DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-14 are pending and herein considered.

Allowable Subject Matter
Claims 6 and 8-9 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The subject matter of claims 6 and 8-9 is not disclosed by the prior art of record.

Claim Objections
Claim 8 is objected to for minor informalities. It is believed that claim 8 was intended to read, “a Levenshtein distance calculated between the incorrect authentication credentials provided during the respective failed access attempt [[are]] and the incorrect authentication credentials”

Claim Rejections - 35 USC § 112
Claims 1-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claim 1 recites “initiate at least one action in case the updated authentication session value exceeds…” The term “the updated authentication session value” lacks sufficient antecedent basis, and the claims are indefinite.
Claims 2-13 are rejected as depending on claim 1. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7 and 10-14 are rejected under 35 U.S.C. 103 as being unpatentable over Abraham et al. US 2009/0006856 A1 (hereinafter Abraham) in view of Sama US 2013/0254875 A1 (hereinafter Sama).
Regarding claim 1, Abraham substantially discloses:
A computer implemented method of reducing a probability for falsely classifying a legitimate authentication process conducted by a legitimate user as a password guessing attack, comprising: using at least one processor for (Method and system to protect against brute force and dictionary (a variant of brute force) attacks by providing “an adaptive access control scheme…based on a password authentication scheme” to avoid an “account lock-out” when “a legitimate user is trying to access their account” (Abraham: par. 5-6, 28-30)).
Abraham teaches (a) authorized users that input correct authentication credentials (e.g. passwords) and are granted access to secure assets (Abraham: par. (b) questionable users that repeatedly input “authentication information that is close to stored authentication information and/or to authorization information that was historically correct” (Abraham: par. 21, 29; Fig. 1); and (c) intruders (attackers) that input incorrect passwords that are not similar to stored (current or historical) passwords (Abraham: par. 30; Fig. 1). Abraham further teaches an authorization (authentication) score that is based on “a similarity between the provided password and a correct password” over a number of failed authentication attempts (Abraham: par. 21-22; Fig. 1). Thus, although not expressly stated, the user categories (a-c) represent different risk values (scores), and the authentication score is derived from the risk scores (Abraham: par. 11, 19, 22-23; Fig. 1). However, in the interest of advancing the prosecution, Sama discloses “systems, computer program products, and methods for determining a risk associated with a login transaction” (Sama: par. 5). A login (authentication) risk is determined based on similarity and a plurality of “partial matching techniques” (Sama: par. 23). The partial matching techniques are used to determine that a received password is similar to a stored valid (reference) password (Sama: par. 33, 35, 38-40), or is derived (by an attacker) from user (profile) information (Sama: par. 29, 52-53, 60-62); and further to assign risk scores to login (authentication) transactions and score thresholds that designate the risk levels as “NORMAL”, “SUSPECT” or “DENY” (Sama: par. 31-32, 58, 60). Actions to be performed are determined based on the risk level (Sama: par. 31, 45).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Abraham and Sama to at least include the partial matching techniques and the associated risk scoring taught by Sama. One 
estimating a password guessing attack risk for an authentication process conducted by a user for accessing a secure service by performing the following for each of a plurality of failed access attempts in which the user provides incorrect authentication credentials (provided passwords that do not exactly match the corresponding stored reference passwords result in failed access attempts (Sama: e.g. Fig. 3; Abraham: e.g. Fig. 1; and as outlined above)):
calculate a risk score for a respective failed access attempt based on analysis of the incorrect authentication credentials provided during the respective failed access attempt (An authentication (login) risk score is calculated for each failed access attempt (i.e. when the received and reference (stored) passwords do not “match exactly”; Sama: Fig. 3 steps 308, 314, 320, 322; par. 31-32, 58-60), based on analysis of incorrect password provided for authentication (Sama: par. 23-29, 36-44, 61-62);
update an authentication session score of the authentication process according to the calculated risk score (Abraham: par. 21-23, Fig. 1; averaging the authentication (authorization) score over multiple failed password entries, where at least in one embodiment in view of Sama, the authentication score is a risk score); and
initiate at least one action in case the updated authentication session value exceeds at least one threshold value extracted from a security policy predefined for the secure service (Abraham: par. 11, 23; “The authorization [authentication session] score can be compared against one or more [specified] thresholds to determine the likelihood of an intruder versus an authorized user”. “When the user is likely an unauthorized intruder… access to a simulated system can be granted”. In the aforementioned and in view of Sama, the authorization score is a risk score, and the rules used to set the “specified threshold” values represent a policy. Sama: par. 45; “based on the determined risk, authentication server 120 may determine that one or more actions to be performed”, e.g. “increasing or decreasing the tolerance for the strike count policy (for locking the user account after a specific number of unsuccessful attempts)”).
The aforementioned covers all the limitations of claim 1.

Regarding claim 14, it corresponds to claim 1, and claim 14 does not disclose beyond the features of claim 1. Therefore, claim 14 is rejected under 35 U.S.C. 103, as being unpatentable over Abraham in view of Sama for the same reasons outlined for the rejection of claim 1.

Regarding claims 2-5, 7 and 10-13, the rejection of claim 1 under 35 U.S.C. 103 is incorporated herein. In addition, Abraham in view of Sama discloses:
(2) The authentication credentials comprising at least one member of a group consisting of: a code, a password and a key (Abraham: par. 14. Sama: par. 6).
(3) The password guessing attack comprising at least one member of a group consisting of: a dictionary attack and a brute-force attack (Abraham: par. 5, 30. Sama: par. 62; password derived from user information).
(4) The incorrect authentication credentials provided during each failed access attempt are stored for the duration of the authentication process (Abraham: par. 21-22, Fig. 1; “In step 135, a number of attempts can be compared against a maximum attempt threshold”. “When the threshold is exceeded, the method can progress from step 135 to step 140, where an authorization score can be determined. This score can be based upon a similarity between the provided password and a correct password”).
(5) By default the risk score is set to a predefined maximum value (One would have set the default risk value to “DENY” (high risk value, Sama: par. 31) as an additional protection against a password attack).
(7) The risk score is set to a predefined first value lower than the predefined maximum value in case the incorrect authentication credentials provided during the respective failed access attempt are identical to the incorrect authentication credentials provided in at least one previous failed access attempt during the current authentication process with the exception that the current incorrect authentication credentials are in a different character capitalization compared to the previous incorrect authentication credentials (“Questionable user 230 [SUSPECT risk level] can include a human agent that repeatedly inputs authentication information that is close to stored authentication information” (Abraham: par. 29; and as outlined for the rejection of claim 1)).
(10) The risk score is set to a predefined third value lower than the predefined maximum value in case the incorrect authentication credentials provided during the respective failed access attempt are identical to previously valid historical authentication credentials used by the user in the past for accessing the secure service (A user that enters correct historical passwords is a questionable (not an attacker) user and is 
(11) The at least one action is defined by the security policy predefined for the secure service, the at least one action is a member of a group consisting of: instructing a permanent lock of access to the secure service for the user, instructing lock of access to the secure service for the user for a predefined time period and generating at least one notification message to the user (Sama: par. 45; and as outlined for the rejection of claim 1).
(12) Adjusting the at least one threshold value according to authentication processes analytics generated based on analysis of a plurality of authentication processes conducted by a plurality of users attempting to access the secure service (The adjustment to the threshold value depends on the risk level (Sama: e.g. par. 45), which is assigned based on the behavior of a plurality of users (Abraham: par. 27-30)).
(13) Adjusting at least one of a predefined maximum value, a first predefined value, a second predefined value and a third predefined value according to the authentication processes analytics, wherein the predefined maximum value, the first predefined value, the second predefined value and the third predefined value are used for calculating the risk value for the incorrect authentication credentials provided during at least one failed access attempt (As outlined for the rejection of claims 5, 7 and 10).
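The following is an added illustration, not code from the application under examination or from Abraham or Sama, of how the claimed per-attempt risk scoring and session score of claims 1, 4, 5, 7, 8 and 10 fit together from the defender's side: each failed attempt gets the predefined maximum risk unless it is only a capitalization variant of an earlier attempt, within a small Levenshtein distance of one, or equal to a formerly valid password, and an action is taken once the running session score passes a policy threshold. The concrete score values, the edit-distance limit, the threshold and the sample passwords are assumptions chosen for the sketch.

```python
# Added example (not from the office action or the cited references): a small
# model of the claimed per-attempt risk scoring. Score values, threshold and
# edit-distance limit below are assumed for illustration, not taken from the page.
from dataclasses import dataclass, field


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two attempts (claim 8 compares attempts this way)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Policy:
    max_value: int = 10       # claim 5: default per-attempt risk (assumed value)
    first_value: int = 2      # claim 7: same credential, only capitalization differs
    second_value: int = 4     # claim 8: small edit distance to an earlier attempt
    third_value: int = 3      # claim 10: matches a previously valid password
    lock_threshold: int = 20  # claim 1: act once the session score exceeds this
    edit_limit: int = 2       # assumed Levenshtein cutoff for "typo-like" attempts


@dataclass
class AuthSession:
    policy: Policy
    historical: set[str]      # formerly valid passwords (hashes in a real system)
    failed: list[str] = field(default_factory=list)  # claim 4: kept for the session
    score: int = 0            # claim 1: authentication session score

    def risk_score(self, credential: str) -> int:
        """Risk of one failed attempt, lowest applicable predefined value wins."""
        p = self.policy
        if credential in self.historical:
            return p.third_value
        if any(e.lower() == credential.lower() for e in self.failed):
            return p.first_value
        if any(levenshtein(e, credential) <= p.edit_limit for e in self.failed):
            return p.second_value
        return p.max_value

    def record_failure(self, credential: str) -> str:
        """Update the session score and return the policy action to take."""
        self.score += self.risk_score(credential)
        self.failed.append(credential)
        return "lock" if self.score > self.policy.lock_threshold else "continue"
```

A run of typo-like failures accumulates slowly and stays below the threshold, while unrelated guesses each add the maximum and trigger the lock action after a few attempts.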

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Kolman et al. US 9,722,996 B1
Urmanov et al. US 2019/0384897 A1
Greenspan et al. US 2018/0124033 A1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-

/ADRIAN STOICA/Examiner, Art Unit 2494

/ROBERT B LEUNG/Primary Examiner, Art Unit 2494    1-14-2021