DETAILED ACTION

Currently pending claims are 1 – 20.

As per the instant independent claims 1 & 15, Examiner notes there are two separate sessions (PART I /2 & PART II / 2) of 35 USC § 102 rejections presented using two different sets of prior-arts set forth below using different prior-arts.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1 – 5, 10 – 14 and 15 – 18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hamlin et al. (U.S. Patent 10,552,590). 

As per claim 1 (PART I / 2), Hamlin teaches a computing apparatus, comprising: 
a hardware platform comprising a processor and a memory (Hamlin: FIG. 1); 
a contextual reputation store (Hamlin: Figure 1 & see below); and 
instructions encoded within the memory to provision a security agent (Hamlin: Figure 1 / E-124 & Col. 4 Line 7 – 12: an authentication agent that resides at an information handling system constitutes a security agent) configured to: 
create a user persona in the contextual reputation store based at least in part on the user's interaction with the computing apparatus (Hamlin: see above & Col. 3 Line 2 – 12: a credibility (i.e. reputation) of a baseline pattern behavior such as a keyboard typing (key-stroke pattern) w.r.t. an identity of an authenticated user constitutes a contextual reputation w.r.t. a user persona as a patterns of usage associated with the user – as such, creating a user persona in a contextual reputation store based on a user assurance event that characterizes an authentication status of the user – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0052] / [0053]: (a) establishing various personas along with baseline behavior(s) of a user including keyboad inputing methods (activities) and (b) different privileges of accessing enterprise resources are determined based on the strength of user authentications);    
compute a persona-weighted reputation for an action and store the persona-weighted reputation action to the contextual reputation store (Hamlin: see above & Col. 3 Line 13 – 29: see above & generating a different level of confidence scores that constitutes a persona-weighted reputation corresponding to the user interactions with a computing device to determine the authenticated state of the user’s access ability (i.e. different privileges) to various secure resources); 
intercept a user action on the computing apparatus (see above); 
determine a current user persona (see above); 
determine from the contextual reputation store a persona- weighted reputation for the user action (see above); and 
take a security action based at least in part on the persona-weighted reputation for the user action (Hamlin: see above & Col. 3 Line 26 – 29: taking a security action based on the confidence score of the user’s authenticated state to determine the user’s access ability (i.e. different privileges) to various secure resources w.r.t. the user’s weighted credibility (i.e. reputation)).

As per claim 15 (PART I / 2), the claim limitations are met as the same reasons as that set forth in the paragraph above regarding to claim 1 with the exception of the feature(s) of define a first persona-specific score for a user action by a user operating within the first user persona (Hamlin: see above & Col. 3 Line 13 – 29: see above & generating a different level of confidence scores that constitutes a persona-weighted reputation corresponding to the user interactions with a computing device to determine the authenticated state of the user’s access ability (i.e. different privileges) to various secure resources based on a credibility (i.e. reputation) to the identity of an authenticated user such as a keyboard typing pattern (key-stroke pattern) that constitutes a first user persona as a patterns of usage w.r.t different computing contexts).

As per claim(s) 2 and 16, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 3, Hamlin teaches the persona trigger event comprises opening or closing an application (Hamlin: see above & Col. 4 Line 52 – 54). 

As per claim 4, Hamlin teaches the persona trigger event comprises a change in mouse or keyboard focus (Hamlin: see above & Col. 3 Line 2 – 12: such as a focus of the keyboard typing (key-stroke pattern) has been changed frm a baseline pattern behavior).  

As per claim 5, Hamlin teaches the persona trigger event comprises access to a website (Hamlin: see above & Col. 8 Line 55 – 61: accessing a trusted or an un-trusted website).  

As per claim 10, Hamlin teaches determining the persona-weighted reputation comprises determining a strength of user authentication (Hamlin: see above & Col. 3 Line 26 – 29: taking a security action based on the confidence score (i.e, the strength of user authentication) of the user’s authenticated state to determine the user’s access ability (i.e. different privileges) to various secure resources w.r.t. the user’s weighted credibility (i.e. reputation) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0053] Last sentence: the privileges of accessing enterprise resources are determined based on the strength of user authentication).  

As per claim 11 – 12, Hamlin teaches to provision the security agent at a privilege ring more privileged than user-space applications (Hamlin: see above & Col. 3 Line 26 – 29: taking a security action by the security agent to determine (assign) the user’s access ability (i.e. different privileges) to various secure resources (user-space) based on the confidence score w.r.t. the user’s weighted credibility (i.e. reputation) – As such, provision the security agent is provisioned at a privilege ring more privileged than user-space applications so as to determine (assign) the user’s access ability (i.e. different privileges) to various secure resources (user-space)).

As per claim 13, Hamlin teaches wherein the contextual reputation store includes a default persona for actions not falling within a persona otherwise defined (Hamlin: see above & Col. 3 Line 2 – 12: a credibility (i.e. reputation) to the identity of an authenticated user such as a keyboard typing (key-stroke pattern) as a contextual reputation corresponding to a user persona (w.r.t. a baseline pattern behavior) – i.e. a default persona for actions not falling within a persona otherwise defined). 

As per claim 14, Hamlin teaches wherein the security action is selected from the group consisting of allow, deny, and warn (Hamlin: see above & Col. 3 Line 26 – 29: taking a security action based on the confidence score of the user’s authenticated state to determine the user’s access ability to various secure resources w.r.t. the user’s weighted credibility (i.e. reputation)).  

As per claim(s) 17, the claims contain(s) similar limitations to claims 3 – 5 and thus is/are rejected with the same rationale.

As per claim 18, Hamlin teaches to define a second persona for the user, including a trigger for entering the second persona, and to assign a second persona-specific score to the action, the second persona-specific score different from the first persona-specific score (Hamlin: see above & Col. 7 Line 56 – 67: (e.g.) a time-based facial recognition with an assigned score constitutes a second persona as a different computing context).  


Claims 19 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Gates et al. (U.S. Patent 8,887,300). 

As per claim 19, Gates teaches a computer-implemented method of providing persona-based contextual security, comprising: 
generating a plurality of personas for a single user of a computing device based on the single user's varying patterns of usage in different computing contexts (Gates: Col. 32 Line 41 – 51 and Col. 8 Line 17 – 29: a plurality of personas is generated as baseline behaviors associated with a single user's varying patterns of usage presented with different contexts such as different individual mood classification during different times of the day and/or when the user is working at different locations (at home or at the office);   
defining a first persona-specific reputation for an action anticipated to be taken by the user in a first persona of the plurality of personas (Gates: see above & Col. 12 Line 3 – 7: (e.g.) a baseline level of user’s biometrical characteristics (e.g. mood classfications) anticipated to be taken by the user for detecting a suspicious (malicious) event constitutes a first persona-specific reputation); 
entering a context of the first persona according to a first persona trigger (see above: as a baseline characteristics for comparison); 
detecting an instance of the action within the first persona (see above); 
determining a response to the action from the persona-specific reputation (Gates: see above & Col. 13 Line 11 – 27: (e.g.) an alerting with a response of mitigating action); and
enacting the response (Gates: see above & Col. 13 Line 11 – 27: see above).  

As per claim 20, Gates teaches wherein the plurality of personas further comprises a second persona for the user, including a second persona trigger, and a second persona-specific reputation for the action different from the first persona-specific reputation for the action (Gates: see above & Col. 32 Line 41 – 51 and Col. 12 Line 3 – 7: (e.g.) different in terms of time / days and/or locations associated with the user).

Claims 1 and 15 (PART II / 2) are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Steeves et al. (U.S. Patent 9,177,125).

As per claim 1, Steeves teaches a computing apparatus, comprising: 
a hardware platform comprising a processor and a memory (Steeves: Figure 1 / E-120 & 130); 
a contextual reputation store (Steeves: Figure 1 & see below); and 
instructions encoded within the memory to provision a security agent (Steeves: Figure 1 & Col. 3 Line 46 – 48 and Col. 4 Line 8 – 11: a user computing device, on which a user log-on, can also serve as an authentication server) configured to: 
create a user persona in the contextual reputation store based at least in part on the user's interaction with the computing apparatus (Steeves: see above & Col. 4 Line 31 – 67: (a) based on a user login event, a weighted reputation corresponding to a user persona is determined based on the user login location such as a very-high reputation at user’s home region, a medium-high reputation at the user’s familiar location (e.g. frequently visited), a medium-low reputation at a undesignated location and etc – i.e. (b) creating a user persona in a contextual reputation store based on user authentication (login) events that characterize an authentication status of the user);    
compute a persona-weighted reputation for an action and store the persona-weighted reputation action to the contextual reputation store (Steeves: see above & Col. 4 Line 31 – 67: (a) see above & (b) a different level of persona-weighted reputations is determined for an action such as a user login interaction with a computing device); 
intercept a user action on the computing apparatus (see above); 
determine a current user persona (see above); 
determine from the contextual reputation store a persona- weighted reputation for the user action (see above); and 
take a security action based at least in part on the persona-weighted reputation for the user action (Steeves: see above & Col. 2 Line 50 – 63 and Col. 4 Line 46 – 53: a security action with different levels of enhanced security challenges is presented to the user w.r.t. different levels of persona-weighted reputation (see above) prior to granting the user request to access computer resources).  

As per claim 15, the claim limitations are met as the same reasons as that set forth in the paragraph above regarding to claim 1 with the exception of the feature(s) of define a first persona-specific score for a user action by a user operating within the first user persona (Steeves: see above & Col. 4 Line 31 – 67: (a) see above & (b) determining a specific level of persona-weighted reputations (i.e. a first persona-specific score) for an action such as a user login interaction with a computing device).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 6 – 8 are rejected under 35 U.S.C. 103 as being unpatentable over Hamlin et al. (U.S. Patent 10,552,590), in view of Gates et al. (U.S. Patent 8,887,300).  

As per claim 6, Gates (& Hamlin) teaches wherein the persona trigger event comprises accessing an e-mail address (Gates: Col. 32 Line 3 – 9 and Col. 31 Line 47 – 52: the trigger event can be when the user reading (accessing) the e-mail message to track the user’s reactions (w.r.t. a baseline pattern behavior) using a front-facing camera associated with the user’s computing device).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of including a persona trigger event such as accessing an e-mail address because Gates’s teaching can alternatively, effectively and securely authenticating the user based on the user’s behavior pattern such as when the user reading (accessing) the e-mail to track the user’s reactions (w.r.t. a baseline pattern behavior) using a front-facing camera associated with the user’s computing device (see above) within the Hamlin’s system of creating a user persona in a contextual reputation store based on a user behavior pattern associated with an assurance event w.r.t. a baseline pattern behavior (e.g. keyboard typing) that characterizes an authentication status of the user (see above).

As per claim 7, Gates (& Hamlin) teaches wherein the persona trigger event comprises a time of day (Gates: see above & Col. 22 Line 20 – 24: the time-of-day at work during the daytime or at home during the night).  See the same rationale of combination applied herein as above in rejecting the claim 6.

As per claim 8, Gates (& Hamlin) teaches wherein the user action is an administrative action (Gates: see above & Col. 25 Line 51 – 53 and Col. 26 Line 33 – 35: a tirggering event to capture the reaction with facial expressions and gestures (see above) including when the user perform an administrative role such as a person’s reaction to an authorization request ).  See the same rationale of combination applied herein as above in rejecting the claim 6.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Hamlin et al. (U.S. Patent 10,552,590), in view of Larkins et al. (U.S. Patent 9,027,126).  

As per claim 9, Gates (& Hamlin) teaches determining the persona-weighted reputation comprises comparing a speed of actions taken to a human-capable speed (Larkins: Col. 6 Line 38 – 54: based on a fake information entering from a baiting program from a phishing site w.r.t. a (normal) human typing speed to determine that a valid account may be compromised).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of including a persona trigger event such as accessing an e-mail address because Larkins’s teaching can alternatively, effectively and securely authenticating the user based on a fake information entering from a baiting program from a phishing site w.r.t. a (normal) human typing speed to determine that a valid account may be compromised (see above) within the Hamlin’s system of creating a user persona in a contextual reputation store based on a user behavior pattern associated with an assurance event w.r.t. a baseline pattern behavior (e.g. keyboard typing) that characterizes an authentication status of the user (see above).



Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2268 – 2021
---------------------------------------------------