Prosecution Insights
Last updated: July 17, 2026
Application No. 18/676,478

REMOTE ACCESS SESSION MONITORING TECHNIQUES

Final Rejection §103
Filed
May 28, 2024
Examiner
WANG, LIANG CHE A
Art Unit
2447
Tech Center
2400 — Computer Networks
Assignee
Honeywell International Inc.
OA Round
2 (Final)
86%
Grant Probability
Favorable
3-4
OA Rounds
7m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 86% — above average
86%
Career Allowance Rate
646 granted / 751 resolved
+28.0% vs TC avg
Moderate +9% lift
Without
With
+9.2%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
15 currently pending
Career history
764
Total Applications
across all art units

Statute-Specific Performance

§101
1.9%
-38.1% vs TC avg
§103
60.3%
+20.3% vs TC avg
§102
25.7%
-14.3% vs TC avg
§112
8.2%
-31.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 751 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Claims 1-20 are presented for examination. IDS filed on 4/29/26 is considered. The New Grounds of Rejection Applicant’s amendment and argument with respect to claims 1-20 filed on 4/29/26 have been fully considered but they are deemed to be moot in views of the new grounds of rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-4, 7-20 are rejected under 35 U.S.C. 103 as being unpatentable over Maurer et al. US Patent Publication Number 2018/0013750, hereinafter Maurer, in view of Callanan et al., US Patent Publication Number 2010/0324964, hereinafter Callanan. Referring to claim 1, Maurer discloses a system (figures 1, 2, 4, system 200) comprising: a remote access session monitoring unit (figure 1, 2 and 4, user space security process 202/network interface 180) that is configured to receive user activity data recorded in relation to a remote access session established by a particular user for performing a particular activity ([0020][[0024], user activities accessing applications/services are recorded and logged, and wherein user accessing applications/services is viewed as established remote access session; also see figure 4, step 402), the remote access session being established, through a user device, to remotely access an operational technology (OT) network at an organizational site for performing the particular activity ([0016] [0037], Maurer discloses an typical operational technology network at an organizational site for performing typical network service/activity), wherein the user activity data is indicative of actions executed at the user device during the remote access session [0016][0017][[0020][0024], user accessing services is user activity data is indicative of actions executed at the user device during the remote access session), the remote access session monitoring unit comprising: a processing engine (processor 102/104) implementing an activity monitoring model to process the user activity data to ascertain occurrence of an unfamiliar activity event during the remote access session ([0020], the user space security process 202 can perform various actions 214, including monitoring unusual user activity; also see figure 4, step 406) wherein the unfamiliar activity event has no association to the particular activity ([0020], comparing the access with permission records 210 to determine if the file access request is normal); and an OT security engine to initiate one or more preventive actions upon ascertaining occurrence of the unfamiliar activity event during the remote access session ([0026][0027][0029], figure 4, steps 406-412, action is blocked and access is denied if activity is not listed on the permission record). Maurer does not explicitly teach wherein the actions executed at the user device comprise at least one of movement of a mouse locally on the user device, keystrokes pressed on a keyboard of the user device, and transfer of files between the user device and the OT network. Callanan teach a work activity monitor 101 detects activity which comprises monitoring applications for file accesses, network accesses, mouse movements, keystrokes, etc. ([0014]). It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the monitoring of file accesses, network accesses, mouse movements, keystrokes of Callanan as part of the user activity monitoring of Maurer, because Maurer discloses monitoring unusual user activity ([0020]), and Callanan discloses the user activity could include file accesses, network accesses, mouse movements, keystrokes, etc.(0014)). A person with ordinary skill in the art would have been motivated to make the modification to Maurer, because user activities such as file accesses, network accesses, mouse movements, keystrokes as suggested by Callanan to enhance security by preventing data breaches and allows organizations to detect insider threats, such as unauthorized file downloads. Referring to claim 2, Maurer in view of Callanan discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to: obtain historical ideal user activity data ([0024][0025], the user space security process can record normal operations. This can include identifying which files and directories an application typically accesses, such as a web server accessing files in the website directory. Additionally, the user space security process can identify which applications a service or user may routinely access, and characterize and map permissions records based on the observed normal activity), wherein the historical ideal user activity data is indicative of different ideal user actions for performing the particular activity ([0020][0029], the user space security process is able to identify different user activity by monitoring and compare the activity with the recorded historical activities); and analyze the historical ideal user activity data to obtain the activity monitoring model ([0020],[0025]-[0029], activity monitoring model for abnormal activity determination). Referring to claim 3, Maurer in view of Callanan discloses the system of claim 1, wherein the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session ([0016][0024][0029], Maurer discloses information handling systems that monitors network user activities and provide network securities which are evident to show the user the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session). Referring to claim 4, Maurer in view of Callanan discloses the system of claim 3, wherein the one or more preventive actions include at least one of: transmitting, to a remote access server, a session termination signal (block/deny) to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and generating an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the unfamiliar activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity). Referring to claim 7, Maurer in view of Callanan discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to: obtain pre-defined malicious user activity data, wherein the pre-defined malicious user activity data is indicative of different malicious user actions performable during the remote access session; and analyze the pre-defined malicious user activity data to obtain a malicious activity detection model ([0016][0017][0020], figure 4, steps 402-412, log 212 recorded pre-define abnormal user activities which include the malicious activities recited in [0016], and the malicious activity detection model is obtained to server the process in figure 4). Referring to claim 8, Maurer in view of Callanan discloses the system of claim 7, wherein the processing engine is to: analyze, utilizing the malicious activity detection model, the user activity data to ascertain occurrence of a malicious activity event during the remote access session, wherein the malicious activity event includes occurrence of at least one of the malicious user actions during the remote access session ([0020], The user space security process 202 can maintain logs 212 of any abnormal file access., monitoring unusual user activity; [0016], where the malicious activities includes the example of authorized users can be tricked into revealing access codes or running malicious software). Referring to claim 9, Maurer in view of Callanan discloses the system of claim 8, wherein, for the user activity data being real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session, upon ascertaining occurrence of the malicious activity event, the OT security engine is to initiate at least one of: generation of a session termination signal, for transmission to a remote access server, to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and generation of an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the malicious activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity). Referring to claim 10, Maurer in view of Callanan discloses the system of claim 8, wherein, for the user activity data being indicative of the actions executed at the user device during a pre-defined duration of the remote access session, upon ascertaining occurrence of the malicious activity event, the OT security engine is to generate an alert notification indicating the malicious activity event that occurred during the remote access session ([0020] notification serves as an alert); and the communication module is to transmit the alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity). Referring to claims 11-19, the claims encompass the same scope of the invention as that of the claims 1-4, 7-10. Therefore, claims 11-19 are rejected on the same ground as the claims 1-4, 7-10. Referring to claim 20, Maurer discloses the non-transitory computer-readable medium of claim 19, wherein the instructions are executable by the processing resource to: generate another alert notification indicating the malicious activity event that occurred during the remote access session upon ascertaining occurrence of the malicious activity event; and transmit the another alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity, [0023][0026[0027] figure 4, steps 406-410, different notifications/alerts are generated for different operations). Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Maurer in view of Callanan and in further view of Ronen et al., US Patent Publication Number 2015/0310213, hereinafter Ronen. Referring to claim 5, Maurer in view of Callanan discloses the system recited in claim 1. Bennett does not explicitly teach wherein the user activity data is indicative of the actions executed at the user device during a pre-defined duration of the remote access session Ronen in the same field of network security environment discloses monitoring the user’s activity for over a predefined period of time (page 7, claim 12). It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the idea of user activity monitoring over a predefined duration of Ronen into Maurer because both Maurer and Ronen discloses monitoring user activities for network security, and Ronen further suggests the monitoring is taking place for a predefined period of time (claim 12). A person with ordinary skill in the art would have been motivated to make the modification to Maurer to reserve network resource for only monitor a predefined period of time to provide a more precise and focused monitoring as suggested by Ronen. Referring to claim 6, Maurer in view of Callanan and Ronen discloses the system of claim 5, wherein the one or more preventive actions include: generating an alert notification indicating the unfamiliar activity event that occurred during the remote access session (Maurer, [0020], notification servers as an alert); and transmitting the alert notification to a supervisor (administrator) on a supervisor device (Maurer, [0020], notifying a system administrator or network administrator of unusual activity). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIANGCHE A WANG whose telephone number is (571)272-3992. The examiner can normally be reached M-F 10:00am to 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Liang-che Alex Wang May 18, 2026 /LIANG CHE A WANG/Primary Examiner, Art Unit 2447
Read full office action

Prosecution Timeline

May 28, 2024
Application Filed
Jan 29, 2026
Non-Final Rejection mailed — §103
Apr 29, 2026
Response Filed
May 21, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683999
DATA SECURITY IN A CLOUD COMPUTING ENVIRONMENT
2y 5m to grant Granted Jul 14, 2026
Patent 12684000
Systems and methods for simulating events and attack vectors associated with embedded devices using injectable grammar
2y 11m to grant Granted Jul 14, 2026
Patent 12684004
APPROACHES TO DOCUMENTING AND VISUALIZING INDICATIONS OF RISK DISCOVERED THROUGH AN ANALYSIS OF DIGITAL ACTIVITIES PERFORMED ACROSS DIFFERENT SERVICES AND USING THE SAME FOR DETECTING THREATS
2y 2m to grant Granted Jul 14, 2026
Patent 12684005
APPROACHES TO ASCERTAINING BEHAVIORAL DEVIATIONS BASED ON AN ANALYSIS OF MULTIPLE DIGITAL ACTIVITIES PERFORMED ON THE SAME SERVICE OR ACROSS DIFFERENT SERVICES TO DETECT THREATS
2y 2m to grant Granted Jul 14, 2026
Patent 12676882
DYNAMIC METHOD INVOCATION FOR ZERO-DAY EXPLOITS
3y 2m to grant Granted Jul 07, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
86%
Grant Probability
95%
With Interview (+9.2%)
2y 8m (~7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 751 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month