DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter
No rejection under 35 USC § 103 has been made for claims 6, 13, and 19. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,265,337 in view of Mhatre et al. (US 2016/0191559), hereafter “Mhatre.”
Taking claim 1 of the present application and claim 1 of US 11,265,337 as exemplary, the claims may be compared as follows: 

Claim 1 of the present application
Claim 1 of US 11,265,337
1. A method comprising:


monitoring, by a client device traffic of an application hosted on one or more remote computing devices and accessed via the client device;














providing, by the client device responsive to monitoring, data associated with traffic of the application as input to a model, the model configured to output identification of a predicted behavior of a user responsive to the input; and 

causing, by the device, access to the application by the user to be restricted responsive to the identification of the predicted behavior of the user from using the model.
1. A method of monitoring a network application, the method comprising: 

monitoring, by a client application on a client device, traffic of a first network application hosted on a server and at least one computing resource on the client device, the client application 

providing the client device with access to a plurality of network applications including the first network application via an embedded browser of the client application; 

generating, by the client application, analytics data according to the monitored traffic of the first network application and the monitored at least one computing resource on the client device; 

using, by the client application, a user behavior model having a set of weights determined using the analytics data, to identify anomalous activity associated with the first network application; and 


restricting, by the client application, in response to identifying the anomalous activity, access to the first network application.



As can be seen in the comparison above, claim 1 of US 11,265,337 anticipates claim 1 of the present application except that claim 1 of US 11,265,337 does not teach:	the model configured to output identification of a predicted behavior of a user responsive to the input; and 	responsive to the identification of the predicted behavior of the user from using the model. 	Mhatre teaches: 	a model configured to output identification of a predicted behavior of a user responsive to the input (Mhatre: 306 of FIG. 3; par 0037); and 	responsive to the identification of the predicted behavior of the user from using the model (Mhatre: 308 of FIG. 3; par 0038-0040).	It would have been obvious to one of ordinary skill in the art to employ the user action prediction model of Mhatre within the claim 1 system with predictable results. One would be motivated to make the combination to provide the predictable benefit of increasing the effectiveness of the system by modeling and predicting user behavior so as to detect anomalous behavior. A high likelihood of success is anticipated given that both claim 1 and Mhatre disclose systems for detecting anomalous user behavior based on observed network traffic. Further, in view of this substantial similarity it would have been readily apparent to one of ordinary skill that various beneficial features of Mhatre could have been implemented within the claim 1 system with predictable results and a beneficial effect.  

Independent claims 8 and 15 recite comparable subject matter and so the same analysis with respect to claim 1 is applicable. Dependent claims 2-7, 9-14, and 16-20 are rejected at least by virtue of dependency upon claims 1, 8, and 15 respectively. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5, 7-12, 14-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Luna (US 2012/0278886), in view of Swafford (US 2019/0124118), and further in view of Mhatre et al. (US 2016/0191559), hereafter “Mhatre.”
Regarding claim 1, Luna teaches a method comprising: 	monitoring, by a client device, traffic of an application hosted on one or more remote computing devices (Luna: 310 of FIG. 3A; par 0082) and accessed via the client device (Luna: par 0125, 126); and 	causing, by the device, access to the application by the user to be restricted (Luna: par 0372 [Upon detecting malicious traffic or potentially malicious traffic, the malware traffic handling engine 435 can block the traffic entirely or handle the traffic according to certain criteria.]; 0374). 	Luna does not explicitly teach: 	providing, by the client device responsive to monitoring, data associated with traffic of the application as input to a model, the model configured to output identification of a predicted behavior of a user responsive to the input; and 	responsive to the identification of the predicted behavior of the user from using the model. 	Swafford teaches: 	providing, by a client device responsive to monitoring, data associated with traffic of the application as input to a model (Swafford: par 0049, 0060, 0106).	It would have been obvious to one of ordinary skill in the art to implement the endpoint agent functionality of Swafford within the local proxy of Luna with predictable results. One would be motivated to make the combination to provide the predictable benefit of Swafford’s behavioral modeling to better detect malicious traffic within the Luna system. A high likelihood of success is anticipated given that the endpoint agent of Swafford and the local proxy of Luna are analogous elements, both being software elements installed on a user device to monitor traffic for the purpose of detecting anomalies. Further, in view of this substantial similarity it would have been readily apparent to one of ordinary skill in the art that various beneficial features of Swafford could have been implemented within the Luna system with predictable results and a beneficial effect.	Luna-Swafford does not explicitly teach: 	the model configured to output identification of a predicted behavior of a user responsive to the input; and 	responsive to the identification of the predicted behavior of the user from using the model. 	Mhatre teaches: 	a model configured to output identification of a predicted behavior of a user responsive to the input (Mhatre: 306 of FIG. 3; par 0037); and 	responsive to the identification of the predicted behavior of the user from using the model (Mhatre: 308 of FIG. 3; par 0038-0040).	It would have been obvious to one of ordinary skill in the art to employ the user action prediction model of Mhatre within the Luna-Swafford system with predictable results. One would be motivated to make the combination to provide the predictable benefit of increasing the effectiveness of the system by modeling and predicting user behavior so as to detect anomalous behavior. A high likelihood of success is anticipated given that both Luna-Swafford and Mhatre disclose systems for detecting anomalous user behavior based on observed network traffic. Further, in view of this substantial similarity it would have been readily apparent to one of ordinary skill that various beneficial features of Mhatre could have been implemented within the Luna-Swafford system with predictable results and a beneficial effect. 

Regarding claim 2, the method of claim 1, further comprising accessing, by the client device, the application via browser within a client application of the client device (Luna: par 0177).

Regarding claim 3, the method of claim 1, further comprising generating, by the client device from monitoring, the data identifying one or more interactions of the user with the application (Luna: par 0298).

Regarding claim 4, the method of claim 1, further comprising determining, by the client device, a deviation from the predicted behavior and a behavior of the user measured from monitoring (Mhatre: 308 of FIG. 3; par 0038-0040).

Regarding claim 5, the method of claim 1, further comprising determining, by the client device, to restrict access to the application responsive to the deviation being greater than a threshold (Mhatre: par 0050, 0051).

Regarding claim 7, the method of claim 1, wherein the data comprises one or more of a metric of a computing resource of the client device or a metric of the traffic (Mhatre: par 0044, 053).

Regarding claim 8, a client device (Luna: 150 of FIG. 1C) comprising: 	one or more processors, coupled to memory and configured to (Luna: par 0122): 	monitor traffic of an application hosted on one or more remote computing devices (Luna: 310 of FIG. 3A; par 0082) and accessed via the client device (Luna: par 0125, 126); 	provide, responsive to monitoring, data associated with traffic of the application as input to a model, the model configured to output identification of a predicted behavior of a user responsive to the input (Swafford: par 0049, 0060, 0106; Mhatre: 306 of FIG. 3; par 0037); and 	cause access to the application by the user to be restricted responsive to the identification of the predicted behavior of the user from using the model (Luna: par 0372 [Upon detecting malicious traffic or potentially malicious traffic, the malware traffic handling engine 435 can block the traffic entirely or handle the traffic according to certain criteria.]; 0374).

Regarding claim 9, the client device of claim 8, wherein the one or more processors are further configured to access the application via browser within a client application of the client device (Luna: par 0177).

Regarding claim 10, the client device of claim 8, wherein the one or more processors are further configured to generate, from monitoring, the data identifying one or more interactions of the user with the application (Luna: par 0298).

Regarding claim 11, the client device of claim 8, wherein the one or more processors are further configured to determine a deviation from the predicted behavior and a behavior of the user measured from monitoring (Mhatre: 308 of FIG. 3; par 0038-0040).

Regarding claim 12, the client device of claim 11, wherein the one or more processors are further configured to determine to restrict access to the application responsive to the deviation being greater than a threshold (Mhatre: par 0050, 0051).

Regarding claim 14, the client device of claim 8, wherein the data comprises one or more of a metric of a computing resource of the client device or a metric of the traffic (Mhatre: par 0044, 053).

Regarding claim 15, a non-transitory computer readable medium storing program instructions for causing one or more processors of a client device to (Luna: par 0122):	monitor traffic of an application hosted on one or more remote computing devices (Luna: 310 of FIG. 3A; par 0082) and accessed via the client device (Luna: par 0125, 126);	provide, responsive to monitoring, data associated with traffic of the application as input to a model, the model configured to output identification of a predicted behavior of a user responsive to the input (Swafford: par 0049, 0060, 0106; Mhatre: 306 of FIG. 3; par 0037); and	cause access to the application by the user to be restricted responsive to the identification of the predicted behavior of the user from using the model (Luna: par 0372 [Upon detecting malicious traffic or potentially malicious traffic, the malware traffic handling engine 435 can block the traffic entirely or handle the traffic according to certain criteria.]; 0374).

Regarding claim 16, the non-transitory computer readable medium of claim 17, wherein the program instructions further cause the one or more processors to generate, from monitoring, the data identifying one or more interactions of the user with the application (Luna: par 0298).

Regarding claim 17, the non-transitory computer readable medium of claim 17, wherein the program instructions further cause the one or more processors to determine a deviation from the predicted behavior and a behavior of the user measured from monitoring (Mhatre: 308 of FIG. 3; par 0038-0040).

Regarding claim 18, the non-transitory computer readable medium of claim 17, wherein the program instructions further cause the one or more processors to determine to restrict access to the application responsive to the deviation being greater than a threshold (Mhatre: par 0050, 0051).

Regarding claim 20, the non-transitory computer readable medium of claim 17, wherein the data comprises one or more of a metric of a computing resource of the client device or a metric of the traffic (Mhatre: par 0044, 053).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES E SPRINGER whose telephone number is (571)270-5640. The examiner can normally be reached 9am - 5:30pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JAMES E. SPRINGER
Primary Examiner
Art Unit 2454



/JAMES E SPRINGER/           Primary Examiner, Art Unit 2454