DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
Claims 1-25 and 27 are allowed.

Reasons for Allowance
Examiner’s statement of reasons for allowance for claims 1-25 and 27 is stated below.
Regarding independent Claim 1, the Examiner found neither prior art cited in its entirety, nor based on the prior art, found any motivation to combine any of said prior art that teaches “generating, prior to authentication using a behavioral model, an identification confidence score of a user of a plurality of users based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication, wherein the behavioral model is an individual machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse movement and keyboard dynamics; initiating authentication for the user based on the identification confidence score; monitoring, using the behavioral model, user activity of the user for anomalous activity to generate first data; generating, at predetermined intervals after the authentication, snapshot data of the user activity, the snapshot data comprising both of : (i) current bandwidth usage and (ii) a number of open ports; determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user and (b) the snapshot data and at least one of (1) the first data, (2) the historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of the one or more resources is anomalous; removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource; and modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score by lowering the score 
when 
The dependent claims 2-13 are allowable due to their dependence on independent claim 1.

Regarding independent Claim 14, the Examiner found neither prior art cited in its entirety, nor based on the prior art, found any motivation to combine any of said prior art that teaches “generating, prior to authentication, an identification confidence score of a user of a plurality of users based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication; initiating authentication for the user based on the identification confidence score; monitoring, using a behavioral model for the user, user activity of the user for anomalous activity to generate first data, wherein the behavioral model is an individual machine learning model created for each individual user of the plurality of users using a Bayesian hierarchical regression model that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse movement and keyboard dynamics; generating, at predetermined intervals after the authentication, snapshot data of the user activity, the snapshot data comprising both of: (i) current bandwidth usage and (ii) a number of open ports; determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user and (b) the snapshot data and at least one of (1) the first data, (2) the historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of the one or more resources is anomalous; removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource; and modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score by lowering the score when the user's utilization of the one or more resource is anomalous” in combination with all the elements of the independent claim.
The dependent claims 15-25 are allowable due to their dependence on independent claim 14.


Regarding independent Claim 27, the Examiner found neither prior art cited in its entirety, nor based on the prior art, found any motivation to combine any of said prior art that teaches “generating, prior to authentication using a behavioral model, an identification confidence score of a user of a plurality of users based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication, wherein the behavioral model is a machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse movement and keyboard dynamics; initiating authentication for the user based on the identification confidence score; providing, based on the authentication, an identity token to one or more resources giving the user remote access to such one or more resources, the one or more resources comprise software applications, application proxies, network services, mobile device managers, desktop access, or server access; monitoring, using the behavioral model after the providing, user activity of the user for anomalous activity to generate first data; generating, at predetermined intervals after the authentication, snapshot data of the user activity, the snapshot data comprising both of: (i) current bandwidth usage and (ii) a number of open ports; determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user and (b) the snapshot data and at least one of (1) the first data, (2) the historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of the one or more resources is anomalous; removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource based on the identity token; modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score by lowering the score when the user's utilization of the one or more resource is anomalous; increasing, when the user's utilization of the one or more resources is indicative of the user, the identification confidence score; and re-authenticating the user when the identification confidence score falls below a pre-defined level” in combination with all the elements of the independent claim.


The closest prior art made of record are:
Johansson et al. USPN9,485,237 teaches a system and method for confidence based authentication.  An identification of a user account is obtained from a user, and a minimum confidence threshold is determined.  Multiple authentication challenges are presented to the user.  Responses are obtained from the user to a subset of the challenges, with each response having a corresponding authentication point value.  A confidence score is generated for the user, where the confidence score is increased by the respective authentication point values of the correct responses.  The user is authenticated as being associated with the user account in response to determining that the confidence score meets the minimum confidence threshold. 
Gibson et al. US2016/0162683 teaches a system and a method for passive security for applications. Performing a security function on an application based on processed passive user information.  Applications are associated with a passive security engine.  Passive user information is monitored via inputs.  The passive user information is processed.  A security function is performed for at least two of the applications based on the processed passive user information. 
Kurupati USPN9,686,300 teaches a system and a method for intrusion detection.  Collecting, by a processing device, raw data regarding a user action.  The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user.  The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD.  The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.
 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959.  The examiner can normally be reached on M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HENRY TSANG/Primary Examiner, Art Unit 2495