Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action
This office action is responsive to the Amendments and Request for Continued Examination (RCE) filed on 03 December 2021.  As directed by the Amendments, claims 1, 8, and 15 have been amended.  Claims 1-20 are pending in the application.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03 December 2021 has been entered.

Response to Arguments
The arguments presented on pages 9-13 of the Remarks filed on 03 December 2021 have been fully considered by the Examiner but are not persuasive.  Particularly, the Examiner contends that the previously cited references fairly read on the claim limitations as presently amended.


“Although, 99 users were tested, Deutschmann does not teach assessment of widely crowd sourced data from a general population of similarly-structured information handling systems to determine a selection of core identifiers that are distinct for a user and to be monitored for identification of the user. Deutschmann does not teach determining for a user that some subset of hardware performance parameters deviate from the crowd sourced population to be useful core identifiers of the user for a fingerprint profile. Thus, Deutschmann does not teach selecting a subset of those identified parameters as the core identifiers that exceed a threshold level of deviation for those core identifiers from the general population. Moreover, a selection from this subset is made such that not all metrics need to be assessed. Again, Deutschmann trains for particular users and distinguishes among those users. Applicant amends the claims to further clarify these core identifiers are identified among the metrics relative to deviation threshold compared to the general population of crowd-sourced data for similarly configured information handling systems.” (emphasis added)

	Generally, Deutschmann is relied upon to disclose collecting information handling system interaction telemetry data that is crowd-sourced from a population of similarly-structured information handling systems accessed by a plurality of users. (Deutschmann, pg. 230, § 6.1 “The test bed”, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc. The data was collected by software, which tracked various events that Ibid., “The users where[sic] asked not to share their working space with other people to avoid a “contamination” of the data. [Because users did not share their working spaces, the test bed comprises at least 99 similarly-structured workstations.])

	While the Examiner agrees that the underlined portions of the Remarks above are not disclosed by Deutschmann, Deutschmann is not relied upon for those limitations.  As cited in the previous rejection and repeated mutatis mutandis below, Geneiatakis is relied upon to teach to determine a selection of core identifiers that are distinct for a user and to be monitored for identification of the user  and a selection from this subset is made such that not all metrics need to be assessed (Geneiatakis, pg. 17, last three lines, “Moreover, the training of the classifier will determine whether all of these features will be used for the classification of the test data or just a subset of them and in general the optimal configuration of the classifier (most appropriate set of parameters based on the performance of the classifiers)”) [The System of Geneiatakis monitors dozens of hardware parameters, and chooses a subset of those parameters for classification purposes based on the performance of the classifiers.
	Likewise, Geneiatakis is not relied upon for some subset of hardware performance parameters deviate from the crowd sourced population to be useful core identifiers of the user for a fingerprint profile or selecting a subset of those identified parameters as the core identifiers that exceed a threshold level of deviation for those core identifiers , as those features are taught by Song (Song, 7:52-8:27, “To optimize classification performance, we apply the techniques of feature selection for multi-class  
Ibid, “σb is known as the between-class variance”; “and σ12 is the within-class variance” [“variance” from the statistical means of the features corresponds to the claimed “deviation level.”];)  [Note: Claim 1 no longer recites the limitation regarding “a threshold level of deviation”, but this feature is still present in independent claims 8 and 15.]

	On page 10 of the Remarks, the Applicant states:
Geneiatakis similarly teaches a system that is trained for data collected from four users who use a single shared computer for three hours. Geneiatakis at p. 14. This limited data set enables the system of Geneiatakis to identify differences among training for the four users. Further, Geneiatakis does not teach selecting a subset of core indirect identifiers from measured performance parameter levels of hardware component device utilization that deviate beyond threshold amounts from a plurality of general measured performance parameter levels of hardware component device utilization crowd sourced from users utilizing a general population plurality of similarly-structured information handling systems. Song is cited for a different aspect relating to statistical deviation but applies to biometrics. Still, neither of Geneiatakis or Song teach selecting the core identifiers as a subset of performance parameter levels of hardware component device utilization that may be selected from among many hardware operation parameters to identify a user relative to a crowd-sourced population using similar information handling systems. (emphasis added)

The Applicant appears to be attempting to distinguish the claimed invention over the Geneiatakis and Song references by pointing out that neither reference teaches crowdsourcing telemetry data from a “general population plurality of similarly-structured information systems”.  Neither Geneiatakis nor Song is relied upon to teach this feature, as Deutschmann discloses a “test bed” of at least 99 similarly-configured information handling systems from which telemetry data may be aggregated from 99 users.
	
In short, the independent claims are rejected under 35 U.S.C. § 103 as being unpatentable in view of a combination of Deutschmann, Geneiatakis, and/or Song, so it is to be expected that each reference will fail to disclose or teach at least some limitations of the claim.  As will be presented in more detail below, the rejections generally rely upon Deutschmann’s “test bed” of 99 users and 99 similarly-configured workstations from which telemetry data may be collected and aggregated, combined with the teachings of Geneiatakis and Song regarding possible monitored telemetry features and selection of a discriminative subset of telemetry features such that the selected features are sufficient to distinguish users of the information handling systems from one another.  Further, the feature selection of Song relies upon analyzing the variance (i.e. deviation level) of the monitored features in order to select the most discriminative features for user identification (applicable to claims 8 and 15, as this limitation has been removed from claim 1 via the present Amendments).

The remaining arguments are based upon the other independent claims’ similarity to claim 1, or upon the dependent claims’ dependence from their respective base claims and are not addressed separately here.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 4 are rejected under 35 U.S.C. § 103 as being unpatentable over Deutschmann I, Lindholm J. “Behavioral biometrics for DARPA's active authentication program”. In 2013 International Conference of the BIOSIG Special Interest Group (BIOSIG) 2013 Sep 5 (pp. 1-8), hereinafter “Deutschmann” (previously cited) in view of Geneiatakis et al., “Utilizing CPU, Memory and other features signals to control Geneiatakis” (previously cited)
 
Regarding claim 1, Deutschmann discloses [a]n information handling system comprising: a monitoring system data repository memory device (Fig. 3, Memory 308) for storing aggregate information handling system interaction telemetry data (Deutschmann, pg. 226, § 3 “General Continuous Authentication System,” “A monitor, which collects relevant behavioral data from the underlying system. In our research we gathered mouse, keyboard data and application usage.”; Deutschmann, pg. 226, § 4 “Calculating FAR/FRR/EER.” “a test group of 99 users were selected. They worked in DoD-like environment and their behavior was captured for three months by a monitor installed on every machine. We monitored applications as well as keyboard and mouse interactions.” [corresponds to claimed “aggregate information handling system interaction telemetry data”] representing measured performance parameter levels of hardware component device utilization (Ibid., and pg. 227, § 4.1.3 “Application interactions”, “We analyzed information such as time open, apps open in parallel, how they are opened and closed, number of open views, memory and CPU consumption” [memory and CPU consumption correspond to claimed “levels of hardware component device utilization”]) from component device smart meters and sensors of an operating information handling system (Deutschmann, pp. 226-227, § 4.1.1 Keyboard interactions”, “Keystroke patterns are collected by the way users type at the 
  and reported for a user of an information handling system; (Deutschmann, pg. 230, § 6.1 “The test bed”, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc. The data was collected by software, which tracked various events that could be interesting regarding their behavior.”; Ibid., “The users where[sic] asked not to share their working space with other people to avoid a “contamination” of the data. The data collection could be stopped by the users at any time, if they shared their working space or wanted to obtain privacy.)  [The information for each user is collected from the monitored computer in their individual working space.]
the monitoring system data repository memory device receiving aggregate information handling system interaction telemetry data for measured performance parameter levels of hardware component device utilization by a plurality of similarly-structured information handling system utilized by other users that is crowd-sourced from a population of the similarly-structured information handling systems accessed by a plurality of the other users; (Deutschmann, pg. 230, § 6.1, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc. The data was collected by software, which tracked various events that could be interesting regarding their behavior.” [As described above, the 99 users were asked not to share their working spaces during data collection, so data is necessarily being collected from  at least 99 different information handling systems.  Further, the disclosed “”standard Windows 7 desktops” reads on the claimed “similarly-structured information handling systems.”]) […] and to construct a fingerprint profile of operational activity by the user including a usage signature baseline level […]. (Deutschmann, pg. 226, § 3 “General Continuous Authentication System”, “A user profile which is storing condensed timings and is continuously updated when the input is assumed to be from the correct user. The system has to perform a initial training when the behavioral profile is empty. During this phase our system will assume that it is the correct user that is interacting with the system.” [The initial training generates a profile that corresponds to the claimed “signature baseline level”, which is then updated as the user continues to use the system.])

	While Deutschmann as discussed above discloses similarly-structured information handling systems and the plurality of other users, Deutschmann does not explicitly disclose executing instructions of an information handling system interaction signature platform via an application processor executing instructions of an information handling system interaction signature platform: to apply a supervised learning model algorithm to the aggregate information handling system interaction telemetry data for the hardware component device utilization when the user is in control compared to the aggregate information handling system interaction telemetry data or the hardware component device utilization for the plurality of other users to determine with a supervised learning classifier a subset of measured performance parameter levels of the hardware component device utilization as core indirect identifiers of hardware component device utilization specific to the user where the subset of measured performance parameter levels of the hardware component device utilization as core indirect identifiers of hardware component device utilization specific to the user are classified as distinct from general measured performance parameter levels of the plurality of other users […] comprises a learned usage signature of the user by the supervised learning classifier relative to the population […] core indirect identifiers of hardware component operation for the user,

-or-

of the core indirect identifiers of hardware component operation for the user.

	Geneiatakis teaches an application processor executing instructions of an information handling system interaction signature platform: to apply a supervised learning model algorithm (Geneiatakis, pg. 10, lines 4-8, “Apply classifier on test data: a posteriori or at runtime depending on the experimental settings). The classifier should be able to identify the class to which each of the test data belongs and it decides upon that based on the similarity and pattern matches of the test data features with the training data features.” ; Geneiatakis, pp. 22-23 § 6.1 “Classifiers” [lists six types of machine learning classifiers, including two (SVM and MultiLayer Perceptron Neural Network) that are explicitly described as using “supervised learning”] to the aggregate information handling system interaction telemetry data for the hardware component device utilization (Geneiatakis, Fig. 3 and pg 11, lines 3-11, “Thus, we designed a system monitor, as illustrated in Figure 3, consist[ing] of a General and Process level monitor modules. The General monitor, as its name implies, collects system general health data. Specifically, monitors the following system’s components: [CPU, Memory, and Network] Tables 1, 2, 3, and 4 overview the collected features. The process level monitor, on the other side, collects for each process the same type of information as Table 5 and 6 illustrate.”)  [Tables 1 through 6 list 56 different features that may be monitored and recorded, grouped into “CPU Features,” “Memory Features,” “TCP MIB Features,” “Net Stat Features,” “Process Level Information,” and “CPU Process Level Information.”] when the user is in control compared to the aggregate information handling system interaction telemetry data for the hardware component device utilization for the plurality of other users (Geneiatakis, pg. 14, § 4.2 “Experiments,” “As an initial test campaign we monitor and record the above mentioned features for four users, while they perform a number of common activities in a shared computer for three hours”;
to determine with a supervised learning classifier a subset of measured performance parameter levels of the hardware component device utilization as core indirect identifiers of hardware component device utilization  (Geneiatakis, pg. 17, last three lines, “Moreover, the training of the classifier will determine whether all of these features will be used for the classification of the test data or just a subset of them and in general the optimal configuration of the classifier (most appropriate set of parameters based on the performance of the classifiers)”) specific to the user, where the subset of measured performance parameter levels of the hardware component device utilization as core indirect identifiers of hardware component device utilization specific to the user are classified as distinct from measured performance parameter levels of the plurality of other users, (Geneiatakis, pg. 29, lines 3-13, “In the following, we discuss in detail results pertaining to the CPU related data. The C4.5, Decision Table and Bayes Network classifiers all exhibit 100% accuracy. […] The maximum frequency of the FFT transformation over the considered windows is the feature that has a very distinct value for each of the users that participated in the experiments and therefore has led to the comprises a learned usage signature of the user by the supervised learning classifier, (Geneiatakis, pg.29, lines 17-21, “Assuming that the data collected is correct, namely there is no bias from the experimental PC and indeed these properties (actually the maximum FFT feature of these properties) have a distinguishing value [corresponds to claimed “usage signature”] for every different user independently of the time he/she used the PC, then the C4.5, Decision Table and Bayes Network classifiers are deemed ideal to pinpoint the identity of users for whom they have been trained.” [The classifiers may distinguish each different user in the system based on the FFT feature of the monitored CPU properties based on the user’s distinguishing value for the feature(s).]

-and-

of the core indirect identifiers of hardware component operation for the user. (Geneiatakis, pg. 29, lines 3-13, “In the following, we discuss in detail results pertaining to the CPU related data. The C4.5, Decision Table and Bayes Network classifiers all exhibit 100% accuracy. […] The maximum frequency of the FFT transformation over the considered windows is the feature that has a very distinct value for each of the users 
Geneiatakis, pg. 17, last three lines, “Moreover, the training of the classifier will determine whether all of these features will be used for the classification of the test data or just a subset of them and in general the optimal configuration of the classifier (most appropriate set of parameters based on the performance of the classifiers)”)

	Geneiatakis is analogous art, as it is in the field of using machine learning to identify users based on their interactions with a computing device.
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to incorporate the monitored system features and supervised classifiers of Geneiatakis into the user modeling and identification of Deutschmann, the benefit being that monitored activity levels capture idiosyncratic features of the user, as cited by Geneiatakis at page 5, § 2.1 “Computer Resource Monitoring,” lines 6-8 “The activity level monitoring is crucial since every action or decision of the user is translated to function calls, processes, memory use, which in turn include all the idiosyncratic features of the user, which we target to capture.”

claim 4, the combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  Further, Geneiatakis teaches 
wherein at least one core indirect identifier of hardware component device utilization includes average threadcount.  (Geneiatakis, pg. 14, Table 5 “Active threads – The number of active threads” [This monitored system value may be trivially converted to and recorded as the claimed “average threadcount.”)


Claims 5, 8, 10, 12, and 14-15 are rejected under 35 U.S.C. § 103 as being unpatentable over Deutschmann I, Lindholm J. “Behavioral biometrics for DARPA's active authentication program”. In 2013 International Conference of the BIOSIG Special Interest Group (BIOSIG) 2013 Sep 5 (pp. 1-8), hereinafter “Deutschmann” (previously cited) in view of Geneiatakis et al., “Utilizing CPU, Memory and other features signals to control processes and related data in computing devices with potential to identify user,” European Commission, Joint Research Centre, Institute for the Protection and Security of the Citizen, Report EUR 27054 EN, 2015, hereinafter “Geneiatakis” (previously cited) and further in view of Song et al. (US 9,275,345, hereinafter “Song”) (previously cited)

Regarding claim 5, the combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  

wherein the aggregate information handling system interaction telemetry data reported for the user is received from the information handling system repeatedly accessed by the user with user identification credentials during a learning phase. 
Song teaches wherein the aggregate information handling system interaction telemetry data reported for the user is received from the information handling system repeatedly accessed by the user with user identification credentials during a learning phase (Song, Col. 11, line 65 - Col. 12, line 12.  We evaluate our proposed methodology over the "RUU1" dataset, by classifying user behavior among different users. For every user, a unique behavior model is trained and segments of test behavior are then labeled by our system; comparing each sample against the models from all users, i.e. one-vs-all classification. Accuracy reflects the percentage of correctly labeled instances. During the RUU1 user study, monitoring was not continuous throughout the trial period-users were given the option to enable and disable sensor logging at any time. All of the users turned on their sensors intermittently, for periods ranging between a few minutes to a couple of hours at a time.”)
	Song is analogous art as it is in the field of identifying/authenticating users by monitoring their system interaction data.
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the operational characteristic monitoring of Deutschmann with the operational characteristic monitoring of Song, the benefit being that by analyzing a variety of different users, it is possible to reduce the number of 

Regarding claim 8, Deutschmann discloses [a] computerized method of constructing a fingerprint profile of operational activity by a user of an information handling system comprising: storing aggregate information handling system interaction telemetry data (Deutschmann, pg. 226, § 3 “General Continuous Authentication System,” “A monitor, which collects relevant behavioral data from the underlying system. In our research we gathered mouse, keyboard data and application usage.”; Deutschmann, pg. 226, § 4 “Calculating FAR/FRR/EER.” “a test group of 99 users were selected. They worked in DoD-like environment and their behavior was captured for three months by a monitor installed on every machine. We monitored applications as well as keyboard and mouse interactions.” [corresponds to claimed “aggregate information handling system interaction telemetry data”] 
representing measured performance parameter levels of hardware component device utilization (Ibid., and pg. 227, § 4.1.3 “Application interactions”, “We analyzed information such as time open, apps open in parallel, how they are opened and closed, number of open views, memory and CPU consumption” [memory and CPU consumption correspond to claimed “levels of hardware component device utilization”]) 
from component device smart meters and sensors of an operating information handling system (Deutschmann, pp. 226-227, § 4.1.1 Keyboard interactions”, “Keystroke patterns are collected by the way users type at the keyboard. We count one keystroke as one interaction.” and § 4.1.2 “Mouse interactions”, “Mouse dynamics can be divided into different categories of actions, such as: main action types: Mouse move, click, drag and drop and action characteristics: Angle, velocity, direct distance.”) [The claim language recites the limitation "component device smart meters and sensors."  The instant specification provides no explicit definition for a "smart" meter or "smart" sensor.  This claim limitation is being interpreted to include any feature or functionality that is operable to monitor system parameter values, as described in ¶¶ [0061-62] of the instant specification.]
and reported for a user of the information handling system in a monitoring system data repository memory device; (Deutschmann, pg. 230, § 6.1 “The test bed”, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc. The data was collected by software, which tracked various events that could be interesting regarding their behavior.”; Ibid., “The users where[sic] asked not to share their working space with other people to avoid a “contamination” of the data. The data collection could be stopped by the users at any time, if they shared their working space or wanted to obtain privacy.)  [The information for each user is collected from the monitored computer in their individual working space.]; Deutschman, § 3 “A monitor, which collects relevant behavioral data from the underlying system. In our research we gathered mouse, 
receiving aggregate information handling system interaction telemetry data for measured performance parameter levels of hardware component device utilization crowd sourced from similarly-structured information handling systems utilized by a plurality of other users that is crowd-sourced from a population of similarly-structured information handling systems accessed by the plurality of other users via a network adapter; (Deutschmann, pg. 230, § 6.1, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc. The data was collected by software, which tracked various events that could be interesting regarding their behavior.” [As described above, the 99 users were asked not to share their working spaces during data collection, so data is necessarily being collected from  at least 99 different information handling systems.  Further, the disclosed “”standard Windows 7 desktops” reads on the claimed “similarly-structured information handling systems.”])
[…]constructing a fingerprint profile of operational activity by the user including a usage signature baseline level for the measured performance parameter level […] (Deutschmann, pg. 226, § 3 “General Continuous Authentication System”, “A user profile which is storing condensed timings and is continuously updated when the input is assumed to be from the correct user. The system has to perform an initial training when the behavioral profile is empty. During this phase our system will assume that it is the correct user that is interacting with the system.” [The initial training generates a profile 

	While Deutschmann as discussed above discloses from a crowd-sourced population and similarly-structured information handling systems (Deutschmann, pg. 230, § 6.1, “The test bed was consisting of 99 users, which have been using the computer for regular work for at least 20 hours per week, for a total of 10 weeks on standard Windows 7 desktops with office suite, web browser, antivirus etc.), Deutschmann does not explicitly disclose executing instructions of an information handling system interaction signature platform via an application processor to apply a supervised learning model algorithm supervised learning classifier to classify measured performance parameter levels of the hardware component device utilization of the operating information handing system by the user that is a distinct classification for the measured performance parameter level that exceeds a threshold level of deviation from the general measured performance parameter levels of hardware component device utilization for the plurality of other users […]; determining a selection of a subset of core indirect identifiers of hardware component device utilization parameters from a plurality of potential indirect identifiers in the interaction telemetry data based on the distinct classification of the measured performance parameter level determined by the supervised learning classifier, wherein the distinct classification of the selection of the subset of core indirect identifier of hardware component operation distinct from similarly-structured information handling systems includes the selection of a subset of measured performance parameter levels that exceed the threshold level of a deviation and is used to determine that the interaction is unique enough to identify the specific user to indicate a learned usage signature of selected subset of core indirect Page 4 of 13U.S. App. No.: 15/067,027Customer No. 138037 identifiers for  the user relative to the general measured performance parameter levels of hardware component device utilization for the plurality of other users for similarly-structured information handling systems;

-or-

that is determined to be the selected subset of core indirect identifiers for the user.

	Geneiatakis teaches executing instructions of an information handling system interaction signature platform via an application processor to apply a supervised learning model algorithm supervised learning classifier (Geneiatakis, pg. 10, lines 4-8, “Apply classifier on test data: having decided on the optimal classifier, it needs to be applied on the collected test data (a posteriori or at runtime depending on the experimental settings). The classifier should be able to identify the class to which each of the test data belongs and it decides upon that based on the similarity and pattern matches of the test data features with the training data features.” ; Geneiatakis, pp. 22-23 § 6.1 “Classifiers” [lists six types of machine learning classifiers, including two (SVM and MultiLayer Perceptron Neural Network) that are explicitly described as using “supervised learning”] to classify measured performance parameter levels of the hardware component device utilization of the operating information handing system by the user that is a distinct classification for the measured performance parameter level […] (Ibid. and Geneiatakis, Fig. 3 and pg 11, lines 3-11, “Thus, we designed a system monitor, as illustrated in Figure 3, consist[ing] of a General and Process level monitor modules. The General monitor, as its name implies, collects system general health data. Specifically, monitors the following system’s components: [CPU, Memory, and Network] Tables 1, 2, 3, and 4 overview the collected features. The process level monitor, on the other side, collects for each process the same type of information as Table 5 and 6 illustrate.”)  [Tables 1 through 6 list 56 different features that may be monitored and recorded, grouped into “CPU Features,” “Memory Features,” “TCP MIB Features,” “Net Stat Features,” “Process Level Information,” and “CPU Process Level Information.”] 
determining a selection of a subset of core indirect identifiers of hardware component device utilization parameters from a plurality of potential indirect identifiers in the interaction telemetry data based on the distinct classification of the measured performance parameter level determined by the supervised learning classifier, (Geneiatakis, pg. 17, last three lines, “Moreover, the training of the classifier will determine whether all of these features will be used for the classification of the test data or just a subset of them and in general the optimal configuration of the classifier (most appropriate set of parameters based on the performance of the classifiers)”)
[…]  and is used to determine that the interaction is unique enough to identify the specific user to indicate a learned usage signature of selected subset of core indirect Page 4 of 13U.S. App. No.: 15/067,027Customer No. 138037 identifiers for the user relative to the general measured performance parameter levels of hardware component device utilization for the plurality of other users for similarly-structured information handling systems; (Geneiatakis, pg.29, lines 17-21, “Assuming that the data collected is correct, namely there is no bias from the experimental PC and indeed these properties (actually the maximum FFT feature of these properties) have a distinguishing value [corresponds to claimed “usage signature”] for every different user independently of the time he/she used the PC, then the C4.5, Decision Table and Bayes Network classifiers are deemed ideal to pinpoint the identity of users for whom they have been trained.” [The classifiers may distinguish each different user in the system based on the FFT feature of the monitored CPU properties based on the user’s distinguishing value for the feature(s).]

-and-

that is determined to be the selected subset of core indirect identifiers for the user. (Geneiatakis, pg.29, lines 17-21, “Assuming that the data collected is correct, namely there is no bias from the experimental PC and indeed these properties (actually the maximum FFT feature of these properties) have a distinguishing value [corresponds to claimed “usage signature”] for every different user independently of the time he/she used the PC, then the C4.5, Decision Table and Bayes Network classifiers are deemed ideal to pinpoint the identity of users for whom they have been trained.” [The classifiers may distinguish each different user in the system based on the FFT feature of the monitored CPU properties based on the user’s distinguishing value for the feature(s).]


	The above combination of Deutschmann and Geneiatakis does not teach

that exceeds a threshold level of deviation from the general measured performance parameter levels of hardware component device utilization for the plurality of other users […];

-or-

wherein the distinct classification of the selection of the subset of core indirect identifier of hardware component operation distinct from similarly-structured information handling systems includes the selection of a subset of measured performance parameter levels that exceed the threshold level of a deviation

Song teaches that exceeds a threshold level of deviation from the general measured performance parameter levels of hardware component device utilization for the plurality of other users […]; (Song, 7:52-8:27, “To optimize classification performance, we apply the techniques of feature selection for multi-class learning. Specifically, selection is made based on a ranking of discriminative power of each independent feature, measured using Fisher's criteria. This process is as follows:  
Ibid, “σb is known as the between-class variance”; “and σ12 is the within-class variance” [“variance” from the statistical means of the features corresponds to the claimed “deviation level.”]; “The between-class variance reflects the distance (or separability) between the different classes, while the within-class variance measures the variance within that particular class; a smaller variance indicates that the feature measured for a particular class is stabilized around a specific value. Similarly, if the feature's between-class variance is high, it indicates that the feature is comparably more discriminative as measurements of this feature among different classes vary greatly. The Fisher score is highest when a feature exhibits both low within-class variance and high between-class variance.” [The Fisher score determines how discriminative a particular feature is and enables selection of only those features above a particular score. (corresponds to claimed “subset of measured performance parameter levels that exceed the threshold level of a deviation”] ; 
Song, 9:49-59 “In addition to the scalar Fisher's method, we have also evaluated the multivariate extension, known as Fisher Linear Discriminant (FLD). FLD is analogous to the 1-D scalar method [i.e. Fisher’s criteria] described previously, with the key difference that, instead of ranking the features independently, we project the data vector into a lower dimensional subspace. The premise is that a linear subspace exists, spanning the original, where the different classes can be more easily separated. The criteria for this selection is, therefore, applied, not to each individual feature, but to the method of selecting the basis vectors for the sub-space.” [The Fisher Linear 

-and-

wherein the distinct classification of the selection of the subset of core indirect identifier of hardware component operation distinct from similarly-structured information handling systems includes the selection of a subset of measured performance parameter levels that exceed the threshold level of deviation (Ibid.)
	
Song is analogous art, as it is directed to the task of analyzing a user’s actions on a computer in order to generate a biometric fingerprint for the user’s activity.
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to apply Fisher’s criteria and the Fisher Linear Determinant to the selected hardware parameters of Deutschmann and Geneiatakis, the benefit being that classification is optimized when the parameters used are the most discriminative for identifying particular users, as cited by Song at 7:52-56 “To optimize classification performance, we apply the techniques of feature selection for multi-class learning. Specifically, selection is made based on a ranking of discriminative power of each independent feature, measured using Fisher's criteria.”

	Claim 15 recites similar limitations as claim 8, and is rejection under the same rationale as applied to claim 8 above.

Regarding claim 10, the combination of references as applied to claim 8 above teaches [t]he computerized method of claim 8.  Further, Geneiatakis teaches wherein the at least one core indirect identifier of hardware component device utilization includes CPU idle time percentage.  (Geneiatakis, pg. 11, Table 1, “Idle time – Total time in which CPU does nothing” [This monitored system value can be trivially converted to and recorded as the claimed “CPU idle time percentage.”])

Regarding claim 12, the combination of references as applied to claim 8 above teaches [t]he computerized method of claim 8.  Further, Song teaches further comprising: constructing the fingerprint profile of operational activity (Song, Col. 11, line 67 “For every user, a unique behavior model is trained…”) by determining a learned statistical deviation from the usage signature baseline level for the at least one core indirect identifier of hardware component device utilization. (Song, Col.7, line 53 - Col. 8, line 25 “Specifically, selection is made based on a ranking of discriminative power of each independent feature, measured using Fisher’s criteria.  This process is as follows: for any feature, let u1, u2, … , uk represent the statistical means of that feature, measured over the data associated with each of the k users.”)

Regarding claim 14, the combination of references as applied to claim 8 above teaches [t]he computerized method of claim 8.  Further, Geneiatakis teaches wherein the supervised learning model algorithm is a Bayes classification algorithm.  (Geneiatakis, pg. 22, § 6.1 “Classifiers,” “Bayes Networks (K2): This 

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Deutschmann, Geneiatakis, and Song in view of Alam et al. (US 2008/0319926, hereinafter “Alam”) (previously cited).

Regarding claim 2, the combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  
The above combination does not explicitly teach wherein the at least one core indirect identifier of hardware component device utilization includes average CPU consumption.  
Alam teaches wherein the at least one core indirect identifier of hardware component device utilization includes average CPU consumption (Alam, ¶ [0012] “Resources may be expressed in resource units, where a resource unit may comprise a preselected incremental amount of the total capacity of a particular resource. For example, a unit of CPU resource may consist of one CPU, one CPU clock cycle, 1 % of a single CPU's capacity, or a combination thereof.”; Alam, ¶ [0021] “…some of the metrics may include average and peak usage of CPU resources, memory resources, network resources, disk resources, middleware resources, and SAN resources.”)
Alam is analogous art, as it addresses the task of monitoring the operational use characteristics of computers.


Regarding claim 9, the combination of references as applied to claim 8 above teaches [t]he computerized method of claim 8.  
The above combination does not explicitly teach wherein the at least one core indirect identifier of hardware component device utilization includes average available memory percentage during operation.  
Alam teaches wherein the at least one core indirect identifier of hardware component device utilization includes average available memory percentage during operation.  (Alam ¶ [0012] “Resources may be expressed in resource units, where a resource unit may comprise a preselected incremental amount of the total capacity of a particular resource. For example, a unit of CPU resource may consist of one CPU, one CPU clock cycle, 1 % of a single CPU's capacity, or a combination thereof.”; Alam, ¶ [0021] “…some of the metrics may include average and peak usage of CPU resources, memory resources, network resources, disk resources, middleware resources, and SAN resources.”)

It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the operational behavior monitoring of Stavrou with the use of average available memory monitoring as taught by Alam the benefit being that memory usage is a measurable, dynamic value associated with an individual computer system, as cited by Alam in the Abstract, “Resource information is gathered on each computer system resource from a set of resources which are memory resources, SAN resources, CPU resources, hard disk resources, network resources, and middleware resources.”

Claims 3, 6, 13, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Deutschmann , Geneiatakis, and Song in view of Stavrou et al. (US 2017/0161478, hereinafter “Stavrou”) (previously cited)

	Regarding claim 3, The combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  
The above combination does not teach wherein at least one core indirect identifier of hardware component device utilization includes an LCD average brightness percentage.
Stavrou teaches wherein at least one core indirect identifier of hardware component device utilization includes an LCD average brightness percentage. (Stavrou, ¶ [0102] “authentication engine 302 can collect datapoints related to electronic 
Stavrou is analogous art, as it is in the field of identifying computer users based on their behaviometric activity.
It would have been obvious to one of ordinary skill in the art to use the LCD average brightness of Stavrou with the measured user parameters of Deutschmann and Geneiatakis, the benefit being that average LCD brightness is one of “a plurality of factors comprising of biometric modalities, power consumption, application usage, user interactions, user movement, and user location/travel” that may be used to actively authenticate users of an electronic device in a continuous manner, as cited by Stavrou in the Abstract.

	Regarding claim 6, the combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  Further, Geneiatakis teaches to determine if someone other than the user is accessing the information handling system (Geneiatakis, pg. 4, lines 17-19, “We should mentioned that on the one side such approaches can be used to employ a continuous authentication assessment, in which when an uncommon behaviour is detected would trigger users’ authentication.”)
the application processor to analyze the fingerprint profile of operational activity by the user including a plurality of usage signature baseline levels for the plurality of core indirect identifiers.
Stavrou teaches the application processor to analyze the fingerprint profile of operational activity by the user including a plurality of usage signature baseline levels for the plurality of core indirect identifiers. (Stavrou, ¶ [0095], “The electronic device uses the collated information to build the user behavior models.  The electronic device generates baselines from the data collected from each user.” [corresponds to baselines for an individual user]) 
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to analyze operational activity and compare it to a baseline level in order to authenticate the user of a computer system, as recited by Stavrou in ¶ [0004] “In an example embodiment, a computer-implemented method for continuous authentication of users of an electronic device includes collecting data from an actual user of an electronic device […] by an authentication engine; checking for a deviation of the collected data by the authentication engine from a behavior model of the user; and enforcing at least one access control policy on the electronic device by an enforcement engine based on an input from the authentication engine, on the authentication engine detecting deviations equal to or greater than a pre-defined number of deviations within a pre-defined time window.”

	Claims 13 and 16 recite similar limitations as claim 6, and are rejected under the same rationale as applied to claim 6 above.


	Regarding claim 17, the combination of references as applied to claim 15 above teaches the information handling system of claim 15.  
The above combination does not teach further comprising: the application processor executing instructions of the information handling system interaction signature platform to detect a match to the fingerprint profile of operational activity by the user if the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as the at least one core indirect identifier of hardware component operation falls within a learned statistical deviation from the usage signature baseline level for the at least one core indirect identifier of the user. 
Stavrou teaches further comprising: the application processor executing instructions of the information handling system interaction signature platform to detect a match to the fingerprint profile of operational activity by the user if the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as the at least one core indirect identifier of hardware component operation falls within a learned statistical deviation from the usage signature baseline level for the at least one core indirect identifier of the user. (Stavrou, ¶ [0029] “Embodiments herein perform continuous authentication by using a combination of touch, movement and power patterns that can be considered to be unique to a 

	Regarding claim 18, the combination of references as applied to claim 15 above teaches the information handling system of claim 15.  
The above combination does not teach further comprising: the application processor assessing user identification credentials to identify a fingerprint profile of operational activity associated with the user identification credentials; the application processor determining that a non-match has occurred if the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as the at least one core indirect identifier of the user falls outside a learned statistical deviation from the user signature baseline level for the at least one core indirect identifier of the user.
Stavrou teaches further comprising: the application processor assessing user identification credentials to identify a fingerprint profile of operational activity associated with the user identification credentials; (Stavrou, Fig. 8, the behavior models of operational activity are associated with specific identified users (e.g. User1 and User2)) the application processor determining that a non-match has occurred if the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as the at least one core indirect identifier of the user falls outside a learned statistical deviation from the user signature baseline level for the at least one core indirect identifier of the user. (Stavrou, ¶ [0029] “the system performs continuous authentication by using a combination of touch, movement and power patterns that can be considered to be unique to a specific legitimate user and flags deviations from those patterns.  As those deviations are discovered, penalties are applied that curtail the functionalities available on the device to the imposter”)

Claim 7 is rejected under 35 U.S.C. § 103 as being unpatentable over Deutschmann and Geneiatakis in view of "Random Forests," Leo Breiman, Machine Learning, 45, 5–32, 2001, copyright 2001 Kluwer Academic Publishers (hereinafter "Breiman") (previously cited).

Regarding claim 7, the combination of references as applied to claim 1 above teaches [t]he information handling system of claim 1.  
The above combination does not explicitly teach wherein the supervised learning model algorithm is a random forest classification algorithm.  
Breiman teaches wherein the supervised learning model algorithm is a random forest classification algorithm (Breiman, Pg. 11, section 4 “Random forests using random input selection”)
Breiman is analogous art, as it is directed to the task of generating a supervised learning model algorithm.


The forests studied here consist of using randomly selected inputs or combinations of inputs at each node to grow each tree. The resulting forests give accuracy that compare favorably with Adaboost. This class of procedures has desirable characteristics:
i Its accuracy is as good as Adaboost and sometimes better.
ii It’s relatively robust to outliers and noise.
iii It’s faster than bagging or boosting.
iv It gives useful internal estimates of error, strength, correlation and variable importance.
v It’s simple and easily parallelized. 
Breiman, pg. 10, section 3 “Using random features”


Claims 11 and 20 are rejected under 35 U.S.C. § 103 as being unpatentable over Deutschmann, Geneiatakis, and Song in further view of Valacich et al. (WO 2014/205148, hereinafter "Valacich") (previously cited)

claim 11, the combination of references as applied to claim 8 above teaches [t]he computerized method of claim 8.
The above combination does not explicitly teach wherein the usage signature baseline level for the measured performance parameter level that is determined to be the at least one core indirect identifier is a distribution of values for the at least one core indirect identifier of hardware component device utilization.  
Valacich teaches wherein the usage signature baseline level for the measured performance parameter level that is determined to be the at least one core indirect identifier is a distribution of values for the at least one core indirect identifier of hardware component device utilization. (Valacich ¶ [0011] “The reference profile can be established by identifying a certain acceptable ranges [corresponds to a distribution of values] for a given input device usage characteristic.” [corresponds to a core indirect identifier])
Valacich is analogous art, as it is in the field of continuous user authentication.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the user modeling of Stavrou with the use of a range of values for a usage characteristic as taught by Valacich, the benefit being that storing a range of acceptable values in a user profile allows the system to represent that user usage characteristics that may vary from day to day or from situation to situation, as cited by Valacich in ¶ [0011], “For example, the length of time a key is held down by the user can vary from day to day or from situation to situation.”

claim 20, the combination of references as applied to claim 15 above teaches [t]he information handling system of claim 15.  
The above combination does not explicitly teach further comprising: the application processor to compare the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as at least one core indirect identifier with the fingerprint profiles of operational activity for a set of known users.  
Valacich teaches further comprising: the application processor to compare the monitored information handling system interaction telemetry data for the measured performance parameter level of hardware component device utilization identified as at least one core indirect identifier with the fingerprint profiles of operational activity for a set of known users. (Valacich ¶ [0043] “if the intruder's signature [corresponds to fingerprint profile] is in the database (i.e., a member of the organization) [corresponds to a set of known users], he or she can be identified”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication system of Stavrou with comparing interaction telemetry data against a pool of known users as taught by Valacich, the benefit being that it allows an intruder to potentially be identified (Valacich, ¶ [0043] as cited above).

Claim 19 is rejected under 35 U.S.C. § 103 as being unpatentable over Deutschmann, Geneiatakis, Song and Stavrou in further view of Valacich.

Regarding claim 19, the combination of references as applied to claim 18 above teaches [t]he information handling system of claim 18.  
The above combination does not explicitly teach further comprising: a network adapter for transmitting a dispatch ticket indicating a non-match with the fingerprint profile of operational activity associated with the user identification credentials.  
Valacich teaches further comprising: a network adapter for transmitting a dispatch ticket indicating a non-match with the fingerprint profile of operational activity associated with the user identification credentials. (Valacich ¶ [0008] “When an intruder is detected, policy-based actions can be executed such as locking the system, alerting a system administrator, or alerting the legitimate user.”
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication system of Stavrou with the notification function taught by Valacich, the benefit being that transmitting an indication of a non-match with user identification credentials allows the system to lock down the network, alert a system administrator or alert the legitimate user (Valacich, ¶ [0008] as cited above)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT R GARDNER whose telephone number is (469)295-9128. The examiner can normally be reached 8:00am - 5:00pm M-F.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J Lo can be reached on 571-272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SCOTT R GARDNER/Examiner, Art Unit 2126                                                                                                                                                                                                        /ANN J LO/Supervisory Patent Examiner, Art Unit 2126