DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/18/2018, 01/31/2019, 06/03/2019, 10/09/2019, 10/17/2019, 10/23/2019, 11/06/2019, 12/10/2019, 01/08/2020, 04/07/2020, 05/15/2020, 06/02/2020, 06/23/2020 and 06/10/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 10-16 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al. (US PGPUB: 20160306974, Filed Date: Jun. 30, 2016, hereinafter “Turgeman-6974”) in view of Turgeman (US PGPUB: 20150310196, Filed Date: Jun. 11, 2015, hereinafter “Turgeman-0196”).
Regarding independent claim 1, Turgeman-6974 teaches: A method for training a Machine Learning Algorithm (MLA), the MLA executed by a server, the MLA for classifying a user action sequence that is performed by a user with an electronic service using a computer device, the method executable by the server, the method comprising: (Turgeman-6974 − [0016] The present invention comprises systems, devices, and methods to enable detection (or determination, or estimation) of a “bot” or malicious automatic script or malware or a cyber-attack module or unit or computerized module, which is produces or generates or imitates human-like user-interaction data that resembles (or is posing as) human utilization of mouse, keyboard, touch-screen, touch-pad, or other input units of an electronic device or computing device or computer. [0045] a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
receiving an indication of interface elements of the electronic service and events associated with the interface elements to be monitored; (Turgeman-6974 − [0026] The Applicants have realized that the interactions of a user with a computerized service (e.g., a website or an online service), may be monitored, logged and tracked in order to detect user-specific characteristics that may enable the system to differentiate among users, or that may enable the system to differentiate between a legitimate user (e.g., a genuine user who is the account-owner, an authorized user) and an attacker (or impersonator or “fraudster” or imposter or impostor or other illegitimate user). [0029] Accordingly, the present invention may perform automatic scanning and mapping of the website (or webpage, or application, or service) that is being protected or being monitored or that is expected or intended to be monitored for fraudulent activity. The mapping process may identify UI elements or GUI elements (e.g., buttons, drop-down menus, selection boxes, data fields) and other elements (e.g., entire page or web-page; a tab or area in a website; a tab or area in a webpage; a tab or area in an application; an entire form; a sequence of operations or forms or pages), and may further classify or categorize or map such elements based on their context, based on their associated risk potential, or based on the level of damage that may occur if such element is fraudulently utilized, or based on the level of sufficiency of possible-fraud that would be required in order to trigger a fraud notification. TABLE 1 Risk Relatedness or UI Element Fraud Relatedness “Contact Us” button or link 4 “Branch Locator” button or link 2 “F.A.Q.” button or link 1 “Show Account Balance” button or link 49 “Show Monthly Statement” button or link 47 “Perform Payment to Payee” button or link 51 “Define New Payee” button or link 90 “Perform Money Transfer” button or link 89 “Beneficiary Name” field 92 “Beneficiary Account Number” field 87 “Amount to Wire” field 85 “Send Email Confirmation” yes/no selector 88 “Submit Payment Now” button 96 “Wire the Funds Now” button 98 [0064] In accordance with the present invention, a UI-Element-Based Fraud Estimator 168 may operate, in real-time as a user engages with the web-page or with UI elements, and/or in retrospect or retroactively (e.g., by reviewing and analyzing a log of previously-recorded user interactions), in order to estimate whether a particular user operation, or a set of operations, is estimated to be fraudulent, or is estimated to be associated with fraudulent behavior, or is estimated to be associated with a fraudulent user. Events being UI elements reference in Table 1.)
receiving a plurality of indications of the user action sequence, the user action sequence including occurrence of at least one of: (i) events associated with the interface elements and (ii) user interactions with the interface elements; and associated timestamps, the plurality of indications being of at least two different types of classes, for which the MLA is to be trained for classifying user actions into; (Turgeman-6974 − [0031] The contextual mapping information of such elements may be stored in a lookup table or database or other data-structure, or as a fraud risk-level parameter associated with each element; and may subsequently be utilized as a factor or a parameter in the process of determining whether or not an operation or a transaction (or a set of operations) is fraudulent or legitimate, or in the process of assigning or generating a total fraud-possibility score for a transaction or for on operation or set of operations. Table 1. [0064] In accordance with the present invention, a UI-Element-Based Fraud Estimator 168 may operate, in real-time as a user engages with the web-page or with UI elements, and/or in retrospect or retroactively (e.g., by reviewing and analyzing a log of previously-recorded user interactions), in order to estimate whether a particular user operation, or a set of operations, is estimated to be fraudulent, or is estimated to be associated with fraudulent behavior, or is estimated to be associated with a fraudulent user. [0065] In a demonstrative example, the UI-Element-Based Fraud Estimator 168 may detect that a highly-suspicious behavior has been identified in conjunction with engaging with the “Branch Locator” button; such as, that the on-screen mouse-pointer, when moving towards the “Branch Locator” button, appears to “jump” (e.g., indicating a possible Remote Access user, rather than a direct user that sits in front of a computing device), or that the mouse-pointer moves in an entirely perfect straight line (e.g., typically associated with an automatic script that moves the mouse-pointer, and not with a human user that rarely performs perfectly-linear moves).)
generating a training set comprising user action sequences belonging to the at least two different types of classes; (Turgeman-6974 − [0045] Optionally a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction); optionally, without necessarily using any specific pre-define features or characteristics or features, and optionally using a heuristic approach or holistic approach or “fuzzy logic” algorithm that attempts to find a unique identifier or a unique digital footprint without necessarily being tied to a specific biometric parameter or to a set of pre-defined biometric parameters. [0089] It is noted that in accordance with the present invention, monitoring and/or analyzing of “user interactions” and/or “user gestures”, may further comprise the monitoring and/or analyzing of interactions, gestures, and/or sensed data that is collected shortly before or immediately before the actual interaction, and/or interactions, gestures, and/or sensed data that is collected shortly after or immediately after the actual interaction; in addition to the data collected or sensed or monitored during the interaction itself. [0096] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns. The two different type of classes referring to fraudulent user and legitimate user)
the generating a given training set having a given user action sequence including: subdividing the given user action sequence into subsequences, the subdividing being based on a pre-determined set of: max subsequence length, min subsequence length;  (Turgeman-6974 − [0043] User-specific features extractor 115 may extract or estimate user-specific features or traits or characteristics or attributes, that characterize an interaction (or a set or batch or group or flow of interactions, or a session of interactions) of a user with the computerized service 102. Optionally, an extracted features database 116 may store data or records which reflects users and their respective values of extracted (or estimated) user-specific features. [0070] Optionally, the Bot/Malware/Script determination module 174 may comprise, or may utilize or may be associated with, a Statistical Analysis Unit which may perform statistical analysis of data of input-unit(s) interactions; for example, calculating average, mean, standard deviation, variance, distribution, distribution pattern(s), and/or other statistical properties of the registered or reported input-unit(s) events or gestures or data; and then, comparing them or matching them to general-population statistical properties of human-users utilization of such input-units, in order to find a mismatch or a significant deviation from human-characterizing statistical properties of human behavior. For example, determining that the keyboard exhibited an average (or median) typing speed of 650 words-per-minute, within one usage session or over multiple usage-sessions of the same user, indicates that this is non-human characteristic (e.g., as human can type at a speed of up to around 200 words-per-minute), thereby indicating that a computerized script more-probably than a human-user was responsible for entering such keyboard data. Similarly, statistical distribution of input-unit data or metadata (e.g., time-gaps between key-down/key-up events, time-gaps between typed characters, time-gaps between mouse-clicks or on-screen taps, or the like) may similarly be used for detecting non-human behavior of an automated, impostor, script or “bot”. The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like. Similarly, the Bot/Malware/Script determination module 174 may search for, and may detect, other types of abnormal behavior that does not (or cannot) characterize human utilization of an input-unit; for example, occurrence of two (or more) mouse-clicks or touchpad-taps or touch-screen taps, simultaneously or concurrently, at two (or more) different locations or on-screen locations; thereby indicating an automated “bot” or script, and not a human user.)
determining a frequency of each subsequence appearing in the user action sequences belonging to a given one of the at least two different types of classes; (Turgeman-6974 − [0070] Optionally, the Bot/Malware/Script determination module 174 may comprise, or may utilize or may be associated with, a Statistical Analysis Unit which may perform statistical analysis of data of input-unit(s) interactions; for example, calculating average, mean, standard deviation, variance, distribution, distribution pattern(s), and/or other statistical properties of the registered or reported input-unit(s) events or gestures or data; and then, comparing them or matching them to general-population statistical properties of human-users utilization of such input-units, in order to find a mismatch or a significant deviation from human-characterizing statistical properties of human behavior. For example, determining that the keyboard exhibited an average (or median) typing speed of 650 words-per-minute, within one usage session or over multiple usage-sessions of the same user, indicates that this is non-human characteristic (e.g., as human can type at a speed of up to around 200 words-per-minute), thereby indicating that a computerized script more-probably than a human-user was responsible for entering such keyboard data. Similarly, statistical distribution of input-unit data or metadata (e.g., time-gaps between key-down/key-up events, time-gaps between typed characters, time-gaps between mouse-clicks or on-screen taps, or the like) may similarly be used for detecting non-human behavior of an automated, impostor, script or “bot”.)
selecting n most informative subsequences indicative at the probability of the associated given user action sequence belonging to the given one of the at least two different types of classes; (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II). In still other embodiments, the fraud estimation module 160 may generate as output a fraud-probability score, indicating the estimated probability (e.g., on a scale of 0 to 100, or other suitable range of values) that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is fraudulent (or, is associated with a fraudulent transaction, or with fraudulent purposes, or with a fraudulent user). Other types of outputs or determinations or scores may be generated by the systems and methods of the present invention. Generate a probability for determining a particular engagement is either a legitimate, or fraudulent activity.)
using the training set to train the MLA to classify an in-use user action sequence into one of the at least two types of classes. (Turgeman-6974 − [0096] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns. This may be used for detection of “friendly fraud” incidents, or identification of users for accountability purposes, or identification of the user that utilized a particular function in an Administrator account (e.g., optionally used in conjunction with a requirement that certain users, or users with certain privileges, may not share their password or credentials with any other person); or identification of a licensee in order to detect or prevent software piracy or unauthorized usage by non-licensee user(s), for software or products that are sold or licensed on a per-user basis or a per-seat basis.)
Turgeman-6974 does not explicitly teach: scoring each subsequence based on the frequency;
However, Turgeman-0196 teaches: scoring each subsequence based on the frequency; (Turgeman-0196 − [0120] The system may analyze the interactions, or may extract properties and/or attributes of such interactions; for example, distribution of interactions per usage session, standard deviation of sampled data per usage session, average time of usage per usage session, average number of clicks (or keystrokes) per usage session, average time-gap between interactions (e.g., between keystrokes) per usage session, typical reaction (or reactive action, or corrective action) that is performed by a user in response to a user-interface interference that is injected into the usage session, and/or other attributes of each usage session. In some implementation, a usage session may be defined as a time period that begins when a user starts accessing the particular service by starting to enter the login credentials, and that ends upon detecting that a pre-defined time period (e.g., one minute, five minutes, ten minutes, one hour, two hours) has elapsed since the last user interaction was observed for that particular service. [0342] Reference is made to FIG. 5B, which is a schematic block-diagram illustration of a system 580 able to differentiate among users based on behavioral fluency score(s), in accordance with some demonstrative embodiments of the present invention. [0344] In a demonstrative implementation, a typing fluency score estimator 591 may estimate or determine a typing fluency score that characterizes a usage session (or a transaction, or a set of transactions, or a set of operations, or a discrete segment of input-unit data, or a temporal segment of interactions). In parallel, a pointer-movement fluency score estimator 592 may estimate or determine a pointer-movement fluency score that characterizes that usage session (or a transaction, or a set of transactions, or a set of operations, or a discrete segment of input-unit data, or a temporal segment of interactions). In parallel, a clicking fluency score estimator 593 may estimate or determine a clicking (or tapping) fluency score that characterizes that usage session (or a transaction, or a set of transactions, or a set of operations, or a discrete segment of input-unit data, or a temporal segment of interactions).) 
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Turgeman-0196 since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.
Regarding dependents claim 2, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the sub-dividing of the given user sequence into subsequences is further based on a number of the most informative features (n). (Turgeman-6974 − [0043] [0070] User-specific features extractor 115 may extract or estimate user-specific features or traits or characteristics or attributes, that characterize an interaction (or a set or batch or group or flow of interactions, or a session of interactions) of a user with the computerized service 102. Optionally, an extracted features database 116 may store data or records which reflects users and their respective values of extracted (or estimated) user-specific features.)
Regarding dependents claim 3, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the subdividing the given user action sequence into subsequences further comprises: in each user action sequence in the training set, searching for n most informative subsequences to generate a set of Boolean features, where each Boolean feature is indicative of whether its corresponding subsequence is present in the given action sequence; and wherein the Boolean feature is used as part of the training set. (Turgeman-6974 − [0070] Similarly, statistical distribution of input-unit data or metadata (e.g., time-gaps between key-down/key-up events, time-gaps between typed characters, time-gaps between mouse-clicks or on-screen taps, or the like) may similarly be used for detecting non-human behavior of an automated, impostor, script or “bot”. The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like. Similarly, the Bot/Malware/Script determination module 174 may search for, and may detect, other types of abnormal behavior that does not (or cannot) characterize human utilization of an input-unit; for example, occurrence of two (or more) mouse-clicks or touchpad-taps or touch-screen taps, simultaneously or concurrently, at two (or more) different locations or on-screen locations; thereby indicating an automated “bot” or script, and not a human user.)
Regarding dependents claim 4, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 does not explicitly teach: wherein the receiving the plurality of indications of the user action sequence comprises receiving the plurality of indications of past user actions that have been marked as belonging to at least two types of classes.
However, Turgeman-0196 teaches: wherein the receiving the plurality of indications of the user action sequence comprises receiving the plurality of indications of past user actions that have been marked as belonging to at least two types of classes. (Turgeman-0196 − [0083] In another example, different keyboard layouts may dictate, or may be indicative of, different speed or rate of typing (in general, or of various words or syllables or sequences); and these parameters may be monitored and evaluated by the keyboard identification module 250, and may allow to distinguish or differentiate among users based on the estimated type of keyboard layout that is being utilized in a current session, compared to historical or past keyboard layout(s) that were observed in prior usage sessions.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Turgeman-0196 since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency 
Regarding dependents claim 5, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the at least two types of classes comprise one of a legitimate transaction class and a fraudulent transaction class. (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II). In still other embodiments, the fraud estimation module 160 may generate as output a fraud-probability score, indicating the estimated probability (e.g., on a scale of 0 to 100, or other suitable range of values) that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is fraudulent (or, is associated with a fraudulent transaction, or with fraudulent purposes, or with a fraudulent user). Other types of outputs or determinations or scores may be generated by the systems and methods of the present invention. Generate a probability for determining a particular engagement is either a legitimate, or fraudulent activity.)
Regarding dependents claim 6, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the number of the most informative features (n) is pre- defined. (Turgeman-6974 − [0070] The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like.)
Regarding dependents claim 7, discloses all the features with respect to claim 6 as outlined above
Turgeman-6974 teaches: wherein the method further comprises pre-defining the number (n). (Turgeman-6974 − The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like.)
Regarding dependents claim 8, discloses all the features with respect to claim 7 as outlined above
Turgeman-6974 teaches: wherein the pre-defining the number (n) using a scoring function. (Turgeman-6974 − [0031] The contextual mapping information of such elements may be stored in a lookup table or database or other data-structure, or as a fraud risk-level parameter associated with each element; and may subsequently be utilized as a factor or a parameter in the process of determining whether or not an operation or a transaction (or a set of operations) is fraudulent or legitimate, or in the process of assigning or generating a total fraud-possibility score for a transaction or for on operation or set of operations.)
Regarding dependents claim 10, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the MLA is a classifier. (Turgeman-6974 − a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
Regarding dependents claim 11, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974
However, Turgeman-0196 teaches: wherein the classifier is based on a decision tree model. (Turgeman-0196 − [0048] The user-specific signal characteristics may be stored in the database 203, and may be used subsequently by comparator/matching module 204 in order to compare or match between current-characteristics and previously-estimated characteristics, thereby enabling a decision whether or not the current user is genuine or fraudulent. [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Turgeman-0196 since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.
Regarding independent claim 12, Turgeman-6974 teaches: A method for classifying a user action sequence that is performed by a user on a computer device in association with an electronic service, the method being executed by a trained Machine Learning Algorithm (MLA), the MLA executed by an electronic device; (Turgeman-6974 − [0016] The present invention comprises systems, devices, and methods to enable detection (or determination, or estimation) of a “bot” or malicious automatic script or malware or a cyber-attack module or unit or computerized module, which is produces or generates or imitates human-like user-interaction data that resembles (or is posing as) human utilization of mouse, keyboard, touch-screen, touch-pad, or other input units of an electronic device or computing device or computer. [0045] a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
the method comprising: obtaining a user action sequence, the user action sequence defined by at least one event associated with the user interaction with interface elements of the electronic service; (Turgeman-6974 − [0031] The contextual mapping information of such elements may be stored in a lookup table or database or other data-structure, or as a fraud risk-level parameter associated with each element; and may subsequently be utilized as a factor or a parameter in the process of determining whether or not an operation or a transaction (or a set of operations) is fraudulent or legitimate, or in the process of assigning or generating a total fraud-possibility score for a transaction or for on operation or set of operations. Table 1. [0064] In accordance with the present invention, a UI-Element-Based Fraud Estimator 168 may operate, in real-time as a user engages with the web-page or with UI elements, and/or in retrospect or retroactively (e.g., by reviewing and analyzing a log of previously-recorded user interactions), in order to estimate whether a particular user operation, or a set of operations, is estimated to be fraudulent, or is estimated to be associated with fraudulent behavior, or is estimated to be associated with a fraudulent user. [0065] In a demonstrative example, the UI-Element-Based Fraud Estimator 168 may detect that a highly-suspicious behavior has been identified in conjunction with engaging with the “Branch Locator” button; such as, that the on-screen mouse-pointer, when moving towards the “Branch Locator” button, appears to “jump” (e.g., indicating a possible Remote Access user, rather than a direct user that sits in front of a computing device), or that the mouse-pointer moves in an entirely perfect straight line (e.g., typically associated with an automatic script that moves the mouse-pointer, and not with a human user that rarely performs perfectly-linear moves).)
assigning the user action sequence a default class; (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II).)
analyzing the user action sequence by: subdividing the given user action sequence into subsequences, the subdividing being based on a pre-determined set of: max subsequence length, min subsequence length, a number of the most informative features (n); (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II). In still other embodiments, the fraud estimation module 160 may generate as output a fraud-probability score, indicating the estimated probability (e.g., on a scale of 0 to 100, or other suitable range of values) that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is fraudulent (or, is associated with a fraudulent transaction, or with fraudulent purposes, or with a fraudulent user). Other types of outputs or determinations or scores may be generated by the systems and methods of the present invention. Generate a probability for determining a particular engagement is either a legitimate, or fraudulent activity.)
generating a trigger indicative of the user action sequence requiring a remedial action. (Turgeman-6974 − [0123] In some embodiments, the method comprises: (i) detecting that a user engages the first particular UI element on said web-page which creates a potential security risk for an administrator of said web-page; (ii) in response to said detecting of step (i), generating a possible-fraud notification.
Turgeman-6974 does not explicitly teach: submitting the generated subsequence to the MLA to be used by the MLA to predict a predicted class associated with the user action sequence; in response to the predicted class being different from the default class,
However, Turgeman-0196 teaches: submitting the generated subsequence to the MLA to be used by the MLA to predict a predicted class associated with the user action sequence; (Turgeman-0196 − [0030] System 200 may comprise a user-specific feature extraction module 201, which may extract or estimate user-specific features or traits or characteristics, that characterize an interaction (or a set or batch of interactions, or a session of interactions) of a user with a service, through an input unit 299 (e.g., mouse, keyboard, stylus, touch-screen) and an output unit 298 (e.g., monitor, screen, touch-screen) that the user utilizes for such interactions. A user interaction monitoring/sampling module 202 may monitor all user interactions and may record, capture, or otherwise sample such interactions, and/or may otherwise collect user interaction data which may enable the user-specific feature extraction module 201 to extract or estimate user-specific features of the interaction. [0030] A database 203 may store records of users and their respective estimated user-specific feature values. A machine-learning process may be performed in order to allow the hardware identification module 236 to learn the characteristics of the sampling of the mouse events (or keyboard events) of the genuine user, given an average level of computer resources burdening (or availability), which may be known or unknown. [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models. This solution may outperform building one model for all users, even though it may require more data as the number of training sessions per user may be decreased.)
in response to the predicted class being different from the default class, (Turgeman-0196 − [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models. This solution may outperform building one model for all users, even though it may require more data as the number of training sessions per user may be decreased. [0103] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Turgeman-0196 since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art 
Regarding dependents claim 13, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 does not explicitly teach: wherein in response to the predicted class being the same as the default class, repeating the method with a next indication of the user action.
However, Turgeman-0196 teaches: wherein in response to the predicted class being the same as the default class, repeating the method with a next indication of the user action. (Turgeman-0196 − [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models. This solution may outperform building one model for all users, even though it may require more data as the number of training sessions per user may be decreased. [0103] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Turgeman-0196 since each invention is in the same field of endeavor of detecting a 
Regarding dependents claim 14, Turgeman-6974 teaches:  wherein the method further comprises training the MLA using the method of claim 1. (Turgeman-6974 − [0016] The present invention comprises systems, devices, and methods to enable detection (or determination, or estimation) of a “bot” or malicious automatic script or malware or a cyber-attack module or unit or computerized module, which is produces or generates or imitates human-like user-interaction data that resembles (or is posing as) human utilization of mouse, keyboard, touch-screen, touch-pad, or other input units of an electronic device or computing device or computer. [0045] a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
Regarding dependents claim 15, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 teaches: wherein the electronic device is one of a user electronic device used for executing the user action sequence and a server executing the electronic service. (Turgeman-6974 − [0037] System 100 may enable an end-user device 101 to interact with a computerized service 102. the end-use device 101 may be a stand-alone machine or interface; [0038] The computerized service 102 may be a local and/or a remote computerized platform or service or application or web-site or web-page. [0039] Some demonstrative and non-limiting examples, of suitable computerizes service(s) which may be used in conjunction with the present invention, may include: banking service,)
Regarding dependents claim 16, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 teaches: wherein the electronic service is an on-line banking application and wherein the method is executable while the user is performing user interactions with the on-line banking application. (Turgeman-6974 − [0037] System 100 may enable an end-user device 101 to interact with a computerized service 102. the end-use device 101 may be a stand-alone machine or interface; [0038] The computerized service 102 may be a local and/or a remote computerized platform or service or application or web-site or web-page. [0039] Some demonstrative and non-limiting examples, of suitable computerizes service(s) which may be used in conjunction with the present invention, may include: banking service,)

Claim Rejections - 35 USC § 103
Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman-6974 in view of Turgeman-0196 as applied to claims 1-8 and 10-16 above, and further in view of Brownlee (How To Implement The Decision Tree Algorithm From Scratch In Python, Pub Date: Nov. 9, 2016).
Regarding dependents claim 9,
Turgeman-6974 teaches a Statistical Analysis Unit which may perform statistical analysis of data of input-unit(s) interactions; see paragraph [0070] but does not explicitly teach the Gini index.
However, Brownlee teaches: wherein the scoring comprises applying a scored using Gini where k is the number of classes, and pi is the share of the [i] class. (Brownlee – [page 4] Calculating Gini for two groups of data. Gini index = sum (proportion * (1.0 – proportion)))
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974, Turgeman-0196 and Brownlee since each invention is in the same field of endeavor of machine learning. It would have been obvious of one of ordinary skill in the art to add the teaching of Brownlee, since the Gini Index equation is a known formula in element decision tree algorithm. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARL E BARNES JR whose telephone number is (571)270-3395. The examiner can normally be reached Monday-Friday 9am-3pm, 6pm-9pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cesar Paula can be reached on 571-272-4128. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CARL E BARNES JR/Examiner, Art Unit 2177                                                                                                                                                                                                        


/CESAR B PAULA/Supervisory Patent Examiner, Art Unit 2177