DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner.

Claim Objections
Claims 14-20 are objected to because of the following informalities:  
Claim 14 recites “Program instructions” that are considered software per se and do not fall under any of the 4 statutory categories of patent eligible subject matter under 35 U.S.C. 101. The statue requires a discovery of either a “process”, “machine”, “manufacture” or “composition of matter”. The fact that the “Program instructions” may be incorporated on a non-transitory storage medium makes it unclear if the claim is directed to “Program instructions” or “A non-transitory storage medium”, although from the context and apparent intensions it appears that it is a combination of “Program instructions” and “A non-transitory storage medium”. It is recommended that the applicant clarifies the claim by re-writing it to underline that the “non-transitory storage medium” is the main patent eligible subject matter, e.g.: “A non-transitory storage medium comprising program instructions for protecting a computer from …”.  
Claims 15-20 depend on objected claim 14 and are objected to considering their dependence. 
Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 7-8 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB 2010/0197293 A1 to Shem- Tov (hereinafter “Tov”), and further in view of US-PGPUB 2003/0126468 A1 to Markham.

Regarding claim 1:
Tov discloses:
A system for protecting a computer from malicious remote desktop protocol attacks, the system comprising: 
(see Tov, ¶04: “When a computer desktop is virtualized, its keyboard, mouse and video display, along with any other peripheral components, are typically redirected across a network via a remote desktop protocol.”, ¶21: “… methods and systems for enhancing the security of remotely accessed computers.”, ¶41: “Access application … typically runs continuously on computer …, as a service on Microsoft Windows.COPYRGT. operating systems (OS), or as a daemon on
UNIX.COPYRGT. OS …”);a remote computer (seeTov, ¶42: “… Remote user … uses mobile device”);
verification software running on the remote computer (see Tov ¶46: “… remote user … uses remote computer access software …”);
the(see Tov ¶04: “Some examples of remote desktop protocols include Virtual Network Computing (VNC).”, Virtual Network Computing (VNC).”,   
¶45:” Processor … invokes access application 47 … to authenticate remote user”, and 
¶46: “… remote user … uses remote computer access software, such as … VNC program, to connect …  to computer 42, and then …  uses computer 42 remotely.”); 
after the (see Tov ¶62: “… processor … sends the temporary remote access code, typically in the form of a SMS message to mobile device …  Remote user … is required to respond by sending the temporary remote access code back to call receipt device … If call receipt device … fails to receive the authentication response message from caller … by the end of the remote access timeout interval, in a valid response receiving determination step …, processor … deems remote user … to be invalid.”).  

However, Tov failed to explicitly disclose the following limitation disclosed by Markham: 
intrusion detection software running on the computer (see Markham ¶156: “… local security server 20 provides … a single system interface to intrusion detection and response systems.
¶96: “… LSS 20 capabilities include intrusion detection and response interface (for interacting with ID&R systems), …”); a remote computer (see Markham ¶18: “… computer of a remote user.”, and 
¶40: “… a mobile computer 28”);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Tov to incorporate the functionality of an intrusion detection software, and be able to combine Tov’s remote computer access to establish a connection with the well-known method of intrusion detection, as disclosed by Markham, as such modification would monitor the network for malicious network traffic that indicates an active attack. 

Regarding claim 2:
The combination of Tov and Markham disclose:
The system of claim 1, wherein after the intrusion detection software attempts to make the test connection to the verification software that runs on the remote computer, the intrusion detection software waits for reception of at least one packet of data over the test connection and if the at least one packet of data is not received or a connection timeout occurs, the intrusion detection software declares the remote computer to be malicious and the intrusion detection software terminates the remote access connection (see Tov ¶62: “… processor … sends the temporary remote access code, typically in the form of a SMS message to mobile device …  Remote user … is required to respond by sending the temporary remote access code back to call receipt device … If call receipt device … fails to receive the authentication response message from caller … by the end of the remote access timeout interval, in a valid response receiving determination step …, processor … deems remote user … to be invalid.”).  

Regarding claims 7-8:
Claims 7-8 substantially recite the same limitations as claims 1-2, respectively, in the form of a system implementing the corresponding method, therefore they are rejected under the same rationale.

Regarding claims 14-15:
Claims 14-15 substantially recite the same limitations as claims 1-2, respectively, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore they are rejected under the same rationale.

Claims 3-5, 9-12 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable overTov in view of Markham, and further in view of US-PGPUB No. 2010/0313262 A1 Mehta et al. (hereinafter “Mehta”)
Regarding claim 3:
The combination of Tov and Markham disclose the system of claim 2, but failed to explicitly disclose the following limitation taught by Mehta: 
wherein after the at least one packet of data is received, the intrusion detection software searches a table of expected values for the data and if the data is not found in the table of expected values, the intrusion detection software declares the remote computer to be malicious and the intrusion detection software terminates the remote access connection (see Mehta ¶24: “… controller … may contain a whitelist stored in memory hierarchy … of those individual remote access points which are to be accepted. This whitelist may also reside outside of the controller … with the controller … being able to access the information at any time. This whitelist for example could be based on the unique MAC address of first wired interface … present in each remote access point ... If the MAC address, which is present in the device credentials such as digital certificate, is on the whitelist, the connection is accepted, otherwise the connection is rejected.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Tov and Markham to incorporate the functionality of the controller to contain a whitelist of those individual remote access points which are to be accepted, as disclosed by Mehta, such modification would allow the intrusion detection system to identify safe remote devices from those malicious ones by checking the unique identifier, for example MAC address, against expected values (whitelists), thus protecting the system from malicious access.

Regarding claim 4:
The combination Tov in view of MarkhamTov, Markham and Mehta disclose:
The system of claim 3, wherein the table of expected values includes computer identifications of approved remote computers (see Tov, ¶45: “… the system administrator uses access application 47 to manage a list of authorized mobile device numbers.”).  

Regarding claim 5:
The combination Tov in view of MarkhamTov, Markham and Mehta disclose:
The system of claim 3, wherein the table of expected values includes phone number of approved remote computers (see Tov, ¶06: “… authenticating the caller includes comparing the telephone number to a list of authorized telephone numbers.”).

Regarding claims 9:
Claim 9 substantially recites the same limitation as claim 3, in the form of a system implementing the corresponding method, therefore it is rejected under the same rationale.

Regarding claim 10:
The combination Tov in view of MarkhamTov, Markham and Mehta disclose: 
The method of claim 9 if not finding one of the expected values from the table of expected values in the data, declaring the remote computer to be malicious and terminating the remote access connection (see Mehta ¶24: “… controller … may contain a whitelist stored in memory hierarchy … of those individual remote access points which are to be accepted. This whitelist may also reside outside of the controller … with the controller … being able to access the information at any time. This whitelist for example could be based on the unique MAC address of first wired interface … present in each remote access point ... If the MAC address, which is present in the device credentials such as digital certificate, is on the whitelist, the connection is accepted, otherwise the connection is rejected.”).
 
Regarding claims 11-12:
Claims 11-12 substantially recite the same limitations as claims 4-5, respectively, in the form of a system implementing the corresponding method, therefore they are rejected under the same rationale.

Regarding claims 16 - 19:
Claims 16, 17 and 18-19 substantially recite the same limitations as claims 3 -5 and 10 respectively, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore they are rejected under the same rationale.

Claims 6 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Tov in view of Markham and further in view of US-PGPUB No. 2014/0007222 A1 to Qureshi et al. (hereinafter “Qureshi”)
Regarding claim 6:
The combination of Tov and Markham disclose the system of claim 1, but failed to explicitly disclose the following limitation taught by Qureshi: 
wherein after detecting that the remote access connection has been made and the new logon session is initiated, the intrusion detection software blocks any new programs from executing until the intrusion detection software determines that the remote computer is authorized (see Qureshi ¶88: “The secure VM may also prevent an enterprise application from running unless and until the user enters a valid passcode or otherwise successfully authenticates.”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Tov and Markham to incorporate the functionality of the secure VM to protect an application from running unless and until the user enters a valid passcode or otherwise successfully authenticated, as disclosed by Qureshi, such modification would allow to protect the host programs from being run by a remote device application before being properly authenticated, thus protecting the system from malicious access.

Regarding claim 20:
Claim 20 substantially recites the same limitation as claim 6, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore it is rejected under the same rationale.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Tov in view of Markham, Mehta and further in view of Qureshi
Regarding claim 13:
The combination of Tov in view of MarkhamTov, Markham and Mehta disclose the method of claim 9, but failed to explicitly disclose the following limitation taught by Qureshi: 
wherein after detecting that the remote access connection has been made and the new logon session is initiated, blocking any new programs from executing until declaring the remote computer to be safe authorized (see Qureshi ¶88: “The secure VM may also prevent an enterprise application from running unless and until the user enters a valid passcode or otherwise successfully authenticates.”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Tov in view of MarkhamTov, Markham and Mehta to incorporate the functionality of the secure VM to protect an application from running unless and until the user enters a valid passcode or otherwise successfully authenticated, as disclosed by Qureshi, such modification would allow to protect the host programs from being run by a remote device application before being properly authenticated, thus protecting the system from malicious access.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Shem Tov et al. (US-PGPUB No. 2018/0359237-A1)- disclosed an invention that relates to remote desktop access to a target machine and, more particularly, but not exclusively, to generating an assessment of a remote desktop access connection session.
German et al. (US-PGPUB No. 2013/0067229-A1)- disclosed an invention that relates to remote desktop technology, and, more particularly, relate to a method, apparatus, and computer program product for key sharing over remote desktop protocol.
Fausak et al. (US-PGPUB No 2019/0222571- A1)- disclosed information handling systems for remote access to a personal computer as a service using a remote desktop protocol and Windows Hello support.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through

Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491


/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491