United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/930,770
Filing Date: 13 August 2021
Appellant(s): Citrix Systems, Inc.



__________________
Ross Dannenberg
For Appellant















EXAMINER’S ANSWER


This is in response to the Supplemental appeal brief filed 2/8/2022.

	(1) Grounds of Rejection to be Reviewed on Appeal

Every ground of rejection set forth in the Office action dated 3/12/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
	

 	(2) Response to Argument

1. 	Independent Claim 1 
Appellant argues:

Argument 1, on page 3 of the Reply Brief: the reference, Leone, does not disclose the limitation, “identifying, …based on the series of events [received from a client device], a relationship between the first event [of a first application on the client device] and the second event” since Leone’s teachings involve receiving events from a plurality of different users, whereas the claim language only requires the series of events to be generated from one client device. Therefore, the examiner does not explain how correlating anomalous events occurring at different mobile terminals will identify a relationship between two events that occurred at a single mobile terminal or how different anomalous events may be interpreted as a series of events. (Brief, page 3)

Argument 2, on page 5: the reference, Kumar, does not teach the limitation, “determining…that the first event is potentially malicious activity based on a comparison between the identified relationship and other series of events previously determined to be malicious activity” since previously cited paragraph 0030 of Kumar is silent about performing correlation with “previous events” or any other series of events. (Brief, page 5)

Argument 3, on page 7: the motivation to combine the references Kumar and Leone is based on the examiner’s lack of understanding of the cited references, since Leone describes a trust provider system [105], not a traditional security system as suggested by the examiner. Moreover, the examiner has not articulated how a person of ordinary skill in the art would have combined Leone and Kumar to arrive at the cited invention. (Brief, page 7)


2. 	Response to argument(1):
	In regard to argument (1), Leone discloses a system that generalizes the teaching of the appellant’s invention to include inputs from a plurality of user devices. Leone additionally discloses in paragraph 0035 that a minimum of at least one telecommunication device may be considered for analysis. Paragraph 0084 further discloses that each client component is configured to send notifications of anomalous events to a trust provider. Therefore, implicitly, in the case of a single client component, a set of data may be sent that is subsequently analyzed to generate correlated results, which necessitates correlating different data samples [i.e. previous data and current data] generated by the single component [i.e. auto correlation] to determine anomalous events emanating from the single input device. Consequently, Leone discloses the claimed limitations of “identifying, by the computing device and based on the series of events, a relationship between the first event and the second event”; and “receiving, by a computing device, data from a client device, data indicative of occurrences of a series of events that includes a first event of a first application on the client device and a second event”.

Response to argument(2):
In regard to argument (2), Kumar discloses in paragraphs 0019 and 0020 that at least one system may be configured to be continuously monitored and to have its monitored events correlated to determine any threats. The process of performing correlation on continuously monitored events of one system, for example, implicitly requires consideration of any previous events, since the only events generated by the single system consist of any current event and any past previous events.

Response to argument(3):
In regard to argument (3), Kumar discloses in paragraph 0006 a definition of a traditional legacy system to be any system based on use of signatures to provide system security. Leone discloses in paragraph 0054 that communication between a trust provider and mobile terminals is protected via a digital signature mechanism. Therefore, the system taught by Leone may be characterized as a traditional system, as defined by Kumar, that may be enhanced by the teachings of Kumar in order to establish a system for receiving data indicating a series of events from an application, correlating the events to determine potentially malicious activities, and initiating remedial actions.

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/GREGORY A LANE/ Examiner, Art Unit 2438

Conferees:
/David J Pearson/ Primary Examiner, Art Unit 2438

/TAGHI T ARANI/ Supervisory Patent Examiner, Art Unit 2438

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.