DETAILED ACTION
1.	This office action is in response to the communication filed on 05/09/2019.
2.	Claims 1-20 are pending. 

Notice of Pre-AIA  or AIA  Status
3.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

Examiner Notes
5.	Regarding claim 18, the limitation “computer readable storage medium”, in light of the written specification (US-PGPUB, paragraph 101), is a non-transitory computer readable storage medium.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


6.	Claim(s) 1-3, 10-15 and 17-19 is/are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Cecchetti et al. (US 20130340076 A1).
Regarding claim 1:
Cecchetti discloses a computer-implemented method comprising: 
tracking characteristics of user input by a user to a computer system via one or more input devices of the computer system (see paras. 19-20 where characteristics, e.g. keystroke sequence, of a developer (i.e. a user) are analyzed (i.e. monitoring/tracking for analysis) to develop a profile for that developer; see fig. 10 and para. 93 for a computing system employed by a developer/user to submit a code); 
building and maintaining a user profile for that user based on the tracking, the user profile providing a baseline of expected characteristics of user input by that user, the baseline defined at least in part by the tracked characteristics (see paras. 20-21, 30); 
monitoring input to the computer system in real time as the input is provided to the computer system (see paras. 29-30, 44 where a submitted code including characteristics is analyzed (i.e. monitoring for analysis) to detect a potential intrusion and update a profile in real-time); 
identifying, based on the monitoring and on a comparison of characteristics of the monitored input to the baseline of expected characteristics, a potential malicious code injection as part of the monitored input to the computer system (see para. 29 where a submitted code is determined to be associated with a potential intrusion, e.g. submitted by a malicious programmer, based on a comparison of the characteristics of the submitted code with a developed profile; see para. 18 where a malicious code is inserted); and 
performing mitigation processing based on identifying the potential malicious code injection (see para. 29 for action such as countermeasures or quarantining a suspect/malicious code).

Regarding claims 14 and 18:
	See similar rejection to claim 1.

Regarding claim 2:
Cecchetti discloses:        
wherein the identifying comprises identifying a deviation of the characteristics of the monitored input from the baseline of expected characteristics, the deviation exceeding a predefined tolerance level, wherein exceeding the predefined tolerance level indicates a potential malicious code injection included in the monitored input to the computer system, and wherein one or more actions of the mitigation processing are selected based on a severity of the deviation of the characteristics of the monitored input from the baseline of expected characteristics (see para. 29 and/or 72 where an intrusion score/metric is determined based on a comparison of a profile (i.e. profile’s characteristics) to a submitted code’s characteristics, wherein the intrusion score/metric includes a .

Regarding claim 3:
Cecchetti discloses:
wherein the computer system comprises a plurality of predefined tolerance levels of increasing degree of severity, wherein the plurality of predefined tolerance levels define when to trigger the mitigation processing and which actions to trigger as part of the mitigation processing (see paras. 73-74).

Regarding claim 10:
Cecchetti discloses:
characteristics about at least one selected from the group consisting of: the user's navigation using PATH environmental variables of an operating system of the computer system, and the user's input-based invocation of executable commands (see paras. 19 and/or 29 for function calls, submitted code, etc.).

Regarding claims 11 and 17:
Cecchetti discloses wherein the baseline is further defined at least in part based on: 
one or more user characteristics selected from the group consisting of: the user's occupation, the user's primary language, the user's location, and a role of the user (see paras. 52 and/or 69 for characteristics include location information associated with a trusted developer); and 
computer system characteristics selected from the group consisting of: a role of the computer system, an expected use of the system, software loaded on the computer system, and a location of the computer system (see para. 52 and/or 69 for characteristics include location information associated with a trusted developer; see para. 93 for a computing system employed by a developer to submit a code).

Regarding claim 12:
Cecchetti discloses:
receiving the monitored input through a Human Interface Device of the computer system, the monitored input being provided to an input stream of device input (see fig. 10 and para. 93 for a computing system employed by a developer/user to submit a code; see paras. 18-19 where characteristics include a keystroke sequence associated with a submitted code is/are determined), wherein the monitoring buffers the monitored input from the input stream for comparison of the characteristics of the monitored input to the baseline of expected characteristics (see paras. 72-74), and wherein portions of the monitored input that are not identified as being part of the potential malicious code injection are passed to one or more destinations of the portions of the monitored input (see para. 74).

Regarding claim 13:
Cecchetti discloses:
wherein the tracking and the maintaining refine the user profile and update the baseline of expected characteristics based on an observed evolution in one or more tracked characteristics of the user input, the evolution corresponding to a trend observed over time in the one or more tracked characteristics of the user input (see paras. 19-20 where characteristics of a developer are analyzed to develop a profile for that developer; see para. 45 where a profile includes characteristics of a trusted developer; see para. 66 where a developer profile is updated based on characteristics received from the developer).

Regarding claims 15 and 19:
	See similar rejection to claim 3 (i.e. claims 2 and 3).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


7.	Claim(s) 4-9, 16 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cecchetti in view of Turgeman (US 20170091450 A1).
Regarding claim 4:
Cecchetti discloses:
wherein the identifying the potential malicious code injection is based on the comparison indicating at least a threshold amount of deviation from the baseline of expected characteristics in at least one characteristic of the monitored input, the at least one characteristic being selected from the group of consisting of: [speed of character input from an input device of the computer system, navigation using one or more PATH variables, invocation of keyboard shortcuts, invocation of operating system navigation shortcuts, invocation of system management or administrative tools via a command line interface, and invocation of unexpected software functions given a defined role of the computer system] (see paras. 72-73).
Cecchetti does not, but Turgeman discloses:
speed of character input from an input device of the computer system, navigation using one or more PATH variables, invocation of keyboard shortcuts, invocation of operating system navigation shortcuts, invocation of system management or administrative tools via a command line interface, and invocation of unexpected software functions given a defined role of the computer system (see Turgeman, paras. 65 and/or 81 for typing rate/speed; see para. 86 for keyboard shortcuts).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Cecchetti's invention by enhancing it for speed of character input from an input device of 

Regarding claim 5:
Cecchetti does not, but Turgeman discloses:
an action of presenting an on-screen challenge for the user to validate whether the user is providing the monitored input to the computer system, wherein the on-screen challenge requires user-interaction to confirm that the monitored input is not being supplied by a malicious actor (see Turgeman, paras. 51, 84 and/or 251).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Cecchetti's invention by enhancing it for an action of presenting an on-screen challenge for the user to validate whether the user is providing the monitored input to the computer system, wherein the on-screen challenge requires user-interaction to confirm that the monitored input is not being supplied by a malicious actor, as taught by Turgeman, in order to distinguish or discriminate between the genuine user and a remote attacker (Turgeman, para. 51).

Regarding claim 6:
Cecchetti does not, but Turgeman discloses:
wherein based on the user failing to correctly complete the on-screen challenge, the performing the mitigation processing comprises performing one or more additional actions to secure the computer system (see Turgeman, para. 31, where one or more fraud mitigating steps (i.e. one or more additional actions) are performed based on a user’s respond to a challenge; see para. 99 where a system is allowed to distinguish and/or differentiate between a legitimate user and an illegitimate user by mitigation).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Cecchetti's invention by enhancing it for an action of presenting an on-screen challenge for the user to validate whether the user is providing the monitored input to the computer system, wherein the on-screen challenge requires user-interaction to confirm that the monitored input is not being supplied by a malicious actor, as taught by Turgeman. The motivation is the same as presented in claim 5.

Regarding claim 7:
Cecchetti discloses:
[wherein based on the user correctly completing the on-screen challenge, the method further comprises refining the user profile and] updating the baseline of expected characteristics to reflect an expanded user input skillset that incorporates characteristics of the monitored input (see para. 45 where a developer .
Cecchetti does not, but Turgeman discloses:
wherein based on the user correctly completing the on-screen challenge, refining the user profile and updating the baseline (see Turgeman, para. 252 where a user correctly enters a particular response/word in response to a displayed challenge; see para. 54 where a user profile is updated when the user is determined to be genuine; see para. 85 where a user profile comprises user interaction characteristics).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Cecchetti's invention by enhancing it for refining the user profile and updating the baseline based on the user correctly completing the on-screen challenge, as taught by Turgeman. The motivation is the same as presented in claim 5.

Regarding claims 16 and 20:
	See similar rejection to claim 7 (i.e. claims 4, 5 and 7).

Regarding claim 8:
Cecchetti discloses:
wherein the mitigation processing comprises at least one action selected from the group consisting of: logging the user out of the computer system, disconnecting or blocking one or more network connections of the computer system, and logging and reporting an event to a remote server, the event indicating that a potential malicious code injection was identified (see para. 29 where a report is generated (i.e. logging and generating) and sent to a target server in response to a potential intrusion when a submit code submitted by a malicious programmer is determined; see para. 87 where a target server is a remote server; see para. 18 where a malicious code is inserted).

Regarding claim 9:
Cecchetti discloses:
obtaining, across periods of time, a time-series collection of data from which the characteristics of the user input are ascertained, wherein the characteristics fluctuate across the periods of time, and wherein the tracked characteristics comprise characteristics of keyboard input, the characteristics of the keyboard input comprising [at least one selected from the group consisting of: typing speed of the user, primary language in which the user types, and keyboard shortcut usage] (see paras. 19-20, 35 where characteristics include a keystroke sequence over a period of time, wherein the characteristics include a number of unusual or change characteristics).
Cecchetti does not, but Turgeman discloses:
at least one selected from the group consisting of: typing speed of the user, primary language in which the user types, and keyboard shortcut usage (see Turgeman, paras. 65 and/or 81 for typing rate/speed; see para. 86 for keyboard shortcuts).
.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Anderholm et al., US 20050183143 A1, Methods and systems for monitoring user, application or device activity.
Appleboum et al., US 20200226298 A1, System and method for securing a computer system from threats introduced by USB devices.
Denney et al., US 20200356665 A1, Systems and methods for inhibiting threats to a computing environment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2437