DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Applicant's amendments filed on 04/20/2021 has been received and entered.  Currently Claims 1-25 and 27 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 02/05/2021 has been considered by the examiner.

Response to Arguments
Applicant argues on page 12 of applicant’s remarks that the cited references fail to teach or describe “generating, at predetermined intervals after the authentication, snapshot data of the user activity, the snapshot data comprising at least one of: (i) current bandwidth usage or (iii) a number of open ports; determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user and (b) the snapshot data and at least one of (1) the first data, (2) the historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of the one or more resources is anomalous” as recited in the amended claims.
Applicant’s arguments are moot in view of the new ground(s) of rejection.

Applicant argues on page 13 of applicant’s remarks that Gibson fails to teach individual machine learning models "created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user" as recited in the amended claims.  Instead, Gibson [0021] describes a single passive security engine 130 that associates users with a profile. In order words, there is a single passive security engine 130 for a number of profiles, rather than individual passive security engines for each user profile.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-10, 13-20, 22-23 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. USPN9,485,237 hereinafter referred to as Johansson, in view of Gibson et al. US2016/0162683 hereinafter referred to as Gibson, Kurupati USPN9,686,300, and Nguyen et al. USPN10,237,298 hereinafter referred to as Nguyen.
As per claim 1, Johansson teaches a system comprising: at least one data processor; memory storing instructions, which when executed by at least one data processor, result in operations comprising: generating, an identification confidence score of a user based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication (Johansson col 6 lines 50-55, col 
initiating authentication for the user based on the identification confidence score indicating the level of trust is below a threshold (Johansson col 9 lines 30-45, If the confidence score does not meet a threshold, require further authentication).
Johansson does not explicitly disclose generating, prior to authentication using a behavioral model, an identification confidence score of a user;
wherein the behavioral model is an individual machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse and keyboard dynamics; 
monitoring, using the behavioral model, user activity of the user for anomalous activity to generate first data; 
generating, at predetermined intervals after the authentication, snapshot data of the user activity,
determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous; 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource; and 
modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score.  
Gibson teaches generating, prior to authentication using a behavioral model, an identification confidence score of a user (Gibson paragraph [0026]-[0027], [0051]-[0052], [0056], generate score for initial authentication);
wherein the behavioral model is an individual machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse and keyboard 
monitoring, using the behavioral model, user activity of the user for anomalous activity to generate first data (Gibson paragraph [0022]-[0023], [0048]-[0049], [0056], monitor, collect and process user data/activities); 
generating, at predetermined intervals after the authentication, snapshot data of the user activity (Gibson paragraph [0008], [0022]-[0023], [0048]-[0049], [0059], generate user data/activities at intervals),
determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous (Gibson paragraph [0026], [0049], [0051], [0056], compare current user data with baseline profile data to determine confidence score); 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource (Gibson paragraph [0031]-[0032], [0058], revoke user access to resource); and 
modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score (Gibson paragraph [0008]-[0009], [0050]-[0052], [0056], modifying the confidence score of the user via continuous authentication of the user).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson with the teachings of Gibson to include monitoring user information and passively authenticating the user based on the monitored information in order to provide continuous authentication of the user to ensure that the user accessing the secured resources is the same user that was initially authenticated.
Johansson in view of Gibson does not explicitly disclose one or more characteristics of the user including mouse movement.
Kurupati teaches one or more characteristics of the user including mouse movement (Kurupati col 2 lines 10-30, col 4 lines 35-40, col 9 lines 50-55, generating baseline model based on mouse movement).

Johansson in view of Gibson and Kurupati does not explicitly disclose generating, snapshot data of user activity, the snapshot data comprising at least one of: (i) current bandwidth usage or (ii) a number of open ports; 
determining, using behavioral model based on monitoring, differences between (b) the snapshot data and at least one of (1) first data, (2) historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of one or more resources is anomalous.
Nguyen teaches generating, snapshot data of user activity, the snapshot data comprising at least one of: (i) current bandwidth usage or (ii) a number of open ports (Nguyen col 7 lines 25-45, col 12 lines 20 – col 13 line 30, generate user data, such as bandwidth usage, based on current user activity); 
determining, using behavioral model based on monitoring, differences between (b) the snapshot data and at least one of (1) first data, (2) historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of one or more resources is anomalous (Nguyen col 7 lines 25-45, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, comparing current user data with baseline profile data to determine anomalies).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson and Kurupati with the teachings of Nguyen to include authenticating users based on behavioral information and patterns of the users because the results would have been predictable and resulted in providing continuous authentication of the user based on the behavioral patterns of the user.

As per claim 2, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: suspending, in response to anomalous activity by the user, all 

As per claim 3, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: terminating, in response to anomalous activity by the user, all processes associated with the user (Gibson paragraph [0031], [0058], revoke user access/logout user; Kurupati col 7 lines 24-26; Nguyen col 8 lines 25-35).  

As per claim 4, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the one or more characteristics of the user includes at least one of a device in use by the user, a geographical location of the device, an authentication history of the user, and a reputation of the internet protocol address used by the device (Johansson col 3 lines 35-45, col 4 lines 40-50, col 8 line 60 – col 9 line 5, client characteristics and user behavior; Gibson paragraph [0021]-[0023], [0031], [0056], device location and user behavior; Kurupati col 2 lines 10-30, col 4 lines 30-40, col 6 lines 30-42, user behavior and historical data; Nguyen col 5 lines 45-60, col 10 lines 1-10, generate baseline profile based on user data).  

As per claim 5, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the one or more characteristics of the user includes conduct of the user, the conduct comprising one or more of the user's speed of typing, intervals between the user typing characters, a firmness of the user pressing a user interface, and a location of the user's input on the user interface (Johansson col 4 lines 44-50; Gibson paragraph [0022]-[0023]; Kurupati col 4 lines 30-45, col 8 lines 15-35).  

As per claim 6, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data; and comparing the snapshot data against historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous (Nguyen col 7 lines 

As per claim 7, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data; and comparing the snapshot data against known actions of an attacker to determine whether the user's utilization of the one or more resources is anomalous (Nguyen col 1 lines 60-65, col 7 lines 25-65, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, col 21 lines 30-42, comparing current user data with known malicious behavior).  

As per claim 9, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: re-authenticating the user based on the modified identification score (Gibson paragraph [0032], [0043], [0058], request additional information/credentials; Kurupati col 7 lines 25-35; Nguyen col 2 lines 40-47, col 14 lines 18-25, requiring additional authentication).  

As per claim 10, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the anomalous activity includes one or more observed user behavior that is not consistent with previously observed actions of the user (Gibson paragraph [0026], [0049], [0051], [0056]; Nguyen col 7 lines 25-65, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, comparing current user data with baseline profile data to determine anomalies).

As per claim 13, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the authentication comprises requesting user biometrics (Johansson col 7 lines 1-10, col 9 lines 20-45; Gibson paragraph [0030]; Kurupati col 7 lines 30-35; Nguyen col 7 lines 5-10).  

As per claims 14-20 and 22-23, claims 14-20 and 22-23 claim a method essentially corresponding to the system claims 1-7 and 9-10 above, and they are rejected, at least for the same reasons.

As per claim 27, Johansson teaches a system comprising: at least one data processor; memory storing instructions, which when executed by at least one data processor, result in operations comprising: generating, an identification confidence score of a user based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication (Johansson col 6 lines 50-55, col 7 lines 1-10, col 7 lines 20-30, col 8 lines 25-40, col 9 lines 30-45, generate a confidence score for the user.  If the confidence score does not meet a threshold, require further authentication), 
initiating authentication for the user based on the identification confidence score indicating the level of trust is below a threshold (Johansson col 9 lines 30-45, If the confidence score does not meet a threshold, require further authentication);
providing, based on the authentication, the user with remote access to one or more resources comprising at least one of a desktop computer, an application, or a server (Johansson Fig.1, Fig. 3A- Fig. 3C, col 9 lines 30-45, grant user access to resource).
Johansson does not explicitly disclose generating, prior to authentication using a behavioral model, an identification confidence score of a user;
wherein the behavioral model is a machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse and keyboard dynamics; 
monitoring, using the behavioral model after providing, user activity of the user for anomalous activity to generate first data; 
generating, at predetermined intervals after the authentication, snapshot data of the user activity,
determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous; 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource; and 

Gibson teaches generating, prior to authentication using a behavioral model, an identification confidence score of a user (Gibson paragraph [0026]-[0027], [0051]-[0052], [0056], generate score for initial authentication);
wherein the behavioral model is a machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse and keyboard dynamics (Gibson paragraph [0021]-[0023], [0049], [0056], create baseline profiles for users using machine learning of user characteristics such as mouse and keyboard data); 
monitoring, using the behavioral model after providing, user activity of the user for anomalous activity to generate first data (Gibson paragraph [0022]-[0023], [0047]-[0049], [0056], [0058], monitor, collect and process user data/activities); 
generating, at predetermined intervals after the authentication, snapshot data of the user activity (Gibson paragraph [0008], [0022]-[0023], [0048]-[0049], [0059], generate user data/activities at intervals),
determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous (Gibson paragraph [0026], [0049], [0051], [0056], compare current user data with baseline profile data to determine confidence score); 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource (Gibson paragraph [0031]-[0032], [0058], revoke user access to resource); and 
modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score (Gibson paragraph [0008]-[0009], [0050]-[0052], [0056], modifying the confidence score of the user via continuous authentication of the user).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson with the teachings of Gibson to include monitoring user information and passively authenticating the user based on the monitored information in 
Johansson in view of Gibson does not explicitly disclose one or more characteristics of the user including mouse movement.
Kurupati teaches one or more characteristics of the user including mouse movement (Kurupati col 2 lines 10-30, col 4 lines 35-40, col 9 lines 50-55, generating baseline model based on mouse movement).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson with the teachings of Kurupati to include authenticating users based on a baseline model of mouse movement data in order to provide continuous authentication of the user based on granular mouse pattern details.
Johansson in view of Gibson and Kurupati does not explicitly disclose generating, snapshot data of user activity, the snapshot data comprising at least one of: (i) current bandwidth usage or (ii) a number of open ports; 
determining, using behavioral model based on monitoring, differences between (b) the snapshot data and at least one of (1) first data, (2) historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of one or more resources is anomalous.
Nguyen teaches generating, snapshot data of user activity, the snapshot data comprising at least one of: (i) current bandwidth usage or (ii) a number of open ports (Nguyen col 7 lines 25-45, col 12 lines 20 – col 13 line 30, generate user data, such as bandwidth usage, based on current user activity); 
determining, using behavioral model based on monitoring, differences between (b) the snapshot data and at least one of (1) first data, (2) historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of one or more resources is anomalous (Nguyen col 7 lines 25-45, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, comparing current user data with baseline profile data to determine anomalies).


Claims 8 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson, Kurupati, and Nguyen, and further in view of Jones et al. USPN9,537,880 hereinafter referred to as Jones.
As per claim 8, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data (Nguyen col 7 lines 25-65, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, generate user data, such as bandwidth usage, based on current user activity).
Johansson in view of Gibson, Kurupati and Nguyen does not explicitly disclose comparing snapshot data against historical utilization data for a group of users similar to user to determine whether the user's utilization of one or more resources is anomalous.  
Jones teaches comparing snapshot data against historical utilization data for a group of users similar to user to determine whether the user's utilization of one or more resources is anomalous (Jones col 4 lines 35-60, col 8 lines 40-55, col 9 lines 50-65, col 15 lines 40-50, col 15 lines 65-67, comparing user behavior data to behavior data of similar users).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson, Kurupati and Nguyen with the teachings of Jones to include comparing user behavior to behavior data of similar users to determine anomalous behaviors in order to provide a more comprehensive behavioral baseline for authenticating the user.

As per claim 21, claim 21 claims a method essentially corresponding to the system claim 8 above, and is rejected, at least for the same reasons.

Claims 11-12 and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson, Kurupati, and Nguyen, and further in view of Sng US2015/0180868.
As per claim 11, Johansson in view of Gibson, Kurupati and Nguyen teaches the system of claim 1, wherein the one or more resource comprises software applications, application proxies, network services, mobile device managers, desktop access, and server access (Johansson col 3 lines 55-67, col 6 lines 30-35, secure resources; Gibson paragraph [0032]; Kurupati col 3 lines 25-31, col 7 lines 24-30; Nguyen col 4 lines 10-15).  
Johansson in view of Gibson, Kurupati and Nguyen does not explicitly disclose wherein operations further comprise: providing, one or more resources, an identity token for user related to authentication of the user.
Sng teaches wherein operations further comprise: providing, one or more resources, an identity token for user related to authentication of the user (Sng paragraph [0028], providing token).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson, Kurupati and Nguyen with the teachings of Sng to include issuing and providing a security token in order to provide single sign-on solution.

As per claim 12, Johansson in view of Gibson, Kurupati, Nguyen and Sng teaches the system of claim 11, wherein the removing the user's access to the one or more resources comprises informing the one or more resources of the anomalous activity based on the identity token (Gibson paragraph [0031], [0058]; Nguyen col 4 lines 10-15, col 12 lines 20 – col 13 line 30; Kurupati col 7 lines 25-30; Sng paragraph [0028]).  

As per claims 24-25, claims 24-25 claim a method essentially corresponding to the system claims 11-12 above, and they are rejected, at least for the same reasons.
Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959.  The examiner can normally be reached on M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HENRY TSANG/Primary Examiner, Art Unit 2495