Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This application is related to the following commonly-owned U.S. patent applications that are incorporated herein by reference in their entirety: U.S. application Ser. No. 15/136,687 filed on Apr. 22, 2016 entitled “Labeling Network Flows According to Source Applications,” and U.S. application Ser. No. 15/136,762 filed on Apr. 22, 2016 entitled “Secure Labeling of Network Flows.”
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/24/2021 and 01/05/2022 were filed before and after the mailing date of the Non-Final Office Action on 10/01/2021. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to an amendment application received on 01/03/2022. In the amendment, applicant has amended claims 1, 7 and 17. Claims 18-41 remain cancelled. Claims 3-11 and 13-17 remain original. No new claim has been added. 
For this Office Action, claims 1, 3-11 and 13-17 have been received for consideration and have been examined.


Response to Arguments
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, filed 01/03/2022, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of new amendments made to independent claims.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1, 7 and 17 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
Independent claims 1, 7 and 17 recite “at the gateway, determining whether the network request was an automatically generated network request or a network request initiated by a human user based at least in part on a historical record of activity on the endpoint indicating one or more processes executing on the endpoint when the network request was initiated”.
how the determination, by the gateway is occurring, whether the request was automatically generated based on historical record of activity on the endpoint’. 
Specification discloses “For example, a historical record of user activity on the endpoint may be examined to determine when the user that initiated the request last authenticated to the endpoint, the state of the user's session, one or more processes that were in operation when the network request was initiated, whether the request was initiated as a result of user interaction, and whether the user authorized or directed the network request” [0204]. However, the specification is silent with respect to ‘how the determination, by the gateway is occurring, whether the request was automatically generated based on historical record of activity on the endpoint’.
Dependent claims inherit this deficiency. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 3-4, 6-11, 13-14 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley, (US9154520B1) w.e.f.d. of 11/27/2012 in view of Dandliker et al., (US20080082662A1) w.e.f.d. of 05/19/2006 in view of Yu, (US20150249641A1) w.e.f.d. of 12/19/2013 and further in view of Wing et al., (US20160134646A1) w.e.f.d. of 11/06/2014.
Regarding claim 1, Cooley discloses:
A computer program product for monitoring network security based on endpoint user presence, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway (i.e. networking device 208) in an enterprise network, performs the steps of:
connecting an endpoint (i.e. endpoint Device 202) to a data network through the gateway (i.e. networking device 208) (See FIG. 2 for Endpoints connected through the networking device);
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col.1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. networking device intercept the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits. as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley does not disclose:
	wherein the network request includes a request to download an executable file; wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
See FIG. 3B; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus which is construed as gateway).
	 It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Cooley reference and include an apparatus which is able to prevent automatic download of an executable files from external networks, as disclosed by Dandliker.
	The motivation to include an appliance which is able to prevent automatic download of an executable files from external networks is to protect internal network from maliciously download executable files from external networks (See Dandliker: [0107]). 
Cooley as modified by Dandliker fails to disclose:
wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated.
However, Yu discloses:		
 wherein determining whether the network request is suspicious or not comprises: determining whether the network request (i.e. a network access) was an automatically generated network request (i.e. automatic process) or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated (i.e. initiated or authorized by a human user) (See [0017-0018] Systems and methods are described for verifying a high-risk network access has been initiated by or is otherwise authorized by a human user … intermediary network security device sending a verification message to the user to receive user input from the user; [0040] Human user test engine 230 is used for performing human user testing in order to distinguish if a network access is actually initiated by a human user or by an automatic process of malware that may be running on a user's computer; [0051] see FIG. 5; At block 501, a network access is captured by an intermediary network security device that is used for separating an internal network with other computing devices. The network access may be a data packet, a network session or an access to a network resource [which is interpreted as one or more processes executing on the endpoint]. The access may originate from the internal network and be directed to a remote computing device; [0053] If the network access is not in the whitelist and blacklist, at block 503, the security device checks if the network access is a high risk network access; [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified; [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user.; And see Abstract).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
See Yu: [0017-0018]).
The combination of Cooley, Dandliker and Yu fails to disclose:
	at the gateway, determining a historical record of activity on the endpoint indicating one or more processes executing on the endpoint when the network request was initiated.
However, Wing discloses:
	at the gateway (See FIG. 4; i.e. a node 452 (Observer)), determining a historical record of activity (See FIG. 5A; [0021] – [0022] i.e. historical unusual TLS/SSL handshake behavior of the endpoint) on the endpoint indicating one or more processes (i.e. TLS/SSL handshake / TLS/SSL connection construed as one or more processes) executing on the endpoint when the network request was initiated ([0021] Techniques which may be used to assess a likelihood that unusual TLS/SSL handshake behavior indicates the presence of malicious software involve, but are not limited to involving, processing telemetry data and/or historical data, and comparing the data to the unusual TLS/SSL handshake behavior; [0022] In step 113, a determination is made as to whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software with respect to an endpoint. Factors used to determine whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software may vary widely. Such factors include, but are not limited to including, the characteristics of the unusual TLS/SSL handshake behavior, whether the unusual TLS/SSL handshake behavior has historically been associated with the presence of malicious software, and/or whether relatively recent changes in TLS/SSL handshake behavior have occurred; [0032] A method 109′ of determining whether unusual TLS/SSL handshake behavior indicates the presence of malicious software begins at step 505 in which the unusual TLS/SSL handshake behavior [interpreted as “historical record of activity on the endpoint”], which is an abandoned TLS/SSL handshake in the described embodiment, is followed by a successful TLS/SSL connection between the same endpoints. In other words, it is determined whether an abandoned TLS/SSL handshake between two endpoints is subsequently followed by a successful TLS/SSL connection between the two endpoints; [0036] Telemetry and/or historical information may be used to assess whether current unusual TLS/SSL handshake behavior is likely indicative of the presence of malicious software. For example, if unusual TLS/SSL handshake behavior has previously been associated with malicious software, then current unusual TLS/SSL behavior may be considered to be indicative of the presence of malicious software).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Yu reference and have a system and method which is able determine unusual behavior of the endpoint based on historical data, as disclosed by Wing.
	The motivation to have the system and method which is able determine unusual behavior of the endpoint based on historical data is to identify the endpoint as potentially being infected by malicious software (See Wing: [0023]).
Regarding claim 3, the combination of Cooley, Dandliker, Yu and Wing discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process).
Regarding claim 4, the combination of Cooley, Dandliker, Yu and Wing discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a user is logged in to the endpoint (Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process. In one embodiment, the human user test message may be sent to the source of the network access as a response to the network access. It is also possible that the network access is redirected to a web page showing the human user test message).
Regarding claim 6, the combination of Cooley, Dandliker, Yu and Wing discloses:
The computer program product of claim 1 wherein the determining whether the network request was an automatically generated network request or a network request initiated by a human user status includes analyzing a record of keyboard or mouse activity within a predetermined time window (Yu: [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user; [0056] At block 506, the received response is compared with the correct answer of the challenge question. If it is not a correct answer, the process goes to block 507 and the network access is blocked).
Regarding claim 7, Cooley discloses:
A method of operating a gateway comprising:
connecting an endpoint (i.e. endpoint Device 202) to a data network through the gateway (i.e. networking device 208) (See FIG. 2 for Endpoints connected through the networking device);
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col.1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
the network request presenting a potential security risk (i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. networking device intercept the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits. as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley does not disclose:
	wherein the network request includes a request to download an executable file; wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
	a network request that includes download an executable file (See FIG. 3B; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus which is construed as gateway).
	 It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Cooley reference and include an apparatus which is able to prevent automatic download of an executable files from external networks, as disclosed by Dandliker.
See Dandliker: [0107]). 
Cooley as modified by Dandliker fails to disclose:
wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated.
However, Yu discloses:		
 wherein determining whether the network request is suspicious or not comprises: determining whether the network request (i.e. a network access) was an automatically generated network request (i.e. automatic process) or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated (i.e. initiated or authorized by a human user) (See [0017-0018] Systems and methods are described for verifying a high-risk network access has been initiated by or is otherwise authorized by a human user … intermediary network security device sending a verification message to the user to receive user input from the user; [0040] Human user test engine 230 is used for performing human user testing in order to distinguish if a network access is actually initiated by a human user or by an automatic process of malware that may be running on a user's computer; [0051] see FIG. 5; At block 501, a network access is captured by an intermediary network security device that is used for separating an internal network with other computing devices. The network access may be a data packet, a network session or an access to a network resource [which is interpreted as one or more processes executing on the endpoint]. The access may originate from the internal network and be directed to a remote computing device; [0053] If the network access is not in the whitelist and blacklist, at block 503, the security device checks if the network access is a high risk network access; [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified; [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user.; And see Abstract).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process (See Yu: [0017-0018]).
The combination of Cooley, Dandliker and Yu fails to disclose:
	at the gateway, determining a historical record of activity on the endpoint indicating one or more processes executing on the endpoint when the network request was initiated.
However, Wing discloses:
See FIG. 4; i.e. a node 452 (Observer)), determining a historical record of activity (See FIG. 5A; [0021] – [0022] i.e. historical unusual TLS/SSL handshake behavior of the endpoint) on the endpoint indicating one or more processes (i.e. TLS/SSL handshake / TLS/SSL connection) executing on the endpoint when the network request was initiated ([0021] Techniques which may be used to assess a likelihood that unusual TLS/SSL handshake behavior indicates the presence of malicious software involve, but are not limited to involving, processing telemetry data and/or historical data, and comparing the data to the unusual TLS/SSL handshake behavior; [0022] In step 113, a determination is made as to whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software with respect to an endpoint. Factors used to determine whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software may vary widely. Such factors include, but are not limited to including, the characteristics of the unusual TLS/SSL handshake behavior, whether the unusual TLS/SSL handshake behavior has historically been associated with the presence of malicious software, and/or whether relatively recent changes in TLS/SSL handshake behavior have occurred; [0032] A method 109′ of determining whether unusual TLS/SSL handshake behavior indicates the presence of malicious software begins at step 505 in which the unusual TLS/SSL handshake behavior [interpreted as “historical record of activity on the endpoint”], which is an abandoned TLS/SSL handshake in the described embodiment, is followed by a successful TLS/SSL connection between the same endpoints. In other words, it is determined whether an abandoned TLS/SSL handshake between two endpoints is subsequently followed by a successful TLS/SSL connection between the two endpoints; [0036] Telemetry and/or historical information may be used to assess whether current unusual TLS/SSL handshake behavior is likely indicative of the presence of malicious software. For example, if unusual TLS/SSL handshake behavior has previously been associated with malicious software, then current unusual TLS/SSL behavior may be considered to be indicative of the presence of malicious software).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Yu reference and have a system and method which is able determine unusual behavior of the endpoint based on historical data, as disclosed by Wing.
	The motivation to have the system and method which is able determine unusual behavior of the endpoint based on historical data is to identify the endpoint as potentially being infected by malicious software (See Wing: [0023]).
Regarding claim 8, the combination of Cooley, Dandliker, Yu and Wing discloses:
The method of claim 7 wherein the network request includes a request for a download of an executable from the data network (Dandliker: [0107] In step 310, the allowed action is performed with respect to the specified network identifier. Various embodiments involve performing a variety of allowed actions. Referring now to FIG. 3B, examples of responsive actions that may be performed based on different URL reputation score values are shown. For example, messaging apparatus 116 may block access to the network resource identifier and any associated web site or resource, as shown in block 320. Messaging apparatus 116 may prevent automatic downloads or installations of certain file types, as shown in block 322. For example, downloads or installations of EXE or ZIP files can be blocked).
Regarding claim 9, the combination of Cooley, Dandliker, Yu and Wing discloses:
Cooley: Col. 4, Line # 59-67; As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may be configured to store any type of form of information used to determine whether to block attempts by users of endpoint devices to download one or more files from an external network).
Regarding claim 10, the combination of Cooley, Dandliker, Yu and Wing discloses:
The method of claim 7 wherein the network request includes a request directed to a known source of malware (Cooley: Col. 4, Line # 59-67; As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may be configured to store any type of form of information used to determine whether to block attempts by users of endpoint devices to download one or more files from an external network).
Regarding claim 11, the combination of Cooley, Dandliker, Yu and Wing discloses:
The method of claim 7 wherein evaluating the status of the endpoint includes querying the endpoint about whether the user is present (Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified; [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user).
Regarding claim 13, the combination of Cooley, Dandliker, Yu and Wing discloses:
Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process).
Regarding claim 14, the combination of Cooley, Dandliker, Yu and Wing discloses:
The method of claim 7 wherein the status includes whether a user is logged in to the endpoint (Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process. In one embodiment, the human user test message may be sent to the source of the network access as a response to the network access. It is also possible that the network access is redirected to a web page showing the human user test message).
Regarding claim 16, the combination of Cooley, Dandliker, Yu and Wing discloses:
The method of claim 7 wherein the status includes a record of keyboard or mouse activity within a predetermined time window (Yu: [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user; [0056] At block 506, the received response is compared with the correct answer of the challenge question. If it is not a correct answer, the process goes to block 507 and the network access is blocked).
Regarding claim 17, Cooley discloses:
A system comprising: 
a gateway (i.e. networking device 208) including a network interface configured to couple in a communicating relationship with a data network that includes an endpoint (i.e. endpoint Device 202) (See FIG. 2 for Endpoints connected through the networking device); a memory on the gateway; and a processor on the gateway;
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col.1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
the network request presenting a potential security risk (i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. networking device intercept the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits. as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley does not disclose:
	wherein the network request includes a request to download an executable file; wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
	a network request that includes download an executable file (See FIG. 3B; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus which is construed as gateway).
	 It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Cooley reference and include an apparatus which is able to prevent automatic download of an executable files from external networks, as disclosed by Dandliker.

Cooley as modified by Dandliker fails to disclose:
wherein determining whether the network request is suspicious or not comprises: determining whether the network request was an automatically generated network request or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated.
However, Yu discloses:		
 wherein determining whether the network request is suspicious or not comprises: determining whether the network request (i.e. a network access) was an automatically generated network request (i.e. automatic process) or a network request initiated by a human user based at least in part on an evaluation of one or more processes executing on the endpoint when the network request was initiated (i.e. initiated or authorized by a human user) (See [0017-0018] Systems and methods are described for verifying a high-risk network access has been initiated by or is otherwise authorized by a human user … intermediary network security device sending a verification message to the user to receive user input from the user; [0040] Human user test engine 230 is used for performing human user testing in order to distinguish if a network access is actually initiated by a human user or by an automatic process of malware that may be running on a user's computer; [0051] see FIG. 5; At block 501, a network access is captured by an intermediary network security device that is used for separating an internal network with other computing devices. The network access may be a data packet, a network session or an access to a network resource [which is interpreted as one or more processes executing on the endpoint]. The access may originate from the internal network and be directed to a remote computing device; [0053] If the network access is not in the whitelist and blacklist, at block 503, the security device checks if the network access is a high risk network access; [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified; [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user.; And see Abstract).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
The combination of Cooley, Dandliker and Yu fails to disclose:
	at the gateway, determining a historical record of activity on the endpoint indicating one or more processes executing on the endpoint when the network request was initiated.
However, Wing discloses:
See FIG. 4; i.e. a node 452 (Observer)), determining a historical record of activity (See FIG. 5A; [0021] – [0022] i.e. historical unusual TLS/SSL handshake behavior of the endpoint) on the endpoint indicating one or more processes (i.e. TLS/SSL handshake / TLS/SSL connection) executing on the endpoint when the network request was initiated ([0021] Techniques which may be used to assess a likelihood that unusual TLS/SSL handshake behavior indicates the presence of malicious software involve, but are not limited to involving, processing telemetry data and/or historical data, and comparing the data to the unusual TLS/SSL handshake behavior; [0022] In step 113, a determination is made as to whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software with respect to an endpoint. Factors used to determine whether the unusual TLS/SSL handshake behavior likely indicates the presence of malicious software may vary widely. Such factors include, but are not limited to including, the characteristics of the unusual TLS/SSL handshake behavior, whether the unusual TLS/SSL handshake behavior has historically been associated with the presence of malicious software, and/or whether relatively recent changes in TLS/SSL handshake behavior have occurred; [0032] A method 109′ of determining whether unusual TLS/SSL handshake behavior indicates the presence of malicious software begins at step 505 in which the unusual TLS/SSL handshake behavior [interpreted as “historical record of activity on the endpoint”], which is an abandoned TLS/SSL handshake in the described embodiment, is followed by a successful TLS/SSL connection between the same endpoints. In other words, it is determined whether an abandoned TLS/SSL handshake between two endpoints is subsequently followed by a successful TLS/SSL connection between the two endpoints; [0036] Telemetry and/or historical information may be used to assess whether current unusual TLS/SSL handshake behavior is likely indicative of the presence of malicious software. For example, if unusual TLS/SSL handshake behavior has previously been associated with malicious software, then current unusual TLS/SSL behavior may be considered to be indicative of the presence of malicious software).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Yu reference and have a system and method which is able determine unusual behavior of the endpoint based on historical data, as disclosed by Wing.
The motivation to have the system and method which is able determine unusual behavior of the endpoint based on historical data is to identify the endpoint as potentially being infected by malicious software (See Wing: [0023]).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley, (US9154520B1) w.e.f.d. of 11/27/2012 in view of Dandliker et al., (US20080082662A1) w.e.f.d. of 05/19/2006 in view of Yu, (US20150249641A1) w.e.f.d. of 12/19/2013 in view of Wing et al., (US20160134646A1) w.e.f.d. of 11/06/2014 and further in view of Gear et al., (US20160117911A1) w.e.f.d. of 12/14/2010. 
Regarding claim 5, the combination of Cooley, Dandliker, Yu and Wing discloses:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a human is present at the endpoint (Yu: [0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process. In one embodiment, the human user test message may be sent to the source of the network access as a response to the network access. It is also possible that the network access is redirected to a web page showing the human user test message).  
the combination of Cooley, Dandliker, Yu and Wing fails to disclose:
wherein determining whether a human is present at the endpoint comprises: determining whether a display of the endpoint is locked.
However, Gear discloses:
wherein determining whether a human is present at the endpoint comprises: determining whether a display of the endpoint is locked (i.e. determination if workstation/computing device is locked) (abstract; Fig 3, item 312 into 318; [0035]-[0036] [0036]).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Cooley, Dandliker, Yu and Wing references and use multiple different factors and sensors to determine whether a human user is present, such as the use of whether the workstation is locked, as disclosed by Gear.
	The motivation would be to provide the most accurate estimation as to whether a human was present at the device at the time the request was made and thus influence the probability of whether the request was machine generated or human generated (See Gears: [0035-0036]).
Regarding claim 15, the combination of Cooley, Dandliker, Yu and Wing fails to disclose:

However, Gear discloses:
wherein determining whether a human is present at the endpoint comprises: determining whether a display of the endpoint is locked (i.e. determination if workstation/computing device is locked) (abstract; Fig 3, item 312 into 318; [0035]-[0036]).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Cooley, Dandliker, Yu and Wing references and use multiple different factors and sensors to determine whether a human user is present, such as the use of whether the workstation is locked, as disclosed by Gear.
	The motivation would be to provide the most accurate estimation as to whether a human was present at the device at the time the request was made and thus influence the probability of whether the request was machine generated or human generated (See Gears: [0035-0036]).



Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic 

/S.M.A./Patent Examiner, Art Unit 2432                                                                                                                                                                                                        
/SYED A ZAIDI/Primary Examiner, Art Unit 2432