Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the amendments filed 11/23/2020.  Claims 1, 10 and 19 have been amended.  Claims 8 and 20 have been cancelled.  Claims 1-7 and 9-19 are pending and have been considered.

Priority
Acknowledgment is made of no claims of foreign priority.

Drawings
The drawings filed on 09/24/2018 are accepted.

Specification
The specification filed on 09/24/2018 is accepted.

Claim Objections
Claim 17 is objected to under 37 CFR 1.75(c), as being of improper dependent form for failing to further limit the subject matter of parent claim 10.  Claim 10 has been amended to add limitations of claim 17, however Applicant fails to cancel claim 17.  The Office considers any claim that refers to another claim as dependent thereon, i.e. a dependent claim.  Since claim 10 is an independent claim comprising four steps and claim 17 fails to add, delete, or change any of these steps, claim 17 fails to further limit its parent claim.  Applicant is required to cancel the claim(s), or amend the claim(s) to place the claim(s) in proper dependent form, or rewrite the claim(s) in independent form.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/25/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant's arguments filed 11/23/2020 with respect to “none of the cited references, whether taken alone or in combination, disclose or suggest the limitations of independent claims 1, 10, and 19 as currently amended. In particular, none of the cited references disclose at least retrieving a “plurality of parameters including: a username associated with the user, a password associated with the user, and a user agent identifier” and generating an authentication score object (based on the plurality of parameters) comprising a plurality of fields, wherein the plurality of fields of the authentication score object includes “a numerical score identifying a risk level associated with allowing the electronic communication session with the client computing device, and: an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object Avital, Nguyen, Cashman, and Jang. However, none of these references disclose the recited authentication object in the independent claims. Avital and Cashman, for example, simply disclose a “risk score” and an “authentication score,” respectively, as stand-alone values. There is no disclosure or suggestion of an “authentication object” having “a plurality of fields,” much less any of the fields (e.g., “an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object was modified, etc.”) recited in the independent claims.” have been fully considered but they are not persuasive:
Avital et al teaches that conventional risk-based authentication includes an evaluation of multiple authentication factors to determine whether a human using a computer is authentic, i.e., not an imposter. In particular, a risk engine takes, as inputs, authentication factors such as username and password, time of day, IP address, and geolocation.
Jang et al teaches a change in the authentication score depending on time. Here, the time axis may denote a specific time, days, weeks, or months, or may denote the number of authentication attempts. For example, it may be assumed that the maximum value of the authentication score is 3000 and the score corresponding to threshold 114 is 800 (see par. 307-308).
Nguyen et al teaches that the monitoring component 110 may gather, collect, or analyze data, metrics, characteristics, attributes, etc. associated with one or more aspects of a user, one or more aspects of a resource, or one or more interactions between a user and a resource, transactions performed by a user, session attributes, a location of a user, etc. Data may include one or more user selected attributes, one or more configuration attributes, one or more user actions, or one or more trends. For example, user selected attribute data may include usernames, passwords, authentication credentials, credentials, or one or more aspects thereof, such as length, number of special characters, number of capitalized characters, shift, control, etc. Configuration attribute data may include browser type, access mode, device type, browser version, IP address, device ID, unique IDs, secure versus unsecure network, network attributes, type of encryption, etc. User interaction data may include navigation paths, utilization of hyperlinks, browsing history or pages visited within a network or outside of a network, activity pattern, behaviors, actions, habits, behaviors, transactions conducted, physical location, etc. (col.9, lines 55 col.10, line 10), and further teaches that the scoring component 130 calculates a security score or provides a security score to a user or an entity based on data associated with a user, a resource, one or more interactions between the user and the resource, or one or more trends.
The examiner further notes that each of the attributes is considered as one of the parameters (user selected attributes, configuration attributes, user actions, or trends) used in generating the score, and each of the parameters has a plurality of fields (usernames, passwords, authentication credentials, credentials, or one or more aspects thereof, such as length, number of special characters, number of capitalized characters, shift, control), which meet the limitation of a “plurality of parameters including: a username associated with the user, a password associated with the user, and a user agent identifier” and generating an authentication score object (attributes) comprising a plurality of fields, wherein the plurality of fields of the authentication score object includes “a numerical score identifying a risk level associated with allowing the electronic communication session with the client computing device, and: an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object was modified, an indicator of whether the numerical score identifying the risk level associated with allowing the electronic communication session with the client computing device exceeds a predetermined threshold, an identifier associated with the user of the client computing device, or an indicator of whether the electronic communication session is allowed or rejected.”

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill 

Claims 1, 10, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Jang et al 2016/0147987 A1.
Claims 1, 10 and 19: Avital et al teaches a tangible, non-transitory computer-readable medium storing instructions that, when executed by a server computer system, and a method comprising (col.3, lines 37-43, a computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication) a server computer system comprising:
a processor (col.3, lines 37-43, processing circuitry); and
memory coupled to the processor and storing instructions that, when executed by the processor (col.3, lines 17-23, memory, and processing circuitry coupled to the network interface and the memory), cause the server computer system to perform operations comprising:
detecting an attempt, by a client computing device of a user, to initiate an electronic communications session (Fig.5, item 202, col.1, lines 30-40, col.4, lines 35-55, col.9, line 63 to col.10, line 16, col.3, line receive an authentication request from a user operating a client apparatus, during an authentication session, the user to provide a device fingerprint from the client apparatus (i.e., "something you are"), a personal identification number or PIN (i.e., "something you know"), and an electronic credential from an integrated circuit credit card (i.e., "something you have"));
retrieving a plurality of parameters, the plurality of parameters including: a username associated with the user, a password associated with the user, and a user agent identifier (col.2, lines 21-30, col.10, lines 5-17, the initial set of credentials includes a user identifier which uniquely identifies the user among other users, user password, and a set of smart phone parameters provided by the smart phone). 
generating, based on the plurality of parameters, an authentication score object comprising a plurality of fields, wherein the plurality of fields of the authentication score object includes a numerical score identifying a risk level associated with allowing the electronic communication session with the client computing device (col.10, lines 17-45, performing the risk-based authentication operation includes inputting the user identifier, the user password, and the set of smart phone parameters into a risk engine to produce, as the risk score, a numerical value indicating an amount of riskiness that the user is not authentic) an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65, Cashman et al par.141-150); and
allowing or rejecting the electronic communication session with the client computing device based on the authentication score object (col.10, lines 17-45, the policy server 144 can perform a normal authentication operation which compares the generated risk score to a risk score threshold to determine whether authentication is deemed successful or unsuccessful. If the generated risk score is less than the risk score threshold, the policy server 144 indicates that authentication is successful and allows the user 42 to access the protected resource 48).
Avital et al teaches allowing the electronic communication session with the client computing device based on the authentication score object and further teaches that, if the generated risk score is greater than the risk score threshold (signifying high risk that the user 42 is an imposter), the policy server 144 indicates that authentication is unsuccessful and takes remedial action (see col.10, lines 17-45).
Nguyen et al in a similar field of endeavor teaches
rejecting the electronic communication session with the client computing device based on the authentication score object (col.6, lines 34-45, The scoring component 130 may calculate a security score for one or more of the entities, one or more authentication credentials, etc. based on a number of sessions initiated from a set of authentication credentials. The security score may be utilized by the security component 140 to determine one or more actions, such as denying one or more additional sessions from being created or initiated or terminating one or more existing sessions associated with an entity or set of authentication credentials).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Nguyen et al in order to provide session management to detect and mitigate potentially malicious activity, thereby minimizing potential losses or damage, as suggested by Nguyen et al col.1, line 40 to col.2, line 35.
The combination does not explicitly teach, however Jang et al in a similar field of endeavor teaches wherein the one or more fields of the authentication score object include:
par.307-309).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Avital et al with the additional feature of Jang et al in order to provide a method and an electronic device for performing an authentication on the basis of biometrics, as suggested by Jang et al abstract.
Claim 17: the combination teaches wherein the one or more fields of the authentication score object include:
an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object was modified, an indicator of whether the numerical score identifying the risk level associated with allowing the electronic communication session with the client computing device exceeds a predetermined threshold, an identifier associated with the user of the client computing device, or an indicator of whether the electronic communication session is allowed or rejected (Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65, Cashman et al par.141-150, Jang et al par.307-309).
The same motivation to modify Avital et al in view of Nguyen et al as applied to claim 10 above applies here.
The same motivation to modify Avital et al in view of Jang et al as applied to claim 10 above applies here.

Claims 2-5 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Cashman et al 2013/0124229 A1.
Claims 2 and 11: the combination does not explicitly teach, however Cashman et al in a similar field of endeavor teaches wherein the memory further stores instructions for causing the server computer system to perform operations comprising: 
updating one or more fields in the authentication score object subsequent to allowing the electronic communication session (par.132-137); and 
terminating the electronic communication session based on the updated authentication score object (par.137).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Cashman et al in order to provide systems and methods for computerized user self-registration, authentication, and authorization for access to a number of computerized services, as suggested by Cashman et al par.1.
Claims 3 and 12: the combination teaches
wherein updating the one or more fields in the authentication object is performed periodically or in response to identifying a change in a parameter from the plurality of parameters (Cashman et al, par.138, 141).
The same motivation to modify Avital et al in view of Cashman et al as applied to claims 1 and 10 above applies here.
Claims 4 and 13: the combination does not explicitly teach, however Cashman et al in a similar field of endeavor teaches wherein the memory further stores instructions for causing the server computer system to perform operations comprising:
updating one or more fields in the authentication score object subsequent to rejecting the electronic communication session (Cashman et al, par.132-137); and
allowing the electronic communication session based on the updated authentication score object (Cashman et al, par.132-137).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Cashman et al in order to provide systems and methods for computerized user self-registration, authentication, and authorization for access to a number of computerized services, as suggested by Cashman et al par.1.
Claims 5 and 14: the combination teaches
wherein updating the one or more fields in the authentication object is performed periodically or in response to identifying a change in a parameter from the plurality of parameters (Cashman et al, par.138, 141).
The same motivation to modify Avital et al in view of Cashman et al as applied to claims 1 and 10 above applies here.

Claims 6, 7, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Cashman et al 2013/0124229 A1 and Grajek et al 2018/0069867 A1.
Claims 6 and 15: the combination teaches wherein the plurality of parameters include:
an identifier specified by the client computing device, a user identifier associated with the user, an Internet protocol (IP) address associated with the client computing device, a login time, a login type, an indicator that the user is required to use two-factor-authentication, an indicator that a cookie associated with the client computing device is valid or invalid (Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65).
The combination does not explicitly teach, however Grajek et al in a similar field of endeavor teaches
par31-32).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Grajek et al in order to provide systems and methods for computer user authentication using machine learning, as suggested by Grajek et al abstract.
Claims 7 and 16: the combination teaches wherein a field of the authentication score object includes a parameter from the plurality of parameters (Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65).
The same motivation to modify Avital et al in view of Nguyen et al as applied to claims 1 and 10 above applies here.

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Harmon et al 2016/0021117 A1.
Claims 9 and 18: the combination teaches wherein the one or more fields of the 
Harmon et al in a similar field of endeavor teaches wherein generating the authentication score object includes: 
assigning a first weight to a first parameter from the plurality of parameters; assigning a second weight to a second parameter from the plurality of parameters, wherein the first weight is different from the second weight; and determining a field for the authentication score object based on the first parameter and the second parameter (par.65-67).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Avital et al with the additional feature of Harmon et al in order to provide electronic authentication for access to computing resources, and more particularly, devices and methods for threat-based authentication, as suggested by Harmon et al par.2.

The following patents and papers are cited to further show the state of the art at the time of Applicants’ invention with respect to user session authentication:
Schultz et al U.S. 20090116703 A1  As illustrated, database 600 may maintain a group of entries in the following exemplary fields: a date/time field 610, a user identification (ID) field 620, a voice score field 630, a facial score field 640, and a file(s) field 650. Database 600 may maintain additional or different information than illustrated in 
Moganti et al U.S. 20120084078 A1 teaches a scalable voice signature authentication capability is provided herein. The scalable voice signature authentication capability enables authentication of varied services such as speaker identification (e.g. private banking and access to healthcare account records), voice signature as a password (e.g. secure access for remote services and document retrieval) and the Internet and its various services (e.g., online shopping), and the like.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Friday, February 26, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436