DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see Remarks, filed 07/28/2022, with respect to the objections of claims 14-20 have been fully considered and the amendments to the claims are persuasive.  Therefore, the objections to claims 14-20 are withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art.
With respect to the rejection(s) of independent claim 1 under 35 USC § 103, applicant’s argument has been fully considered and is persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 7-8 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB 2014/0304780 A1 to Kuang et al. (hereinafter “Kuang”), and further in view of USPAT No. 7,565,692 B1 to Maria
Regarding claim 1:
Kuang discloses:
A system (Kuang, ¶38: “… a system for remote access to a service on a server computer …”) for protecting a computer (Kuang, ¶108: “… the server computer 210 …”, see Fig. 6, Server 210) from malicious remote desktop protocol attacks (Kuang, ¶05: “…  a system … for secure remote connection to computing services.”, see Fig 6: “RDP Connection”), the system comprising:  
Kuang, ¶108: “… a server program 212 executing on the server computer 210 authorizes 106 the user 202 to access and use the predetermined services 214 on the server computer 210 that are available to the authenticated user 202 and authenticated client device 204.”);
a remote computer (Kuang, ¶105: “… a client device 204 …”);
the(Kuang, ¶129: “The server program 212 … creates a blocking window 606 on a server desktop 608.”) and detects a remote access connection (Kuang, ¶129: “The server program 212 detects 510 the remote desktop connection 206 …”) to the computer by the remote computer by way of the remote access protocol (Kuang ¶129: “The client program 408 establishes 508 a remote desktop connection 206 from the client device 204 to the server computer 210.”); 
after the (¶38: “… upon successful authenticating of the client device …”), the (Kuang, ¶38: “… establishing an authorization connection between the client device and the server computer …”) to verification software (Kuang, ¶132: “… client program 408 …”) that runs on the remote computer (Kuang, ¶132: “… the client program 408 copies 704 the client OTA code 802 to a shared clipboard 806.”, ¶133: “… the server program 212 detects 706 the client OTA code on the shared clipboard 806. The server program 212 creates 708 a server OTA code 810 …”) and if the test connection fails or if the test connection times out (Kuang, ¶134: “…  the server program 212 compares … the server OTA code 810 with the client OTA code 802. If the server OTA code 810 does not match the client OTA code 802 …”), the (Kuang, ¶134: “… the blocking window 606 remains 714 and the authorization process 106 is stopped.”).  

However, Kuang does not explicitly disclose the following limitation disclosed by Maria: 
intrusion detection software running on the computer (Maria ¶156: “… The socket installs the intrusion detection software on the computer on which the agent is running (Step 410). The socket then executes the intrusion detection software and the computer begins functioning as an intrusion detection platform (Step 420).”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Kuang to incorporate the functionality of an intrusion detection software, and be able to combine Kuang’s remote computer access to establish a connection with the well-known method of intrusion detection, as disclosed by Maria, as such modification would monitor the network for malicious network traffic that indicates an active attack. 
Regarding claim 2:
The combination of Kuang and Maria discloses:
The system of claim 1, wherein after the intrusion detection software attempts to make the test connection to the verification software that runs on the remote computer, the intrusion detection software waits for reception of at least one packet of data over the test connection and if the at least one packet of data is not received or a connection timeout occurs, the intrusion detection software declares the remote computer to be malicious and the intrusion detection software terminates the remote access connection (Kuang, ¶132: “… the client program 408 copies 704 the client OTA code 802 to a shared clipboard 806.”, ¶133: “… the server program 212 detects 706 the client OTA code on the shared clipboard 806. The server program 212 creates 708 a server OTA code 810 …”, ¶134: “…  the server program 212 compares … the server OTA code 810 with the client OTA code 802. If the server OTA code 810 does not match the client OTA code 802 … the blocking window 606 remains 714 and the authorization process 106 is stopped.”).  
Regarding claims 7-8:
Claims 7-8 substantially recite the same limitations as claims 1-2, respectively, in the form of a system implementing the corresponding method, therefore they are rejected under the same rationale.

Regarding claims 14-15:
Claims 14-15 substantially recite the same limitations as claims 1-2, respectively, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore they are rejected under the same rationale.
Claims 3-4, 9-11 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kuang in view of Maria, and further in view of US-PGPUB No. 2010/0313262 A1 Mehta et al. (hereinafter “Mehta”)
Regarding claim 3:
The combination of Kuang and Maria discloses the system of claim 2, but fails to explicitly disclose the following limitation taught by Mehta: 
wherein after the at least one packet of data is received, the intrusion detection software searches a table of expected values for the data and if the data is not found in the table of expected values, the intrusion detection software declares the remote computer to be malicious and the intrusion detection software terminates the remote access connection (Mehta ¶24: “… controller … may contain a whitelist stored in memory hierarchy … of those individual remote access points which are to be accepted. This whitelist may also reside outside of the controller … with the controller … being able to access the information at any time. This whitelist for example could be based on the unique MAC address of first wired interface … present in each remote access point ... If the MAC address, which is present in the device credentials such as digital certificate, is on the whitelist, the connection is accepted, otherwise the connection is rejected.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang and Maria to incorporate the functionality of the controller to contain a whitelist of those individual remote access points which are to be accepted, as disclosed by Mehta. Such modification would allow the intrusion detection system to distinguish safe remote devices from malicious ones by checking the unique identifier, for example MAC address, against expected values (whitelists), thus protecting the system from malicious access.
Regarding claim 4:
The combination of Kuang, Maria and Mehta discloses:
The system of claim 3, wherein the table of expected values includes computer identifications of approved remote computers (Mehta, ¶24: “… controller 100 may contain a whitelist stored in memory hierarchy 120 of those individual remote access points which are to be accepted. This whitelist for example could be based on the unique MAC address of first wired interface … present in each remote access point ...”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang and Maria to incorporate the functionality of the controller to contain a whitelist of those individual remote access points which are to be accepted, as disclosed by Mehta. Such modification would allow the intrusion detection system to distinguish safe remote devices from malicious ones by checking the unique identifier, for example MAC address, against expected values (whitelists), thus protecting the system from malicious access.
Regarding claim 9:
Claim 9 substantially recites the same limitation as claim 3, in the form of a system implementing the corresponding method, therefore it is rejected under the same rationale.
Regarding claim 10:
The combination of Kuang, Maria and Mehta discloses:
The method of claim 9 if not finding one of the expected values from the table of expected values in the data, declaring the remote computer to be malicious and terminating the remote access connection (Mehta ¶24: “… controller … may contain a whitelist stored in memory hierarchy … of those individual remote access points which are to be accepted. This whitelist may also reside outside of the controller … with the controller … being able to access the information at any time. This whitelist for example could be based on the unique MAC address of first wired interface … present in each remote access point ... If the MAC address, which is present in the device credentials such as digital certificate, is on the whitelist, the connection is accepted, otherwise the connection is rejected.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang and Maria to incorporate the functionality of the controller to contain a whitelist of those individual remote access points which are to be accepted, as disclosed by Mehta. Such modification would allow the intrusion detection system to distinguish safe remote devices from malicious ones by checking the unique identifier, for example MAC address, against expected values (whitelists), thus protecting the system from malicious access.
Regarding claim 11:
Claim 11 substantially recites the same limitations as claim 4, in the form of a system implementing the corresponding method, therefore it is rejected under the same rationale.
Regarding claims 16-19:
Claims 16, 17 and 18-19 substantially recite the same limitations as claims 3-5 and 10 respectively, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore they are rejected under the same rationale.
Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kuang, Maria, Mehta and further in view of US-PGPUB No. 2010/0197293 A1 to Shem-Tov (hereinafter “Tov”)
Regarding claim 5:
The combination of Kuang, Maria and Mehta discloses the system of claim 3, but fails to explicitly disclose the following limitation taught by Tov:
wherein the table of expected values includes phone number of approved remote computers (Tov, ¶06: “… authenticating the caller includes comparing the telephone number to a list of authorized telephone numbers.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang, Maria and Mehta to incorporate the functionality of the prevention invention method to include telephone numbers for authentication, as disclosed by Tov. Such modification would allow the intrusion detection system to distinguish safe remote devices from malicious ones by checking the unique identifier, for example phone number, against expected values (whitelists), thus protecting the system from malicious access.
Regarding claim 12:
Claim 12 substantially recites the same limitations as claim 5, in the form of a system implementing the corresponding method, therefore it is rejected under the same rationale.
Claims 6 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kuang, Maria and further in view of US-PGPUB No. 2014/0007222 A1 to Qureshi et al. (hereinafter “Qureshi”)
Regarding claim 6:
The combination of Kuang and Maria discloses the system of claim 1, but fails to explicitly disclose the following limitation taught by Qureshi: 
wherein after detecting that the remote access connection has been made and the new logon session is initiated, the intrusion detection software blocks any new programs from executing until the intrusion detection software determines that the remote computer is authorized (Qureshi ¶88: “The secure VM may also prevent an enterprise application from running unless and until the user enters a valid passcode or otherwise successfully authenticates.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang and Maria to incorporate the functionality of the secure VM to protect an application from running unless and until the user enters a valid passcode or otherwise successfully authenticates, as disclosed by Qureshi. Such modification would protect the host programs from being run by a remote device application before being properly authenticated, thus protecting the system from malicious access.
Regarding claim 20:
Claim 20 substantially recites the same limitation as claim 6, in the form of program instructions stored in a non-transitory storage medium to execute the corresponding method, therefore it is rejected under the same rationale.
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Kuang, Maria, Mehta and further in view of Qureshi
Regarding claim 13:
The combination of Kuang, Maria and Mehta discloses the method of claim 9, but fails to explicitly disclose the following limitation taught by Qureshi: 
wherein after detecting that the remote access connection has been made and the new logon session is initiated, blocking any new programs from executing until declaring the remote computer to be safe authorized (see Qureshi ¶88: “The secure VM may also prevent an enterprise application from running unless and until the user enters a valid passcode or otherwise successfully authenticates.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Kuang, Maria and Mehta to incorporate the functionality of the secure VM to protect an application from running unless and until the user enters a valid passcode or otherwise successfully authenticates, as disclosed by Qureshi. Such modification would protect the host programs from being run by a remote device application before being properly authenticated, thus protecting the system from malicious access.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Shem Tov et al. (US-PGPUB No. 2018/0359237-A1)- disclosed an invention that relates to remote desktop access to a target machine and, more particularly, but not exclusively, to generating an assessment of a remote desktop access connection session.
German et al. (US-PGPUB No. 2013/0067229-A1)- disclosed an invention that relates to remote desktop technology, and, more particularly, relates to a method, apparatus, and computer program product for key sharing over remote desktop protocol.
Fausak et al. (US-PGPUB No. 2019/0222571-A1)- disclosed information handling systems for remote access to a personal computer as a service using a remote desktop protocol and Windows Hello support.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491