DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending in this application. 
Examiner Note
Examiner initiated a call on May 19, 2022, with Applicant to discuss allowable subject matter to be incorporated into independent claim 1. As presented, the claims are the same as those of parent invention 15/372,304 dated 12/07/2016, with no arguments presented beyond the Doyle 2014/0281546 A1 prior art previously used to reject claim 6. Unfortunately, no further steps have been made to advance prosecution of this instant invention by examiner’s amendment at this time. As such, a non-final is being processed.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/04/2020 and 09/15/2020 were filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure. The abstract is 244 words in length.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The use of the terms Windows and Linux, p. 30, para 0126, which is a trade name or a mark used in commerce, has been noted in this application. It should be capitalized wherever it appears and be accompanied by the generic terminology.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Per the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG)
101 Flowchart Analysis: 
Step 1: meets the statutory category of a mental process;  Step 2A/Prong 1: recited claims – receiving at a collector server, from a first connection and application execution sensor, a first piece of activity data comprising a first set of attributes, each attribute having a particular value; combining, using the collector server, a first set of context information with the first piece of activity data to generate a first activity record; comparing, using the collector server, the first activity record to a set of baseline signatures, where each baseline signature comprises a second set of attributes, each attribute having a particular value and each baseline signature being unique in the combination of values of its attributes; incrementing, using the collector server, a count of a first matching baseline signature from the set of baseline signatures when the first activity record has the same values for all attributes in the first matching baseline signature; receiving at a collector server, from a second connection and application execution sensor, a second piece of activity data comprising a third set of attributes, each attribute having a particular value; combining, using the collector server, a second set of context information with the second piece of activity data to generate a second activity record; and generating, using the collector server, an alert when the values of the attributes of the second activity record differ from all baseline signatures in the set of baseline signatures by at least a predetermined threshold number of attributes – when viewed as a whole meet a mental process, thus an abstract idea; and 
Step 2B/Prong 2:  recites an additional element in steps (1)-(7) generating, using the collector server, an alert when the values of the attributes of the second activity differ from all baseline signatures in the set of the baseline signatures by at least a predetermined threshold number of attributes, which are a form of insignificant extra-solution activity.  However, the particular additional element is recited at high level of generality that is no more than merely “apply” the mental step using a generic computer system.  The generating...an alert step (7) is alerting, alarming, warning or indicating when a difference is noted is recited at high level of generality, not integrated into a practical application, and amounts to a mere post-solution of displaying or asserting an alert that is a form of insignificant extra-solution activity. 
The additional elements are determined to be no more than insignificant extra-solution activity. In particular, the processor and computer system are considered conventional and well-understood, and are recited at a high level of generality. As a result, the claim, as a whole, is no more than attempting to broadly cover the concept of using a computer system to implement analysis of what a human security analyst would have performed in the mind. Therefore, claim 1 is considered as an abstract idea without significantly more than the judicial exception.
Dependent claims 2-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reason addressed above.

	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 7, 13-16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al., hereinafter (“Nucci”), US Patent (8,418,249 B1), was submitted in 09/15/2020 IDS, in view of Moran, US Patent (7,032,114 B1), was submitted in 09/15/2020 IDS.
Regarding claims 1 and 21, Nucci teaches a process for detecting suspicious activity in a network and in a computer server system, comprising:
receiving at a collector server, from a first connection and application execution sensor, a first piece of activity data comprising a first set of attributes, each attribute having a particular value; [Nucci, Col 7, lines 1-50:  host module (101) (a collector server); Col 8, lines 24-30: coupled with  flow parser (105) (receiving at a collector server, from a first connection and application execution sensor) and IDS/IPS (106) data capture and processing module (103) (a first connection and application execution sensor) collects data in form of full packets, packet headers and flow information; traffic flow visibility represents the transaction between hosts by grouping based on common 5-tuple identifier (a first piece of activity data comprising a first set of attributes, each attribute having a particular value) (i.e. source address, destination address, source port, destination port, and transport protocol)]
combining, using the collector server, a first set of context information with the first piece of activity data to generate a first activity record; [Nucci, Col 5, lines 30-67:  traffic flow (a first piece of activity data comprising a first set of attributes) and traffic stream are finest level of information collected of Internet transactions. Col 8, lines 4-30: aggregating (combining, using the collector server,) flow information (a first set of context information with the first piece of activity data) and use flow parser (105)]
comparing, using the collector server, the first activity record to a set of baseline signatures, where each baseline signature comprises a second set of attributes, each attribute having a particular value and each baseline signature being unique in the combination of values of its attributes; [Nucci, Col 8, lines 4-30: network module (107) includes classifier (109) (comparing, using the collector server, the first activity record) that analyzes the wider network traffic activity and classifies suspicious traffic patterns and associated hosts/servers in real-time according to pre-computed statistical models (108) (a set of baseline signatures, where each baseline signature comprises a second set of attributes). Col 8, lines 4-30: flow information]
However, Nucci fails to explicitly teach but Moran teaches receiving at a collector server, from a second connection and application execution sensor, a second piece of activity data comprising a third set of attributes, each attribute having a particular value; [Moran, Col 3, lines 40-55: Intrusion detection system comprises analysis engine in communication with a source of rules and combining primary, combining secondary and combining other indirect sources (a second connection and application execution sensor). Rules configure system to collect, correlate and evaluate data related to all phases of an attack, from a range of data sources. Col 3, lines 56-67: Intrusion detection system comprises analysis engine and at least one sensor communicates a meta-protocol where data packet comprises semantic type, data type, data type size, and value (comprising a third set of attributes, each attribute having a particular value) for each 4-tuple data item (a second piece of activity data). Examiner interprets that multiple hosts with sensors are possible in receiving a second piece of activity data. See also Col 14, lines 40-45]
combining, using the collector server, a second set of context information with the second piece of activity data to generate a second activity record; [Moran, Col 10, lines 15-33: different collection modules using separate programs to extract data and identify information (a second set of context information with the second piece of activity data to generate) for the fields (a second activity record); which allows the addition of new data sources and rules on what evidence to combine and interpret] and 
incrementing, using the collector server, a count of a first matching baseline signature from the set of baseline signatures when the first activity record has the same values for all attributes in the first matching baseline signature; [Moran, Col 4, lines 30-40: “the system compares the timestamps of a directory and its files and identifies values that are inconsistent or not accounted for, and assigns a suspicion value (incrementing, using the collector server, a count of a first matching baseline signature from the set of baseline signatures) to the associated file or directory.” Examiner interprets the assigned suspicion value has an increment to the directory]
generating, using the collector server, an alert when the values of the attributes of the second activity record differ from all baseline signatures in the set of baseline signatures by at least a predetermined threshold number of attributes. [Moran, Col 10, lines 45-48: They extract data from system logs and other files, filter it, and display it to the system administrator. For example, some tools allow a system administrator to be alerted whenever an entry matching any of the patterns specified is written to a designated log file. Examiner interprets that the designated log file has predetermined threshold number of attributes to be logged] 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for a more customizable and efficient attack diagnosis (Moran, Col 10, lines 55-62).  

Regarding claim 2, the combination of Nucci and Moran teach claim 1 as described above.
However, Nucci fails to explicitly teach but Moran teaches further comprising storing the first activity record in a connection and application execution database as a record that includes: a reference to the first matching baseline signature; [Moran, Col 10, lines 35-55: through DERBI system, the system administrator ] and 
values of attributes other than common attributes present in both the first activity record and the first matching baseline signature. [Moran, Col 18, lines 1-5: unavailable/undefined values can be assigned by analysis engine based on features of database if unlikely same value]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for rigorously segregating input from each sensor based on sensor family identifier and session identifier of message in database (Moran, Col 18, lines 55-62).  
Regarding claim 3, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches wherein associating, using the collector server, a first set of context information with the first piece of activity data comprises: looking up an IP address within the first piece activity data with an identity manager service to identify an associated entity. [Nucci, Col 5, lines 36-47: through full packet visibility (looking up an IP address within the first piece activity data with an identity manager service), the source address can be ascertained from the traffic flow/flow, of the 5-tuple identifier collected for an Internet transactions between two network hosts in a series of data records]
Regarding claim 4, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches wherein the first piece of activity data includes connection information concerning communication on a device. [Nucci, Col 10, lines 61-67: “…the supervised machine learning algorithm takes flow-based features from the data capture module (201) as input. Example features are listed in TABLE 1 (connection information concerning communication on a device) below (i.e. Duration, IAT, pkts, etc.…” See also Col 5, lines 30-67, Col 7, lines 1-50]

Regarding claim 7, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches wherein the first piece of activity data includes application execution information concerning an executing application on a device. [Nucci, Col 3, lines 1-10: historical flow is tagged with the ground truth class label based on data characteristics associated with corresponding applications executing on devices in the network]

Regarding claim 13, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches wherein the first connection and application execution sensor is dynamically configurable. [Nucci, Col 7, lines 55-67: “dynamic analysis of executable code); furthermore, it studies the way the compromised machine (e.g., a bot) communicates back to the malevolent server (e.g., a command-and-control server of a botnet) and automatically extrapolates the complete state machine of the protocol being used…”]

Regarding claim 14, the combination of Nucci and Moran teach claim 1 as described above.
However, Nucci fails to explicitly teach but Moran teaches further comprising highlighting within a user interface for review a reduced set of baseline signatures having a count below a predetermined threshold. [Moran, Col 8, lines 40-50: allowing the alert threshold to be set higher]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for a more customizable and efficient attack diagnosis (Moran, Col 10, lines 55-62).  

Regarding claim 15, the combination of Nucci and Moran teach claim 1 as described above.
However, Nucci fails to explicitly teach but Moran teaches further comprising highlighting within a user interface for review a reduced set of baseline signatures unique to an entity within a group of entities to which the entity belongs. [Moran, Col 8, lines 7-25: user interface 300 on a console provides system administrator with access to analysis engine 302 and event database 304, which utilizes ruleset 306 and an attack signatures database 308. Col 17, lines 55-59: sensor reports can extract a filesystem record subsets to extrapolate values. See also Col 11, lines 15-28: filename patterns recognized as known parts of attack]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for a more customizable and efficient attack diagnosis (Moran, Col 10, lines 55-62).  

Regarding claim 16, the combination of Nucci and Moran teach claim 1 as described above.
However, Nucci fails to explicitly teach but Moran teaches further comprising highlighting within a user interface for review a reduced set of baseline signatures based upon a security policy. [Moran, See Col 8, lines 7-25: user interface 300; Col 33, lines 52-55: specifying a policy]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for a more customizable and efficient attack diagnosis (Moran, Col 10, lines 55-62).  

Regarding claim 18, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches wherein the first connection and application execution sensor is implemented using a hardware co-processor on a device. [Nucci, Col 23, lines 30-32: “FIG. 4, a computer system (400) includes one or more processor(s) (402)”]

Regarding claim 19, the combination of Nucci and Moran teach claim 1 as described above.
Nucci teaches further comprising searching for and retrieving the first activity record in response to a user instruction. [Nucci, Col 22, lines 60-62: “any executable found by the threat tagger (309) in any of the flow in a flow-bucket is forwarded to the host module (301) for retrieving the unknown threat label”]
Regarding claim 20, the combination of Nucci and Moran teach claim 1 as described above.
However, Nucci fails to explicitly teach but Moran teaches wherein the alert comprises one or more closest matching baseline signatures to the second activity record. [Moran, See Col 10, lines 45-48]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a method of profiling network traffic of a network of Nucci before him or her by including the teachings of a system for using signatures to detect computer intrusions of Moran. The motivation would have been for a more customizable and efficient attack diagnosis (Moran, Col 10, lines 55-62).  

Claims 5 and 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al., hereinafter (“Nucci”), US Patent (8,418,249 B1), was submitted in 09/15/2020 IDS, in view of Moran, US Patent (7,032,114 B1), was submitted in 09/15/2020 IDS, and further in view of Murphy, US PG Publication (US 20150052595 A1).
Regarding claim 5, the combination of Nucci and Moran teach claim 4 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Murphy teaches wherein the connection information includes the attributes of: user name initiating the communication, identification of the user device, responding application name, responding server name, login ID to responding server, tunnel endpoint IP, and VPN gateway server. [Murphy, Fig. 11 and ¶¶0115-0116: user display 1102 shows various data and information related to users, devices, and apps connected to the gateway: screen 1102 are three categories of data: session data 1104 for a selected user; device data 1106, and app data 1108. This information is for a selected user shown in box 1110. Session data 1104 shows information such as username, group, login time and date, length of current session, and the authentication provider]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a user, device, and app authentication implemented between a client and VPN gateway of Murphy. The motivation/suggestion would have been obvious to try to show how an enterprise gateway established executing specific apps via app-specific link (Murphy, Abstract).  

Regarding claim 8, the combination of Nucci and Moran teach claim 7 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Murphy teaches wherein the application execution information includes the attributes of: server name, application name, executable image path name, interpreter script name, system user ID, command line, current working directory, and process start time. [Murphy, See Fig. 11 and ¶¶0115-0116: user display 1102 shows various data and information related to users, devices, and apps connected to the gateway: screen 1102 are three categories of data: session data 1104 for a selected user; device data 1106, and app data 1108 (with Device, Application, Package ID, MAP Version, UUID, Session ID). This information is for a selected user shown in box 1110. Session data 1104 shows information such as username, group, login time and date (process start time), length of current session, and the authentication provider]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a user, device, and app authentication implemented between a client and VPN gateway of Murphy. The motivation/suggestion would have been obvious to try to show how an enterprise gateway established executing specific apps via app-specific link (Murphy, Abstract).  

Regarding claim 9, the combination of Nucci and Moran teach claim 8 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Murphy teaches wherein the application execution information further includes the attributes of: session signature ID, session signature chain ID, and parent application. [Murphy, Fig. 11 and ¶0118: The third category is data 1108 describing applications being used by the selected user. This data includes device information (same as the device data shown in box 1106), the name of the application (in this case, a browser app and another app called "NSLookup") and related app information. This may include a package ID, UUID, and a Session ID. Recall that the apps that are monitored using the VPN gateway are security wrapped using the processes described above in FIGS. 1-6]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a user, device, and app authentication implemented between a client and VPN gateway of Murphy. The motivation/suggestion would have been obvious to try to show how an enterprise gateway established executing specific apps via app-specific link (Murphy, Abstract).  

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al., hereinafter (“Nucci”), US Patent (8,418,249 B1), was submitted in 09/15/2020 IDS, in view of Moran, US Patent (7,032,114 B1), was submitted in 09/15/2020 IDS, in view of Jin, Korean Patent Published Application (KR101541348B1), published 05/08/2015, machine translated by WIPO.
Regarding claims 6 and 28, the combination of Nucci and Moran teach claim 4 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Doyle teaches wherein the connection information is a session chain representing the activity of a particular user identity across different servers. [Jin, p. 4 ¶7: the session chain (a session chain representing the activity) is composed of a UE, an End-User Experience (IP), an Uplink Control Channel (UC), a Downlink Downlink Control Channel (UD), an Uplink Data Format (UD), and a Downlink Data Format (DD). p. 4 ¶22: the session chain, the UE's unique IMSI (International Mobile Subscriber Identity) value (a particular user identity) extracted from the packet data, IP allocated through the UE access procedure specified in the network from P-GW (PDN Gateway), and GTP tunnel establishment It is configured including the assigned TEID, and is created based on the UE information given from the tunnel creation request (Create Request) message in the packet for data call establishment between the S-GW and the P-GW (different servers).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a method for managing session based on GTP networks. The motivation would have been obvious to try to show how generating User experience Equipment (UE) related information as a session chain according to a result, and then managing the same in a single session when session is connected between gateways using GPRS Tune Tunneling Protocol (GTP) (Jin, p. 4, ¶15).

Claims 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al., hereinafter (“Nucci”), US Patent (8,418,249 B1), was submitted in 09/15/2020 IDS, in view of Moran, US Patent (7,032,114 B1), was submitted in 09/15/2020 IDS, in view of Guilford, US PG Publication (2016/0055166 A1), was submitted in 09/15/2020 IDS.

Regarding claim 10, the combination of Nucci and Moran teach claim 7 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Guilford teaches wherein the application execution information includes the attributes of: server name, file path name, system user ID, application name, and file access mode. [Guilford, ¶0051: parameter values passed to the function are the File Extension, Locator Function (application name), Locator Function Parameter Value, File Access Mode (file access mode.), User Text, Valid Until, Content Length, Access Limit, New File Operation, On Close Procedure, Enforce Process-ID Security (system user ID), Enforce Session-ID Security, and Enforce IP-address Security 305. ¶0064: filename and subdirectory path (file path name)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a system for accessing data from a database as a file. The motivation/suggestion would have been obvious to try to show how data is organized more securely in a database than a file system (Guilford, Abstract).  

Regarding claim 11, the combination of Nucci and Moran teach claim 10 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Guilford teaches wherein the application execution information further includes the attributes of: session signature ID and session signature chain ID. [Guilford, ¶0094: session ID; ¶0063: Enforce Process Security, an optional value, indicates whether the client will enforce system process id security upon the program making use of the gateway. Enforce Session Security, an optional value, indicates whether the client will ensure the database session security when satisfying the gateway request. Enforce IP-address Security, an optional value, indicates whether the file system module will enforce client IP address security before satisfying the gateway request]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of a system for accessing data from a database as a file of Guilford. The motivation/suggestion would have been obvious to try to show how data is organized more securely in a database than a file system (Guilford, Abstract).  

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al., hereinafter (“Nucci”), US Patent (8,418,249 B1), was submitted in 09/15/2020 IDS, in view of Moran, US Patent (7,032,114 B1), was submitted in 09/15/2020 IDS, in view of Brodsky et al., hereinafter (“Brodsky”), US PG Publication (US 20100332473 A1), was submitted in 09/15/2020 IDS.
Regarding claim 12, the combination of Nucci and Moran teach claim 7 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Brodsky teaches wherein the application execution information includes a stack trace of an executing application. [Brodsky, ¶0016: obtaining a stack trace before the query makes a call to a database]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of correlating queries issued by application with source lines and analyzing applications of Brodsky. The motivation/suggestion would have been obvious to try to show how a stack trace is examined to determine API calls (Brodsky, Abstract).  

Regarding claim 17, the combination of Nucci and Moran teach claim 1 as described above.
However, the combination of Nucci and Moran fail to explicitly teach but Brodsky teaches further comprising monitoring user logins, privileges used by logged in users, process and file creations, and process and file executions on the first connection and application execution sensor to detect a compromise of the sensor. [Brodsky, ¶0110: task of setting breakpoints (privileges used by logged in users); ¶0115: the correlator 130 invokes the query parser 115 to parse the query to identify database objects (process and file executions on the first connection and application execution sensor to detect a compromise of the sensor); ¶0134: stack traces created after client application 112 execution (process and file creations); Examiner interprets monitoring user logins]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings Nucci and Moran before him or her by including the teachings of correlating queries issued by application with source lines and analyzing applications of Brodsky. The motivation/suggestion would have been obvious to try to show how a stack trace is examined to determine API calls (Brodsky, Abstract).  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Bellovin et al., US Patent (US 8239531 B1) discloses method and apparatus for connection to virtual private networks for secure transactions.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/           Primary Examiner, Art Unit 2497