Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are presented for examination.
IDS filed on 4/29/26 is considered.
The New Grounds of Rejection
Applicant’s amendment and argument with respect to claims 1-20 filed on 4/29/26 have been fully considered but they are deemed to be moot in views of the new grounds of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 7-20 are rejected under 35 U.S.C. 103 as being unpatentable over Maurer et al. US Patent Publication Number 2018/0013750, hereinafter Maurer, in view of Callanan et al., US Patent Publication Number 2010/0324964, hereinafter Callanan.
Referring to claim 1, Maurer discloses a system (figures 1, 2, 4, system 200) comprising:
a remote access session monitoring unit (figure 1, 2 and 4, user space security process 202/network interface 180) that is configured to receive user activity data recorded in relation to a remote access session established by a particular user for performing a particular activity ([0020][[0024], user activities accessing applications/services are recorded and logged, and wherein user accessing applications/services is viewed as established remote access session; also see figure 4, step 402), the remote access session being established, through a user device, to remotely access an operational technology (OT) network at an organizational site for performing the particular activity ([0016] [0037], Maurer discloses an typical operational technology network at an organizational site for performing typical network service/activity), wherein the user activity data is indicative of actions executed at the user device during the remote access session [0016][0017][[0020][0024], user accessing services is user activity data is indicative of actions executed at the user device during the remote access session), the remote access session monitoring unit comprising:
a processing engine (processor 102/104) implementing an activity monitoring model to process the user activity data to ascertain occurrence of an unfamiliar activity event during the remote access session ([0020], the user space security process 202 can perform various actions 214, including monitoring unusual user activity; also see figure 4, step 406) wherein the unfamiliar activity event has no association to the particular activity ([0020], comparing the access with permission records 210 to determine if the file access request is normal); and
an OT security engine to initiate one or more preventive actions upon ascertaining occurrence of the unfamiliar activity event during the remote access session ([0026][0027][0029], figure 4, steps 406-412, action is blocked and access is denied if activity is not listed on the permission record).
Maurer does not explicitly teach wherein the actions executed at the user device comprise at least one of movement of a mouse locally on the user device, keystrokes pressed on a keyboard of the user device, and transfer of files between the user device and the OT network.
Callanan teach a work activity monitor 101 detects activity which comprises monitoring applications for file accesses, network accesses, mouse movements, keystrokes, etc. ([0014]).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the monitoring of file accesses, network accesses, mouse movements, keystrokes of Callanan as part of the user activity monitoring of Maurer, because Maurer discloses monitoring unusual user activity ([0020]), and Callanan discloses the user activity could include file accesses, network accesses, mouse movements, keystrokes, etc.(0014)).
A person with ordinary skill in the art would have been motivated to make the modification to Maurer, because user activities such as file accesses, network accesses, mouse movements, keystrokes as suggested by Callanan to enhance security by preventing data breaches and allows organizations to detect insider threats, such as unauthorized file downloads.
Referring to claim 2, Maurer in view of Callanan discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to: obtain historical ideal user activity data ([0024][0025], the user space security process can record normal operations. This can include identifying which files and directories an application typically accesses, such as a web server accessing files in the website directory. Additionally, the user space security process can identify which applications a service or user may routinely access, and characterize and map permissions records based on the observed normal activity), wherein the historical ideal user activity data is indicative of different ideal user actions for performing the particular activity ([0020][0029], the user space security process is able to identify different user activity by monitoring and compare the activity with the recorded historical activities); and analyze the historical ideal user activity data to obtain the activity monitoring model ([0020],[0025]-[0029], activity monitoring model for abnormal activity determination).
Referring to claim 3, Maurer in view of Callanan discloses the system of claim 1, wherein the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session ([0016][0024][0029], Maurer discloses information handling systems that monitors network user activities and provide network securities which are evident to show the user the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session).
Referring to claim 4, Maurer in view of Callanan discloses the system of claim 3, wherein the one or more preventive actions include at least one of: transmitting, to a remote access server, a session termination signal (block/deny) to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and generating an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the unfamiliar activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity).
Referring to claim 7, Maurer in view of Callanan discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to: obtain pre-defined malicious user activity data, wherein the pre-defined malicious user activity data is indicative of different malicious user actions performable during the remote access session; and analyze the pre-defined malicious user activity data to obtain a malicious activity detection model ([0016][0017][0020], figure 4, steps 402-412, log 212 recorded pre-define abnormal user activities which include the malicious activities recited in [0016], and the malicious activity detection model is obtained to server the process in figure 4).
Referring to claim 8, Maurer in view of Callanan discloses the system of claim 7, wherein the processing engine is to: analyze, utilizing the malicious activity detection model, the user activity data to ascertain occurrence of a malicious activity event during the remote access session, wherein the malicious activity event includes occurrence of at least one of the malicious user actions during the remote access session ([0020], The user space security process 202 can maintain logs 212 of any abnormal file access., monitoring unusual user activity; [0016], where the malicious activities includes the example of authorized users can be tricked into revealing access codes or running malicious software).
Referring to claim 9, Maurer in view of Callanan discloses the system of claim 8, wherein, for the user activity data being real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session, upon ascertaining occurrence of the malicious activity event, the OT security engine is to initiate at least one of: generation of a session termination signal, for transmission to a remote access server, to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and generation of an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the malicious activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity).
Referring to claim 10, Maurer in view of Callanan discloses the system of claim 8, wherein, for the user activity data being indicative of the actions executed at the user device during a pre-defined duration of the remote access session, upon ascertaining occurrence of the malicious activity event, the OT security engine is to generate an alert notification indicating the malicious activity event that occurred during the remote access session ([0020] notification serves as an alert); and the communication module is to transmit the alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity).
Referring to claims 11-19, the claims encompass the same scope of the invention as that of the claims 1-4, 7-10. Therefore, claims 11-19 are rejected on the same ground as the claims 1-4, 7-10.
Referring to claim 20, Maurer discloses the non-transitory computer-readable medium of claim 19, wherein the instructions are executable by the processing resource to: generate another alert notification indicating the malicious activity event that occurred during the remote access session upon ascertaining occurrence of the malicious activity event; and transmit the another alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity, [0023][0026[0027] figure 4, steps 406-410, different notifications/alerts are generated for different operations).
Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Maurer in view of Callanan and in further view of Ronen et al., US Patent Publication Number 2015/0310213, hereinafter Ronen.
Referring to claim 5, Maurer in view of Callanan discloses the system recited in claim 1. Bennett does not explicitly teach wherein the user activity data is indicative of the actions executed at the user device during a pre-defined duration of the remote access session
Ronen in the same field of network security environment discloses monitoring the user’s activity for over a predefined period of time (page 7, claim 12).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the idea of user activity monitoring over a predefined duration of Ronen into Maurer because both Maurer and Ronen discloses monitoring user activities for network security, and Ronen further suggests the monitoring is taking place for a predefined period of time (claim 12).
A person with ordinary skill in the art would have been motivated to make the modification to Maurer to reserve network resource for only monitor a predefined period of time to provide a more precise and focused monitoring as suggested by Ronen.
Referring to claim 6, Maurer in view of Callanan and Ronen discloses the system of claim 5, wherein the one or more preventive actions include: generating an alert notification indicating the unfamiliar activity event that occurred during the remote access session (Maurer, [0020], notification servers as an alert); and transmitting the alert notification to a supervisor (administrator) on a supervisor device (Maurer, [0020], notifying a system administrator or network administrator of unusual activity).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIANGCHE A WANG whose telephone number is (571)272-3992. The examiner can normally be reached M-F 10:00am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Liang-che Alex Wang
May 18, 2026
/LIANG CHE A WANG/Primary Examiner, Art Unit 2447