DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the amendment filed on January 12, 2021.
Due to the Turgeman reference, the objection to claim 15 is withdrawn. Claim 15 is rejected below.
The Applicant amended the claims to indicate that the user account is monitored and that it is determined whether the account is accessed concurrently. Therefore, the 101 rejection has been withdrawn.

Continuation-in-Part (CIP)
This application is a CIP of 15/819,400.

Election/Restrictions
Applicant's election with traverse in the reply filed on July 8, 2020 is acknowledged.  The traversal is on the ground(s) that the inventions “are sufficiently inter-related to each other, and utilize the same or sufficiently similar components and/or keywords, such that their joined search is not expected to place an excessive search burden or examination burden.”  This is not found persuasive because the Examiner would have to perform a separate search for each of the five groups.
The requirement is still deemed proper and is therefore made FINAL.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-9, 15-17, 19-20, 23-27, and 32-33 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Turgeman (2014/0325646).

Turgeman discloses:

As per claim 1, a process comprising: (a) monitoring user interactions of a user that utilizes an electronic device to interact with a particular user-account of a computerized service; (b) detecting that said particular user-account is being accessed concurrently via two or more different log-in sessions from two or more different devices; (c) based on analysis of user interactions and further based on the detecting of 

As per claim 2, wherein monitoring user interactions comprises monitoring an average typing speed of said user; and based on monitored average typing speed of said user, determining that said set of operations were performed as part of a vishing attack.  (para.80—speed of typing)

As per claim 3, wherein monitoring user interactions comprises monitoring an average mouse-click speed of said user; and based on monitored average mouse-click speed of said user, determining that said set of operations were performed as part of a vishing attack.  (para.28—mouse movement strokes)

As per claim 4, wherein monitoring user interactions comprises monitoring a usage-session time-length of multiple usage-sessions of said user; and based on monitored usage-session time-length, determining that said set of operations were performed as part of a vishing attack.  (para.50—monitor time)

As per claim 5, wherein monitoring user interactions comprises monitoring periods of inactivity of said user during usage sessions; and based on monitored 

As per claim 6, wherein monitoring user interactions comprises monitoring frequency of on-screen-pointer turns of said user; and based on monitored frequency of on-screen-pointer turns, determining that said set of operations were performed as part of a vishing attack.  (para.42-43—mouse movements)

As per claim 7, wherein monitoring user interactions comprises monitoring an average on-screen distance traveled between clicks of said user; and based on monitored on-screen distance traveled between clicks, determining that said set of operations were performed as part of a vishing attack.  (para.151-distance)

As per claim 8, wherein monitoring user interactions comprises monitoring an average speed of movement of on-screen-pointer; and based on monitored average speed of movement of on-screen-pointer, determining that said set of operations were performed as part of a vishing attack.  (para.23—mouse speed)

As per claim 9, wherein monitoring user interactions comprises monitoring a ratio of displacement to distance of on-screen-pointer; and based on monitored ratio of displacement to distance, determining that said set of operations were performed as part of a vishing attack.  (para.151—distance)



As per claim 16, wherein monitoring user interactions comprises: (A) defining a parameter that indicates fluency of navigation of the user through multiple pages and multiple GUI elements of an online interface; (B) tracking fluency of navigation of said user across multiple usage sessions, and updating said parameter; (C) based on said parameter indicating fluency of navigation, determining that said set of operations were performed as part of a vishing attack.  (para.38—monitoring fluency of navigation)

As per claim 17, wherein monitoring user interactions comprises: (A) defining a parameter that indicates characteristics of letter-chunks that the user enters consecutively; (B) tracking data-entry by the user across multiple usage-sessions, and updating said parameter; (C) based on said parameter indicating characteristics of letter-chunks, determining that said set of operations were performed as part of a vishing attack.  (para.61—monitoring letter chunks)

Inventors: Oren Kedem et al. Attorney Docket: P-15205-US 1CIP Serial Number: 16/188,312

As per claim 19, wherein monitoring user interactions comprises: monitoring characteristics of typing rhythm exhibited by said user; and based on monitored 

As per claim 20, wherein monitoring user interactions comprises: (A) monitoring characteristics of typing rhythm exhibited by said user; (B) determining that typing rhythm in a particular usage-session of said user, is sufficiently different from previous typing rhythms exhibited in multiple previous usage-sessions of said user; and determining that said particular usage-session was part of a vishing attack.   (para.68—tracks typing)

As per claim 23, wherein monitoring user interactions comprises: monitoring an average time-gap between on-screen taps that said user performs directly via a touch-screen; and based on monitored average time-gap between on-screen taps that said user performs directly via said touch-screen, determining that said set of operations were performed as part of a vishing attack.  (para.57—monitors taps)

As per claim 24, wherein monitoring user interactions comprises: monitoring a maximum value of typing speed of said user; and based on monitored maximum value of typing speed of said user, determining that said set of operations were performed as part of a vishing attack.  (para.80—typing speed)

As per claim 25, wherein monitoring user interactions comprises: monitoring a minimum value of typing speed of said user; and based on monitored minimum value of 

As per claim 26, wherein monitoring user interactions comprises: monitoring a maximum value of mouse-click speed of said user; and based on monitored maximum value of mouse-click speed of said user, determining that said set of operations were performed as part of a vishing attack.   (para.28—mouse movement strokes)

As per claim 27, wherein monitoring user interactions comprises: monitoring a minimum value of mouse-click speed of said user; and based on monitored minimum value of mouse-click speed of said user, determining that said set of operations were performed as part of a vishing attack.   (para.28—mouse movement strokes)

As per claim 32, a non-transitory storage medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform a method comprising: (a) monitoring user interactions of a user that utilizes an electronic device to interact with a particular user-account of a computerized service; (b) detecting that said particular user-account is being accessed concurrently via two or more different log-in sessions from two or more different devices; (c) based on analysis of user interactions and further based on the detecting of step (b), determining that a set of operations were performed by said user in said particular user-account under orders from an attacker who dictated to said user which operations to perform in said particular user-account of said computerized service.  (para.113, 117, and 128—monitors log-in session of two or more users to determine if under orders from attacker)

As per claim 33, a system comprising: one or more processors, operably associated with one or more memory units; wherein the one or more processors are configured: (a) to monitor user interactions of a user that utilizes an electronic device to interact with a particular user-account of a computerized service; (b) to detect that said particular user-account is being accessed concurrently via two or more different log-in sessions from two or more different devices; (c) based on analysis of user interactions and further based on a detection reached in (b) above, to determine that a set of operations were performed by said user in said particular user-account under orders from an attacker who dictated to said user which operations to perform in said particular user-account of said computerized service. (para.113, 117, and 128—monitors log-in session of two or more users to determine if under orders from attacker)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  For example, 20180183827 discloses generating alerts related to a potential cyber attack on a resource of an organization.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Lalita M HAMILTON whose telephone number is (571)272-6743.  The examiner can normally be reached on M-F: flexible schedule.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Kalinowski can be reached on 571-272-6771.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/LALITA M HAMILTON/           Primary Examiner, Art Unit 3691