Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application is related to the following commonly-owned U.S. patent applications that are incorporated herein by reference in their entirety: U.S. application Ser. No. 15/136,687 filed on Apr. 22, 2016 entitled “Labeling Network Flows According to Source Applications,” and U.S. application Ser. No. 15/136,762 filed on Apr. 22, 2016 entitled “Secure Labeling of Network Flows.”
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/27/2022 has been entered.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/17/2022 and 06/07/2022 were filed after the mailing date of the Final Office Action on 03/01/2022. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Response to Arguments
Claim Rejection – 35 USC § 112
	Applicant’s remarks regarding support for the amendment have been reviewed by the examiner and found to be persuasive. Therefore this rejection has been withdrawn.
Claim Rejection – 35 USC § 103
Applicant’s arguments, filed 05/27/2022, with respect to the rejection(s) of claim(s) under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the independent claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley et al. (US9154520B1) in view of Dandliker et al. (US20080082662A1) and further in view of Wright (US20110023115A1).
Regarding claim 1, Cooley discloses:
A computer program product for monitoring network security based on endpoint user presence, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a gateway (i.e. networking device 208) in an enterprise network, performs the steps of: 
connecting an endpoint (i.e. endpoint Device 202) to a data network through the gateway (i.e. networking device 208) (See FIG. 2 for Endpoints connected through the networking device);
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col. 1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
the network request presenting a potential security risk (i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10; In this example, as the request submitted by endpoint device 202(1) reaches networking device 208, detection module 104 may intercept the request to determine whether the requested data transfer includes content that has been potentially prohibited by at least one policy associated with endpoint device 202(1)); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. the networking device intercepts the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits, as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley fails to disclose:
	wherein the network request includes a request to download an executable file; determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
	a network request that includes downloading an executable file (See FIG. 3A; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus, which is construed as a network request which contains downloading executable files).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley reference and include an apparatus which is able to prevent automatic download of executable files from external networks, as disclosed by Dandliker.
	The motivation to include an appliance which is able to prevent automatic download of executable files from external networks is to protect the internal network from maliciously downloaded executable files from external networks.
The combination of Cooley and Dandliker fails to disclose:
	determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Wright discloses:
	determining (i.e., monitor and compare the user interaction; see [0007]) whether the network request (i.e., clicking on a link on a webpage, downloading a file; See [0007 & 0010]) was initiated by a human user (i.e., based on user interaction with the computer such as downloading a file; see [0007]) based at least in part on a historical record of activity on the endpoint (i.e., a predetermined behavior is construed as ‘historical record’ of the user interaction on the computer) indicating whether the network request was an automatically generated network request or a network request initiated by a human user ([0007] protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior; [0067] The indication of the malicious behavior may be a result of comparing an operation of the executing code with a predetermined behavior, such as a gene stored for reference in a gene database 248; [0074] FIG. 3 depicts a flowchart for behavioral-based threat detection. At step 302, an executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior [i.e., historical record], referred to as a gene. At step 304, a plurality of malicious behavior indications are collected by performing step 302 a number of times. At step 308, the plurality of malicious behavior indications are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. At step 310, an action is caused based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype [step 310 is construed as determination step based on previously recorded behavior [i.e., historical record of activity] that the computer process is an automated behavior which is not executed as a result of the user interaction]; [0085] The indication of suspicious and/or risky user 400 behavior may be a result of comparing one or more user 400 behaviors with a predetermined behavior gene, such as a behavior gene stored for reference in a behavior gene database 422).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, as disclosed by Wright.
	The motivation to include Wright’s method and system is to detect and provide host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing and comparing behavior of the computer based on historical.
Regarding claim 7, Cooley discloses:
A method of operating a gateway comprising:
connecting an endpoint (i.e. endpoint Device 202) to a data network through the gateway (i.e. networking device 208) (See FIG. 2 for Endpoints connected through the networking device);
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col. 1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
the network request presenting a potential security risk (i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10; In this example, as the request submitted by endpoint device 202(1) reaches networking device 208, detection module 104 may intercept the request to determine whether the requested data transfer includes content that has been potentially prohibited by at least one policy associated with endpoint device 202(1)); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. the networking device intercepts the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits, as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley fails to disclose:
	wherein the network request includes a request to download an executable file; determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
	a network request that includes downloading an executable file (See FIG. 3A; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus, which is construed as a network request which contains downloading executable files).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley reference and include an apparatus which is able to prevent automatic download of executable files from external networks, as disclosed by Dandliker.
	The motivation to include an appliance which is able to prevent automatic download of executable files from external networks is to protect the internal network from maliciously downloaded executable files from external networks.
The combination of Cooley and Dandliker fails to disclose:
	determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Wright discloses:
	determining (i.e., monitor and compare the user interaction; see [0007]) whether the network request (i.e., clicking on a link on a webpage, downloading a file; See [0007 & 0010]) was initiated by a human user (i.e., based on user interaction with the computer such as downloading a file; see [0007]) based at least in part on a historical record of activity on the endpoint (i.e., a predetermined behavior of the user interaction on the computer) indicating whether the network request was an automatically generated network request or a network request initiated by a human user ([0007] protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior; [0067] The indication of the malicious behavior may be a result of comparing an operation of the executing code with a predetermined behavior, such as a gene stored for reference in a gene database 248; [0074] FIG. 3 depicts a flowchart for behavioral-based threat detection. At step 302, an executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. At step 304, a plurality of malicious behavior indications are collected by performing step 302 a number of times. At step 308, the plurality of malicious behavior indications are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. At step 310, an action is caused based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype [step 310 is construed as determination step based on previously recorded behavior [i.e., historical record of activity] that the computer process is an automated behavior which is not executed as a result of the user interaction]; [0085] The indication of suspicious and/or risky user 400 behavior may be a result of comparing one or more user 400 behaviors with a predetermined behavior gene, such as a behavior gene stored for reference in a behavior gene database 422).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, as disclosed by Wright.
	The motivation to include Wright’s method and system is to detect and provide host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing and comparing behavior of the computer based on historical.
Regarding claim 8, the combination of Cooley, Dandliker and Wright discloses:
The method of claim 7 wherein the network request includes a request for a download of an executable from the data network (Dandliker: [0107] In step 310, the allowed action is performed with respect to the specified network identifier. Various embodiments involve performing a variety of allowed actions. Referring now to FIG. 3B, examples of responsive actions that may be performed based on different URL reputation score values are shown. For example, messaging apparatus 116 may block access to the network resource identifier and any associated web site or resource, as shown in block 320. Messaging apparatus 116 may prevent automatic downloads or installations of certain file types, as shown in block 322. For example, downloads or installations of EXE or ZIP files can be blocked).
Regarding claim 9, the combination of Cooley, Dandliker and Wright discloses:
The method of claim 7 wherein the network request includes a request directed to an unknown address (Cooley: Col. 4, Line # 59-67; As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may be configured to store any type of form of information used to determine whether to block attempts by users of endpoint devices to download one or more files from an external network).
Regarding claim 10, the combination of Cooley, Dandliker and Wright discloses:
The method of claim 7 wherein the network request includes a request directed to a known source of malware (Cooley: Col. 4, Line # 59-67; As illustrated in FIG. 1, exemplary system 100 may also include one or more databases, such as database 120. In one example, database 120 may be configured to store any type of form of information used to determine whether to block attempts by users of endpoint devices to download one or more files from an external network).
Regarding claim 17, Cooley discloses:
A system comprising: 
a gateway (i.e. networking device 208) including a network interface configured to couple in a communicating relationship with a data network that includes an endpoint (i.e. endpoint Device 202) (See FIG. 2 for Endpoints connected through the networking device); a memory on the gateway; and a processor on the gateway;
detecting, at the gateway (i.e. detecting at a networking device), a network request by a process (i.e. a file request from endpoint device to download file from external resource) executing on the endpoint to a remote resource outside the enterprise network (See FIG. 3; Step 302; Col. 1, Line # 43-59; Col. 6, Line # 55-61; detection of downloading of a file from an external network), 
the network request presenting a potential security risk (i.e. potential policy violation) including a request in violation of a network security policy (See FIG. 3; Step 304; Col. 7, Line # 36-51; potential download policy violations);
at the gateway, determining whether the network request is a suspicious network request or not (Col. 7, Line # 2-10; In this example, as the request submitted by endpoint device 202(1) reaches networking device 208, detection module 104 may intercept the request to determine whether the requested data transfer includes content that has been potentially prohibited by at least one policy associated with endpoint device 202(1)); 
in response to the potential security risk and a determination (i.e. directing, in response to the determination) that network request is a suspicious network request (i.e. the networking device intercepts the request to determine whether the requested data transfer includes prohibited content such as malware, viruses, computer worms, Trojan horses, spyware, adware, social-engineering attacks, rootkits, as disclosed in Col. 7, Line # 2-10), 
initiating, at the gateway, a remedial action (i.e. blocking the download of the file AND notifying at the endpoint that download has been blocked) that includes executing a security measure on the endpoint in response to the potential security risk presented by the network request (See FIG. 3; Steps 306 & 308; Col. 8, Line # 56-63; Col. 9, Line # 21-26; directing the network device to block the download of the file AND notify the user at the endpoint that download has been blocked).
Cooley fails to disclose:
	wherein the network request includes a request to download an executable file; determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Dandliker discloses:	
	a network request that includes downloading an executable file (See FIG. 3A; [0107] blocking automatic downloads or installations of EXE files by the messaging apparatus, which is construed as a network request which contains downloading executable files).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley reference and include an apparatus which is able to prevent automatic download of executable files from external networks, as disclosed by Dandliker.
	The motivation to include an appliance which is able to prevent automatic download of executable files from external networks is to protect the internal network from maliciously downloaded executable files from external networks.
The combination of Cooley and Dandliker fails to disclose:
	determining whether the network request was initiated by a human user based at least in part on a historical record of activity on the endpoint indicating whether the network request was an automatically generated network request or a network request initiated by a human user.
However, Wright discloses:
	determining (i.e., monitor and compare the user interaction; see [0007]) whether the network request (i.e., clicking on a link on a webpage, downloading a file; See [0007 & 0010]) was initiated by a human user (i.e., based on user interaction with the computer such as downloading a file; see [0007]) based at least in part on a historical record of activity on the endpoint (i.e., a predetermined behavior of the user interaction on the computer) indicating whether the network request was an automatically generated network request or a network request initiated by a human user ([0007] protection may be provided based at least in part by monitoring a user interaction with a computer, and/or computer network client device, during a usage session for an indication of a user behavior; [0067] The indication of the malicious behavior may be a result of comparing an operation of the executing code with a predetermined behavior, such as a gene stored for reference in a gene database 248; [0074] FIG. 3 depicts a flowchart for behavioral-based threat detection. At step 302, an executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. At step 304, a plurality of malicious behavior indications are collected by performing step 302 a number of times. At step 308, the plurality of malicious behavior indications are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. At step 310, an action is caused based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype [step 310 is construed as determination step based on previously recorded behavior [i.e., historical record of activity] that the computer process is an automated behavior which is not executed as a result of the user interaction]; [0085] The indication of suspicious and/or risky user 400 behavior may be a result of comparing one or more user 400 behaviors with a predetermined behavior gene, such as a behavior gene stored for reference in a behavior gene database 422).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley and Dandliker references and include a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, as disclosed by Wright.
	The motivation to include Wright’s method and system is to detect and provide host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing and comparing behavior of the computer based on historical.


Claims 3-4, 6, 11, 13-14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley et al. (US9154520B1) in view of Dandliker et al. (US20080082662A1) and in view of Wright (US20110023115A1) and further in view of Yu et al. (US20150249641A1).
Regarding claim 3, the combination of Cooley, Dandliker and Wright fails to disclose:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes transmitting a request to the endpoint for a user input.
However, Yu discloses:
	wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes transmitting a request to the endpoint for a user input ([0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 4, the combination of Cooley, Dandliker and Wright fails to disclose:
The computer program product of claim 1 wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a user is logged in to the endpoint.
However, Yu discloses:
	wherein determining whether the network request was an automatically generated network request or a network request initiated by a human user includes determining whether a user is logged in to the endpoint ([0054-0055] disclose sending a human test message and getting a response back, which is construed as a user being logged in to the endpoint).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 6, the combination of Cooley, Dandliker and Wright fails to disclose:
The computer program product of claim 1 wherein the determining whether the network request was an automatically generated network request or a network request initiated by a human user status includes analyzing a record of keyboard or mouse activity within a predetermined time window.
However, Yu discloses:
wherein the determining whether the network request was an automatically generated network request or a network request initiated by a human user status includes analyzing a record of keyboard or mouse activity within a predetermined time window ([0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user; [0056] At block 506, the received response is compared with the correct answer of the challenge question. If it is not a correct answer, the process goes to block 507 and the network access is blocked).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 11, the combination of Cooley, Dandliker and Wright fails to disclose:
The method of claim 7 wherein evaluating the status of the endpoint includes querying the endpoint about whether the user is present.
However, Yu discloses:
	evaluating the status of the endpoint includes querying the endpoint about whether the user is present ([0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified; [0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 13, the combination of Cooley, Dandliker and Wright fails to disclose:
The method of claim 7 wherein evaluating the status of the endpoint includes transmitting a request to the endpoint for a user input.
However, Yu discloses:
	wherein evaluating the status of the endpoint includes transmitting a request to the endpoint for a user input ([0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 14, the combination of Cooley, Dandliker and Wright fails to disclose:
The method of claim 7 wherein the status includes whether a user is logged in to the endpoint.
However, Yu discloses:
	wherein the status includes whether a user is logged in to the endpoint ([0054] At block 504, a human user test message is generated and sent to the potential user when a high risk network access is identified. The human user test message may be a visual or audio CAPTCHA message or other security challenge questions that are different to be recognized by an automatic process. In one embodiment, the human user test message may be sent to the source of the network access as a response to the network access. It is also possible that the network access is redirected to a web page showing the human user test message).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.
Regarding claim 16, the combination of Cooley, Dandliker and Wright fails to disclose:
The method of claim 7 wherein the status includes a record of keyboard or mouse activity within a predetermined time window.
However, Yu discloses:
	wherein the status includes a record of keyboard or mouse activity within a predetermined time window ([0055] At block 505, a response to the human user test is received by the security device. Since the human user test message is not a simple verification such as an OK message that can be easily generated and sent by an automatic process running on the user's computer, a correct response can be sent only by a human user; [0056] At block 506, the received response is compared with the correct answer of the challenge question. If it is not a correct answer, the process goes to block 507 and the network access is blocked).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and include an intermediary network security device to monitor and prevent potential malicious activity on the user computer, as disclosed by Yu.
	The motivation to include an intermediary network security device to monitor and prevent potential malicious activity on the user computer is to perform behavioral inspection on the user computer and prevent malicious activity if the activity is being performed by the automated malicious process.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Cooley et al. (US9154520B1) in view of Dandliker et al. (US20080082662A1) and in view of Wright (US20110023115A1) and further in view of Gear et al. (US20160117911A1).
Regarding claim 5, the combination of Cooley, Dandliker and Wright fails to disclose:
The computer program product of claim 1 wherein determining whether the network request was initiated by a human user includes determining whether a display of the endpoint is locked.
However, Gear discloses:
determining whether a display of the endpoint is locked (i.e., determination if workstation/computing device is locked) (abstract; Fig 3, item 312 into 318; [0035]-[0036]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and use multiple different factors and sensors to determine whether a human user is present, such as the use of whether the workstation is locked, as disclosed by Gear.
The motivation would be to provide the most accurate estimation as to whether a human was present at the device at the time the request was made and thus influence the probability of whether the request was machine generated or human generated.
Regarding claim 15, the combination of Cooley, Dandliker and Wright fails to disclose:
The method of claim 7 wherein the status includes whether a display of the endpoint is locked.
However, Gear discloses:
determining whether a display of the endpoint is locked (i.e., determination if workstation/computing device is locked) (abstract; Fig 3, item 312 into 318; [0035]-[0036]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Cooley, Dandliker and Wright references and use multiple different factors and sensors to determine whether a human user is present, such as the use of whether the workstation is locked, as disclosed by Gear.
The motivation would be to provide the most accurate estimation as to whether a human was present at the device at the time the request was made and thus influence the probability of whether the request was machine generated or human generated.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SYED M AHSAN/Patent Examiner, Art Unit 2432, 07/01/2022