client-generated activity data from the client system 104 (352). The client-generated activity data indicates how the user 116 interacted with at least one resource (i.e. retrieving activity log information) (Wana: ¶ [0041]), the server system 102 and/or the client system 104 are implemented using one or more computing devices like the computing device 600 (Wana: ¶ [0074]), and the activity data collected by the server activity collection system 108 to calculate activity scores for resources in a set of resources. The activity score for a resource is based, at least in part, on the interactions between one or more users and the resource and is also based on a degree to which those users are related to the user 116 (i.e. calculating associations responsive to the activity data) (Wana: ¶ [0028]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Wana in the teachings of Pitre. A person having ordinary skill in the art would have been motivated to do so because generating resource data that is dependent on the interactions between users and resources and the degree to which those users are related to the user 116, the user 116 may be able to conveniently find the resources that the user 116 was looking for (Wana: ¶ [0030]).
However, it is noted that the combination of Pitre and Wana does not explicitly disclose:
a step of establishing a privileged session between one or more of the machines and a server responsive to at least one of the calculated associations.
However, Shem Tov et al. from the same field of endeavor as the claimed invention discloses managing a connection-specific policy for accessing a target system (Shem Tov:  [Abstract]), "target system" includes applications, systems, servers, proxy servers and other machines, and may reside on an endpoint or be accessible over a communication network (Shem Tov: ¶ [0058]), policy management logic 150 may look up user privileges using the username included in the connection settings request and build an access policy which limits user client access to target system resources (such as a database or application) during the connection (Shem Tov: ¶ [0088], ¶ [0075]), policy controller resides on a server functioning as a proxy between the user client and target system (Shem Tov: ¶ [0033], ¶[0034]), client request specifies the target system and may also include additional information used by policy controller 130 to determine an access policy for the connection (Shem Tov: ¶ [0082], ¶ [0083-0086]), and connection via a proxy server (Shem Tov: ¶ [0116], also see [0117-0118]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Shen Tov in the teachings of Pitre and Wana. A person having ordinary skill in the art would have been motivated to do so because to apply an access policy on a connection-specific basis (Shem Tov: ¶ [0007]), and managing connections to target systems on a per connection basis (Shem Tov: ¶ [0049]).

Regarding Claim 3,
Claim 3 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. Pitre further discloses wherein the calculated associations are recorded in a file intended for supplying the secure connection proxy (Pitre: ¶ [0062] IDM system 112 may receive account data corresponding to several accounts from a target system, ¶ [0043] Any one of target systems 102 can include one or more memory storage devices…, local storage may include or implement one or more databases ( e.g., a document database, a relational database, or other type of database), one or more file stores, one or more file systems, ¶ [0048] a data resource type provided by a target system may include, without limitation, any accessible data objects such as a file ( e.g., a networked file or directory information), a database, and the like).

Regarding Claim 5,
Pitre discloses a method for automatically supplying a secure connection proxy with remote session on a server on the basis of privileged account data (Pitre: [Abstract] techniques for automatically associating one or more access policies with an account…, an identity management system (IDM) system may manage access policies for determining access to resources of target systems, ¶ [0040] IDM system 112 may provide a unified, integrated computing system for managing user identities, enable policy-based automated provisioning of resources to user identities with fine grained entitlements, and support governance and compliance across the target systems, ¶ [0049] Access to one or more resources types provided by a target system may be controlled using various types of accounts provided for that target system…, ¶ [0050]account may be associated with an entitlement (e.g., an access privilege or a usage right) to a resource provided by a target system, See also ¶ [0097-0098, 0121], Fig. 1 –102 (1), 102 (2), 112), the method comprising and at least one domain comprising at least two computers using a robot program (Pitre: ¶[0096] implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores)…, the process depicted by flowchart 400 may be performed by IDM system 112 of FIG. 1, ¶ [0009] IDM system may provide administration services to users of an organization include managing administration of identity information about users belonging to one or more organizations, ¶¶ [0033, 0042, 0049, 0056, 0124-125]) 

Regarding Claim 6,
Claim 6 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. Pitre further discloses supplying the secure connection proxy using data gathered by the robot program while exploring the activity logs of the at least two computers and the associations between the at least two computers and the identified privileged accounts (Pitre: ¶[0082] IDM system 112 may perform access policy harvesting to associate each of accounts 206 with at least one of access policies…, a resource indicated by any of accounts…, set of access policies 222 may be identified from access policies 208 that match a resource indicated by accounts, ¶ [0083] identify access policies in set of access policies 222 applicable one or more role(s) 220 associated with user identity 204…, determine one or more roles associated with an identity of a user indicated by each of accounts, also see ¶¶ [0079, 0081, 0103]).
However, it is noted that Pitre does not explicitly disclose:
exploring activity logs of the at least two computers of the explored at least one domain for each of the identified privileged accounts, and associating the at least two computers of the explored at least one domain and with the identified privileged accounts, respectively, on the basis of an amount of usage of the at least two computers by the identified privileged accounts; and
supplying the secure connection proxy using data gathered by the robot program while exploring the activity logs of the at least two computers and the associations between the at least two computers and the identified privileged accounts.
However, Wana further discloses computing system generates resource data that represents a resource (Wana: ¶ [0004]), generates activity data that indicates how the user 116 interacted with (Wana: ¶ [0022]), the server system 102 can comprise one or more desktop computers, laptop computers, netbook computers…, (Wana: ¶ [0014]), client system 104 is also a system comprising one or more computing devices (Wana: ¶ [0015]), generates and records activity data that indicates how users interact with resources hosted by the resource server 110. For example, the server activity collection system 108 can generate information about how many times the user 116 requested a resource (Wana: ¶ [0025]), the ranking on the resources is dependent on a degree to which each user in the set of users is related to the user who requested the resources…, activity score for a resource is based, at least in part, on the interactions between one or more users and the resource and is also based on a degree to which those users are related to the user 116…, (Wana: ¶ [0028]) stores the activity data in a relational database. In other embodiments, the client activity collection system 112 stores the activity data in a log file (Wana: ¶ [0035]), activity score for a relevant resource is a measure of how relevant the relevant resources are to the user 116 based the activities of the relevant users with regard to the relevant resources and the social scores of the relevant users (i.e. exploring activity logs…) (Wana: ¶ [0068], also see ¶ [0069]), the activity data collected by the server activity collection system 108 to calculate activity scores for resources in a set of resources. The activity score for a resource is based, at least in part, on the interactions between one or more users and the resource and is also based on a degree to which those users are related to the user 116 (Wana: ¶ [0028]), and sends the recorded activity data to the server activity collection system (i.e. supplying the data gathered…) (Wana: ¶ [0036]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Wana in the teachings of Pitre. A person having ordinary skill in the art would have been motivated to do so because generating resource data that is dependent on the interactions between users and resources and the degree to (Wana: ¶ [0030]).

Regarding Claim 7,
Claim 7 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. Pitre further discloses all the limitations of Claim 7 as discussed in Claim 3. Therefore, Claim 7 is rejected using similar rationales.

Regarding Claim 10,
Claim 10 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 10. Pitre further discloses wherein the predetermined parameters comprise: 
membership in a standard group (Pitre: ¶ [0080] associate one or more access policies 208 with each of accounts 206, ¶ [0089] User information 302 may include one or more roles ("user roles")…, User information302 may include account information corresponding to an account created by ID M system 112 for the user, ¶ [0090] include group membership information 304 ("Group Membership" …, group membership information 304 may indicate one or more users of the group organization and other information ( e.g., group name) identifying the group organization, Fig 3) indicating an association of a user to one or more groups, ¶¶ [0049, 0064-0065]); 
	membership in a group defined by its name (Pitre: ¶ [0049] One or more types of accounts may be provisioned for a target system…, account types may include, for example, various user accounts, administrative accounts…, each account type providing a particular level of access  ¶ [0090] include group membership information 304 ("Group Membership"…, group membership information 304 may indicate one or more users of the group organization and other information (e.g., group name) identifying the group organization,) indicating an association of a user to one or more groups, Fig. 3);  
benefits of a predetermined privilege (Pitre: ¶ [0049] Access to one or more resources types provided by a target system may be controlled using various types of accounts provided for that target system. One or more types of accounts may be provisioned for a target system…, account types may include, for example, various user accounts, administrative accounts…, each account type providing a particular level of access, ¶ [0050] account may be associated with an entitlement (e.g., an access privilege or a usage right) to a resource provided by a target system, ¶ [0054] an access policy controls the access to and use of a resource type, the access policies associated with an account type may control the access rights that a user, having an account of that type).

15. 	Claims 4 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 Al, hereinafter Pitre) [As disclosed in IDS] in view of Wana et al. (US 2011/0270850 A1, hereinafter Wana), in view of  Shem Tov et al. (US 2016/0006765 A1, hereinafter Shem Tov) and further in view of Brady et al.(US 2015/0271200 A1, hereinafter Brady) [As disclosed in IDS]. 

Regarding Claim 4,
Claim 4 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. However, it is noted that the combination Pitre, Wana and Shem Tov does not explicitly disclose wherein the calculated associations directly supplies the secure connection proxy through an input application programming interface.
 the directory service application 110 may also expose and/or implement one or more application program interfaces (APIs) for the admin management …, application 114 to authenticate the one or more clients 102-a requesting elevated access permissions. For example, the admin management application 114 may authenticate the one or more clients 102-a requesting elevated access permissions by utilizing via network interconnect 112, one or more APIs …, and/or any other API that enables authentication of clients 102-a (Brady: ¶ [0038], also see ¶¶ [0050,0057]). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Brady in the teachings of Pitre, Wana and Shem Tov. A person having ordinary skill in the art would have been motivated to do so to allow different platforms, applications and systems to connect and share information with each other using APIs.

Regarding Claim 8,
Claim 8 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. The combination Pitre, Wana, Shem Tov and Brady discloses all the limitations of Claim 8 as discussed in Claim 4. Therefore, Claim 8 is rejected using similar rationales.

16.	Claims 9 and 11-16 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 Al, hereinafter Pitre) [As disclosed in IDS], in view of Wana et al. (US 2011/0270850 A1, hereinafter Wana), in view of  Shem Tov et al. (US 2016/0006765 A1, hereinafter Shem Tov) and further in view of Mumcuoglu et al. (US 2017/0054744 A1, hereinafter Mumcuoglu).

Regarding Claim 9,
Claim 9 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. However, Pitre, Wana and Shem Tov do not explicitly disclose wherein the activity log information comprises a number of connections of at least one of the identified privileged accounts on a machine and a date of a recent connection between the at least one identified privileged account and the machine.
However, Mumcuoglu et al. from the same field of endeavor as the claimed invention discloses monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system…, administrative activities performed by at least a group of the computers in the system are tracked automatically (Mumcuoglu:  [Abstract], ¶ [0006]), a profile is assembled of the administrative activities performed over the group of monitored computers in any given system, and this profile is applied in analyzing the administrative activities performed by the computers in the group (Mumcuoglu: ¶ [0027]),  each server 24 maintains a log 28 of actions performed by and on the server, such as logins, commands received and executed, and access to various resources on or via the server. Personal computers 22 may maintain similar logs (Mumcuoglu: ¶ [0029]), list of administrative activities typically includes, for example, some or all of the following types of activities (Mumcuoglu: ¶ [0035]), Access to servers of servers in system 20…, Access to specified Web addresses on network  (i.e. a number of connections of at least one of the identified privileged accounts on a machine) (Mumcuoglu: ¶ [0041-0042]), Login as an administrator (Mumcuoglu: ¶ [0037]), and during each monitoring period, anomaly detector 40 detects changes in the administrative activities performed by each monitored host…, monitoring period may be of any desired length, such as an hour, a day, or several days. Assuming the period to be one day, the (i.e. a date of a recent connection…) (Mumcuoglu: ¶ [0062]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mumcuoglu in the teachings of Pitre, Wana and Shem Tov. A person having ordinary skill in the art would have been motivated to do so because so that illegitimate activities can be promptly detected and inhibited (Mumcuoglu: ¶ [0023], also see ¶ [0024]).

Regarding Claim 11,
Claim 11 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. However, the combination of Pitre, Wana and Shem Tov does not explicitly disclose wherein the step of filtering comprises combining a plurality of the predetermined parameters by logical operators.
However, Mumcuoglu further discloses establishing the profile includes assigning respective weights to the administrative activities…, administrative activities includes computing a score by applying the weights to the administrative activities performed by the computer, and deciding that the combination of the administrative activities performed by the computer is anomalous (Mumcuoglu: ¶ [0010]), and calculates a weight ws that is inversely proportional to this number:
ws =1/ |{h V э {a V ah ^as}| (Mumcuoglu: ¶ [0063], also see ¶ [0062]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mumcuoglu in the teachings of Pitre, Wana and Shem Tov. A person having ordinary skill in the art would have been motivated to do so  (Mumcuoglu: ¶ [0023], also see ¶ [0024]).

Regarding Claim 12,
Claim 12 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. However, the combination of Pitre, Wana and Shem Tov does not disclose wherein the established privileged session enables a user to perform at least one of: 
changing rights of ordinary users; 
creating new user accounts; and 
modifying, installing, or removing a program.
However, Mumcuoglu further discloses administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system (Mumcuoglu:  [Abstract]), and Administrators, who have access to read and write any data in the system, add or remove any programs, and change operating system settings (i.e. modifying, installing, or removing a program) (Mumcuoglu: ¶ [0020]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mumcuoglu in the teachings of Pitre, Wana and Shem Tov. A person having ordinary skill in the art would have been motivated to do so because so that illegitimate activities can be promptly detected and inhibited (Mumcuoglu: ¶ [0023], also see ¶ [0024]).

Regarding Claim 13,
Claim 13 is dependent on Claim 1, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 1. However, the combination Pitre, Wana and Shem Tov does not 
weighting a number of connections of the at least one filtered privileged account on the at least one machine; and 
weighting a most recent connection date between the at least one filtered privileged account and the at least one machine.
However, Mumcuoglu further discloses administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system (Mumcuoglu:  [Abstract]), determines the degree to which any given combination of administrative activities should be considered anomalous (Mumcuoglu: ¶ [0028]) list of administrative activities typically includes, for example, some or all of the following types of activities (Mumcuoglu: ¶ [0035]), Access to servers of servers in system 20…, Access to specified Web addresses on network  (i.e. a number of connections on a machine) (Mumcuoglu: ¶ [0041-0042]), Login as an administrator (Mumcuoglu: ¶ [0037]), and during each monitoring period, anomaly detector 40 detects changes in the administrative activities performed by each monitored host…, monitoring period may be of any desired length, such as an hour, a day, or several days. Assuming the period to be one day, the change in administrative activities for host d relative to its baseline h on day (i.e. a date of a recent connection…) (Mumcuoglu: ¶ [0062]), weight computed for each administrative activity depends on the frequency of performance of the activity over all the monitored hosts (i.e. weighting admin activities) (Mumcuoglu: ¶ [0063]), and compares the host scores to a predefined threshold (i.e. scores below the threshold are the ideal combinations based on calculated weights - i.e. non-suspicious activities) (Mumcuoglu: ¶ [0065]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Mumcuoglu in the teachings of Pitre,  (Mumcuoglu: ¶ [0023], also see ¶ [0024]), and anomaly detector 40 may quarantine hosts that exhibit suspicious behavior and prevent them entirely from communicating with other computers in system 20, or may instruct authentication server 34 to downgrade the privileges of these hosts (Mumcuoglu: ¶ [0065]).

Regarding Claim 14,
Claim 14 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. The combination Pitre, Wana, Shem Tov and Mumcuoglu discloses all the limitations of Claim 14 as discussed in Claim 9. Therefore, Claim 14 is rejected using the same rationales as discussed in Claim 9.

	
Regarding Claim 15,
Claim 15 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. The combination Pitre, Wana, Shem Tov and Mumcuoglu discloses all the limitations of Claim 15 as discussed in Claim 12. Therefore, Claim 15 is rejected using the same rationales as discussed in Claim 12.

Regarding Claim 16,
Claim 16 is dependent on Claim 5, and the combination Pitre, Wana and Shem Tov discloses all the limitations of Claim 5. The combination Pitre, Wana, Shem Tov and  Mumcuoglu discloses all the limitations of Claim 16 as discussed in Claim 13. Therefore, Claim 16 is rejected using the same rationales as discussed in Claim 13.
Conclusion
17.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US-20110023107-A1
US-20140068707-A1
US-20140068707-A1
US-9326189-B2
US-20150200821-A1
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507.  The examiner can normally be reached on M-F 9:45am - 6:15pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494

/Jeremy S Duffield/Primary Examiner, Art Unit 2498