Prosecution Insights
Last updated: April 19, 2026
Application No. 18/676,478

REMOTE ACCESS SESSION MONITORING TECHNIQUES

Non-Final OA: §102, §103
Filed: May 28, 2024
Examiner: WANG, LIANG CHE A
Art Unit: 2447
Tech Center: 2400 — Computer Networks
Assignee: Honeywell International Inc.
OA Round: 1 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 1-2
To Grant: 2y 8m
With Interview: 96%

Examiner Intelligence

Grants 86% — above average
Career Allow Rate: 86% (641 granted / 745 resolved), +28.0% vs TC avg
Interview Lift: +9.7% (Moderate +10% lift; resolved cases with interview)
Typical timeline: 2y 8m Avg Prosecution, 14 currently pending
Career history: 759 Total Applications across all art units

Statute-Specific Performance

§101: 10.0% (-30.0% vs TC avg)
§103: 35.2% (-4.8% vs TC avg)
§102: 26.7% (-13.3% vs TC avg)
§112: 18.3% (-21.7% vs TC avg)
Tech Center average is an estimate. Based on career data from 745 resolved cases.

Office Action

§102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-20 are presented for examination. IDS filed on 5/29/24 is considered.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: a communication module to receive… in claim 1.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4, 7-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Maurer et al. US Patent Publication Number 2018/0013750, hereinafter Maurer.

Referring to claim 1, Maurer discloses a system (figures 1, 2, 4, system 200) comprising:

a remote access session monitoring unit (figure 1, 2 and 4, user space security process 202) comprising:

a communication module (network interface 180) to receive user activity data recorded in relation to a remote access session established by a particular user for performing a particular activity ([0020][0024], user activities accessing applications/services are recorded and logged, and wherein user accessing applications/services is viewed as established remote access session; also see figure 4, step 402), the remote access session being established, through a user device, to remotely access an operational technology (OT) network at an organizational site for performing the particular activity ([0016] [0037], Maurer discloses a typical operational technology network at an organizational site for performing typical network service/activity), wherein the user activity data is indicative of actions executed at the user device during the remote access session ([0016][0017][0020][0024], user accessing services is user activity data is indicative of actions executed at the user device during the remote access session);

a processing engine (processor 102/104) implementing an activity monitoring model to process the user activity data to ascertain occurrence of an unfamiliar activity event during the remote access session ([0020], the user space security process 202 can perform various actions 214, including monitoring unusual user activity; also see figure 4, step 406) wherein the unfamiliar activity event has no association to the particular activity ([0020], comparing the access with permission records 210 to determine if the file access request is normal); and

an OT security engine to initiate one or more preventive actions upon ascertaining occurrence of the unfamiliar activity event during the remote access session ([0026][0027][0029], figure 4, steps 406-412, action is blocked and access is denied if activity is not listed on the permission record).

Referring to claim 2, Maurer discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to:

obtain historical ideal user activity data ([0024][0025], the user space security process can record normal operations. This can include identifying which files and directories an application typically accesses, such as a web server accessing files in the website directory. Additionally, the user space security process can identify which applications a service or user may routinely access, and characterize and map permissions records based on the observed normal activity), wherein the historical ideal user activity data is indicative of different ideal user actions for performing the particular activity ([0020][0029], the user space security process is able to identify different user activity by monitoring and compare the activity with the recorded historical activities); and

analyze the historical ideal user activity data to obtain the activity monitoring model ([0020],[0025]-[0029], activity monitoring model for abnormal activity determination).
Referring to claim 3, Maurer discloses the system of claim 1, wherein the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session ([0016][0024][0029], Maurer discloses information handling systems that monitor network user activities and provide network securities which are evident to show the user activity data is real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session).

Referring to claim 4, Maurer discloses the system of claim 3, wherein the one or more preventive actions include at least one of:

transmitting, to a remote access server, a session termination signal (block/deny) to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and

generating an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the unfamiliar activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity).
Referring to claim 7, Maurer discloses the system of claim 1, wherein the remote access session monitoring unit comprises a model training engine to:

obtain pre-defined malicious user activity data, wherein the pre-defined malicious user activity data is indicative of different malicious user actions performable during the remote access session; and

analyze the pre-defined malicious user activity data to obtain a malicious activity detection model ([0016][0017][0020], figure 4, steps 402-412, log 212 recorded pre-defined abnormal user activities which include the malicious activities recited in [0016], and the malicious activity detection model is obtained to serve the process in figure 4).

Referring to claim 8, Maurer discloses the system of claim 7, wherein the processing engine is to:

analyze, utilizing the malicious activity detection model, the user activity data to ascertain occurrence of a malicious activity event during the remote access session, wherein the malicious activity event includes occurrence of at least one of the malicious user actions during the remote access session ([0020], The user space security process 202 can maintain logs 212 of any abnormal file access, monitoring unusual user activity; [0016], where the malicious activities include the example of authorized users can be tricked into revealing access codes or running malicious software).
Referring to claim 9, Maurer discloses the system of claim 8, wherein, for the user activity data being real-time user activity data indicative of the actions executed at the user device at a particular time during the remote access session, upon ascertaining occurrence of the malicious activity event, the OT security engine is to initiate at least one of:

generation of a session termination signal, for transmission to a remote access server, to initiate immediate termination of the remote access session, wherein the remote access session is established through the remote access server ([0027], instruction is sent to block and the access is denied); and

generation of an alert notification for transmission to a supervisor on a supervisor device, wherein the alert notification is indicative of the malicious activity event that occurred at the particular time during the remote access session ([0020], notifying a system administrator or network administrator of unusual activity).

Referring to claim 10, Maurer discloses the system of claim 8, wherein, for the user activity data being indicative of the actions executed at the user device during a pre-defined duration of the remote access session, upon ascertaining occurrence of the malicious activity event,

the OT security engine is to generate an alert notification indicating the malicious activity event that occurred during the remote access session ([0020] notification serves as an alert); and

the communication module is to transmit the alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity).

Referring to claims 11-19, the claims encompass the same scope of the invention as that of the claims 1-4, 7-10. Therefore, claims 11-19 are rejected on the same ground as the claims 1-4, 7-10.
Referring to claim 20, Maurer discloses the non-transitory computer-readable medium of claim 19, wherein the instructions are executable by the processing resource to:

generate another alert notification indicating the malicious activity event that occurred during the remote access session upon ascertaining occurrence of the malicious activity event; and

transmit the another alert notification to a supervisor on a supervisor device ([0020], notifying a system administrator or network administrator of unusual activity, [0023][0026][0027] figure 4, steps 406-410, different notifications/alerts are generated for different operations).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Maurer in view of Ronen et al., US Patent Publication Number 2015/0310213, hereinafter Ronen.

Referring to claim 5, Maurer discloses the system recited in claim 1. Bennett does not explicitly teach wherein the user activity data is indicative of the actions executed at the user device during a pre-defined duration of the remote access session.

Ronen in the same field of network security environment discloses monitoring the user’s activity for over a predefined period of time (page 7, claim 12).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the idea of user activity monitoring over a predefined duration of Ronen into Maurer because both Maurer and Ronen disclose monitoring user activities for network security, and Ronen further suggests the monitoring is taking place for a predefined period of time (claim 12). A person with ordinary skill in the art would have been motivated to make the modification to Maurer to reserve network resources to monitor only a predefined period of time to provide a more precise and focused monitoring as suggested by Ronen.

Referring to claim 6, Maurer in view of Ronen discloses the system of claim 5, wherein the one or more preventive actions include:

generating an alert notification indicating the unfamiliar activity event that occurred during the remote access session (Maurer, [0020], notification serves as an alert); and

transmitting the alert notification to a supervisor (administrator) on a supervisor device (Maurer, [0020], notifying a system administrator or network administrator of unusual activity).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made. Applicant must show how the amendments avoid such references and objections. See 37 CFR 1.111(c).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIANGCHE A WANG whose telephone number is (571)272-3992. The examiner can normally be reached M-F 10:00am to 6:30pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Liang-che Alex Wang
January 13, 2026
/LIANG CHE A WANG/
Primary Examiner, Art Unit 2447

Prosecution Timeline

May 28, 2024
Application Filed
Jan 14, 2026
Non-Final Rejection — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598190
UNIFIED SECURE ACCESS CONTROL TO SOFTWARE SERVICES AND APPLICATIONS
2y 5m to grant Granted Apr 07, 2026
Patent 12592927
DYNAMIC VIRTUAL IDENTIFIER GENERATION FOR USER INTERACTION AUTHORIZATION VERIFICATION AND LOGGING
2y 5m to grant Granted Mar 31, 2026
Patent 12585446
Consent-Driven Access Management For Cloud Resources
2y 5m to grant Granted Mar 24, 2026
Patent 12563085
APPROACHES TO LEARNING BEHAVIORAL NORMS THROUGH AN ANALYSIS OF DIGITAL ACTIVITIES PERFORMED ACROSS DIFFERENT SERVICES AND USING THE SAME FOR DETECTING THREATS
2y 5m to grant Granted Feb 24, 2026
Patent 12563003
AUTOMATED MARKING OF MESSAGES AND MESSAGE DELETION BY ANALYZING KEYWORDS AND SEMANTIC SITUATIONS
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 86%
With Interview: 96% (+9.7%)
Median Time to Grant: 2y 8m
PTA Risk: Low
Based on 745 resolved cases by this examiner. Grant probability derived from career allow rate.
