Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/25/2021 has been entered.

Response to Arguments
In communications filed on 3/25/2021, claims 1-4, 7-11, and 14-17 are presented for examination. Claims 1, 8, and 15 are independent.
Amended claim(s): 1-4, 8-11, and 15.
New claim(s): 16-17. 
Applicants’ arguments, see Applicant Arguments/Remarks filed 3/25/21, with respect to claim(s) rejected under prior art 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  Claim(s) 1-4, 7-11, and 14-17 is/are directed to a method, apparatus and CRM. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101. When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether Step 1: Identifying Statutory Categories              In the case, claim(s) is/are directed to method, CRM, and system to perform risk assessment of user associated information to make access decision – falls into one of the four statutory categories (i.e., method, system, and CRM). Nevertheless, the claims fall within the judicial exception of an abstract idea.
Step 2A: Identifying a Judicial Exception

The abstract functions of the claims in the case are claim(s) is/are directed to method, CRM, and system to collect information regarding users, analyze the information to generate a risk assessment, and make a decision based on the generated risk assessment (“collecting multiple types of information about a user awaiting identity authentication for access to a website, wherein the multiple types of information are used to authenticate the identity of the user, wherein the multiple types of information about the user includes one or more of: 
acquiring a plurality of risk coefficients corresponding to respective ones of the multiple types of information, wherein a risk coefficient among the plurality of risk coefficients indicates a degree to which the user's identity is trusted, wherein the acquiring of the plurality of risk coefficients corresponding to respective ones of the multiple types of information comprises: in the event that the type of information includes identifying document information, determining the risk coefficient corresponding to the identifying document information based identifying document clarity; in the event that the type of information includes permission information, determining the risk coefficient corresponding to the permission information based on: whether the user has been denied or granted access to an affiliate website to the website; and in the event that the type of information includes information relating to the user's behavior on the Internet, determining the risk coefficient corresponding to the behavioral information based on one or more of: whether the user has visited a known illegitimate website, whether the user has visited a risky website known to spread a virus, and/or whether the user has visited a leaky website known to leak customer information; obtaining a comprehensive risk coefficient based at least in 
As such, the abstract idea is collecting data, analyzing the data, mathematically manipulating the data to generate a risk assessment, and making a decision based on the risk assesment. As such, the claims fall under at least the category of “an idea of itself”, “Certain Methods of Organizing Human Activity” and “mathematical relations / formulas”. The phrase “an idea of itself is used to describe an idea standing alone such as an instantiated concept, plan or scheme, as well as a mental process (thinking) that “can be performed in the human mind, or by a human using a pen and paper." Looking at the steps of the claims, for each of the claims, data is simply being organized into bits of input and output messages with mathematical operations/correlations being performed on them. This is simply collecting, organizing and comparing known information which was ruled abstract in: 
         a. Collecting and comparing known information (Classen); 
         b. Comparing information regarding a sample or test subject to a control or target data (Ambry/Myriad CAFC); 
 Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning); 
         d. Data recognition and storage (Content Extraction);
         e. Obtaining and comparing intangible data (Cybersource); 
         f. Collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group);
         g. Organizing and manipulating information through mathematical correlations (Digitech);
         h. Virus Screening (Int. Ventures v. Symantec ‘610 patent);
         i. A mathematical formula for calculating parameters indicating an abnormal condition (Grams);
Furthermore, the invention is nothing more than collecting and categorizing information through mathematical correlation. The steps are similar to concepts and ideas that have been identified as abstract by the courts. For example, collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group); a mathematical formula for calculating parameters indicating an abnormal condition (Grams); Obtaining and comparing intangible data (Cybersource); and collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning). While the specific facts of the case differ from these cases, the claims are still directed to collecting and providing known information and comparing new and stored information. A computer is not necessary to generate, receive and correlate/compare data. Even further still, any steps that deal with generating, receiving, analyzing/comparing are insignificant, extra solution activity because receiving, analyzing and transmitting device data, comparing collected data and taking action based on matching/comparison are all well-known in the computer network security arts.
Finding the claims to be directed toward an abstract idea, however, is not the end of the inquiry. See Mayo Collaborative Servs. v. Prometheus Labs. Inc., 132 S. Ct. 1289, 1297 (2012). Rather, the second step requires determining whether additional substantive limitations narrow, confine, or otherwise tie down the claim so that, in practical terms, it does not cover the full abstract idea itself. Another way of stating the test is whether the claim language provides “significantly more” than the abstract idea itself.                    
 Step 2B: Considering Additional Elements
The considerations are whether the claim includes:
•    Improvements to another technology or technical field;
•    Improvements to the functioning of the computer itself;

•    Effecting a transformation or reduction of a particular article to a different state or thing;
•    Adding a specific limitation other than what is well-understood, routine and conventional in the field, or adding unconventional steps that confine the claim to a particular useful application;
•    Other meaningful limitations beyond generally linking the use of the judicial exception to a particular technological environment. 
Applying the test to the claims in the application, the structural elements of the claims, which include a computer when taken in combination with the functional elements claim(s) is/are directed to method, CRM, and system to collect information regarding users, analyze the information to generate a risk assessment, and make a decision based on the generated risk assessment, together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of any computer itself, or provide meaningful limitations beyond generally linking an abstract idea (collecting data from server(s)) to a particular technological environment (a general purpose computer and/or lacks an unconventional step that confines the claim to a particular useful application in the sense that the result is equivalent to purely mental activity, e.g., data, comparison and output/updates/response. Dependent claims merely recite the mathematical model for calculating the risk assessment. Therefore all corresponding dependent claims are also rejected.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of 
Claim 1-4, 7-11, and 14-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 20140331293 A1 (hereinafter ‘Toole’) in view of Arthur, James D., and K. Todd Stevens. "Assessing the adequacy of documentation through document quality indicators." Proceedings. Conference on Software Maintenance-1989. IEEE, 1989 (hereinafter ‘Arthur’) in view of US 20130097701 A1 (hereinafter ‘Moyle’) in view of US 9185095 B1 (hereinafter ‘Moritz’)

As regards claim 1, Toole (US 20140331293 A1) discloses: A method, comprising: collecting multiple types of information about a user awaiting identity authentication for access to a website, wherein the multiple types of information are used to authenticate the identity of the user, (Toole: Figs. 1-8, ¶4, ¶13)
wherein the multiple types of information about the user includes one or more of: identifying document information, (Toole: Figs. 2-6, ¶18-¶27, ¶43-¶44, ¶67. i.e., the document 
acquiring a plurality of risk coefficients corresponding to respective ones of the multiple types of information, wherein a risk coefficient among the plurality of risk coefficients indicates a degree to which the user's identity is trusted, (Toole: Figs 1-8, ¶65-¶73)
wherein the acquiring of the plurality of risk coefficients corresponding to respective ones of the multiple types of information comprises: in the event that the type of information includes identifying document information, determining the risk coefficient corresponding to the identifying document information based on (Toole: Figs. 2-6, ¶18-¶27, ¶43-¶44, ¶67. i.e., the document factors for authentication including biodata information): 
However, Toole does not but in analogous art, Arthur teaches: identifying document clarity; (Arthur: pages 41-43, 
Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Toole to include measuring the adequacy of a document using multiple factors including completeness, accuracy, and validity as taught by Arthur with the motivation to measure the quality/clarity of a document (Arthur: pages 41-43)
Toole et al combination further discloses: in the event that the type of information includes permission information, determining the risk coefficient corresponding to the permission information based on: (Toole: Figs. 2-6, ¶13-¶14, ¶18-¶27, ¶43-¶44, ¶¶48-50, i.e., the risk associated with restrictions/permissions to conduct transactions)
However Toole et al do not but in analogous art, Moyle (US 20130097701 A1) teaches: whether the user has denied or granted access to an affiliate website to the website; (Moyle: ¶28-¶30, i.e., risk assessment of user behavior includes user’s authentication to certain systems and/or accessing certain websites)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Toole to include events such as authentications of user to certain systems in the enterprise system including 
Toole et al combination further discloses: in the event that the type of information includes information relating to the user's behavior on the Internet, determining the risk coefficient corresponding to the behavioral information based on one or more of: (Toole: Figs. 2-6, ¶18-¶27, ¶43-¶44, ¶68-¶72, i.e., observed factors i.e., behavior, such as accessing servers from a particular wifi or network or location)
However, Toole et al do not but in analogous art, Moritz teaches: whether the user has visited a known illegitimate website, whether the user has visited a risky website known to spread a virus, and/or whether the user has visited a leaky website known to leak customer information; (Moritz: Fig. 1, Abstract, col 1:45 to col. 2:65, col. 4:60 to col 5:16, i.e., determining user’s deviation from normal behavior by tracking user’s behavior online including the sites visited, IP addresses used, etc. See also, Moyle: ¶28-¶30)
Before the effective date of the invention, it would have been obvious to one of ordinary skill in the art to modify Toole to include tracing a user’s behavior online using factors such as IP addresses, visited sites etc as taught by Moritz with the 
Toole et al combination further discloses: obtaining a comprehensive risk coefficient based at least in part on the plurality of risk coefficients corresponding to the respective ones of the multiple types of information; and (Toole: Figs 1-7, ¶65-¶74)
determining whether to authenticate the user's identity based at least in part on the comprehensive risk coefficient. (Toole: Figs 1-7, ¶65-¶74)

Claims 8 and 15 recite substantially the same features recited in claim 1 and are rejected based on the aforementioned rationale discussed in the rejection of claim 1.

As regards claim 2, Toole et al combination discloses the method as described in claim 1, the acquiring of the plurality of risk coefficients comprises: evaluating, using a data model, the risk coefficients corresponding to the respective ones of information to obtain the comprehensive risk coefficient, (Toole: Figs 1-8 i.e., figs 2-6 shows the data models for the various different authentication types/factors that’s built, ¶4-¶6, ¶65-¶74) wherein: the data model is obtained through training based on training sets; and (Toole: Figs 1-8 i.e., figs 

Claim 9 recites substantially the same features recited in claim 2 and is rejected based on the aforementioned rationale discussed in the rejection of claim 2.

As regards claim 3, Toole et al combination discloses the method as described in claim 1, the acquiring of the plurality of risk coefficients comprises: evaluating, using a data model, the risk coefficients corresponding to the respective ones of information to obtain the comprehensive risk coefficient, (Toole: Figs 1-8 i.e., figs 2-6 shows the data models for the various different authentication types/factors that’s built, ¶4-¶6, ¶65-¶74) wherein: the data model is obtained through training based on training sets; the (Toole: Figs 1-8 i.e., figs 2-6 shows the data models for the various different authentication types/factors that’s built, ¶12-¶34 i.e., the 

Claim 10 recites substantially the same features recited in claim 3 and is rejected based on the aforementioned rationale discussed in the rejection of claim 3.

As regards claim 4, Toole et al combination discloses the method as described in claim 1, the obtaining of the comprehensive risk coefficient comprises: obtaining weighted risk coefficients by weighing the risk coefficients corresponding to the multiple types of information based on the risk coefficients corresponding to the respective ones of the multiple types of information and weights of the respective ones of the multiple types of information; (Toole: Figs 1-7, ¶4-¶5, ¶14, ¶65-¶74) and obtaining the comprehensive risk coefficient based on the weighted risk coefficients, wherein a weight corresponding to a specific type of information indicates an effect of the specific type of information has on the comprehensive risk coefficient, the weight corresponding to the specific type of information being pre-assigned. (Toole: Figs 1-7, ¶4-¶5, ¶30-¶35, ¶48 ¶14, ¶65-¶74) 

Claim 11 recites substantially the same features recited in claim 4 and is rejected based on the aforementioned rationale discussed in the rejection of claim 4.

As regards claim 7, Toole et al combination discloses the method as described in claim 1, wherein the acquiring of the risk coefficient corresponding to respective ones of the 

Claim 14 recites substantially the same features recited in claim 7 and is rejected based on the aforementioned rationale discussed in the rejection of claim 7.

As regards claim 16, Toole et al combination discloses the method as described in claim 1, wherein the multiple types of information about the user includes two or more of: identifying document information, permission information, and/or Internet behavior information of the user. (Toole: Figs. 2-6, ¶18-¶27, ¶43-¶50, ¶68-¶74)

claim 17, Toole et al combination discloses the method as described in claim 1, wherein the multiple types of information about the user includes: identifying document information, permission information, and Internet behavior information of the user. (Toole: Figs. 2-6, ¶18-¶27, ¶43-¶50, ¶68-¶74)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995.  The examiner can normally be reached on Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval 






/SYED A ZAIDI/Primary Examiner, Art Unit 2432