DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Applicant’s Amendment and Remarks filed on 20 July 2022. 
Claims 1-20 are pending in this application.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  
Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Step 1, Statutory Category: Yes, the claim 1 is a method that recites a series of steps and therefore falls in the statutory category of a process.
Step 2A- Prong 1: Judicial Exception Recited: Yes, the claim recites: “(c) sorting, the plurality of notifications into subsets of notifications intended for different users of the plurality of users; and (d) sort the subsets of notifications with notifications from a plurality of applications used by the plurality of users.” As drafted, the claim as a whole recites a method including steps that could be performed in the human mind, but for the recitation of generic computing components. The human mind can easily sorting the notifications/message into subsets of notifications intended for different users of the plurality of users. For example, a person can easily evaluating/determining/judging to group/sort/dividing the plurality of messages/notifications into different groups/classes/categories according to different users. Therefore, but for the recitation of generic computing components, these steps may be a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion). 
Therefore, yes, the claims do recite judicial exceptions.
Step 2A- Prong 2: Integrated into a practical Application: No, this judicial exception is not integrated into a practical application. In particular, the claim recites additional limitations that “establishing, one or more hooks to intercept notifications; (b) intercepting, via the one or more hooks, a plurality of notifications for a plurality of users” which is insignificant pre-solution data gathering (see MPEP § 2106.05(g)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b) and an attempt to generally link the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h))). In addition, “an agent”, “hooks”, “a virtual machine”, “an operating system”, “one or more virtualized applications”, “one or more devices used by a user of the plurality of users to connected to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application”, “network”, “notification service executed by a server remote from the agent”, “a plurality of applications” and “a device of the one or more devices of the user” are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b). The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to the abstract idea.
Step 2B: Claim provides an Inventive Concept: No. As discussed with respect to Step 2A prong Two, the additional elements “an agent”, “hooks”, “a virtual machine”, “an operating system”, “one or more virtualized applications”, “one or more devices used by a user of the plurality of users to connected to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application”, “network”, “notification service executed by a server remote from the agent”, “a plurality of applications” and “a device of the one or more devices of the user” (i.e., as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and an attempt to generally link the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h))). In addition, the limitation “establishing, one or more hooks to intercept notifications; (b) intercepting, via the one or more hooks, a plurality of notifications for a plurality of users” are insignificant pre-solution data gathering (see MPEP § 2106.05(g)), and “(d) communicating, by the agent via a network, the plurality of subsets of notifications to a notification service” and “wherein the notification service communicates, via the network to a device of the one or more devices of the user that is remote from the agent and the server, the subsets of notifications sorted with the notifications from the plurality of applications to cause the device to execute an action within the virtualized application”, which is additionally well understood, routine, conventional activity (see MPEP § 2106.05(d), courts have identified “receiving and transmitting data, storing and retrieving information, et cetera as well understood, routine, conventional) and a generic computing device performing a generic computer function (see MPEP §2106.05(b)). (Further, the limitation of “to cause the device to execute an action within the virtualized application” which is “causing”, the claimed does not specifically indicated that the action is actually performed). The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A. These additional elements and combination of the elements does not amount to significant more than the exception itself or provide an inventive concept in Step 2B.

Under the 2019 PEG, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. Here, the establishing step, intercepting step and communicating step for displaying were considered to be extra-solution activity in Step 2A as insignificant pre-solution data gathering, and well understood, routine, conventional activity, thus it is re-evaluated in Step 2B to determine if it is more than what is well understood, routine, conventional activity in the field. The establishing and intercepting steps is for the purpose of “collecting” the data, and wherein the communicating step is for “displaying” the data and these can be reached on one of court case (Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) (collection, analysis and display data) see MPEP § 2106.05(g)). Accordingly, a conclusion that the establishing, intercepting and communicating are well understood, routine, conventional activity is supported under Berkheimer options 2.

For these reasons, there is no inventive concept in the claim, and thus the claim is ineligible. 

Claim 9 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Step 1, Statutory Category: Yes, the claim 9 is a method that recites a series of steps and therefore falls in the statutory category of a process.
Step 2A- Prong 1: Judicial Exception Recited: Yes, the claim recites: “aggregating, the notifications for the user; (d) selecting, one or more notifications from the aggregated notifications of the user, at least one of the one or more notifications comprising a notification to the user.” As drafted, the claim as a whole recites a method including steps that could be performed in the human mind, but for the recitation of generic computing components. The human mind can aggregating/merging the notifications/message and selecting/choose one of the notification from the aggregated/merged notifications. For example, a person can easily evaluating/determining/judging to group/merging/aggregating the plurality of messages/notifications into one group and further selecting/choosing one of the notification/message from the aggregated/merged group of notifications. Therefore, but for the recitation of generic computing components, these steps may be a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion). 
Therefore, yes, the claims do recite judicial exceptions.
Step 2A- Prong 2: Integrated into a practical Application: No, this judicial exception is not integrated into a practical application. In particular, the claim recites additional limitations that “receiving, a plurality of notifications for a user; (b) receiving, notifications from other applications of the user, the other applications being different from the virtualized applications” which is insignificant pre-solution data gathering (see MPEP § 2106.05(g)). In addition, “notification service executed by a server”, “an agent”, “a virtual machine”, “virtualized applications and executed remotely from the virtual machine”, “wherein one or more devices used by the user to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application”, “a notification system of a device”, “network” and “wherein at least one of the selected one or more notifications is obtained by the notification service from the virtualized application when the one or more devices are not actively connected to the virtualized application via the session” are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b) and an attempt to generally link the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h))). The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to the abstract idea.
Step 2B: Claim provides an Inventive Concept: No. As discussed with respect to Step 2A prong Two, the additional elements “notification service executed by a server”, “an agent”, “a virtual machine”, “virtualized applications and executed remotely from the virtual machine”, “wherein one or more devices used by the user to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application”, “a notification system of a device”, “network” and “wherein at least one of the selected one or more notifications is obtained by the notification service from the virtualized application when the one or more devices are not actively connected to the virtualized application via the session” (i.e., as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and an attempt to generally link the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h))). In addition, the limitation “receiving, notifications for a user; (b) receiving, notifications from other applications of the user” are insignificant pre-solution data gathering (see MPEP § 2106.05(g)), and “communicating, the selected one or more notifications to the user to cause the device to execute an action within the virtualized application”, which is additionally well understood, routine, conventional activity (see MPEP § 2106.05(d), courts have identified “receiving and transmitting data, storing and retrieving information, et cetera as well understood, routine, conventional) and a generic computing device performing a generic computer function (see MPEP §2106.05(b)) (Further, the limitation of  “to cause the device to execute an action within the virtualized application” which is “causing”, and the claimed does not specifically indicated that the action is actually performed). The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A. These additional elements and combination of the elements does not amount to significant more than the exception itself or provide an inventive concept in Step 2B.

Under the 2019 PEG, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. Here, the receiving steps and communicating step to display the notifications were considered to be extra-solution activity in Step 2A as insignificant pre-solution data gathering, and well understood, routine, conventional activity, thus it is re-evaluated in Step 2B to determine if it is more than what is well understood, routine, conventional activity in the field. The receiving step is for the purpose of “receiving” the data, and wherein the communicating step is for “transmitting” the data and these can be reached on one of court case (Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) see MPEP § 2106.05(d) II). In addition, the communicating step for “displaying” the data/notification can be reached on one of court case (Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) (collection, analysis and display data) see MPEP § 2106.05(g)). Accordingly, a conclusion that the receiving and communicating are well understood, routine, conventional activity is supported under Berkheimer options 2.

For these reasons, there is no inventive concept in the claim, and thus the claim is ineligible. 

Independent claim 14 is rejected for the same reason as claim 1 above. Claim 14 further recites “one or more processor”, “a memory”. These additional elements are directed to generic computer components providing generic computer functions (see MPEP § 2106.05(b)). 

With respect to the dependent claim 2, the claim elaborates that wherein the notification service sorts each user's notifications from the virtual machine with notifications of the user from a cloud based application or a file system. (“sort” the notifications, it is being treated as part of abstract idea and is analogues to Mental processes, such that concept can be performed in the human mind. In addition, the claim as a whole is a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion)).

With respected to the dependent claim 3, the claim elaborates that wherein the notification service communicates the subsets of notifications sorted with the notifications from the plurality of applications to one or more devices of the user. (“communicates notifications” is being treated as a well understood, routine, conventional activity such that this additional element does not integrate the abstract idea into a practical application, such evidence can be found in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) (collection, analysis and display data) see MPEP § 2106.05(g)).

With respected to the dependent claim 4, the claim elaborates that identifying, by the notification service, duplicate notifications for the user received from the one or more virtualized applications or the operating system. (“identifying” the “duplicate” notification, it is being treated as part of abstract idea and is analogues to Mental processes, such that concept can be performed in the human mind. In addition, the claim as a whole is a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion)).

With respected to the dependent claim 5, the claim elaborates that removing, by the notification service, the duplicate notifications from the plurality of notifications for each user of the plurality of users. (“removing” the duplicated notification, it is being treated as part of abstract idea and is analogues to Mental processes, such that concept can be performed in the human mind. In addition, the claim as a whole is a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion)).

With respected to the dependent claim 6, the claim elaborates that generating, by the notification service, the subsets of notifications (“generating” the subsets of notification is being treated as analysis/manipulate the data, it is a well understood, routine, conventional activity such that this additional element does not integrate the abstract idea into a practical application, such evidence can be found in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) see MPEP § 2106.05(g))).

With respected to the dependent claim 7, the claim elaborates that identifying, by the notification service via the agent, an action requested by the one or more virtualized applications or the operating system of the virtual machine, the action corresponding to at least one notification of a subset of notifications from the subset of notifications. (“identifying” the action, as drafted, it is being treated as part of abstract idea and is analogues to Mental processes, such that concept can be performed in the human mind. In addition, the claim as a whole is a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion)).

With respected to the dependent claim 8, the claim elaborates that identifying, by the notification service, at least one user of the plurality of users associated with the virtual machine; and providing, by the notification service, the action to the device associated with the user. (“identifying” is being treated as part of abstract idea and is analogues to Mental processes, such that concept can be performed in the human mind. “providing” the action is a well understood, routine, conventional activity such that this additional element does not integrate the abstract idea into a practical application, such evidence can be found in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) see MPEP § 2106.05(g))). In addition, the claim as a whole is a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion)).

With respected to the dependent claim 10, the claim elaborates that wherein responsive to the one or more notifications, the session of the user is established by the user on the device of the user to connect to the virtualized application. (“establish” virtual session by the device of the user, it is directed to generic computer components providing generic computer functions (see MPEP § 2106.05(b)).

With respected to the dependent claim 11, the claim elaborates that wherein the notifications from the other applications include at least one of a web application notifications, a Software as a service (SaaS) application notifications, or a file notifications. (different “notifications” (i.e., web application notification), it is directed to generic computer components providing generic computer functions (see MPEP § 2106.05(b)).

With respected to the dependent claim 12, the claim elaborates that generating, by the notification service, an alert for the device of the user to indicate an action requested by the one or more virtualized applications or an operating system of the virtual machine. (“generating” the alert by the notification service is being treated as analysis/manipulate the data, it is a well understood, routine, conventional activity such that this additional element does not integrate the abstract idea into a practical application, such evidence can be found in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) see MPEP § 2106.05(g))).

With respected to the dependent claim 13, the claim elaborates that providing, by the notification service, a plurality of alerts to one or more devices of the user, the plurality of alerts corresponding to the selected one or more notifications (“providing” the alert by the notification service is being treated as a well understood, routine, conventional activity such that this additional element does not integrate the abstract idea into a practical application, such evidence can be found in Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) see MPEP § 2106.05(g))).

Dependent claims 15-20 recite the same features as applied to claims 2-7 above, therefore they are also rejected under the same rationale.


Claim Rejections – 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-8 and 14-20 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
As per claims 1 and 14 (line# refers to claim 1):
In line 6, it recites the phrase “the virtualized applications ”. However, prior to this phrase at lines 3-4, it recites “one or more virtualized applications”. Thus, it is unclear whether the second recitation of “the virtualized applications” is the same or different from the first recitation of “one or more virtualized applications”. if they are the same, same term should be used (i.e., the one or more virtualized applications).

As per claims 2-8 and 15-20:
They are method and system claims that depend on claims 1 and 14 respectively above. Therefore, they have same deficiencies as claims 1 and 14 above.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 6, 14-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan et al. (US. Patent. 10,362,046 B1) in view of Sharp et al. (US Pub 2012/0089980 A1) and further in view of Boyd (US. Patent. 6,993,013 B1) and ILIC (US Pub. 2017/0364823 A1).
Srinivasan, Boyd and ILIC were cited in the previous Office Action.

As per claim 1, Srinivasan teaches the invention substantially as claimed including A method comprising: 
(a) establishing, by an agent executed by a virtual machine, one or more hooks to intercept notifications from an operating system of the virtual machine and one or more virtualized applications executed by the virtual machine accessible by a plurality of users; (Srinivasan, Fig. 1, 122 Agent; Figs. 3 and 5, 522 Agent, 520 virtual machine; Col 15, lines 5-23, The agent 522 may be a process or application executed by the virtual machine 520…The agent 522 may execute one or more "hooks" in a kernel of an operating system of the virtual machines 520. For example the agent 522 may execute a hook (as establishing the hook, since the hook is executed and is established/used for intercepting the messages/notification) that intercepts messages generated by the operating system when processes are created or terminated by the operating system or other software executed by the virtual machine 520 (as one or more virtualized applications). The executable code that handles such intercepted function calls, events, or messages may be referred to in the context of the present disclosure as a "hook." Executing a hook by the agent 522 or other entity as described herein covers a range of techniques which may be used to alter or augment the behavior of an operating system, applications, or of other executable code by at least intercepting function calls, messages, or events passed between applications, including the operating system; Col 10, lines 55-58, virtual machine 320 may be provided to the customers…and the customers may utilize the virtual machine 320, lines 63-67, the customer 302 with an interface, such as the user interface described above in connection with FIG. 2, to manage and interact (as accessible) with the security service 310, the agents 322, and/or the virtual machines 320); 
(b) intercepting, by the agent via the one or more hooks, a plurality of notifications for the plurality of users generated by the one or more virtualized applications or the operating system (Srinivasan, Col 15, lines 9-15, The agent 522 may execute one or more "hooks" in a kernel of an operating system of the virtual machines 520. For example the agent 522 may execute a hook that intercepts messages generated by the operating system when processes are created or terminated by the operating system or other software executed by the virtual machine 520; Col 5, lines 21-23, the customer 102 has one or more administrators that receive alerts associated with security information; Col 10, lines 55-58, virtual machine 320 may be provided to the customers (as plurality of users)…and the customers may utilize the virtual machine 320); 
(d) communicating, by the agent via a network, the notifications to a notification service, executed by a server remote from the agent, to identify the notifications with notifications from a plurality of applications used by the plurality of users, the plurality of applications being different from the one or more virtualized applications(Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents, operational information; Fig. 5, 526A network A (including agent 522 and virtual machine 520), 526B network B, (including 520 virtual machine, 522 agent), 510 security service (as notification service, Col 9, lines 55-56, The security service 310, which may be implemented by physical hardware; Col 10, line 3, The physical hardware may include a server computer; as the security service/notification service executed by a server which is remote from the agent, since the agent is executed in VM in different networks (network A and B)); Col 13, lines 49-55, The computing resources (e.g., virtual machines 520) may be placed on the servers according to a rack diversity constraint, where the sets of racks may be localized by different networks 526A-526B. The operational information 504 may include information as described above; the information may be obtained from different agents executed by the servers in the sets of racks (as notifications from plurality of applications used by the plurality of users, the plurality of applications being different from the one or more virtualized applications, since they are come from different networks); Col 15, lines 22-26, intercepting function calls, messages, or events passed between applications, including the operating system. The agent 522 may then generate a stream of additional information corresponding to various hooks executed by the agent 522 and provide the stream to the security service 510 (as communicating, each user’s notification to security service (as notification service)); Col 10, lines 44-48, a server computer 342 may host a first virtual machine…operated by a first customer and may host a second virtual machine instantiated…that is operated by a second customer (as agents within each VM in different networks are used by different customers); Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware), lines 17-19, The security service 510 can then transmit an alarm to the 100 different customers; [Examiner noted: there is different networks, each including different VMs and agents that are used by the plurality of users, the notification/operations information obtained by the agents in different networks are send to the same security service (remote from agents), since the notification/operations are obtained from the different networks, therefore, the plurality of applications (within the network B) being different from the one or more virtualized applications (within the network A)]),
wherein the notification service communicates, via the network to a device of the one or more devices of the user that is remote from the agent and the server, the notifications identified/sorted with the notifications from the plurality of applications to cause the device to execute an action within the virtualized application (Srinivasan, Fig.1, 102, user/customer, 106 network, 122 agent; Fig. 4, 402 user/customer (as device remote from the agent and the server); Col 5, lines 31-38, a message or other alert may be transmitted to the customer 102 or designated administrator indicating security information 146 and/or the mitigation operation performed by the agent 122 and/or result thereof. The notification may be an e-mail, Short Message Service (SMS), pop-up, or other suitable message (as communicates to user, notifications identified; see Col 16 lines 17-20, the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers and update the correlated security model to indicate the IP address is associated with malicious activity; also see Col 6, lines 3-14, the customer 102 may define particular action to take in response to particular security risks or threat levels…cause the agent 122 to perform immediate remedial/mitigation operation. The remedial/mitigation operation may include termination of customer-operated computing resources, updates to applications, updates to the authentication protocol, or other operations to mitigate or eliminate the security threat (as execute an action with the virtualized application to mitigate or eliminate the security threat)).

Srinivasan fails to specifically teach wherein one or more devices used by a user of the plurality of users to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application, when intercepting, while the one or more devices used by the user is not actively connected to the virtualized application, and the plurality of applications being different from the one or more virtualized applications comprising the virtualized application to which the one or more devices of the user is not actively connected.

However, Sharp teaches wherein one or more devices used by a user of the plurality of users to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application, (Sharp, Fig. 1A, 102A-N clients (as users); Fig. 6, 604 receive notification a user session terminated (as not actively connected); Abstract, lines 4-6,  A session monitor of the performance monitoring system is notified that a user session terminated, where the user session accessed a virtual machine; [0096] lines 6-10, a user session 304 can be generated when a user using a client computing device (as one or more devices used by a user) located remote from the computing device 203, requests a virtual desktop or a virtual machine, or requests access to a virtual desktop or a virtual machine; [0063] lines 19-20, the applications executing on a virtual machine); 
when intercepting, while the one or more devices used by the user is not actively connected to the virtualized application and the plurality of applications being different from the one or more virtualized applications comprising the virtualized application to which the one or more devices of the user is not actively connected (Sharp, Fig. 6, 604 receive notification a user session terminated (as not actively connected), 608 record the user session information, 612 record the virtual machine metrics; [0128] lines 1-9, in response to receiving the notification that a user session terminated, then records user session information for the terminated session (Step 608). Recording the user session information can include obtaining the user session information from any one of the following sources: the virtual machine manager 352; the VDI platform 310; the VDI client 320; or from a storage repository on the client computer used by the user of the terminated user session; [0089] lines 14-18, This user information can be tied to a particular user or user session and can be obtained by intercepting information or data generated responsive to a user's actions within the context of the user session; Abstract, lines 4-6, A session monitor of the performance monitoring system is notified that a user session terminated, where the user session accessed a virtual machine).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan with Sharp because Sharp’s teaching of recording/intercepting the information upon terminating the user session (as intercepting while the user is not actively connected to a session) would have provided Srinivasan’s system with the advantage and capability to enable the system to intercepting the information when the user is terminated with the virtual session which allow the system to evaluating the intercepted information for future virtual machine (i.e., resource) allocation in order to improving the system performance and efficiency. 

Srinivasan and Sharp fail to specifically teach (c) sorting, by the agent, the plurality of notifications into subsets of notifications intended for different users of the plurality of users; and communicating the subsets of notifications to the notification service, and sort the subsets of notifications with notifications.

However, Boyd teaches (c) sorting, by the agent, the plurality of notifications into subsets of notifications (Boyd, Fig. 2, 104 soft switch (as agent); Col 6, lines 33-46, Each of the CPs 124, 126 and 128 are coupled to a corresponding protocol message file 130, 132 and 134, respectively…The CPs 124, 126 and 128 are configured to control the transfer of voice and data by endpoints such as the IADs 114-1 and 114-2 when telephone calls are initiated by the telephones coupled to the IADs 114-1 and 114-2. The switch 104 also includes a load balancer (not shown) which monitors the number of exchanges being handled by each one of the CPs 124, 126 and 128 and will direct incoming signaling messages to selected ones of the CPs 124, 126 and 128 (as sorting, the plurality of notifications into subsets of notifications (see Fig. 2, 130 message for 124 CP1 (one subset) and 132 message for 126 CP2 (another subset)), and
communicating the subsets of notifications to the notification service, and sort the subsets of notifications with notifications (Boyd, Fig. 2, 136 Merge CP message Tool, 140 sorted protocol messages file; Col 7, lines 5-12, The first software tool 136 includes a sorting algorithm which enables the tool to sort plural entries based upon a series of comparisons of a parameter, for example, date/time, common to all of the entries, thereby enabling the proactive analysis system 120 to generate the sorted protocol message directory 140 from the contents of the first, second and third protocol message directories 130, 132 and 134 (as including the subsets of notifications)).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan and Sharp with Boyd because Boyd’s teaching of sorting the messages/data (as notification) would have provided Srinivasan and Sharp’s system with the advantage and capability to easily managing the notifications based on their associated parameters which improving the system efficiency.

Srinivasan, Sharp and Boyd fail to specifically teach sorting the plurality of notifications into subsets of notifications intended for different users of the plurality of users.

However, ILIC teaches sorting the plurality of notifications into subsets of notifications intended for different users of the plurality of users (ILIC, [0060] lines 16-26, notification system 320 may receive 100,000 notifications from notification provider 310 directed to a group of users (e.g., 100,000 users assuming all notifications are directed at different users), and based on the notification-type values of the notifications and the characteristic type values of the recipients may determine a subset of 40,000 of the notifications for sending to a corresponding subset of the group of users (e.g., 40,000 users assuming all notifications are directed at different users)).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp and Boyd with ILIC because ILIC’s teaching of generating/determining different subset of notifications which is correspond to the subset of group of users would have provided Srinivasan, Sharp and Boyd’s system with the advantage and capability to easily managing and transmitting the notifications which improving the system performance.


As per claim 2, Srinivasan, Sharp, Boyd and ILIC teach the invention according to claim 1 above. Srinivasan further teaches wherein the notification service identify each user's notifications from the virtual machine with notifications of the user from a cloud based application or a file system (Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents; Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware) [Examiner noted: the security service (as notification service) identifying the malicious activities from all the messages/notifications received from the agents within other VM (as including cloud based application within other VM), see Fig. 4, different agents 422]). In addition, Boyd teaches notifications are sorted (Boyd, Fig. 2, 140 sorted protocol messages file; Col 7, lines 5-12, The first software tool 136 includes a sorting algorithm which enables the tool to sort plural entries based upon a series of comparisons of a parameter, for example, date/time, common to all of the entries, thereby enabling the proactive analysis system 120 to generate the sorted protocol message directory 140 from the contents of the first, second and third protocol message directories 130, 132 and 134).

As per claim 3, Srinivasan, Sharp, Boyd and ILIC teach the invention according to claim 1 above. Srinivasan further teaches wherein the notification service communicates notifications identified from the plurality of applications to one or more devices of the user (Srinivasan, Fig. 1, 102 customer; Fig. 8, 802 user device (see Col 20, line 24, user device 802); Col 16, lines 15-18, the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers). In addition, Boyd teaches the subsets of notifications sorted with the notifications from the plurality of applications (Boyd, Fig. 2, 136 Merge CP message Tool, 140 sorted protocol messages file; Col 7, lines 5-12, The first software tool 136 includes a sorting algorithm which enables the tool to sort plural entries based upon a series of comparisons of a parameter, for example, date/time, common to all of the entries, thereby enabling the proactive analysis system 120 to generate the sorted protocol message directory 140 from the contents of the first, second and third protocol message directories 130, 132 and 134 (as including the subsets of notifications)).

As per claim 6, Srinivasan, Sharp, Boyd and ILIC teach the invention according to claim 1 above. ILIC teaches generating, by the notification service, the subsets of notifications (ILIC, [0060] lines 16-26, notification system 320 may receive 100,000 notifications from notification provider 310 directed to a group of users (e.g., 100,000 users assuming all notifications are directed at different users), and based on the notification-type values of the notifications and the characteristic type values of the recipients may determine a subset of 40,000 of the notifications for sending to a corresponding subset of the group of users (e.g., 40,000 users assuming all notifications are directed at different users)).

As per claim 14, it is a system claim of claim 1 above. Therefore it is rejected for the same reason as claim 1 above. In addition, Srinivasan further teaches the agent having one or more processors coupled to a memory (Srinivasan, Col 2, lines 9-10, agent, executed by customer-operated computing resources; Col 17, lines 19-28,  any other processes described, or variations and/or combinations of those processes) may be performed under the control of one or more computer systems including executable instructions and/or other data, and may be implemented as executable instructions executing collectively on one or more processors. The executable instructions and/or other data may be stored on a non-transitory computer-readable storage medium (e.g., a computer program persistently stored on magnetic, optical, or flash media; Col 22, line 4, memory).

As per claims 15-16 and 19, they are system claims of claims 2-3 and 6 respectively above. Therefore, they are rejected for the same reasons as claims 2-3 and 6 respectively above.


Claims 4-5 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp, Boyd and ILIC, as applied to claims 1 and 14 respectively above, and further in view of Schwartz (US Pub. 2018/0324122 A1).
Schwartz was cited in the previous Office Action.

As per claim 4, Srinivasan, Sharp, Boyd and ILIC teach the invention according to claim 1 above. Srinivasan teaches identifying, by the notification service, notifications for the user received from the one or more virtualized applications or the operating system (Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents; Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware)).

Srinivasan, Sharp, Boyd and ILIC fail to specifically teach identifying duplicate notifications.

However, Schwartz teaches identifying duplicate notifications (Schwartz, claim 5, determining whether the new notification is a duplicate of an existing notification).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp, Boyd and ILIC with Schwartz because Schwartz’s teaching of determining the duplicate notification and removing the duplicated notification would have provided Srinivasan, Sharp, Boyd and ILIC’s system with the advantage and capability to prevent unnecessary transmission for the duplicated notification which improving the system performance and efficiency.

As per claim 5, Srinivasan, Sharp, Boyd, ILIC and Schwartz teach the invention according to claim 4 above. Srinivasan teaches the notification service, identify the notifications from the plurality of notifications for each user of the plurality of users (Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents; Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware)).
In addition, Schwartz further teaches removing the duplicate notifications (Schwartz, claim 5, determining whether the new notification is a duplicate of an existing notification in the notification queue, and if it is determined that the new notification is a duplicate, removing the new notification).

As per claims 17-18, they are system claims of claims 4-5 respectively above. Therefore, they are rejected for the same reasons as claims 4-5 respectively above.


Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp, Boyd and ILIC, as applied to claims 1 and 14 respectively above, and further in view of Staker et al. (US Pub. 2012/0179916 A1).
Staker was cited in the previous Office Action.

As per claim 7, Srinivasan, Sharp, Boyd and ILIC teach the invention according to claim 1 above. Srinivasan further teaches identifying, by the notification service via the agent, the action corresponding to at least one notification of a subset of notifications from the subset of notifications (Srinivasan, Col 5, lines 26-35, The agent 122 may be set to continuously monitor the customer-operated computing resources …When the agent 122 determines to perform a mitigation operation (as action) in response to a security threat detected based at least in part on the security rules 148, a message (as at least one notification of a subset of notifications from the subset of notifications, see Fig. 5, 504 different subsets) or other alert may be transmitted to the customer 102 or designated administrator indicating security information 146 and/or the mitigation operation performed by the agent).

Srinivasan, Sharp, Boyd and ILIC fail to specifically teach the 4837-6893-8135.1Atty Docket No. 099011-4451 (Q18-4_WS_034US)action requested by the one or more virtualized applications or the operating system of the virtual machine.

However, Staker teaches the 4837-6893-8135.1Atty Docket No. 099011-4451 (Q18-4_WS_034US)action requested by the one or more virtualized applications or the operating system of the virtual machine (Staker, [0539] lines 11-14, security operations (as action) requested by applications 5520 of virtual machine 5510 may be transmitted to security module 5570).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp, Boyd and ILIC with Staker because Staker’s teaching of security operations/action requested by the applications running within the virtual machine would have provided Srinivasan, Sharp, Boyd and ILIC’s system with the advantage and capability to improving the system security which providing user-independent security (see Staker [0060], provides for user-independent security, portability, availability).

As per claim 20, it is a system claim of claim 7 above. Therefore, it is rejected for the same reason as claim 7 above.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp, Boyd, ILIC and Staker, as applied to claim 7 above, and further in view of Dintenfass et al. (US Pub. 2018/0324186 A1).
Dintenfass was cited in the previous Office Action.

As per claim 8, Srinivasan, Sharp, Boyd, ILIC and Staker teach the invention according to claim 7 above. Srinivasan teaches identifying, by the notification service, at least one user of the plurality of users associated with the virtual machine (Srinivasan, Col 10, lines 44-48, a server computer 342 may host a first virtual machine…operated by a first customer and may host a second virtual machine instantiated…that is operated by a second customer; Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware), lines 17-19, The security service 510 can then transmit an alarm to the 100 different customers); and providing, by the notification service, the alert to the device associated with the user (Srinivasan, Fig. 1, 102 customer; Fig. 8, 802 user device (see Col 20, line 24, user device 802); Col 16, lines 15-18, the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers).

Srinivasan, Sharp, Boyd, ILIC and Staker fail to specifically teach providing the action to the device associated with the user.

However, Dintenfass teaches providing the action to the device associated with the user (Dintenfass, [0073] lines 2-4, providing the action step to a computing device associated with a second user).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp, Boyd, ILIC and Staker with Dintenfass because Dintenfass’s teaching of providing the action steps to the device associated with user would have provided Srinivasan, Sharp, Boyd, ILIC and Staker’s system with the advantage and capability to allow the user to addressing the events based on the received actions which improving the user experience.

Claims 9 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan et al. (US. Patent. 10,362,046 B1) in view of Sharp et al. (US Pub 2012/0089980 A1) and further in view of Boyd (US. Patent. 6,993,013 B1) 
Srinivasan and Boyd were cited in the previous Office Action.

As per claim 9, Srinivasan teaches the invention substantially as claimed including A method comprising 
(a) receiving, by a notification service executed by a server from an agent executed by a virtual machine, notifications for a user from virtualized applications executed by the virtual machine (Srinivasan, Fig. 1, 102 customer; Fig. 5, 510 security service (as notification service, Col 9, lines 55-56, The security service 310, which may be implemented by physical hardware; Col 10, line 3, The physical hardware may include a server computer; as the security service/notification service executed by a server from the agent, since the agent is executed in VM in different networks (network A and B))), 522 Agent, 520 virtual machine; Col 15, lines 5-15, The agent 522 may be a process or application executed by the virtual machine 520…The agent 522 may execute one or more "hooks" in a kernel of an operating system of the virtual machines 520. For example the agent 522 may execute a hook that intercepts messages generated by the operating system when processes are created or terminated by the operating system or other software executed by the virtual machine 520. Lines 22-26, intercepting function calls, messages, or events passed between applications, including the operating system. The agent 522 may then generate a stream of additional information corresponding to various hooks executed by the agent 522 and provide the stream to the security service 510; Col 10, lines 55-58, virtual machine 320 may be provided to the customers…and the customers may utilize the virtual machine 320. lines 63-67, the customer 302 with an interface, such as the user interface described above in connection with FIG. 2, to manage and interact with the security service 310, the agents 322, and/or the virtual machines 320;
(b) receiving, by the notification service, notifications from other applications of the user, the other applications being different from the virtualized applications and executed remotely from the virtual machine (Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents; Fig. 5, 526A network A (including agent 522 and virtual machine 520), 526B network B, (including 520 virtual machine, 522 agent), 510 security service; Col 13, lines 49-55, The computing resources (e.g., virtual machines 520) may be placed on the servers according to a rack diversity constraint, where the sets of racks may be localized by different networks 526A-526B (as remotely). The operational information 504 may include information as described above; the information may be obtained from different agents executed by the servers in the sets of racks (as other applications being different from the virtualized applications and executed remotely from the virtual machine, since they are come from different networks); Col 15, lines 22-26, intercepting function calls, messages, or events passed between applications, including the operating system. The agent 522 may then generate a stream of additional information corresponding to various hooks executed by the agent 522 and provide the stream to the security service 510 (as communicating, each user’s notification to security service (as notification service)); Col 10, lines 44-48, a server computer 342 may host a first virtual machine…operated by a first customer and may host a second virtual machine instantiated…that is operated by a second customer (as agents within each VM in different networks are used by different customers); Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware), lines 17-19, The security service 510 can then transmit an alarm to the 100 different customers; [Examiner noted: there is different networks, each including different VMs and agents that are used by the plurality of users, the notification/operations information obtained by the agents in different networks are send to the same security service, since the notification/operations are obtained from the different networks, therefore, the other applications (within the network B) being different from the virtualized applications (within the network A)]);
(c) identifying, by the notification service, the notifications for the user from the virtualized applications with the notifications from other applications of the user (Srinivasan, Fig. 4, 410 security service (as notification service), 620 virtual machines, 422 agents; Col 15, lines 56-59, The security service 510 may process information obtained from the agents 522 and/or operational information 504 based at least in part on the set of security rules defined by the customer, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-12, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware) [Examiner noted: the security service (as notification service) identifying the malicious activities from all the messages/notifications received from the agents, see Fig. 5, different agents 522 from different networks]; 
(d) selecting, by the notification service, one or more notifications from the identified notifications of the user, at least one of the one or more notifications comprising a notification to the user from a virtualized application of the virtualized applications (Srinivasan, Col 15, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-20, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware)…the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers [Examiner noted: the malicious activity with the same IP address of the operational information(as notification) is determined/selected from the identified malicious operational information, and then the alarm/notification is send to the corresponding user]; and 
(e) communicating, by the notification service via a network, the selected one or more notifications to a notification system of a device of the user to cause the device to execute an action within the virtualized application (Srinivasan, Fig. 1, 102 customer; Fig. 4, 402 user/customer (as device remote from the agent and the server); Col 5, lines 31-38, a message or other alert may be transmitted to the customer 102 or designated administrator indicating security information 146 and/or the mitigation operation performed by the agent 122 and/or result thereof. The notification may be an e-mail, Short Message Service (SMS), pop-up, or other suitable message (as communicates to user, notifications identified from the plurality of applications; Col 18, lines 54-57, an electronic client device 802, which can include any appropriate device (as notification system of a device of the user) operable to send and/or receive requests, messages, or information over an appropriate network; Col 16 lines 17-20, the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers and update the correlated security model to indicate the IP address is associated with malicious activity; also see Col 6, lines 3-14, the customer 102 may define particular action to take in response to particular security risks or threat levels…cause the agent 122 to perform immediate remedial/mitigation operation. The remedial/mitigation operation may include termination of customer-operated computing resources, updates to applications, updates to the authentication protocol, or other operations to mitigate or eliminate the security threat (as execute an action with the virtualized application to mitigate or eliminate the security threat)).

Srinivasan fails to specifically teach when receiving notifications, wherein one or more devices used by the user to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application; and when communicating, wherein at least one of the selected one or more notifications is obtained by the notification service from the virtualized application when the one or more devices are not actively connected to the virtualized application via the session. 

However, Sharp teaches when receiving notifications, wherein one or more devices used by the user to connect to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application (Sharp, Fig. 1A, 102A-N clients (as users); Fig. 6, 604 receive notification a user session terminated (as not actively connected); Abstract, lines 4-6,  A session monitor of the performance monitoring system is notified that a user session terminated, where the user session accessed a virtual machine; [0096] lines 6-10, a user session 304 can be generated when a user using a client computing device (as one or more devices used by a user) located remote from the computing device 203, requests a virtual desktop or a virtual machine, or requests access to a virtual desktop or a virtual machine; [0063] lines 19-20, the applications executing on a virtual machine); and
when communicating, wherein at least one of the selected one or more notifications is obtained by the notification service from the virtualized application when the one or more devices are not actively connected to the virtualized application via the session (Sharp, Fig. 6, 604 receive notification a user session terminated (as not actively connected), 608 record the user session information, 612 record the virtual machine metrics; [0089] lines 14-18, This user information can be tied to a particular user or user session and can be obtained by intercepting information or data generated responsive to a user's actions within the context of the user session; [0091] lines 4-8, when a user terminates a user session, the user session information and virtual machine metrics generated during that user session can be transmitted (as communicate) to the performance monitoring system 316 (as notifications is obtained by the notification service when the one or more devices are not actively connected)).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan with Sharp because Sharp’s teaching of recording/communicating the information upon terminating the user session would have provided Srinivasan’s system with the advantage and capability to enable the system to intercepting the information when the user is terminated with the virtual session which allow the system to evaluating the intercepted information for future virtual machine (i.e., resource) allocation in order to improving the system performance and efficiency. 

Srinivasan and Sharp fail to specifically teach the received notifications are aggregating/aggregated.

However, Boyd teaches the received notifications are aggregating/aggregated (Boyd, Fig. 2, 136 Merge CP messages Tool; Col 2, lines 49-52, The first software tool merges the signaling messages maintained in the plurality of signaling message files and places the merged signaling messages into a sorted signaling message file).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan and Sharp with Boyd because Boyd’s teaching of merging and sorting the messages/data (as notification) would have provided Srinivasan and Sharp’s system with the advantage and capability to easily managing the notifications based on their associated parameters which improving the system efficiency.

As per claim 13, Srinivasan, Sharp and Boyd teach the invention according to claim 9 above. Srinivasan further teaches providing, by the notification service, a plurality of alerts to one or more devices of the user, the plurality of alerts corresponding to the selected one or more notifications (Srinivasan, Fig. 1, 102 customer; Fig. 8, 802 user device (see Col 20, line 24, user device 802); Col 15, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-20, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware)…the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers).


Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp and Boyd, as applied to claim 9 above, and further in view of Linden et al. (US Pub. 2016/0173540 A1)
Linden was cited in the previous Office Action.


As per claim 10, Srinivasan, Sharp and Boyd teach the invention according to claim 9 above. Srinivasan further teaches the session of the user is established by the user on the device of the user to connect to the virtualized application (Srinivasan, Col 6, lines 3-10, the customer 102 may define particular action to take in response to particular security risks or threat levels. For example, a low security risk issue, such as out of date software, is simply reported in the security information 146, while a high security risk, such as use of a deprecated authentication protocol, would cause the agent 122 to perform immediate remedial/mitigation operation; Col 10, lines 55-58, virtual machine 320 may be provided to the customers…and the customers may utilize the virtual machine 320, lines 63-67, the customer 302 with an interface, such as the user interface described above in connection with FIG. 2, to manage and interact with the security service 310, the agents 322, and/or the virtual machines 320 (as virtual session established, since the customer is defining particular action in response to the notification)).

Srinivasan, Sharp and Boyd fail to specifically teach the session is established in responsive to the one or more notifications.

However, Linden teaches the session is established in responsive to the one or more notifications (Linden, [0063] lines 1-10, the session manager 214 may send a notification to the user when an active activity session is about to become inactive or end. For example, the session manager 214 may detect that an active activity session has been idle for a week (as not actively connected to a session). Before the session manager 214 ends the activity session, the session manager 214 may notify the user regarding whether the user would like to resume (as to establish) the activity session or end the activity session. The notification may be an email, a message (IM or text), a popup window on the client device, etc.,)).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp and Boyd with Linden because Linden’s teaching of sending the notifications to the user device when the user device is not actively connected and causing the re-establish the session in response to the notifications would have provided Srinivasan, Sharp and Boyd’s system with the advantage and capability to allow the system to determine whether the user is intended to maintain the session or not maintain the session which improving the user experience and resource utilization efficiency.


Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp and Boyd, as applied to claim 9 above, and further in view of TRAN et al. (US Pub. 2020/0327202 A1).
TRAN was cited in the previous Office Action.

As per claim 11, Srinivasan, Sharp and Boyd teach the invention according to claim 9 above. Srinivasan, Sharp and Boyd fail to specifically teach wherein the notifications from the other applications include at least one of a web application notifications, a Software as a service (SaaS) application notifications, or a file notifications.

However, TRAN teaches wherein the notifications from the other applications include at least one of a web application notifications, a Software as a service (SaaS) application notifications, or a file notifications (TRAN, [0020] lines 9-13, provide safety event notifications including but not be limited to e-mail, short message service (SMS), mobile application notification, web application notification, notifications on an interface dashboard of the cloud platform, etc.).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp and Boyd with TRAN because TRAN’s teaching of different applications’ notification would have provided Srinivasan, Sharp and Boyd’s system with the advantage and capability to allow the system to address different situations based on received notifications which improving the system security.


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, Sharp and Boyd, as applied to claim 9 above, and further in view of Staker et al. (US Pub. 2012/0179916 A1).
Staker was cited in the previous Office Action.

As per claim 12, Srinivasan, Sharp and Boyd teach the invention according to claim 9 above. Srinivasan further teaches generating, by the notification service, an alert for the device of the user to indicate notification (Srinivasan, Col 15, lines 60-62, the security service 510 may identify malicious activity indicated in operational information 504 at various levels from various sources; Col 16, lines 9-20, This information may be correlated by the security service 510 to determine a subset of the IP address associated with malicious activity (e.g., the binaries executed by the virtual machines 520 match known malware)…the security service 510 observes the same IP address attempting to connect to 100 different customer virtual machines. The security service 510 can then transmit an alarm to the 100 different customers; Fig. 8, 802 user device (see Col 20, line 24, user device 802)).

Srinivasan, Sharp and Boyd fail to specifically teach the generated alert also including an action requested by the one or more virtualized applications or an operating system of the virtual machine.

However, Staker teaches the 4837-6893-8135.1Atty Docket No. 099011-4451 (Q18-4_WS_034US)action requested by the one or more virtualized applications or an operating system of the virtual machine (Staker, [0539] lines 11-14, security operations (as action) requested by applications 5520 of virtual machine 5510 may be transmitted to security module 5570).

It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to have combined the teaching of Srinivasan, Sharp and Boyd with Staker because Staker’s teaching of security operations/action requested by the applications running within the virtual machine would have provided Srinivasan, Sharp and Boyd’s system with the advantage and capability to improving the system security which providing user-independent security (see Staker [0060], provides for user-independent security, portability, availability).


Response to Arguments  
The Amendment filed on 07/20/2022 has been entered. Applicant’s amendment has overcome the previous rejections under 35 U.S.C § 112(b). However, new 112(b) rejection has been made in response to the Applicant’s amendment.

Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

In the remark applicant’s argue in substance: 
(a), The claims cannot be classified as a mathematical concept, a method of organizing human activity, or a mental process… claims also cannot be regarded as a mental process…Indeed, the claims recite an agent executed by a virtual machine that establishes hooks to intercept notifications from an operating system of the virtual machine that executes virtualized applications when a device of the user is not actively connected to one of the virtualized applications, where the agent sorts the different notification into subsets of notifications intended for different users, and then communicates the sorted subsets of notifications to a notification service to then further sort the subset of notifications together with a plurality of applications used by the different users, which provides the notifications to cause the device to execute an action within the virtualized application…the technical solution is to provide an agent on a virtual machine that communicates with a notification service in order to sort notifications from virtualized applications and other applications to provide to a user device when the user device is not actively connected to the virtual session or not actively connected to the virtualized application in the virtual session. (Specification, paragraph [0033].) As such, the claimed technology cannot be regarded as a mental process. (Remarks Pages 8-9)

(b), The claims are directed to a practical application of a judicial exception because they are directed to an improving the functioning of virtualized applications and other applications accessed or used by user devices. For example, a user can interact with one or more virtualized applications through a virtual session. (Specification, paragraph [0033].) If the user is not actively connected to the virtual session or the virtualized application in the virtual session, the notifications may not be provided to the user, thereby causing the user to have to re- access or re-open the virtual session or virtualized application just to determine or identify any new notifications. Id. Thus, this technical solution can provide a new notification service that can provide notifications for virtualized applications to the user whether or not the user is actively connected to the virtual session or the virtualized application, and cause the user to execute an action within the virtualized application. (Specification, paragraph [0034].) To do so, this technical solution provides an agent running in the virtual session that is configured to hook notifications from virtualized applications, sort the notifications into subsets of notifications intended for different users, and then provide the subsets to a notification service that can aggregate the subsets of notifications with notifications from other applications used by the different users before providing the corresponding notifications to the different users. (Remarks Pages 9-10)

Examiner respectfully disagreed with Applicant’s argument for the following reasons:
As to point (a), Examiner would like to point out that the claimed invention recites a method including steps that could be performed in the human mind, but for the recitation of generic computing components. The human mind can aggregating/merging/sorting the notifications/message and selecting/choose one of the notification from the aggregated/merged/sorted notifications (as cited in claims 1 and 9). For example, a person can easily evaluating/determining/judging to group/merging/aggregating/sorting the plurality of messages/notifications into one group and further selecting/choosing one of the notification/message from the aggregated/merged group of notifications. Therefore, but for the recitation of generic computing components, these steps may be a Mental Processes that can be performed in the human mind (including an observation, evaluation, judgment, opinion).
In addition, Applicant is arguing a “claims also cannot be regarded as a mental process” inquiry while discusses the claimed additional elements/limitations. Examiner would like to point out that additional limitations/elements are recited at Step 2A Prong 1 (established whether a judicial exception is recited), Examiner addresses the inquiry with regard to Integration into Practical Application at Step 2A Prong 2. (please see 101 rejection above).
Further, Applicant is arguing that “when a device of the user is not actively connected to one of the virtualized applications…which provides the notifications to cause the device to execute an action within the virtualized application…provide to a user device when the user device is not actively connected to the virtual session or not actively connected to the virtualized application in the virtual session. (Specification, paragraph [0033].) As such, the claimed technology cannot be regarded as a mental process”.
Examiner respectfully disagreed. Again, Examiner addresses the inquiry with regard to Integration into Practical Application at Step 2A Prong 2. For example, “one or more devices used by a user of the plurality of users to connected to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application” as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b). And the limitation of “cause the device to execute an action within the virtualized application” which is “causing”, the claimed limitation does not specifically indicated that the action is actually performed”.  In fact, the claim only recited that the notification is “communicated” which will lead/cause the device to execute an action. And this “communication” step is for “transmitting” the data and these can be reached on one of court case (Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) see MPEP § 2106.05(d) II). (also see( Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) (collection, analysis and display data) see MPEP § 2106.05(g)). Accordingly, a conclusion that the receiving and communicating are well understood, routine, conventional activity is supported under Berkheimer options 2.

As to point (b), Applicant attempts to allege an integration into practical application by relying upon specification (as indicated in Remarks pages 9-10), “a user can interact with one or more virtualized applications through a virtual session. If the user is not actively connected to the virtual session or the virtualized application in the virtual session, the notifications may not be provided to the user, thereby causing the user to have to re- access or re-open the virtual session or virtualized application just to determine or identify any new notifications. Id. Thus, this technical solution can provide a new notification service that can provide notifications for virtualized applications to the user whether or not the user is actively connected to the virtual session or the virtualized application, and cause the user to execute an action within the virtualized application. To do so, this technical solution provides an agent running in the virtual session that is configured to hook notifications from virtualized applications, sort the notifications into subsets of notifications intended for different users, and then provide the subsets to a notification service that can aggregate the subsets of notifications with notifications from other applications used by the different users before providing the corresponding notifications to the different users”. (Specification, paragraph [0033]-[0034]).
To demonstrate that the recited judicial exceptions have been integrated into practical application, one would need to demonstrate that the additional elements beyond the judicial exception impose meaningful limitation, however, in the instant application the additional elements do not. 
The claim recites additional limitations that “establishing, one or more hooks to intercept notifications; (b) intercepting, via the one or more hooks, a plurality of notifications for a plurality of users”. According to the specification [0039], “The hooks 290 can include a connection or session to the virtualized application 204 and/or operating system 206”. The steps of “establishing…hooks” and “intercepting…notifications” are just establishing the connections in order to intercept/receive the messages/notifications, which is insignificant pre-solution data gathering (see MPEP § 2106.05(g)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b) and an attempt to generally link the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05(h))). 
In addition, “an agent”, “hooks”, “a virtual machine”, “an operating system”, “one or more virtualized applications”, “one or more devices used by a user of the plurality of users to connected to a session of a virtualized application of the virtualized applications is not actively connected to the virtualized application”, “network”, “notification service executed by a server remote from the agent”, “a plurality of applications” and “a device of the one or more devices of the user” are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer function, see MPEP §2106.05(b)) and Applying the judicial exception with, or by use of, a particular machine MPEP 2106.05(b). The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to the abstract idea.
Moreover, the limitation “establishing, one or more hooks to intercept notifications; (b) intercepting, via the one or more hooks, a plurality of notifications for a plurality of users” are insignificant pre-solution data gathering (see MPEP § 2106.05(g)), and “(d) communicating, by the agent via a network, the plurality of subsets of notifications to a notification service” and “wherein the notification service communicates, via the network to a device of the one or more devices of the user that is remote from the agent and the server, the subsets of notifications sorted with the notifications from the plurality of applications to cause the device to execute an action within the virtualized application”, which is additionally well understood, routine, conventional activity (see MPEP § 2106.05(d), courts have identified “receiving and transmitting data, storing and retrieving information, et cetera as well understood, routine, conventional) and a generic computing device performing a generic computer function (see MPEP §2106.05(b)). And this can be reached on court cases: Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) see MPEP § 2106.05(d) II) and Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016) (collection, analysis and display data) see MPEP § 2106.05(g)). Further, the limitation of “to cause the device to execute an action within the virtualized application” which is “causing”, the claimed does not specifically indicated that the action is actually performed). 
Therefore, the claimed invention is not integration into a practical application. Under the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) Prong Two, 2A. Please refer to the rejection under 35 U.S.C. 101 above.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUJIA XU whose telephone number is (571)272-0954. The examiner can normally be reached M-F 9:00-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571) 272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MENG AI T AN/Supervisory Patent Examiner, Art Unit 2195                                                                                                                                                                                                        

/Z.X./Examiner, Art Unit 2195