Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/24/2022 has been entered.
Claims Status
2.	Claims 1, 4, 11, 16, and 19-20 have currently been amended. Claims 3, 5, 9, and 18 have been cancelled. Newly added claims 21-24 have been entered.
Claims Objections
3.	Claim 4 is objected to because of the following informalities:  
Claim 4 is currently dependent upon cancelled claim 3.  Appropriate correction is required.
Response to Arguments
4.	The applicant’s arguments filed on 10/24/2022 have been taken into consideration, but are moot in view of new grounds of rejection.
In response to the applicant’s argument (disclosed on pg. 2-6 of the remarks segment) that previously cited reference Kwang does not teach or suggest determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols and correlating authentication packets via the different authentication protocols:
In light of the newly amended claim language, prior art reference Mentze et al (WO 2015/174968) has been cited, which discloses (as disclosed in par [0017], lines 1-2 of Mentze et al) determining an authentication mechanism chosen for a client based on traffic transmitted from the client and storing policies for the different authorization types (e.g., determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols) and (as disclosed in claim 6, lines 4-5 of Mentze et al) choosing authentication for a host device based on the determined traffic type transmitted from the host (e.g., correlating authentication packets via the different authentication protocols).


Claim Rejections – 35 USC 103  
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office Action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 1-2, 4, 6-8, 10-17, and 19-24 are rejected under 35 USC 103 as being unpatentable over Iyer et al (US 2016/0306965) in view of Kwang (US 2009/0132579), further in view of Mentze et al (WO 2015/174968).
Regarding claim 1, Iyer et al teaches a method for determining presence of a user on a network (par [0030], lines 6-7, par [0103], lines 5-7 & par [0104], lines 1-6, which disclose determining the physical presence of an entity, such as a user, at a network location), comprising:
collecting traffic to a network from a device of a user (par [0047], lines 13-15, which discloses collecting metrics corresponding to private network traffic);
determining, over a period of time, network login and logoff of a user of the device from the collected traffic (par [0097], lines 1-5 & par [0188], lines 13-17, which disclose storing access control information-related login/logout event data corresponding to various time stamps in which login event data has been gathered);
identifying a type of login for each login in the network login and logoff information (par [0097], lines 9-12 & par [0188], lines 13-17, which discloses determining login event types corresponding to the gathered login & logout event data);
determining a plurality of network sessions from the network login and logoff information (par [0098], lines 1-5 & par [0188], lines 13-17, which disclose determining a plurality of login/logout events);
determining, from the network login and logoff information, a location of the user associated with each of the plurality of network sessions (par [0100], lines 1-7 & par [0188], lines 13-17, which disclose determining user location associated with each login/logout event); 
generating a timetable specific to the user that indicates the plurality of network sessions (par [0078], which discloses a statistical baseline displaying time of activity corresponding to network access and login events), wherein, for each of the plurality of network sessions, the timetable identifies the corresponding time period (par [0078], which discloses the statistical baseline including time of activity of each event), the location of the user (par [0078], which discloses the statistical baseline including entity location); and utilizing each of the time period, the location of the user (par [0104], lines 1-5, which discloses access events corresponding to the physical presence of an entity), and the type of login of the timetable (fig. 4, ‘442, ‘463 and par [0097-0098], which discloses the login event types being collected by the statistical analysis component storing the baseline module) to determine that the user of the device was present at a particular location at a particular time (fig. 4, ‘442 ‘465 & par [0104], lines 1-10, which discloses the physical presence of an entity being collected by the statistical analysis component storing the baseline module).
Iyer et al does not explicitly teach the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device and the timetable identifying whether the user was active or not active and the type of login for each login.
However, Kwang teaches the specified limitations, including the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device (par [0128], lines 2-7, which discloses calculating time periods for each user session using the login and logout times for each session); and the timetable identifying whether the user was active or not active and the type of login for each login (par [0141], lines 1-6, which discloses calculating active and inactive time periods for each user).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al, as doing so would provide the predictive result of improving upon collecting client network metrics when implementing the audit agent (as disclosed in par [0021-29] & fig. 2-10 of Kwang) for reducing system utilization associated with needing a plurality of queries to determine network user login and location status.
Iyer et al and Kwang do not explicitly teach determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols and correlating authentication packets via the different authentication protocols.
However, Mentze et al further teaches determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols (par [0017], lines 1-2, which discloses determining an authentication mechanism chosen for a client based on traffic transmitted from the client and par [0036], lines 1-2, which discloses storing policies for the different authorization types) and correlating authentication packets via the different authentication protocols (claim 6, lines 4-5, which discloses choosing authentication for a host device based on the determined traffic type transmitted from the host).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the teachings of Mentze et al within the client activity monitoring systems of Iyer et al and Kwang et al, as one would be motivated to incorporate network access control for updated authentication protocols without requiring software updates or changes (as disclosed in par [0016] of Mentze et al), which would allow Iyer et al and Kwang et al to authenticate requesting users of a plurality of authentication types without reducing network optimization required by performing software upgrades when a user or client represents an authentication protocol that wasn’t previously compatible with the authentication network.
Regarding claim 2, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches wherein collecting traffic to the network is performed in an on-premises environment (par [0104], lines 7-8, “physical location of an entity”) and comprises collecting tunneled traffic (par [0188], lines 7-8, “network traffic volume”).
Regarding claim 4, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches determining the likelihood that the user logged into the device at one location in view of receiving login information that the user logged into the device at another location (par [0100], lines 5-15, which discloses determining the possibility of the user logging in one location also logging into another location during a short duration of time).
Regarding claim 6, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches identifying when the user is actively on the network upon authenticating each login of the network login information utilizing an authentication protocol (par [0104], lines 1-15, which discloses the physical presence of an entity upon login using various authentication protocols).
Regarding claim 7, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches wherein utilizing an authentication protocol comprises utilizing at least one of an authentication protocol selected from the group consisting of:
NT LAN Manager (NTLM); Kerberos; Lightweight Directory Access Protocol (LDAP) (par [0097], lines 6-7, which discloses login authentication protocol including LDAP); and Network Time Protocol (NTP).
Regarding claim 8, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches determining if each login is a remote login (par [0098], lines 1-5, “remote login events”), an interactive login or a login associated with a service upon authenticating each login of the login information utilizing an authentication protocol (par [0097], “authentication protocols”).
Regarding claim 10, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches identifying when the user is not actively on the network by utilizing an authentication protocol (par [0097-0098], which discloses using several authentication protocols to determine user presence and activity).
Regarding claim 11, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al teaches identifying types of logins in the network login information to determine whether the user is actively on the network (par [0097-0098] & par [0104], which disclose determining physical presence of entities logged in using various login and authentication types).
Regarding claim 12, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches wherein determining the network login information comprises determining at least one login that is other than an interactive login requiring the user to enter credentials (par [0098], lines 1-5, which discloses determining if the user has logged in via a VPN/remote login or a local login) and, as a result, determining that the user is not actively on the network (par [0100], lines 14-17, which discloses determining that a user is not likely to be located at a claimed location).
Regarding claim 13, Iyer et al does not explicitly teach wherein the period of time corresponds with multiple days.
However, Kwang further teaches wherein the period of time corresponds with multiple days (par [0126], lines 5-10, which discloses monitoring data regarding user login sessions using weekly or monthly totals).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al, as doing so would provide the predictive result previously addressed regarding claim 1.
Regarding claim 14, Iyer et al does not explicitly teach wherein the period of time corresponds with multiple days.
However, Kwang further teaches wherein determining a plurality of network sessions comprises determining a plurality of network sessions over multiple days (par [0128], which discloses monitoring data regarding several user login sessions over a determined period of time).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al, as doing so would provide the predictive result previously addressed regarding claim 1.
Regarding claim 15, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches utilizing the timetable to determine that the user of the device was present at another particular location at another particular time (par [0100], lines 8-14, which discloses determining that an entity is impossible to be located at a claimed location).
Regarding claim 16, Iyer et al teaches a system to detect presence of a user in an enterprise network (par [0103], lines 5-7 & par [0104], lines 1-6, which disclose determining the physical presence of an entity at a network location), the system comprising:
a gateway accepting communications from the devices accessing the enterprise network (par [0188], line 20); a domain controller, in communication with the gateway, authenticating devices seeking to access the enterprise network (par [0097], “authentication client”);
a monitor, in communication with the domain controller, aggregating connection information from the devices accessing the network and collecting traffic to the enterprise network from the devices (fig. ‘400, which discloses an entity activity monitoring component); and wherein to detect presence the monitor is operable to:
determine, over a period of time, network login and logoff information of the user of the device from the portion of the collected traffic (par [0097], lines 1-5 & par [0188], lines 13-14, which disclose storing login/logout event data corresponding to different time stamps);
identify a type of login for each login in the network login and logoff information (par [0097], lines 9-12, which discloses determining login event types);
determine a plurality of network sessions from the network login and logoff information (par [0098], lines 1-5, which discloses determining a plurality of login events);
determine, from the network login and logoff information, a location of the user associated with each of the plurality of network sessions (par [0100], lines 1-7, which discloses determining user location associated with each login event); 
generate a timetable specific to the user that indicates the plurality of network sessions (par [0078], which discloses a statistical baseline displaying time of activity corresponding to network access and login events), wherein, for each of the plurality of network sessions, the timetable identifies the corresponding time period (par [0078], which discloses the statistical baseline including time of activity of each event), the location of the user (par [0078], which discloses the statistical baseline including entity location); and 
utilize each of the time period (par [0084], lines 21-25, which discloses event data collected during a particular time series or interval), the location of the user (par [0104], lines 1-5, which discloses access events corresponding to the physical presence of an entity), and the type of login of the timetable (fig. 4, ‘442, ‘463 and par [0097-0098], which discloses the login event types being collected by the statistical analysis component storing the baseline module) to determine that the user of the device was present at a particular location at a particular time (fig. 4, ‘442 ‘465 & par [0104], lines 1-10, which discloses the physical presence of an entity being collected by the statistical analysis component storing the baseline module).
Iyer et al does not explicitly teach the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device and the timetable identifying whether the user was active or not active and the type of login for each login.
However, Kwang further teaches the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device (par [0128], lines 2-7, which discloses calculating time periods for each user session using the login and logout times for each session); and the timetable identifying whether the user was active or not active and the type of login for each login (par [0141], lines 1-6, which discloses calculating active and inactive time periods for each user).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al, as doing so would provide the predictive result of improving upon collecting client network metrics when implementing the audit agent (as disclosed in par [0021-29] & fig. 2-10 of Kwang) for reducing system utilization associated with needing a plurality of queries to determine network user login and location status.
Iyer et al and Kwang do not explicitly teach determining that the collected traffic came from the device of the user based on the domain controller authenticating the portion of the collected traffic via different authentication protocols and correlating authentication packets via the different authentication protocols.
However, Mentze et al further teaches determining that the collected traffic came from the device of the user based on the domain controller authenticating the portion of the collected traffic via different authentication protocols (fig. 1, ‘210 & par [0003-0004], which disclose a network controller for performing network access control, par [0017], lines 1-2, which discloses determining an authentication mechanism chosen for a client based on traffic transmitted from the client and par [0036], lines 1-2, which discloses storing policies for the different authorization types) and correlating authentication packets via the different authentication protocols (claim 6, lines 4-5, which discloses choosing authentication for a host device based on the determined traffic type transmitted from the host).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the teachings of Mentze et al within the client activity monitoring systems of Iyer et al and Kwang et al, as one would be motivated to incorporate network access control for updated authentication protocols without requiring software updates or changes (as disclosed in par [0016] of Mentze et al), which would allow Iyer et al and Kwang et al to authenticate requesting users of a plurality of authentication types without reducing network optimization required by performing software upgrades when a user or client represents an authentication protocol that wasn’t previously compatible with the authentication network.
Regarding claim 17, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 16.
Iyer et al further teaches identifying when the user is actively on the network upon authenticating each login of the network login information utilizing an authentication protocol (par [0104], lines 1-15, which discloses the physical presence of an entity upon login using various authentication protocols).
Regarding claim 19, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 16.
Iyer et al further teaches identifying types of logins in the network login information to determine whether the user is actively on the network (par [0097-0098] & par [0104], which disclose determining physical presence of entities logged in using various login and authentication types).
Regarding claim 20, Iyer et al teaches a hardware-implemented computer-readable storage medium (par [0108], lines 16-17) including instructions for detecting presence of a user (par [0104], lines 1-5, which discloses determining the physical presence of an entity), which when executed by a processor are operable to:
passively collect traffic to a network from a device (par [0047], lines 19-24, which discloses extracting VPN traffic that matches a triggering condition);
determine, over a period of time, network login and logoff information of a user of the device from the collected traffic (par [0097], lines 1-5 & par [0188], lines 13-14, which disclose storing login/logout event data corresponding to different time stamps);
identify when the user is actively on the network upon authenticating each login of the login information utilizing an authentication protocol (par [0191], lines 7-12 and claim 8, which disclose determining user activity upon successful authentication);
identifying a type of login for each login in the network login and logoff information (par [0097], lines 9-12, which discloses determining login event types);
determine a plurality of network sessions from the network login and logoff information of the user device (par [0098], lines 1-5, which discloses determining a plurality of login events);
determine, from the network login and logoff information, a location of the user associated with each of the plurality of network sessions (par [0100], lines 1-7, which discloses determining user location associated with each login event); 
generate a timetable specific to the user that indicates the plurality of network sessions (par [0078], which discloses a statistical baseline displaying time of activity corresponding to network access and login events), wherein, for each of the plurality of network sessions, the timetable identifies the corresponding time period (par [0078], which discloses the statistical baseline including time of activity of each event), the location of the user (par [0078], which discloses the statistical baseline including entity location); and 
utilize each of the time period (par [0084], lines 21-25, which discloses event data collected during a particular time series or interval), the location of the user (par [0104], lines 1-5, which discloses access events corresponding to the physical presence of an entity), and the type of login of the timetable (fig. 4, ‘442, ‘463 and par [0097-0098], which discloses the login event types being collected by the statistical analysis component storing the baseline module) to determine that the user of the device was present at a particular location at a particular time (fig. 4, ‘442 ‘465 & par [0104], lines 1-10, which discloses the physical presence of an entity being collected by the statistical analysis component storing the baseline module).
Iyer et al does not explicitly teach the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device and the timetable identifying whether the user was active or not active and the type of login for each login.
Kwang further teaches the specified limitations, including the plurality of network sessions corresponding to time periods between a respective network login and a respective network logoff of the user of the device (par [0128], lines 2-7, which discloses calculating time periods for each user session using the login and logout times for each session); and the timetable identifying whether the user was active or not active and the type of login for each login (par [0141], lines 1-6, which discloses calculating active and inactive time periods for each user).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al, as doing so would provide the predictive result of improving upon collecting client network metrics when implementing the audit agent (as disclosed in par [0021-29] & fig. 2-10 of Kwang) for reducing system utilization associated with needing a plurality of queries to determine network user login and location status.
Iyer et al and Kwang do not explicitly teach determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols and correlating authentication packets via the different authentication protocols.
However, Mentze et al further teaches determining that the collected traffic came from the device of the user by authenticating the collected traffic via different authentication protocols (par [0017], lines 1-2, which discloses determining an authentication mechanism chosen for a client based on traffic transmitted from the client and par [0036], lines 1-2, which discloses storing policies for the different authorization types) and correlating authentication packets via the different authentication protocols (claim 6, lines 4-5, which discloses choosing authentication for a host device based on the determined traffic type transmitted from the host).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the teachings of Mentze et al within the client activity monitoring systems of Iyer et al and Kwang et al, as one would be motivated to incorporate network access control for updated authentication protocols without requiring software updates or changes (as disclosed in par [0016] of Mentze et al), which would allow Iyer et al and Kwang et al to authenticate requesting users of a plurality of authentication types without reducing network optimization required by performing software upgrades when a user or client represents an authentication protocol that wasn’t previously compatible with the authentication network.
Regarding claim 21, Iyer et al, Kwang, and Mentze et al teach the limitations of claim 1.
Iyer et al further teaches identifying when the user is actively on the network by authenticating each login in the network login and logoff information (par [0097-0098]) utilizing an authentication protocol that is included among the different authentication protocols that are used to determine that the collected traffic came from the device of the user (par [0097], “LDAP, RAS,….”).

Regarding claim 22, Iyer et al does not explicitly teach wherein, for each of the plurality of network sessions, the identified type of login being an automatic login or a login occurring as a result of a service indicates that the user was not active.
However, Kwang teaches wherein, for each of the plurality of network sessions, the identified type of login being an automatic login or a login occurring as a result of a service indicates that the user was not active (claims 13-15, “login and logout timestamps…..period of inactivity”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al according to the motivation previously addressed regarding claim 1.

Regarding claim 23, Iyer et al does not explicitly teach wherein, for each of the plurality of network sessions, whether the user was active or not active depends on whether the user was required to enter a credential.
However, Kwang teaches wherein, for each of the plurality of network sessions, whether the user was active or not active depends on whether the user was required to enter a credential (fig. 9 & par [0073], which disclose an active user session by using a session GUID to identify each user session and determining if a specific user session is not active by searching a GUID & par [0087], lines 1-4, “prompt for user name and password”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al according to the motivation previously addressed regarding claim 16.

Regarding claim 24, Iyer et al does not explicitly teach determine a login that corresponds to a session and that is not an interactive login, which requires the user to enter a credential; and as a result of the login not being an interactive login, determine that the user is not actively on the network during the session.
However, Kwang teaches determine a login that corresponds to a session and that is not an interactive login, which requires the user to enter a credential (par [0087], lines 1-4, “prompt the user name and password”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the user session metric collecting embodiment of Kwang within the network user activity monitoring system of Iyer et al according to the motivation previously addressed regarding claim 16.
Iyer et al and Kwang do not explicitly teach as a result of the login not being an interactive login, determine that the user is not actively on the network during the session.
However, Mentze et al further teaches as a result of the login not being an interactive login, determine that the user is not actively on the network during the session (par [0002], lines 1-3, “visibility of active network users”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the teachings of Mentze et al within the client activity monitoring systems of Iyer et al and Kwang et al according to the motivation previously addressed regarding claim 16.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RANDY A SCOTT/Primary Examiner, Art Unit 2439 20221031