DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 12/21/2020. Claims 1-2, 9, 11, 13, and 15-20 are amended. Claims 1-20 are pending in this examination.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under.
                                                           Examiner note

Applicant is encouraged to schedule an interview with the examiner prior to the next communication to compact prosecution of the case.

Response to Argument
Applicant’s arguments with respect to claims for newly added limitation: determining a security level being violated by an activity after access to a mobile device has been granted have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Applicant's arguments filed on 12/21/2020 regarding claims 1, 16 and 19 have  been fully considered but they are not persuasive:
The Applicant submits on pages 9-10 of remarks filed on 12/21/2020 for Claims 1, 16 and 19   the cited portions of Turgeman and Heshmati fail to disclose the specific combination of claim 1. For example, the cited portions of Turgeman and Heshmati do not disclose where a first security level is associated with a first post-access activity by a potential unauthorized user, where a second security level is associated with a second post-access activity by the potential unauthorized user, and where the first post-access activity is distinct from the second post-access activity, as in claim 1.
	
Examiner respectfully disagrees with remarks filed on pages 9-10 on 12/21/2020 for claims 1, 16 and 19. Turgeman in his application discloses:

where a first security level is associated with a first post-access activity by a potential unauthorized user, where a second security level is associated with a second post-access activity by the potential unauthorized user, and where the first post-access activity is distinct from the second post-access activity ¶[¶14, detecting a fraudulent human user or attacker or imposter, or for detecting a "bot" or automated script or robotic user or emulated user or simulated user or machine-based non-human user], and [¶37, Optionally, a comparator/matching module 117 may compare or match, between (or among): (a) values of user-specific features that are extracted in a current user session (or user interaction), and (b) values of respective previously-captured or previously-extracted user-specific features (of the current user, and/or of other users, and/or of pre-defined sets of values that correspond to known automated scripts or "bots" or known attackers)], and [¶84 ...the image or voice of the user, may be utilized as an assisting parameter in the decision whether or not the current user, who is performing the required task by interactions or gestures, is indeed the genuine user. For example, if the system of the present invention is utilized in order to authorize or reject (determining) the access of a user into a building or a vehicle, then utilization of the user's image and/or voice may further be used as part of the decision-making process in which the user is authenticated or is blocked]
Examiner note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Turgeman uses Voice and image comparison as a two distinct security level to find out if the user authentic or fraudulent.

  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103, which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 6-10, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2016/0294837 issued to Turgeman et al (“Turgeman”)  in view of US Patent No. 2015/0288687 issued to Heshmati et al (“Heshmati”) and further in view of US Patent No. 2016/0182543 issued to Aabye et al (“Aabye”)
Regarding claims 1, 16 and 19, Turgeman discloses A computer-implemented method comprising: generating, at a processor of a mobile device, a user profile for an authorized user of the mobile device based on behavior patterns associated with the authorized user, the behavior patterns determined based on historical data indicating past user behavior of the authorized user[¶52, a Repeated Behavior Identifier 156 may monitor, track and analyze the user interactions with the service or the device, in order to identify one or more patterns of usage or behavior that are unique to the particular user…a match may indicate that this is the genuine user or the same previous user], and [¶¶78, 91, a typical user profile is built, or even during a training period in which the system learns the behavioral patterns], and [¶57]; and
	detecting subsequent user behavior of a particular user attempting to gain access to the mobile device by a login process [¶52, Subsequently, when user authentication is required, may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns.  This may be used for detection of "friendly fraud" incidents, or identification of users for accountability purposes… identification of a licensee in order to detect or prevent software piracy or unauthorized usage by non-licensee user(s), for software or products that are sold or licensed on a per-user basis or a per-seat basis],and [¶119]; and
  responsive to determining that the particular user is a potential unauthorized user based on a comparison of the subsequent user behavior during the login process to the behavior patterns of the user profile [¶52 a Repeated Behavior Identifier 156 may monitor, track and analyze the user interactions with the service or the device, in order to identify one or more patterns of usage or behavior that are unique to the particular user.. .a match may indicate that this is the genuine user or the same previous user... Subsequently, when user authentication is required, and/or as part of a password recovery or password reset process, the user authentication module 150 may request the user to type the phrase "I sincerely enjoyed the concert", and may monitor the manner in which the user types the word "sincerely", and may determine whether the fresh manner of typing that word matches the previously-identified Repeated Behavior of typing that word; and a match may indicate that this is the genuine user or , for example, a Task-Based Behavioral Signature Comparator 162 may compare between: (a) a fresh or current or ad-hoc behavioral signature that is extracted from a current performance of a task by a user who contends to be the genuine user; and (b) a historical or original or previously-determined task-based behavioral signature which had been extracted and stored for that original or genuine user], and [¶¶57,91, 119];
and responsive to granting access to the mobile device based on the login process[ ¶91,  Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns.  This may be used for detection of "friendly fraud" incidents, or identification of users for accountability purposes… identification of a licensee in order to detect or prevent software piracy or unauthorized usage by non-licensee user(s), for software or products that are sold or licensed on a per-user basis or a per-seat basis]. Examiner Note: user might logged in to the mobile device, however, he/she might not have access to some software licensed on a per-user basis or a per-seat basis], and [¶58,, for example, a Task-Based Behavioral Signature Comparator 162 may compare between: (a) a fresh or current or ad-hoc behavioral signature that is extracted from a current performance of a task by a user who contends to be the genuine user; and (b) a historical or original or previously-determined task-based behavioral signature which had been extracted and stored for that original or genuine user], and [see ¶¶122-127 and corresponding text for more detail of collecting user interactions data both (i) during performance of the task, immediately prior to performance of the task, immediately after performance of the task...], and [¶94, Some embodiments may be utilized for authenticating, or confirming the identity of, a user who is already logged-in or signed-in...]; and
determining a security level being violated by the activity, where a first security level is associated with a first post-access activity by a potential unauthorized user, where a second security level is associated with a second post-access activity by the potential unauthorized user, and where the first post-access activity is distinct from the second post-access activity ¶[¶14, detecting a fraudulent human user or attacker or imposter, or for detecting a "bot" or automated script or robotic user or emulated user or simulated user or machine-based non-human user], and [¶37, Optionally, a comparator/matching module 117 may compare or match, between (or among): (a) values of user-specific features that are extracted in a current user session (or user interaction), and (b) values of respective previously-captured or previously-extracted user-specific features (of the current user, and/or of other users, and/or of pre-defined sets of values that correspond to known automated scripts or "bots" or known attackers)], and [¶84 ...the image or voice of the user, may be utilized as an assisting parameter in the decision whether or not the current user, who is performing the required task by interactions or gestures, is indeed the genuine user. For example, if the system of the present invention is utilized in order to authorize or reject (determining) the access of a user into a building or a vehicle, then utilization of the user's image and/or voice may further be used as part of the decision-making process in which the user is authenticated or is blocked].
Examiner note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Turgeman uses Voice and image comparison as a two distinct security level to find out if the user authentic or fraudster and then activate the fraud mitigation module.
 and performing the particular countermeasure [¶43, The user identity determination module 131 may trigger or activate a fraud mitigation module 132 able to perform one or more 
 selecting a particular countermeasure of a plurality of countermeasures, based on the the security level, where the plurality of countermeasures comprise a first countermeasure to be performed responsive to a first security level being violated and a second countermeasure to be performed responsive to a second security level being violated, and where the first countermeasure and the second countermeasure are distinct.
Turgeman discloses this limitation as: [¶23, a user authentication process may utilize face recognition as one authentication factor out of one-or-more factor(s) for user authentication; but a camera or imager may fail to work, or may not work properly due to poor lighting.  For example, a user authentication process may utilize voice recognition or speech recognition as one authentication factor out of one-or-more factor(s) for user authentication], and [¶43, The user identity determination module 131 may trigger or activate a fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation; for example, by requiring the current user to respond to a challenge, to answer security question(s), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like]; and ¶[¶14, detecting a fraudulent human user or attacker or imposter, or for detecting a "bot" or automated script or robotic user or emulated user or simulated user or machine-based non-human user], and [¶37, Optionally, a comparator/matching module 117 may compare or match, between (or among): (a) values of user-specific features that are extracted in a current user session (or user interaction), and (b) values of respective previously-captured or previously-extracted user-specific features (of the current user, and/or of other users, and/or of 
Examiner note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Turgeman uses Voice and image comparison as a two distinct security level to find out if the user authentic or fraudster and then activate the fraud mitigation module.
 Furthermore Heshmati discloses this limitation as: based on the security level, where the plurality of countermeasures comprise a first countermeasure to be performed responsive to a first security level being violated and a second countermeasure to be performed responsive to a second security level being violated, and where the first countermeasure and the second countermeasure are distinct [¶64, accordingly, in one embodiment sensor data may be used to recognize a gesture in order to identify a user.  As schematically represented in FIG. 3, a user may train a wearable device to recognize a specific gesture and subsequently to use that gesture to identify the user… level of security desired,], and [¶73, authenticator 120 may be configured to associate different levels of security to different sets of data from wearable device 100.  In this manner, a relatively simple gesture may be used to grant access to rudimentary functions of wearable device 100 or to more general locations while a more complex gesture provides access to higher functions or more secure areas], and [¶21,In a gesture and/or a pattern of motion associated with the user], and [¶66, a camera or other suitable optical sensor may also be used to recognize the pattern of a user's iris, fingerprint or any other distinguishing characteristic.  In another aspect, a wearable device having a microphone may be used to record a user's voice in order to perform identification.  As desired, identification using a user's voice may involve a speech recognition algorithm and a spoken password or phrase or may involve an audio analysis configured to recognize characteristics such as tone, pitch, timbre and the like]. 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman with the teaching of Heshmati order for providing sensor based authentication of  a user's identification and may be used to control access to resources to restrict unauthorized use [Heshmati, abstract, ¶2].
	 detecting activity by the potential unauthorized user 
Turgeman discloses detecting activity by the potential unauthorized user [¶42, if the comparator/matching module 117 determines that one or more features, or a set of features, that characterize the current interaction session of the current user, does not match those features as extracted in previous interaction session(s) of that user, then, a possible-fraud signal may be generated or sent or transmitted to other units of system 100 and/or to pre-defined recipients].
	Turgeman and Heshmati do not explicitly disclose, however, Aabye discloses   after access to the mobile device has been granted [¶94, in step S116, the security server computer 20 may then receive this information and may analyze it to determine whether or not the portable communication device 10 has been accessed by an unauthorized user or compromised.  In some embodiments, the security server computer 20 may compare the cryptogram that was device 10 has likely been accessed by an unauthorized user or compromised.  The security server computer may also analyze the security notification data or the derivative of the security notification data to determine a type of access by the unauthorized user, such as a type of security element module that detected the unauthorized access], and [¶77, a security element module 10B-1 associated with a security software application, working in conjunction with the processor 10A, can determine that the portable communication device 10 has been accessed by an unauthorized user.  For example, software on the portable communication device 10 may have been altered in an abnormal way, or portable communication device 10 may have been previously hacked].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman and Hesmati with the teaching of Aabye order to implement security element modules that may be used to detect security compromises of the portable communication device[[Aabye, ¶60]..
Regarding claim 2, the subject matter of dependent  claim 2 contains the corresponding features as the method of claim 1 expressed respectively in analogous terms and additionally the features disclosed in 2: Turgeman discloses  detecting second activity by the second unauthorized user, the second activity distinct from the activity; determining the second security level being violated by the second activity; selecting a second particular countermeasure of the plurality of countermeasures based on the second security level,; and performing the second particular countermeasure[¶43, for example, combined factors and data may be taken into account by a user identity determination module 131, which may fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation; for example, by requiring the current user to respond to a challenge, to answer security question(s) (based on  security level), to contact customer service by phone( based on different security level), to perform two-step authentication or two-factor authentication (equated to second security level), or the like], and [¶¶14, 38, 42].
Regarding claim 3, Turgeman discloses  wherein the first security level corresponds to unauthorized access of data stored on the mobile device, and wherein the second security level corresponds to identity theft [¶84,  It is noted that in some embodiments, the user authentication or controlled access methods of the present invention, may optionally be used in conjunction with sensing and/or analyzing other user-specific features or biometric traits; for example, using an image or photo or video of the user (e.g., before or during or after the actual interaction is performed), or using an audio or speech utterance or voice utterance by the user (e.g., before or during or after the actual interaction is performed), face recognition, retina scanning, speech analysis, fingerprints, and/or other biometric features and/or user-specific characteristics.  For example, the image or voice of the user, may be utilized as an assisting parameter in the decision whether or not the current user, who is performing the required task by interactions or gestures, is indeed the genuine user.  For example, if the system of the present invention is utilized in order to authorize or reject the access of a user into a building or a vehicle, then utilization of the user's image and/or voice may further be used as part of the 
Regarding claim 4, Turgeman discloses, wherein performing the particular countermeasure comprises: determining that the activity satisfies a first security level; and performing a first countermeasure of the plurality of countermeasures in response to determining the detected activity satisfies the first security level, wherein the first countermeasure protects information stored at the mobile device from the potential unauthorized user[¶43, For example, combined factors and data may be taken into account by a user identity determination module 131, which may determine or estimate whether or not the current user is a "fraudster" or an attacker or an imposter.  The user identity determination module 131 may trigger or activate a fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation. The user identity determination module 131 may trigger or activate a fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation; for example, by requiring the current user to respond to a challenge, to answer security question(s) (equated to first security level), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like], and [¶¶ 14, 38, 42].
Regarding claim 6, Turgeman discloses wherein performing the first countermeasure comprises: detecting a request for identity information from the potential unauthorized user, the identity information associated with the authorized user; generating false identity information in response to detecting the request; and providing the false identity information to the unauthorized user[ ¶14,some embodiments may include devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker… used for verifying identity of a user, or for differentiating or distinguishing between or among users, or for detecting a fraudulent human user or attacker or imposter, or for detecting a "bot" or automated script or robotic user or emulated user or simulated user or machine-based non-human User], and[¶63, a user performs the on-screen task or challenge, is a user-specific trait that may be used for user authentication, and/or for distinguishing among users, and/or for confirming user identity, and/or for detecting a potential attacker or imposter (which may be human, or may be machine-based or a "bot" or malware or automated script]. [¶¶37, 57, 89, 93].
Regarding claim 7, Turgeman discloses wherein performing the particular countermeasure further comprises: determining that the activity satisfies a second security level, the second security level higher than the first security level; and performing a second countermeasure of the plurality of countermeasures in response to determining the detected activity satisfies the second security level, wherein the second countermeasure enables the mobile device to determine information associated with the potential unauthorized user[¶43, for example, combined factors and data may be taken into account by a fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation; for example, by requiring the current user to respond to a challenge, to answer security question(s) (equated to first security level), to contact customer service by phone, to perform two-step authentication or two-factor authentication (equated to second security level), or the like], and [¶¶14, 38, 42].
Regarding claim 8, Turgeman discloses wherein performing the second countermeasure comprises activating a camera of the mobile device[¶23, a user authentication process may utilize face recognition as one authentication factor out of one-or-more factor(s) for user authentication; but a camera or imager may fail to work, or may not work properly due to poor lighting.  For example, a user authentication process may utilize voice recognition or speech recognition as one authentication factor out of one-or-more factor(s) for user authentication].
Regarding claim 9, Turgeman discloses wherein performing the second countermeasure comprises: prompting the potential  unauthorized user to touch a particular portion of the mobile device, the particular portion of the mobile device comprising a scanner; scanning a fingerprint of the potential unauthorized user while the potential unauthorized user touches the particular portion of the mobile device and transmitting identity data based on the fingerprint to a second device[¶23, a user authentication process may utilize fingerprint(s) as one authentication factor out of one-or-more which may not be susceptible to duplication or copying; in direct contrast with a human fingerprint, which is also a unique biometric trait but which can be copied or duplicated by some attackers], and [¶69], and [¶79, Subsequently, that touch-screen device may be used as an authentication terminal, requiring each guest or visitor to authenticate by entering his name or username, then presenting to the user his suitable pre-defined on-screen task, and then allowing (or blocking) the user's physical entry based on the behavioral traits of how the user performs that task.  This may be an addition to, or an alternative to, other user authentication methods for entering a secure area or a controlled-access physical location (such as, showing a badge or an I.D.  card; scanning a barcode; showing a token; retina scan; fingerprint scan; voice recognition or voice signature; or the like)], and [¶81].
Regarding claim 10, Turgeman discloses  wherein performing the second countermeasure comprises generating a voice signature of the potential unauthorized user while the potential unauthorized user speaks into a microphone[ ¶12, other type(s) of a user-authentication factor, or of an authentication-factor or authentication-means (e.g., fingerprint, retina scan, face scan, voice-based or speech-based biometric feature, face recognition, or the like], and [¶23, a user authentication process may utilize voice recognition or speech recognition
Regarding claim 14,  Turgeman discloses wherein a first countermeasure of the plurality of countermeasures comprises deleting data stored at the mobile device, the first countermeasure associated with a first security level corresponding to unauthorized access of data stored on the mobile device, wherein a second countermeasure of the plurality of countermeasures comprises obtaining identity information associated with the potential unauthorized user, the second countermeasure associated with a second security level corresponding to detecting identity theft, and wherein a third countermeasure of the plurality of countermeasures comprises initiating a self-destruct processor to destroy a non-volatile memory, the third countermeasure associated with a third security level corresponding with to detecting criminal activity [Regarding claim 14, the subject matter of dependent claim 14  contains the corresponding features as the method of claim 1 expressed respectively in analogous terms and additionally the features disclosed in 17: Turgeman discloses: unauthorized access of data stored; detecting identity theft; and detecting criminal activity [¶43, for example, combined factors and data may be taken into account by a user identity determination module 131, which may determine or estimate whether or not the current user is a "fraudster" or an attacker or an imposter.  The user identity determination module 131 may trigger or activate a fraud mitigation module 132 able to perform one or more fraud mitigating steps based on that determination or estimation, for example, by requiring the current user to respond to a challenge, to answer security question(s), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like ], and  [¶91, identification of a licensee in order to detect or prevent software piracy or unauthorized usage by non-licensee user(s), for software or products that are sold or licensed on a per-user basis or a per-seat basis]; and [¶93] Some embodiments may be utilized to identify or equated to criminal activity)], and [¶41, fraudulent activity or irregular activity)], and [ ¶¶ 18, 89].
Regarding claim 15, Turgeman discloses  wherein the behavior patterns are weighted and comprise at least one of geographical location patterns of the authorized user, mobile device usage time patterns of the authorized user, typing speed patterns of the authorized user, or data-type patterns of the authorized user [¶47, to enable the system to extract user-specific feature(s) from the typing (e.g., typing speed; whether the user capitalized or did not capitalize certain letters or words; identifying a sequence of several characters that the particular user types faster or slower, compared to his average or median typing speed, or compared to other words that he typed or types, or compared to other users, or compared to a threshold value)].
Regarding claim 20,  Aabye does not explicitly disclose, however, Turgeman discloses wherein the historical data includes geographical locations where the authorized user accesses the mobile device [¶38, a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction)].
And Heshmati discloses [¶59, Device 100 may also include user interface 124 which provides mechanisms for effecting input and/or output to a user, such as a display screen, audio speakers, a touch screen, , a scanner, a camera, or any other similar components… location such as a global positioning system (GPS)… geographical position of wearable device]

Claims 5, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2016/0294837 issued to Turgeman et al (“Turgeman”) in view of US Patent No. 2015/0288687 issued to Heshmati et al (“Heshmati”) and further in view of US Patent No. 2016/0182543 issued to Aabye et al (“Aabye”) and in view of US Patent No. 2015/0040226issued to Barau et al (“Barau”).
Regarding claim 5, Turgeman , Heshmati, and Aabye do not explicitly disclose, however, Barau discloses wherein performing the first countermeasure comprises deleting data stored at the mobile device [¶94] hence, in response, in a step 84, the computer 32 triggers a countermeasure limiting the unscrambling of the multimedia contents.  Here, it temporarily or definitively prevents the unscrambling of the multimedia contents using the processor 16.  Typically, the deciphering of the control words is inhibited to do this], and [0095] More precisely, the countermeasure can be one of the following countermeasures: [0096] the erasure of the confidential data contained in the memory 38 such as the cryptographic keys and the access entitlements] [0097] the triggering of the self-destruction of the processor 16 so as to render it definitively unusable].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman, Heshmati,, and Aabye with the teaching of Barau order for the implementation of countermeasures to prevent cryptanalysis [Barau, ¶12].
Regarding claim 12, Turgeman,  Heshmati, and Aabye do not explicitly disclose, however, Barau discloses wherein performing the particular countermeasure further comprises: determining that the activity satisfies a third security level; and performing a third countermeasure of the plurality of countermeasures in response to determining the detected activity satisfies the third security level [¶94, Hence, in response, in a step 84, the computer 32 triggers a countermeasure limiting the unscrambling of the multimedia contents.  Here, it temporarily or definitively prevents the unscrambling of the multimedia contents using the processor 16.  Typically, the deciphering of the control words is inhibited to do this], and [0095] More precisely, the countermeasure can be one of the following countermeasures: [0096] the erasure of the confidential data contained in the memory 38 such as the cryptographic keys and the access entitlements] [0097] the triggering of the self-destruction of the processor 16 so as to render it definitively unusable].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman,  Heshmati , and Aabye with the teaching of Barau order for the implementation of countermeasures to prevent cryptanalysis and make the processor un-useable  [ Barau, ¶¶12, 97].
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2016/0294837 issued to Turgeman et al (“Turgeman”)  in view of US Patent No. 2015/0288687 issued to Heshmati et al (“Heshmati”) and further in view of US Patent No. 2016/0182543 issued to Aabye et al (“Aabye”) and further in view of US Patent No. 2015/0033306 issued to Dickerson et al (“Dickerson”).
Regarding claim 11,Turgeman discloses  generating information about the potential unauthorized user while the potential unauthorized user is engaged with the mobile device, the information including a fingerprint of the potential unauthorized user, a voice signature of the potential unauthorized user, or both [¶84,  It is noted that in some embodiments, the user authentication or controlled access methods of the present invention, may optionally be used in conjunction with sensing and/or analyzing other user-specific features or biometric traits; for example, using an image or photo or video of the user (e.g., before or during or after the actual interaction is performed), or using an audio or speech utterance or voice utterance by the user (e.g., before or during or after the actual interaction is performed), face recognition, retina scanning, speech analysis, fingerprints, and/or other biometric features and/or user-specific characteristics.  For example, the image or voice of the user, may be utilized as an assisting parameter in the decision whether or not the current user, who is performing the required task by interactions or gestures, is indeed the genuine user.  For example, if the system of the present invention is utilized in order to authorize or reject the access of a user into a building or a vehicle, then utilization of the user's image and/or voice may further be used as part of the decision-making process in which the user is authenticated or is blocked], and [¶57, The user-specific behavioral profile or signature or feature-set may be utilized in order to distinguish or differentiate between a first user and a second user; or between a first user and all other users; or between a genuine user and a fraudulent user (attacker, human imposter, computerized imposter, "bot", automated script)], and [¶58,For example, a Task-Based Behavioral Signature Comparator 162 may compare between: (a) a fresh or current or ad-hoc behavioral signature that is extracted from a current performance of a task by a user who contends to be the genuine user; 
	Turgeman, Heshmati, and Aabye do not explicitly disclose, however, Dickerson discloses wherein performing the second countermeasure comprises: providing false data in response to commands issued by the potential unauthorized user to engage the potential unauthorized user with the mobile device, the false data associated with the commands [¶47, The security module 206 provides the user simulated access to a computing or electronic system in response… Simulated access mimics a native computing environment of the computing or electronic system without granting the user access to authentic data…In one configuration, simulated access provides the user access to a set of false Data… In a further configuration, simulated access include monitoring or recording user activity within the simulated computing environment.  The monitoring may include logging the IP address of the computing device 106, a timestamp of the simulated access, and recording the user using audiovisual components of the computing device 106, such as an attached or integrated camera, an integrated microphone, or the like… This security scheme assumes that the user, by entering a valid authentication on the first attempt, is not the authorized user but an unauthorized user.  Providing the unauthorized user simulated access to the computing or electronic system upon entry of a valid authentication entry on the first attempt allows may lead to the identification of the intruder…].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman, Heshmati, and Aabye teaching of Dickerson  in order for providing the unauthorized user simulated access to the computing or electronic system upon entry of a valid authentication entry on the first attempt .
Claims 13, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2016/0294837 issued to Turgeman et al (“Turgeman”) in view of US Patent No. 2015/0288687 issued to Heshmati et al (“Heshmati”) and further in view of US Patent No. 2016/0182543 issued to Aabye et al (“Aabye”) and further in view of US Patent No. 2016/0275277 issued to Huang et al (“Huang”).
Regarding claims 13, and 17, Turgeman, Heshmati, and  Aabye  do not explicitly disclose, however, Huang discloses wherein the determination that the particular user is a potential unauthorized user is generated responsive to the comparison of the subsequent 
user behavior during the login process to the behavior patterns of the user profile indicating that access data has been manipulated or falsified [¶31, in an embodiment, user input patterns on a user interface may be monitored as a contextual trigger for data protection.  For instance, data (e.g., one or more files and/or folders) to be protected can be specified, a user interface interaction pattern may be assigned to the data as a contextual trigger, and a data protection response can be assigned to the data that is enacted if the contextual trigger is detected.  One or more user interface patterns may be assigned to the data as a contextual trigger, including one or a combination of the following types of patterns: [¶32,  (A) Keyboarding patterns, such as average typing speed, that are outside of a range of usual keyboarding patterns for a user.  Examples of such keyboarding patterns include a usual typing speed range of the user, a usual typing speed for a particular word for the user, usual typographical errors made by the user, and/or other keyboarding patterns that can be an indicator of risky environment], and 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman, Heshmati and Aabye teaching of Huang  in order for protecting data stored on a device based on user input patterns[Huang, Abstract].

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2016/0294837 issued to Turgeman et al (“Turgeman”) in view of US Patent No. 2015/0288687 issued to Heshmati et al (“Heshmati”) and further in view of US Patent No. 2016/0182543 issued .
Regarding claim 18, Turgeman, Heshmati and Aabye do not explicitly disclose, however, Stirtzinger discloses wherein the historical data includes time periods when the a1uthorized user accesses the mobile device [¶42] Behavior profiles may be indexed based on the attributes of the recorded activity.  For example, the behavior profile may be indexed based on the timestamp.  Indexing the behavior profile based on the timestamp may facilitate the construction of patterns of behavior based on hourly activity, daily activity, weekly activity, monthly activity, etc.42] Behavior profiles may be indexed based on the attributes of the recorded activity.  For example, the behavior profile may be indexed based on the timestamp.  Indexing the behavior profile based on the timestamp may facilitate the construction of patterns of behavior based on hourly activity, daily activity, weekly activity, monthly activity, etc. [¶51, computer program for providing a report of the anomalous behavior.  The report may be a suspect activity report and/or an interactive report.  The suspect activity report may define criteria for suspect activity.  For example, the suspect activity report may include a day of the week and report the criteria for suspect activity for that day of the week.  The analyst 170 may view the report and identify an entity who meets the most criteria for suspect activity.  The interactive report may define criteria for normal activity (e.g., the pattern of behavior defined in the behavior profile) and for suspect activity.  The analyst 170 may compare the normal activity with the suspect activity to discover additional relationships and patterns.  Interactive reports may also allow the analyst 170 to view the source data used generate the reports], and [¶53] Method 300 continues to operation 304 in which a behavior profile for an entity is generated based on the raw data.  For example, the import services may generate a behavior profile for an entity based on the raw data.  The 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Turgeman and Heshmati and Aabye teaching of Stirtzinger  in order for identifying anomalous behavior,  For example, a method may include receiving raw data, generating a behavior profile for the entity based on the raw data, receiving comparison data, determining whether the comparison data deviates from a pattern of behavior defined in the behavior profile, and identifying the comparison data 
as anomalous behavior when the comparison data deviates from the pattern of behavior [Stirtzinger, Abstract].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Aguayo (US2015/0317475) [[¶320, an attacker that has breached the security measures and compromised the device attempting to steal sensitive information].
Beauchesne (US2015/0264069) [¶4, once the user's computer has been breached, it can be used by the outside attacker …].
Rebelo (2016/0224777) [¶5, an unauthorized user has accessed sensitive data stored on the mobile device…].
Diamanti (US10, 142,794) [36, a cognitive security service 120 provides timely and reliable detection of security compromises to mobile devices, whether from the device being physically compromised or internally compromised.  In one example, a device may be physically compromised if physically taken by an unauthorized user.  In one example, a mobile device may be internally compromised if one or more software, network, or hardware layers 
Of the mobile device is accessed or attempted to be accessed by an unauthorized 
user…].
GUO(US9,838,405)[ Brief Summary( 2), a computing device is malicious and/or that an 
attacker has accessed sensitive information on the computing device].
Lyle (US6, 981,155) [Brief Summary (6), the attacker has accessed the honey pot files; the attacker has already gained access to the computer containing the files.  
Russo (US9, 154,515) [(43), the filter module 136 determining that a particular user accessed an unauthorized computing device].

Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.                                                                                                                                                                                                    
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497