DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with John F. Woodson II on 3/1/2022.

The application has been amended as follows: 

  (Currently amended) A method comprising:
running virtual sessions on a virtualization server corresponding to a published application for a plurality of client devices associated with respective users, the client devices having user input devices associated therewith, and the virtual sessions being responsive to user input device traffic from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; 
generating a heat map of user input device behavior including printing traffic and universal serial bus (USB) traffic based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels;
printing traffic and USB traffic for the users at the virtualization server based upon the heat map, and a normal usage pattern for the published application, the USB traffic relating to file copying; 
monitoring traffic over the virtual channels at the virtualization server during a new virtual session for a given client device and detecting an anomaly therein relative to the baseline user input traffic patterns for different users and the normal usage pattern for the published application based upon a multi-variant Gaussian distribution; and
generating an anomaly alert based upon detecting the anomaly.

  (Currently amended) The method of Claim 1 wherein the user input devices comprise keyboards; and wherein determining the baseline user input traffic patterns comprises determining the baseline user input traffic patterns based upon traffic from the keyboards to the client devices during the virtual sessions.

  (Currently amended) The method of Claim 2 wherein determining the baseline user input traffic patterns further comprises determining the baseline user input traffic patterns based upon a typing speed associated with the traffic from the keyboards during the virtual sessions.

  (Cancelled).

  (Cancelled).

  (Cancelled).

  (Cancelled).

  (Currently amended) The method of Claim 1 wherein determining the baseline user input traffic patterns determining the baseline user input traffic patterns based upon machine learning.

  (Cancelled).

(Original) The method of Claim 1 wherein the virtual sessions comprise at least one of virtual desktop sessions and virtual application sessions.

(Currently amended) A virtualization server comprising:
a memory and a processor configured to cooperate with the memory to
run virtual sessions on a virtualization server corresponding to a published application for a plurality of client devices associated with respective users, the client devices having user input devices associated therewith, and the virtual sessions being responsive to user input device traffic from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; 
generate a heat map of user input device behavior including printing traffic and universal serial bus (USB) traffic based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels,
determine baseline user input traffic patterns for printing traffic and USB traffic for the users based upon the heat map, and a normal usage pattern for the published application, the USB traffic relating to file copying;
monitor traffic over the virtual channels during a new virtual session for a given client device and detect an anomaly therein relative to the baseline user input traffic patterns for different users and the normal usage pattern for the published application based upon a multi-variant Gaussian distribution; and
generate an anomaly alert based upon detecting the anomaly.

(Currently amended) The virtualization server of Claim 11 wherein the user input devices comprise keyboards; and wherein the processor determines the baseline user input 

(Currently amended) The virtualization server of Claim 12 wherein the processor determines the baseline user input 

(Cancelled).

(Cancelled).

(Currently amended) A non-transitory computer-readable medium having computer-executable instructions for causing a processor of a virtualization server to perform steps comprising:
running virtual sessions on the virtualization server corresponding to a published application for a plurality of client devices associated with respective users, the client devices having user input devices associated therewith, and the virtual sessions being responsive to user input device traffic from a plurality of different virtual drivers at the client devices over a plurality of respective virtual channels; 
generating a heat map of user input device behavior including printing traffic and universal serial bus (USB) traffic based upon the traffic from the virtual drivers of respective client devices during the virtual sessions across the plurality of virtual channels;
printing traffic and USB traffic for the users over a period of time based upon the heat map, and a normal usage pattern for the published application, the USB traffic relating to file copying;
monitoring traffic over the virtual channels during a new virtual session for a given client device and detecting an anomaly therein relative to the user input baseline traffic patterns for different users and the normal usage pattern for the published application based upon a multi-variant Gaussian distribution; and
generating an anomaly alert based upon detecting the anomaly.

(Currently amended) The non-transitory computer-readable medium of Claim 16 wherein the user input devices comprise keyboards; and wherein determining the baseline user input determining the baseline user input 

(Currently amended) The non-transitory computer-readable medium of Claim 17 wherein determining the baseline user input determining the baseline user input 

(Cancelled).

(Cancelled).

(Cancelled).

(Cancelled).

(Cancelled).

(Previously presented) The method of claim 1 wherein the user input devices comprise a respective mouse associated with each client device; and wherein generating the heat map comprises generating the heat map based upon user mouse click behavior.

(Previously presented) The virtualization server of claim 11 wherein the user input devices comprise a respective mouse associated with each client device; and wherein the processor generates the heat map based upon user mouse click behavior.

(Previously presented) The non-transitory computer-readable medium of claim 16 wherein the user input devices comprise a respective mouse associated with each client device; and wherein generating the heat map comprises generating the heat map based upon user mouse click behavior.

(Cancelled).

Allowable Subject Matter
Claims 1-3, 8, 10-13, 16-18, and 24-26 are allowed.

The following is an examiner’s statement of reasons for allowance: With respect to detecting an anomaly “based upon a multi-variant Gaussian distribution,” Applicant’s arguments (in view of the amended claim language), have been fully considered and are considered to be persuasive concerning the combination of references. For instance, none of the Dotan, Lang, Kaminsky, and Lian specify a multi-variant Gaussian distribution, nor do they suggest use of this specific distribution. 
Further with respect to “the USB traffic relating to file copying,” it is noted that, e.g., [0022] of Kaminsky does not fully specify the claim language in view of the claim as a whole: i.e., it does not recite that the copy/paste is associated with “USB traffic” and/or “file copying” specifically. 
.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432